Tactical Ten: Behavioural Analytics

What Is It? We’ve probably all been somewhere and seen something at one time that didn’t quite seem right or sit well with us. How many of us bothered to do something about it? Perhaps it was a suitcase left unattended at the airport. Maybe it was a car that sat on the side of the road for weeks and never moved. Maybe it was someone on the train that was acting very agitated. In many cases, people seem to fail to act and when something does happen, they seem to recall that very observation. Even some of the public transport organisations run campaigns to the effect of “If you see something, say something”. Behavioural Analytics, in this instance, take that to a technical degree.

Behavioural Analytics in an information assurance sense looks for anomalies in data that seem out of place when compared to “normal” transactions. Skilled attackers are incredibly knowledgeable about how to obfuscate their activity within the networks and applications that make up your business. These do not always have to be user activities; they can also be machine activities. People tend to be creatures of habit, so when something unusual happens (such as a random after-hours login by a person who never works late), it may be readily obvious. Machine behaviour may not be as obvious, and the unexpected behaviour may be much subtler. Behavioural Analytics watches for these subtle variations the human element often overlooks.

Ideally, the implementation of a Behavioural Analytics solution will understand what is and what is not expected, advising you and acting when the undesirable behaviour occurs. Whether user-initiated or machine-driven, acting upon these anomalies can provide a solid layer of defence and protect data without users ever being aware. I’d almost consider this lack of visibility of anomalies a leading reason why a compromise takes so long to be discovered; we simply don’t know what belongs and what does not.

Where Do I Start? Implementing a Behavioural Analytics solution can yield greater protection, but it must be done correctly or else it will simply generate more noise that will ultimately be ignored. It cannot be as simple as the Sesame Street song, “One of these things is not like the others”, nor is it like the “Spot the difference” puzzles in comic books. If I were to compare, imagine the Sesame Street version having a million things to pick from and the “spot the difference” version having one pixel that is the slightest colour gradient darker. Now you get the idea.

The point is that Behavioural Analytics is incredibly powerful, but very specific. It also needs a fair bit of horsepower to handle the flow of data, especially if used at a major ingress / egress point. Limiting its implementation via network segmentation may be more palatable: restrict it to the networks with the most at stake, such as your payroll systems or where your intellectual property is stored. The first place to start is identifying what data and systems are valuable and where they’re located. Start where you will realise the most value for your investment.

If you have the resources and the appetite to take on a Behavioural Analytics system, be sure to get the right people involved. Once you know what data you have and where it is, you should know how the applications and transactions behave “normally”. By normally, you also need to allow for variations beyond typical day-to-day use, such as daily backups, system updates, and new users. One of the biggest failings I have encountered with behavioural analytics is the large number of false-positives that can make you start jumping at shadows.

Some systems integrate Behavioural Analytics into their products, so you may already have the capability but may not be using it. If you have an accurate inventory of your systems in the various layers of security, it may be worthwhile to sniff them out. Next Generation Firewall and UTM appliances, Endpoint Protection suites, cloud-based filtering and threat analytics systems, and even Data Loss Prevention systems may have what you’re looking for. After all, if they already handle the traffic to and from the endpoints plus on the networks, they may already have the visibility. I’m a big advocate of using what you already have to its full potential and realising a good return on investment.

In some instances, you may decide that behavioural analytics is just the solution for you, but you may not have the budget, resources, or appetite to handle it yourself. In this case, look to Managed Security Services that often run some advanced Behavioural Analytics systems as part of their offerings. Just because you can’t afford to have your own doesn’t mean you can’t benefit from someone else’s! Whether in-house or outsourced, Behavioural Analytics is worth your consideration.

How Do I Make It Work? So now that you’ve figured out that Behavioural Analytics can help your organisation as part of your information assurance strategy, what you’re trying to protect, where you’re going to locate it, and what “normal” activity looks like, now what? It all looks good on paper, sounds great in theory, your management is on board, and you might even have some existing tools you can use. Now what?

If you’re implementing this as an in-house solution, be sure you have the right people involved (including vendors, integrators, and subject-matter experts) and set about designing, testing, implementing and (please don’t forget this part) documenting. I won’t go into details here, as I could write volumes, but be sure not to rush this project. If you can, I’d recommend letting your chosen solution run for a period to establish a baseline of what is “expected”. By the same token, be sure to pay attention to any anomalies detected during this run-up phase — you may even find you have an unknown compromise. You will probably even learn more about your daily operations than you thought. The more you know, the better off you are.
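As an added illustration of the run-up baseline described here and of the after-hours login example under “What Is It?” (this is not code from the article or from any product it mentions): a small Python sketch that learns each account’s usual login hours from a constructed run-up log, keeps a scheduled backup account’s nightly logins as “expected” because they appeared during the run-up, widens each learned hour by a tolerance to cut false positives, and flags what still deviates. The log format, account names and timestamps are made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login records for the run-up period (not from the article):
# "<ISO timestamp> <account>" per line, one line per successful login.
BASELINE_LOG = """\
2024-03-04T08:55:12 alice
2024-03-04T09:02:40 bob
2024-03-04T23:00:03 backup-svc
2024-03-05T08:47:31 alice
2024-03-05T09:10:05 bob
2024-03-05T23:00:02 backup-svc
"""

def parse(log):
    """Yield (account, datetime) pairs; malformed lines are skipped, not guessed."""
    for line in log.strip().splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[1], datetime.fromisoformat(parts[0])

def build_baseline(log):
    """Per-account set of login hours (0-23) seen during the run-up period.
    Scheduled jobs (here the nightly backup account) land in the baseline too,
    so their recurring after-hours logins count as expected, not anomalous."""
    hours = defaultdict(set)
    for account, ts in parse(log):
        hours[account].add(ts.hour)
    return dict(hours)

def score_login(baseline, account, ts, tolerance=1):
    """Return None when the login fits the baseline, else a short reason.
    `tolerance` widens each learned hour by +/- N hours to reduce noise."""
    seen = baseline.get(account)
    if seen is None:
        return "no baseline for account (new or never seen during run-up)"
    if any(abs(ts.hour - h) <= tolerance for h in seen):
        return None
    return f"login in hour {ts.hour:02d}, baseline hours {sorted(seen)}"

def detect(baseline, log):
    """Run the scorer over new log lines and return the anomalies found."""
    alerts = []
    for account, ts in parse(log):
        reason = score_login(baseline, account, ts)
        if reason:
            alerts.append((account, ts.isoformat(), reason))
    return alerts
```

A 02:14 login by a daytime-only account is reported, while the backup account’s 23:00 login is not; a brand-new account is reported only as “no baseline”, which is the cue to extend the run-up rather than to treat it as hostile.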

If you’ve decided to go with managed services for your Behavioural Analytics or use some sort of a cloud-based resource, be sure to configure anything locally as needed to capture and relay the correct data (and this traffic outside your network is encrypted, right?). The more complete the data, the more likely you will detect anomalies and be able to act accordingly. Managed Security Services, such as those I discussed in an earlier article, usually have a slick on-boarding process to meet your needs, so really, getting this up and running doesn’t have to be all-consuming. There are experts in the market incredibly skilled at what they do; take advantage of their knowledge and capabilities.

For what it’s worth, consider the Notifiable Data Breach (NDB) Scheme and General Data Protection Regulation (GDPR) requirements. You must be reasonably aware if a breach has occurred or is occurring, and behavioural analytics can get you on the front foot for this.

With a solid baseline, an implementation plan, and being satisfied that the solution will work for your business, roll it into production and let it do the heavy lifting. In the beginning, expect to see a lot of noise, even after testing, but this is all part of the fine-tuning process. Even after a mechanic sets up a race car perfectly in the shop, it takes a few laps around the track to get it dialled in. Be patient.

With any kind of management and monitoring solution, be sure to have an SLA for escalation of issues when they come to your attention and have a plan to handle them. Gaining visibility of anomalies via behavioural analytics is only beneficial if you do something with the information. As with anything else that is event- and incident-based, a plan to respond is key. For bonus points, put the plan to the test now and then to make sure it works in anger.

Pitfalls? Behavioural Analytics may be a bit of a witch hunt if not socialised correctly. We’d all agree that your users shouldn’t be doing anything unacceptable and really, if you have a solid acceptable use policy and are supported by management, it may be a non-issue. The fact is that people are jumpy if they think they are being watched, so don’t use this strategy (or any other for that matter) to micro-manage your users. Behavioural Analytics should be used to protect the business from risk rather than to manage what users are doing. Users may not need to know every detail, but they do have to be aware that, as a business network, the business has the right to manage it in line with enterprise needs first.

You also don’t want to focus strictly on user behaviour. Computers do silly things now and then, so a machine that is acting up unbeknownst to its user can be detected and save everyone a lot of headaches. We may be lulled into a false sense that when our computers go wonky they will let us know. Hardly; by the time the user finds out, it’s often too late. Imagine being able to stop a compromise that’s running quietly in the background while the user works away none the wiser.

Ghosts in the Machine? Getting the right balance of what is considered an anomaly and what is not can be a battle in the beginning, but that can escalate into all-out configuration fine-tuning war if you’re in a very dynamic environment. For example, in a development environment, what constitutes “normal” is a lot different than payroll where the same event occurs at the same time, by the same users, on the same day using the same applications. Be sure to allow for this when doing your initial discovery and design work.

Anything Missing? We’ve looked at user and machine behaviour, using on-premises or cloud-based services, and even considered using Managed Security Services. Regardless of the solution you choose, consider reporting as a key component. Having reliable information based on your own Behavioural Analytics can be a valuable resource for planning and budgeting going forward. Perhaps there are other elements of your security to be addressed, maybe a modification to the machines, and perhaps even user education. Consider all angles.

Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock.

Translated from: https://medium.com/swlh/tactical-ten-behavioural-analytics-75c2dd7351e0
