Book Review: Borderless Behavior Analytics

With the death of traditional security architectures, what new cyberstrategies can protect global enterprises moving forward? This book offers an impressive lineup of global CIO and CISO luminary experts who provide thoughtful answers and insightful perspectives on the coming era of user and entity behavior analytics (UEBA) and identity analytics (IdA).

July 23, 2017

As we head toward 2020, our cyberdefenses must evolve rapidly to keep up with the growing breadth and depth of online threats. Even as exciting digital advances are announced daily in virtually every global industry from travel to finance to health care to government, new data breaches often undermine our technical progress and business efficiencies.

How did we get here? What security buzzwords, architectures, technologies, processes and frameworks were widely used over the past decade — and why are they failing now?

Most important, what are leading enterprises doing in 2017 to counter these trends and prepare for the future? What trends in security, architectures and buzzwords are emerging? Where are we going and how can data analytics help solve our pressing security concerns?

These are just some of the topics covered in this outstanding 2017 book, Borderless Behavior Analytics.

Ms. Saryu Nayyar, the CEO of Gurucul Predictive Security Analytics, is the primary author. However, the list of contributing experts who write a chapter is truly a “who’s who” of leading technology and cybersecurity industry names.

Contributing authors include: 

  • Jerry Archer — CEO of a major financial services company, with 30 years of security experience at leading companies and government agencies including Intuit, Visa and the CIA.
  • Gary Eppinger — Global VP, CISO, for Carnival Corporation, ranked 24th in the ExecRank’s “Top Security Executives.”
  • Gary Harbison — CISO at Monsanto, has over 19 years of experience in information security, including multiple Fortune 500 companies and the U.S. Department of Defense.
  • Leslie K. Lambert — Former CISO for Juniper Networks and Sun Microsystems, has 30 years' experience in IS, intrusion detection, threat assessments and mitigation.
  • Robert Rodriguez — Chairman, Founder of the Security Innovation Network (SINET) — advancing public and private innovations in cybersecurity.
  • Joe Sullivan — Chief Security Officer (CSO), Uber; Past CISO of Facebook, a member of President Obama’s Commission on Enhancing National Cybersecurity.
  • Teri Takai — CIO at large, she has served as the CIO and EVP of Meridian Health Plan, CIO for the Department of Defense (DoD), as well as CIO for the states of California and Michigan.

Jim Routh, CSO of Aetna, offers a compelling foreword that strongly endorses the book’s content. He closes with these words, “This book is a collection of thought-provoking content from industry luminaries presenting practical guidance based on expertise essential to the impact of models on identity and risk-based security maturity, for enterprises large and small moving at customer speed. Welcome the future of cyber security coming soon to an enterprise near you.”

Book Overview & Key Topics Covered

This book covers a lot of ground in a short amount of time. I really like the flow, examples, case studies, and diversity of backgrounds and viewpoints offered by the executive writers. At the same time, Ms. Saryu Nayyar brings the writing together in a cohesive manner that reads well.

Here are the chapter titles:

  1. Impact of Cloud and Mobility for Identity
  2. The Compromise and Misuse of Identity
  3. Insider Threats, Account Compromise and Data Exfiltration
  4. Identity, Access Risks and Access Outliers
  5. We Need a New Approach — Key Drivers
  6. Discovering the Unknown: Big Data and Machine Learning
  7. Cloud and Mobility: Unknowns for Identity Risks and Misuse
  8. Requirements for Borderless Behavior Analytics
  9. Predictive Security Analytics Use Cases
  10. Afterword — The Borderless Road Ahead

At first glance at this table of contents, one might think that this book offers a solid reference for your bookshelf on the topics listed, which is somewhat true. However, I found great benefit in reading the book from cover to cover — mainly to gain the unique perspectives and case studies from the diverse set of luminary experts.

Stated another way, all of the chapters cover the need for better use of big data to find the data needles in the haystack, while the examples and words used by different experts vary to some extent. For example, Teri Takai brings an amazing amount of government expertise from the Department of Defense (DoD), two very different state government enterprises (California and Michigan) as well as Ford Motor Company. Her insights are very different from Joe Sullivan's and Leslie Lambert's, both of whom come from different professional backgrounds.

Regardless of your current industry, I found the depth and breadth of the examples offered to be refreshing and thought-provoking for CIOs, CISOs and other technical leaders. Other books and white papers on similar topics are either too high-level or too vendor-specific to provide the needed guidance for security and technology executives moving forward.

A Deeper Look at the First Two Chapters

Chapter one of the book explores the impact of cloud and mobility on identity. The history of various industry drivers, technologies, job titles and approaches is examined, along with the trends that led to data being dispersed outside organization firewalls — leaving no single security control point for data anymore.

Enterprise risk terminology is explained, such as “dwell time,” the average time between infection and detection. Nayyar also explains the importance of new approaches: “The era of user and entity behavior analytics (UEBA) and identity analytics (IdA) security solutions had arrived, and none too soon.”

As in each of the following chapters, an expert perspective is offered by a leading CISO or CIO. Gary Eppinger explains how data access is changing with examples from Carnival Corp. He describes symptoms that reveal security defenses are a problem today, discusses business vulnerabilities in today’s changing environments, describes security driving business value, shows how insider threats lead to data breaches, describes growing concerns about privilege misuse and compromise and gives examples of how systems around the world affect hybrid environment security.

As with other experts, Eppinger focuses on key identity solutions needed in our constantly changing security environments. “If you don’t know who your users, your employees and your customers are, then you have no chance of ensuring you’re giving the right access at the right time.”

The answer: Utilize new UEBA and IdA solutions to analyze the staggering scale of big data. He describes how identity management can no longer live in silos if it is to be effective, and how machine learning adoption can lower false positives. “We’re improving on filtering the false positives as we get deeper context from our peer group baselines and mining the big data more effectively.”

To address a balance between people, process and technology risks in the enterprise, Carnival has adopted a holistic approach to centralized identity that uses machine learning to examine big data trends and minimize alerts.

Chapter two looks at the compromise and misuse of identity. The chapter describes terms in detail, such as identity consisting of users, their accounts, access entitlements, and activity on-premises and in the cloud. Some quotes that I really like include: “Identity is the easiest doorway into your network … the quickest pathway to the enterprise’s kingdom of value assets.”

Jerry Archer describes why some current security approaches are failing and the vulnerabilities in status quo security. “A number of organizations are moving to a solution which is not searching for predefined specifics, but looking for actors doing something nefarious.” Also, “There will be seismic shifts in security, away from the perimeter-based models.”

Jerry describes security measures against insider threats and the factors influencing UEBA adoption as a security supplement. He describes the need to focus on outbound traffic as much as on inbound data in motion. He also observes that 60 percent of cyberthreats are at the endpoint, and that manual solutions will no longer be effective moving forward. The problems with excess access, access outliers, and orphan or dormant accounts must be addressed for enterprises to have any hope of cyberdefense success.
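The two ideas the chapters above keep returning to are peer-group baselines (Eppinger's point that context from a user's peers filters false positives) and the identity hygiene problems Archer lists (access outliers, orphan and dormant accounts). The Python below is an added illustration of both, written for this review; it is not code from the book or from Gurucul's product. The accounts, departments, entitlements, login dates and the 50 percent / 90-day thresholds are constructed for the example, and the "as of" date is simply the review's publication date.

```python
"""Toy identity analytics: peer-group baselines for access outliers, plus
dormant and orphan account checks. All data below is constructed."""
from collections import defaultdict
from datetime import date

# Constructed sample of identity records (hypothetical users and entitlements).
ACCOUNTS = [
    {"user": "alice", "dept": "finance", "status": "active",
     "entitlements": {"erp_read", "erp_post"}, "last_login": date(2017, 7, 20)},
    {"user": "bob", "dept": "finance", "status": "active",
     "entitlements": {"erp_read", "erp_post"}, "last_login": date(2017, 7, 21)},
    {"user": "carol", "dept": "finance", "status": "active",
     "entitlements": {"erp_read", "erp_post", "prod_db_admin"}, "last_login": date(2017, 7, 22)},
    {"user": "dave", "dept": "finance", "status": "active",
     "entitlements": {"erp_read"}, "last_login": date(2017, 3, 1)},
    {"user": "erin", "dept": "it", "status": "active",
     "entitlements": {"prod_db_admin", "vpn"}, "last_login": date(2017, 7, 22)},
    {"user": "frank", "dept": "it", "status": "active",
     "entitlements": {"prod_db_admin", "vpn"}, "last_login": date(2017, 7, 19)},
    {"user": "grace", "dept": "it", "status": "terminated",
     "entitlements": {"prod_db_admin", "vpn"}, "last_login": date(2017, 5, 2)},
    {"user": "svc_backup", "dept": "it", "status": "active",
     "entitlements": {"vpn"}, "last_login": None},  # service account, never logged in
]
AS_OF = date(2017, 7, 23)  # constructed "today" for the dormancy check


def peer_group_baselines(accounts):
    """For each department, the fraction of members holding each entitlement."""
    members = defaultdict(int)
    holders = defaultdict(lambda: defaultdict(int))
    for a in accounts:
        members[a["dept"]] += 1
        for ent in a["entitlements"]:
            holders[a["dept"]][ent] += 1
    return {dept: {ent: n / members[dept] for ent, n in ents.items()}
            for dept, ents in holders.items()}


def access_outliers(accounts, min_peer_share=0.5):
    """Flag entitlements held by fewer than min_peer_share of the user's peers.
    Returns (user, entitlement, peer share) tuples."""
    baselines = peer_group_baselines(accounts)
    flagged = []
    for a in accounts:
        for ent in sorted(a["entitlements"]):
            share = baselines[a["dept"]][ent]
            if share < min_peer_share:
                flagged.append((a["user"], ent, round(share, 2)))
    return flagged


def naive_sensitive_alerts(accounts, sensitive=("prod_db_admin",)):
    """Signature-style rule with no peer context: alert on every holder of a
    sensitive entitlement. Used here only to show the false-positive difference."""
    return [(a["user"], ent) for a in accounts
            for ent in sorted(a["entitlements"]) if ent in sensitive]


def dormant_accounts(accounts, as_of=AS_OF, max_idle_days=90):
    """Accounts that never logged in or have been idle longer than max_idle_days."""
    return [a["user"] for a in accounts
            if a["last_login"] is None or (as_of - a["last_login"]).days > max_idle_days]


def orphan_accounts(accounts):
    """Accounts whose owner is no longer active but that still hold entitlements."""
    return [a["user"] for a in accounts
            if a["status"] != "active" and a["entitlements"]]


if __name__ == "__main__":
    print("naive alerts:   ", naive_sensitive_alerts(ACCOUNTS))   # every DBA holder
    print("access outliers:", access_outliers(ACCOUNTS))          # only the finance DBA
    print("dormant:        ", dormant_accounts(ACCOUNTS))
    print("orphans:        ", orphan_accounts(ACCOUNTS))
```

The naive rule raises four alerts for the database-admin entitlement, three of them for IT staff whose peers all hold the same right; the peer-group baseline raises one, for the finance user who is alone in her department with that access. The dormancy and orphan checks pick up the idle finance account, the service account that has never logged in, and the terminated IT user whose entitlements were never revoked.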

My Favorite Quotes from the Book

Besides the quotes already offered from the first two chapters, here are my favorite quotes from the book:

Joe Sullivan (from chapter 3):

“Most of the existing security defenses have been built for a model of an enterprise technology architecture that no longer exists.”

“The more of this qualified anomaly identification that can be performed with technology, and the less the security analysts have to surface for manual review, the better.”

“If you have a technology that sees what all twenty analysts would have seen, and it’s ingesting data from many more different angles and perspectives, then everyone on the team is working at a much higher level of performance.”

Teri Takai (from chapter 4):

“It’s quickly reaching the point … where it’s impossible for organizations to keep up with the threat vector.”

“The only realistic approach now is to move into a machine learning environment where the comprehensive visibility, monitoring and analytics can be set up based on the behaviors observed and reliable effective alerts can be provided.”

“Security leaders must now assume that external actors are in their infrastructure. This urgently reinforces their prime mandate: protect your data.”

“Before, they had to identify, and manage the red and the green — the bad and the good activities. Now they must also manage and monitor the massive amount of gray — the unknown unknowns — in their environments.”

Robert D. Rodriguez (from chapter 5):

“We’ve moved from finding the needle in the haystack, to finding the needle in the haystack of needles ...”

“People are jumping the perimeter all the time. Most are good people, with legitimate behavior — but not all — and that’s where the danger lies.”

“Sometimes, just to establish identity becomes tricky because there are so many handoffs, so many proxies, so much masking, and all the required procedures to make sure you are able to have the right attribution.”

Leslie K. Lambert (from chapter 6):

“Because this data was underutilized, the victim company left itself wide open to several types of compromises.”

“What makes it difficult to detect insider threats like this one is context, or more accurately, the lack of it.”

“Without machine learning, normal patterns of discovery and response cycles for this type of attack would be in the range between months and years.”

Gary Harbison (from chapter 7):

“Security teams often find themselves duplicating and rebuilding controls several times based upon what IaaS/PaaS environment they’re migrating to.”

“Context and scale are other critical factors in assessing BYOD security policy. It’s not one size fits all.” [Note: Meaning that the sales team is different from product development or research team ...]

“UEBA provides analysts with the deep data insights they’re not getting today, yet which allows them to drive additional value from their existing data sources.”

Wrap-up

I highly recommend that CxOs, security architects and other technology and security professionals read this book. I am going so far as to say this is a MUST READ for understanding the next generation of security solutions — especially related to the area of identity.

Why? The definitions, perspectives and unique industry experience poured into this book provide a great resource. I also think undergraduate and graduate cybersecurity programs around the country should consider this book as a textbook and/or reference for a variety of topics related to security, technology and business leadership academic disciplines.

I thoroughly enjoyed reading this book. I also learned quite a bit, but it does take concentration and focus. It is not a quick or "light" read, although you can break it up and read the chapters one at a time over several weeks, which is what I did.

Finally, there are many one-page data breach examples with lessons learned. All of these positive aspects make Borderless Behavior Analytics an outstanding book for technology and security professionals, and a resource that I recommend without hesitation.