In many aspects of the physical world, we’re quite accustomed to seeing things from the user perspective.
In the course of our daily lives, we continually interact with environments and systems that are keyed to a person. For example, when we fly, our ticket, our frequent flyer account, and the security screening process are all per person. Similarly, if we shop at a retail store with a rewards program, each rewards account is typically tied to a person. Our financial accounts are also tied closely to us as people. The list goes on and on – there is no shortage of familiar examples. In fact, were we to encounter a situation where this were not the case, we would find it quite strange. For example, imagine a store that allocated items per shopping cart, independent of the people pushing the cart and the items they were actually interested in. That would be quite unusual and would feel quite strange, wouldn’t it?
Given our comfort level with this concept, I’ve always found it quite remarkable how little the security profession relates back to actual people. I’m continually surprised by how much of our defensive effort is centered on systems, rather than people. What do I mean by this? Think about how we in the security profession trade indicators, configure alert logic, and report incidents. Is the story we tell anchored around people? Sometimes that is the case, but most often it is not.
Sure, there may be individual pieces of information around compromised credentials, email addresses that were targeted, or specific users that were victimized, but in general, the security story is a system-based one. Rarely do we detect, analyze, contain, or remediate intrusions from the point of view of the user. Alerts and events are generated per system. Investigations are based on detecting, analyzing, containing, and remediating infected systems. Intelligence is primarily leveraged to identify systems of interest. Reports involve detailed accounts of compromised systems and any associated data that may have been stolen from them.
What’s interesting to me, though, is that if we take a step back, we see that systems aren’t actually the true pivot point — users are. Users are the ones who are granted access to sensitive, confidential, or proprietary information, not systems. Since it is that very same sensitive, confidential, or proprietary information we are most often looking to protect, where is the user in all of this? Or, to put it another way, what are we doing to tell the security story from the point of view of the user? I think if we explore some of the possibilities that the user perspective opens up for us, we’ll quickly see its advantage.
Each user in an organization may use a number of different systems. For example, a given user may have a desktop computer, a laptop computer, a tablet, smartphone, and other devices. Likewise, each system may be used by a number of different users. For example, a virtual desktop environment may have one IP address but be used by dozens of users. If all of our analysis is centered on systems, we miss the correlation that arises from linking a single user to multiple systems, or conversely, multiple users to a single system.
Why is this important? Let’s have a look at what happens when we shift our perspective to the user for a few different use cases.
Insider Threat: Insider threat is a topic on many people’s minds these days. Whether the concern is a rogue employee, espionage, or something else, insider threat is a challenge that practically demands the user perspective. Identifying insider threat activity is already extremely difficult. Trying to identify it solely by analyzing the activity of systems, rather than the activity of users, is nearly impossible.
Serial Offender: What is the difference between five different systems infected over a period of a few months and a serial offender? The difference is correlation at the user level. Sometimes users have bad security “hygiene” that causes them to pose a greater risk to the organization. Taking a user perspective allows us to identify serial offenders and take steps to address the issue.
Lateral Movement/Staging for Exfiltration: From the system perspective, lateral movement and staging of data for exfiltration look very similar to legitimate network activity. The difference lies mainly in intent, which is nearly impossible to infer when looking at the problem from a system perspective. Looking at the problem from the user perspective allows us to gain an edge. Correlating activity to the user allows us to see if users are logging in from unusual places or logging into unusual places, among other suspect behaviors. Perspective changes everything here.
Stolen Credentials: Two systems may log in to a server or access a file share at the same time, and we would think nothing of it. But if the same user account was used at the same time from two different systems in two different divisions of the organization on two different sides of the globe, that activity becomes a bit more suspect. Looking at the activity through the lens of user-level correlation allows us to tease out the difference.
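The one-user-many-systems pivot described earlier and the serial offender, unusual logon and stolen credential cases above, as an added Python example that is not from the original post. It runs over a handful of constructed sample events (every host name, site, user name, timestamp and threshold is invented for illustration), pivots them by user and by host, and applies three user-level rules that a per-system view cannot express: several infected hosts tied to one account inside a window, a logon to a site outside the user's baseline, and one account active from two sites within minutes.

```python
"""User-pivoted correlation over constructed sample events (added example;
all hosts, sites, users, timestamps and thresholds are invented)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: (timestamp, kind, user, host, site where the host lives).
RAW_EVENTS = [
    ("2024-01-08T09:02:00", "logon",   "bkim",   "lon-ws-11",  "LON"),
    ("2024-01-09T09:05:00", "logon",   "bkim",   "lon-ws-11",  "LON"),
    ("2024-01-10T09:01:00", "logon",   "bkim",   "lon-vdi-01", "LON"),
    ("2024-01-10T09:04:00", "logon",   "cdiaz",  "lon-vdi-01", "LON"),
    ("2024-01-10T09:06:00", "logon",   "asmith", "lon-vdi-01", "LON"),
    ("2024-01-15T14:20:00", "malware", "jdoe",   "nyc-ws-03",  "NYC"),
    ("2024-01-16T08:30:00", "logon",   "asmith", "nyc-ws-01",  "NYC"),
    ("2024-02-02T11:10:00", "malware", "jdoe",   "nyc-lt-07",  "NYC"),
    ("2024-03-21T16:45:00", "malware", "jdoe",   "nyc-tab-02", "NYC"),
    ("2024-03-22T10:00:00", "logon",   "asmith", "nyc-ws-01",  "NYC"),
    ("2024-03-22T10:03:00", "logon",   "asmith", "sgp-ws-07",  "SGP"),
    ("2024-03-25T23:40:00", "logon",   "bkim",   "fin-fs-02",  "NYC"),
]
# Invented cut-off: everything before it is "normal" behaviour for baselining.
BASELINE_END = datetime(2024, 3, 1)


def parse(raw):
    """Turn the raw tuples into dicts with real datetimes."""
    return [{"ts": datetime.fromisoformat(t), "kind": k, "user": u, "host": h, "site": s}
            for t, k, u, h, s in raw]


def pivot(events, key, value):
    """Generic pivot: key field -> set of value field (user->hosts or host->users)."""
    out = defaultdict(set)
    for e in events:
        out[e[key]].add(e[value])
    return dict(out)


def by_user(events, kind):
    """Group events of one kind by user, each user's list sorted by time."""
    groups = defaultdict(list)
    for e in events:
        if e["kind"] == kind:
            groups[e["user"]].append(e)
    return {u: sorted(evs, key=lambda e: e["ts"]) for u, evs in groups.items()}


def serial_offenders(events, min_hosts=3, window=timedelta(days=90)):
    """Users whose account appears in malware alerts on >= min_hosts distinct
    hosts within `window`. Per-host alerting sees unrelated infections; the
    user pivot sees one serial offender."""
    hits = {}
    for user, evs in by_user(events, "malware").items():
        for i, first in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def unusual_logons(events, baseline_end):
    """Logons after `baseline_end` to a site the user never logged on to during
    the baseline period (the "logging into unusual places" case)."""
    baseline = defaultdict(set)
    for e in events:
        if e["kind"] == "logon" and e["ts"] < baseline_end:
            baseline[e["user"]].add(e["site"])
    return [(e["user"], e["host"], e["site"]) for e in events
            if e["kind"] == "logon" and e["ts"] >= baseline_end
            and e["site"] not in baseline[e["user"]]]


def concurrent_credential_use(events, window=timedelta(minutes=15)):
    """One account logged on from hosts at two different sites within `window`.
    Two hosts logging on at once is normal; one account doing so from two sites is not."""
    findings = []
    for user, evs in by_user(events, "logon").items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break
                if a["site"] != b["site"]:
                    findings.append((user, a["host"], b["host"]))
    return findings


if __name__ == "__main__":
    ev = parse(RAW_EVENTS)
    print("hosts per user:", pivot(ev, "user", "host"))
    print("users per host:", pivot(ev, "host", "user"))
    print("serial offenders:", serial_offenders(ev))
    print("unusual logons:", unusual_logons(ev, BASELINE_END))
    print("concurrent credential use:", concurrent_credential_use(ev))
```

Note what each rule keys on: `lon-vdi-01` is one host with three users, so a per-host alert there would tell you almost nothing about who was involved, while `jdoe`'s three infections on three different hosts only become one finding once the events are grouped by account. The thresholds (three hosts in 90 days, a 15-minute window, a fixed baseline cut-off) are arbitrary and would need tuning against real logon and alert volumes.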
Essentially, systems are merely tools that users leverage to perform their job functions. Looking at security from a vantage point that lets us correlate activity by user, rather than by system alone, gives us a very different perspective. That perspective allows us to better identify and analyze certain types of activity on the network that we may want to investigate further. Regardless of the maturity of your security program, chances are that it could benefit from a look at the user perspective.