With new security threats emerging daily, it’s incredibly difficult to stop hackers and malware from evading your defenses and infiltrating your network. Most of the malware detected during the first quarter of this year (74 percent) was zero-day and therefore capable of slipping past cybersecurity solutions that rely on known signatures, according to a report from WatchGuard’s Threat Lab.
Because an advanced threat is so likely to make it past preventive controls, high-level detection and response solutions and services have become essential for businesses that want to spot the signs of a breach as quickly as possible and stop malicious actors and programs before they have the chance to cause extensive damage.
Creating, sharing, uploading or downloading documents
Accessing and exporting information stored in the cloud
Utilizing collaboration solutions for messaging and sending attachments
By monitoring IoBs, security professionals can learn what’s typical for users and then recognize anomalous behavior, as well as identify sequences of IoBs that can indicate criminal behavior, the Forcepoint article explains.
For instance, if an employee tries to exfiltrate proprietary data, the organization’s security team might be able to catch them in the act after piecing together IoBs like copying information from a sensitive application, copying that information to a USB drive, and attempting to upload a large amount of data to a personal cloud service.
How Do Indicators of Behavior Differ From Indicators of Compromise?
IoCs consist of data that signals potential infiltration, according to Fortinet. Some examples include the following:
Atypical outbound network traffic
Multiple failed login attempts or login attempts from users who don’t exist
Unusual HTML response sizes
Numerous requests for one file
Database read volume spikes
While IoCs are forensic artifacts that document a single action that has already happened, IoBs provide far more context about user, device and account behavior, according to the Forcepoint article “Shifting Gears from IOCs to IOBs.”
By monitoring users’ typical behavior, security teams can also assign each user an overall risk score, which lets the team anticipate malicious activity before it does damage. They can also permit activity that might look risky in isolation but that context shows is necessary for a particular user.
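As an added example (not code from the article or from Forcepoint), here is a small Python detector that pieces together the three-step exfiltration sequence described earlier and applies the contextual risk scoring just discussed over constructed events; the IoB names, weights, one-hour window and per-user baseline are all assumptions made for illustration.

```python
"""Correlate Indicators of Behavior (IoBs) per user into a risk score.
Added example; event format, IoB names, weights, window and baseline are
constructed for illustration, not taken from any vendor product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event log: (ISO timestamp, user, IoB), as it might look after
# DLP, endpoint and cloud-access telemetry has been normalised.
EVENTS = [
    ("2024-05-01T09:02:00", "alice", "copy_from_sensitive_app"),
    ("2024-05-01T09:05:00", "alice", "usb_write"),
    ("2024-05-01T09:20:00", "alice", "large_personal_cloud_upload"),
    ("2024-05-01T10:00:00", "bob", "large_personal_cloud_upload"),
    ("2024-05-01T11:00:00", "carol", "usb_write"),
    ("2024-05-03T11:00:00", "carol", "large_personal_cloud_upload"),
]
# Constructed weights: no single IoB is conclusive, the combination is.
WEIGHTS = {"copy_from_sensitive_app": 2, "usb_write": 2,
           "large_personal_cloud_upload": 3}
EXFIL_SEQUENCE = set(WEIGHTS)  # the three-step pattern described in the text
CHAIN_BONUS = 3                # added when the whole sequence falls in one window
WINDOW = timedelta(hours=1)
# Constructed baseline: behaviour known to be normal for a given user, so it
# is not scored even though it would look risky in isolation.
BASELINE = {"bob": {"large_personal_cloud_upload"}}

def risk_scores(events, window=WINDOW):
    """Return {user: score}; every user seen in `events` gets an entry."""
    per_user = defaultdict(list)
    for ts, user, iob in events:
        evs = per_user[user]  # create the entry even if all events are baseline
        if iob not in BASELINE.get(user, set()):
            evs.append((datetime.fromisoformat(ts), iob))
    scores = {}
    for user, evs in per_user.items():
        evs.sort()
        score = sum(WEIGHTS[iob] for _, iob in evs)
        # Chain check: does a window starting at any one event hold all steps?
        for i, (t0, _) in enumerate(evs):
            seen = {iob for t, iob in evs[i:] if t - t0 <= window}
            if EXFIL_SEQUENCE <= seen:
                score += CHAIN_BONUS
                break
        scores[user] = score
    return scores

def flagged(scores, threshold=8):
    """Users whose accumulated IoB score warrants analyst review."""
    return sorted(u for u, s in scores.items() if s >= threshold)
```

With the sample events, alice’s three steps inside one hour earn the chain bonus, carol’s two steps two days apart do not, and bob’s upload is dropped as baseline behaviour for him.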