Cybersecurity pros should switch from Indicators of Compromise to Indicators of Behavior

Security experts suggest using IOBs to move from reacting to a cyberattack to preventing the incident.

istock-1265582618.jpg

Image: Getty Images/iStockPhoto

More about cybersecurity

Most cybersecurity professionals have been trained to use Indicators of Compromise (IOC) when reacting to a cyberattack, and they are not happy about the after-the-fact nature of this approach. The switch to a work-from-home model is another significant limitation cybersecurity pros are battling. It removes the well-defined perimeter that they were used to.

SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)

“We believe users are the new perimeter, not the network; and the data gravity has shifted from company-operated centralized data centers to SaaS applications and cloud workloads, and this poses new challenges, especially in terms of connectivity and data protection,” said Nicolas Fischbach, global CTO and vice president of SASE Engineering at Forcepoint, in Shifting Gears from IOCs to IOBs.

What are Indicators of Behavior?

Fischbach and Alan Ross, chief architect at Forcepoint’s X-Labs, champion a different solution: Indicators of Behavior (IOB). “IOBs are behaviors that are monitored to understand risk within an organization,” Ross said in his article Indicators of Behavior (IOBs)–With 2020 Vision. “Any time a document is created, saved, changed, mailed, shared, uploaded, downloaded, or deleted, those actions are analyzed as a series to determine context and intent.”

SEE: Security chaos engineering helps you find weak links in your cyber defenses before attackers do (TechRepublic)

IOBs are unexpected and unauthorized modifications to the normal operating baseline. Some examples might be:

  • Creating or modifying scheduled tasks
  • Installing new applications or services
  • Creating new user accounts
  • Sending email and attachments to a personal domain
  • Creating new compute instances
  • Accessing stored information
  • Running queries and exporting the results

Ross said the use of collaboration tools and website activities such as messaging, sending attachments, uploading information, or leveraging new tools or sites should be considered IOBs.

What’s the difference between IOCs and IOBs? 

It may appear there is very little difference between the two, but it is an important difference. Ross said IOBs are more than activity monitoring, adding the industry needs to truly understand every part of the sequence. For example, rather than just knowing data is being stolen, Ross wants to know the individual steps that make the theft possible by dividing the process into IOBs.

SEE: Don’t make these cyber resiliency mistakes (TechRepublic)

Examining the IOBs increases understanding of what risks are being taken. “There are hundreds of Indicators of Behavior that we can observe and collect,” Ross said. “Once we collect the IOBs, we can put them together to spell out specific behaviors, personas, and business outcomes that may manifest from these behaviors.”

One positive outcome of using IOBs, Ross said, is the ability to predict what will happen if an organization makes a security process change (for example, disabling USB for external storage devices).

Some examples of what he would consider IOBs:

  • Users create an email forwarding address to a Slack channel.
  • Users change from the corporate network to phone hotspot and back again. 
  • Users upload code into a Git repository or an unknown domain.
  • Users download information to a removable storage device. 
  • Users install a personal cloud application on their laptops. 

The ability to modify behaviors

This approach allows asset protection by taking actions depending on the risk level and context of the user’s situation. “We can warn the user and allow them to stop or proceed, and, if need be, we can take action to protect the data, block activities, or even disable access for the user’s account and device,” Ross said. 

SEE: How to show an ROI on cybersecurity spends (TechRepublic)

“Leveraging IOBs to formulate behavioral detections will drastically reduce the amount of noise and false positives that an organization needs to chase down,” he said. “We are very aware of analyst ‘alert fatigue’ and believe there is a much better way to collect and present the most relevant information to the end user.”

Why use IOBs?

The advantage of using IOBs is understanding users’ history and behavior, which allows a judgment on whether the behavior should be allowed to continue or be altered. 

An example might be that of a salesperson giving a presentation at an important conference. The organizer needs a copy of the presentation. The salesperson saves the presentation to a flash drive and provides the drive to the organizer. Knowing this behavior is likely to happen for this particular user avoids an alert for using flash drives and allows the salesperson to fulfill an obligation. Ross concluded: “IOBs present the best opportunity to provide adaptive trust by stopping the bad and allowing the good.”

Also see