Behavioral Monitoring - Tip Tuesday for NCSAM

October 11, 2016 | Javvad Malik
During Week Two of National Cyber Security Awareness Month (NCSAM), our focus is on behavioral monitoring.

Often, behavioral monitoring is uttered in the same sentence as big data analytics or algorithms, making it sound as if behavioral monitoring is a form of witchcraft.

In many instances, behavioral monitoring can be undertaken with few resources in a simple way.

Behavioral monitoring is more about understanding what constitutes normal or acceptable behavior. For example, it is normal, or expected, that many children will cry on their first day of school as their parents leave them alone for the first time. But after a few years, a child crying when dropped off at school is a less common occurrence, and such behavior warrants some investigation.

Here's a video on behavioral monitoring with some examples.

In monitoring terms, analysts can monitor certain aspects of the infrastructure in order to gain insight into normal behavior. For example, service monitoring provides visibility into the service uptime – and any unexpected outages can be identified quickly if being unavailable is not expected behavior for these services.

Similarly, netflow analysis can provide high-level trends related to which protocols are being used, which hosts use each protocol, and the average bandwidth usage. Any major deviation from the norm can indicate malicious activity.

If the IT team develops a regular routine to monitor activity and analyze patterns, anomalies can be spotted. Several studies have shown that, despite the advancements in AI, the human brain still remains one of the best pattern-recognition machines. In his book ‘How to Create a Mind’, Ray Kurzweil argues that the brain contains a hierarchy of pattern recognizers.

The real value in behavioral monitoring is that one does not need to be intimately familiar with the underlying technology to recognise an anomaly. For example, if traffic between two systems is relatively stable but then suddenly spikes, it can be recognised as an anomaly – even if information about the kinds of systems, or the protocols used, is unknown.
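To make the traffic-spike example concrete, here is an added illustration (not code from the original post) of the kind of simple baseline check described above: it sums bytes per host pair and protocol per hour, builds a baseline from earlier hours, and flags an hour that deviates sharply or a protocol the pair has never used. The flow records, hosts and the 3-sigma threshold are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of simplified flow records: (hour, src, dst, proto, bytes).
# Hours 0-5 are the quiet baseline; hour 6 holds a byte-count spike between
# 10.0.0.5 and 10.0.0.9 plus a protocol (ssh) that pair has never used before.
SAMPLE_FLOWS = [
    (h, "10.0.0.5", "10.0.0.9", "https", b)
    for h, b in enumerate([1200, 1350, 1100, 1280, 1220, 1300])
] + [
    (h, "10.0.0.7", "10.0.0.9", "dns", b)
    for h, b in enumerate([300, 320, 290, 310, 305, 315])
] + [
    (6, "10.0.0.5", "10.0.0.9", "https", 48000),  # sudden spike
    (6, "10.0.0.7", "10.0.0.9", "dns", 310),      # within normal range
    (6, "10.0.0.5", "10.0.0.9", "ssh", 900),      # new protocol for this pair
]

def aggregate(flows):
    """Sum bytes per (src, dst, proto) for each hour."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, src, dst, proto, nbytes in flows:
        totals[(src, dst, proto)][hour] += nbytes
    return totals

def find_anomalies(flows, current_hour, z_threshold=3.0):
    """Compare each pair/protocol's bytes in current_hour against the mean and
    standard deviation of its earlier hours. A key with no history is reported
    as 'new'; one whose z-score exceeds the threshold is reported as 'spike'.
    Returns a list of (key, kind, value) tuples."""
    totals = aggregate(flows)
    anomalies = []
    for key, per_hour in totals.items():
        current = per_hour.get(current_hour)
        if current is None:
            continue
        history = [v for h, v in per_hour.items() if h < current_hour]
        if not history:
            anomalies.append((key, "new", current))
            continue
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            # Perfectly flat baseline: any change at all is a deviation.
            z = 0.0 if current == mu else float("inf")
        else:
            z = (current - mu) / sigma
        if abs(z) > z_threshold:
            anomalies.append((key, "spike", round(z, 1)))
    return anomalies
```

The baseline here is deliberately naive (a fixed window of earlier hours with no diurnal or weekly seasonality), which is exactly what a team with few resources can start with and refine later.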

Developing even basic behavioral monitoring capabilities can be extremely beneficial for spotting unknown threats, suspicious behavior, and even policy violations.

About the Author: Javvad Malik
The man, the myth, the blogger; Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.