Dan's Take

Applying Behavioral Analysis to Security

A discussion with Fortscale about version 2.0.

• By Dan Kusnetzky
• 12/17/2015

I had an interesting conversation with Fortscale's Chief Marketing Officer, Bert Rankin, about Fortscale 2.0 and the use of behavioral analysis of log information as a way to detect both insider and external security attacks. The process involves prioritizing anomalies to first separate the wheat from the chaff; find important "needles in a stack of needles"; and direct security analysts' efforts to identify and halt security issues in progress.

The Security Challenge
Rankin pointed out that more and more of the time, security attacks can be categorized as slow entry and a long-term grab for information or control, rather than the smash-and-grab approach seen in the past. Often legitimate credentials are used to gain access.

Fortscale's research shows that 88 percent of security attacks involve malicious use of legitimate credentials, and 82 percent involve use of stolen credentials. The security analyst's challenge centers on ferreting out the indications of inappropriate use of an enterprise's systems and data out of mounds of normal activity. They key is determining what's normal. Fortscale believes that its approach, using behavioral analysis, can make that process faster and can limit or minimize damage.

How It Works
Fortscale bases its approach on sophisticated machine learning, rather than having analysts go through a complex process of setting up access parameters for each and every machine, operating system, database, application framework and application function. Fortscale's software examines security and operational logs and learns "normal" so that it can quickly point out what appears to be abnormal. It does this by collecting data, profiling user and group behaviors and finding anomalous behavior. It can then take that information, prioritize it based upon potential danger, then alert the security analyst and provide necessary context, making it easy for the analyst to know what's going. It can also suggest actions to be taken.

Rankin spent quite a bit of time discussing what data the behavioral analysis examines. He said that this is accomplished by interrogating important security tools such as IBM Qradar, McAfee Enterprise Security Manager, HP ArcSight, RSA Security Analytics, and/or SPLUNK; Fortscale's own machine intelligence technology is then applied to the results. The analysis also includes contextual information contained in Microsoft Active Directory and Cisco's ISE as well as information from the enterprise's own custom applications, Web access, customer service applications and customer billing systems.

This multi-factor analysis is used to create dynamic thresholds that help limit false alerts and help the enterprise learn what's going on.

Dan's Take: Kick the Tires on Fortscale
I've spoken with Fortscale many times in the past, and have always come away knowing a bit more about finding and addressing security threats. I was impressed by the thought behind the product. While it appears pretty straightforward, implementing the technology clearly was exacting and difficult.

Don't take my word for it; I'd suggest seeing their demonstration to see how smart Fortscale's machine intelligence really is.