So what exactly is intelligent security?

In my early engineering career (which feels like it was like yesterday), I had a very candid approach to software. Every piece of code that was shipped to production was meant to help people’s businesses, if not lives, and it felt really good to think of it this way. Sat opposite me, my former colleague was somewhat more pessimistic - he had a few more years of experience. In our frequent discussions, the subject of security came up. We exchanged our opinions, and after a few minutes he paused and then dropped a poignant thought: “If you think about it, all systems are secure until they’ve been proven not to be.”

This really stuck in my mind.

He continued with: “We often picture security breaches like in the movies, where the hacker nerd types frantically type on the keyboard, in front of a green and black screen, ominously displaying ENTER PASSWORD. However, it’s actually way easier to hack. Even if your system is proofed, you can hack people and pretend to be their superiors in order to perform a costly money transaction”

Even if this scenario feels exaggerated, Cyber-crime is not so far from reality: data leaks, Distributed Denial of Service (DDoS) attacks, Cybersecurity Vulnerabilities Exploits (CVE) or just plain old identity-theft are pretty common in the tech sphere nowadays. It seems like having ever stronger and longer passwords is not sufficient enough anymore to protect your security and privacy.

So, how can we prevent our users from falling foul of these security attacks when using our platforms ?

Common authentication and authorization approaches

OAuth2 and OpenID are the leading standards in terms of Authentication and Authorization today, with grant flows providing one-time authorization code. They do this by removing the responsibility of managing login from the application, and hands it over to an identity provider (e.g. Google). This is useful as any changes to how authentication and authorization flows do not need to be handled by the application itself. You can find out more about how OAuth2 and OpenID work here. However, it’s not just about securing access to an application or a website, we also want to think about securing the connection between machines. This is good practice when adopting the ‘trust nothing’ approach. This is commonly achieved using mTLS to ensure mutual authentication between the server and the client by the way of certificates. My colleague Jeoffrey has written a great blog post on this.

So, is this enough to secure our end users and systems from attacks? Unfortunately, we have a little bit more work to do. Whilst we can never be 100% sure we’ve secured everything, there are additional steps we can take to protect our users even more. Let’s check those out.

Security Information and Event Management

Security Information and Event Management (SIEM) is a software system whose purpose is to provide a centralized, real-time analysis platform in order to both analyze and set up rule mechanisms to prevent threats. This can work in coordination with Multi-Factor Authentication (MFA). MFA is the use of different factors (think mobile phone, text messages, one-time passwords, etc.) to provide extra assurances that the individual logging in is who they say they are.

This can be done via multiple techniques:

• Data collection: this takes place prior to SIEM. If we don't have data to exploit, no analysis can be performed. This meets the "event management" part of our acronym
• Data retention: The further we can look into the past, the better. This can help to investigate additionally on a potential network breach or account theft.
• Alerting and Rules: Should your user’s accounts become compromised, your administrators are notified about it as it happens.

The types of intelligent and curated rules to implement may include:

• Raising an alert if the user is not using their usual devices
• Asking the user to confirm their identity via MFA if their most recent connections occur from two different locations in a short space of time
• Sending an email to the operation team if the IP of the user seems malicious

Setting up arbitrary rules can be an efficient way to protect your systems and end users. However, these rules are not learning, they do not follow trends, nor do they catch up with how the world works, -in fact they constantly need to be maintained.

On the other hand, attacks and threats are constantly evolving, making it challenging to catch them as time passes. This drives our need for more efficient and responsive methods. All is not lost, there are approaches that do allow us to have a more dynamic, learning system to protect our users and our systems.

User-Entity Behavior Analytics

Finally, let’s take a look at User-Entity Behavior Analytics (UEBA). We are often taught that we are special and unique, but in reality we all behave more or less the same way over time - at least when it comes to how we log in and use systems! That’s what User-Entity is all about.

UEBA, like SIEM, aims to prevent a potential threat entering a system by prompting Multi-Factor Authentication, and associated alerting. This is typically supported along with insightful dashboards to help drive the right decision. To be honest, the difference between these two approaches can be very subtle. What draws the line between them is that UEBA mixes a curated list of techniques such as statistical inference to advanced machine learning in order to be more efficient with low maintenance from a human perspective.

Based on information about end users on a platform, we can regroup and classify them into groups based on their behaviors. This means that whenever an un-classified new entity appears, we are able to study it and determine whether this entity is a threat or not.

This does not mean that we’ll behave the same way from seven to 77 years of age, so we’ll need to take into account how people change over time. This is exactly what Behavior-Analytics is all about:

• On a defined data set, we define what is the regular behavior in order to detect outliers
• We constantly refresh this behaviour model over time to update to what is the current trend

Conclusion

At Gravitee.io, we are continuously innovating to make your systems and users as safe and secure as possible when using APIs and other features, with UEBA and SIEM taking a key place.

Take a look at our recent 3.18 release on Risk-based MFA and Alerts. If you are interested in learning more, don’t hesitate to check out our community forum, or check out our update on this.