We recently told you about the analytical tools implemented in Defensys SENSE.
Some of them are programmatic experts – algorhytms that use statistical analysis and machine learning methods to detect anomalies and threats in users and endpoints behaviors.
Today we’re going to continue the overview of Defensys SENSE capabilities and will take a look at behavioral models that are the basis of programmatic experts. In this article we’ll tell you in details about the processes of additional learning and relearning of behavioral models and how they can help to get rid of false positives and false negatives increasing the effectiveness of working with the detected anomalies.
Behavioral models and its learning
Behavioral models work is established on the processes of the knowledge extraction and updating related to the observation entities. This data is being processed from the event logs and this process is built on the complex mathematical models and calculations.
This helps to build observation entity profile and to detect the deviation in its behavior.
Picture 1– The process of the system’s initial learning
Among the programmatic experts there are behavioral models that use retro data for the observation entity profile building.
The process itself of building such a profile is call Learning. At the same time actions that are not usual for the object’s built profile will be considered as abnormal and leverage the object’s rating.
Picture 2 – Object’s rating and anomalies
The initial learning of programmatic experts should last not less than 2 weeks. But we strictly recommend to keep this process for not less than 1 month, this helps experts to receive the data related to observation objects that is enogh for the profile building.
Observation objects/entities
There are such objects like users, accounts and hosts available in Defensys SENSE for the analysis.
The data related to users and accounts comes from the MS AD or from the similar systems and the hosts data is being collected from the information systems logs and from SIEM systems in particular.
Picture 3 – Observation entites
Besides for the building of the most precise behavioral profile of the analyzed object its very crucial to conduct additional learning and relearning (retraining). This helps to provide the expert with the up-to-date information about the actions made by this object.
Additional training
“Incomplete data” error
While the behavioral models routine it usually comes an “incomplete data” error.
This can occur when the object’s details haven’t been updated on time.
For example the user worked with the Windows workstation for a long time but for a week he’s already using Ubuntu and in particular uses bash instead of powershell.
In this case the use of the previously trained model while analyzing the bash execution by the user will create anomalies each time which are the false positives actually.
If to keep it as is and to work with the outdated data the bash using will be always the anomaly for this particular user and as a result analysts will receive a lot of false postitves notifications before the next iteration of the full training of the System.
Solution
We can avoid this error with the process of additional training of the programmatic experts deployed in Defensys SENSE.
Additional training is the enrichment of the existing data with the new information about the observation entity. The example is the update of the user’s working schedule.
Picture 4 -The additional training process in Defensys SENSE
The programmatic expert receives the new data related to observation objects and complements the existing profiles during the additional training process. This enables the System to timely update the knowledge of the current objects state and to reduce the number of errors.
The Defensys SENSE user can customize the additional training frequency. We strictly recommend to do the additional training daily. Because if the user switched the software and started using bash the Defensys SENSE will notify the analyst about the abnormal object’s behavior while a new utility is launched.
The next day when the programmatic experts retraining has been already done the system already knows that this particular user uses bash, its usage becomes the legitimate for the System. And the object’s severity score wouldn’t increase respectively.
This way Defensys SENSE helps SOC analysts not to waste additional resources for the research of events which are not abnormal due to the System’s independent work with these “incomplete data” errors.
Retraining
“ Outdated data” error
The “outdated data” error is typical for objects which details for some reasons are not relevant for the behavioral profile.
For example the lab engineer changed his role for the Development Unit Manager that of course leverages his access rights to the business systems. The behavioral model with the basic data doesn’t know this that is why if this person used privilege commands on dev servers that is abnormal for the manager so the System wouldn’t create an anomaly of this case and this is a false negative error.
If to keep these things as is there comes the risk of privileges accumulation effect.
This means that using such an account somebody can do the illegal actions: for example a new account can be created and added to the admins group, a new software can be installed etc. At the same time the behavioral model will consider these activities as normal.
Solution via retraining
Retraining of the behavioral models is the process of repeated training with the removal of the old data and its exchange with the new one. For example the update of data related to the access rights change. This feature in Defensys SENSE enables the System to timely detect illegal activity.
Picture 5 – The retraining process in Defensys SENSE
During the retraining process the expert builds objects profiles from the beginning using the latest data so the outdated data will no more play role in profile building.
The user can customize the retraining frequency with his needs. We strictly recommend to do the retraining once in 3-6 months so the outdated data wouldn’t be normal for the System.
This way after the user’s new role data update and his rights change in Defensys SENSE all the privileged activity of the user on servers will be considered by the System as abnormal.
As a result the programmatic expert will not take into account the outdated information while analyzing data and will mark suspicious activity as anomalies.
Summarizing all that was said above we’d like to note that the data update process automation helps to significantly reduce the number of false positives and respectively reduce the analysts load enabling them to concentrate on real threats.
We would be glad to give you details on the Defensys SENSE features and capabilities during online demos and answer all your questions. Please use this application form for such needs.