With new security threats emerging daily, it’s incredibly difficult to stop hackers and malware from evading your defenses and infiltrating your network. Most (74 percent) of the malware detected during the first quarter of this year was zero-day and subsequently capable of slipping past cybersecurity solutions that rely on known signatures, according to a report from WatchGuard’s Threat Lab.
Due to the high probability of an advanced threat making it past defensive measures, high-level detection and response solutions and services have become essential for businesses looking to spot the signs of a breach as quickly as possible and stop malicious actors and programs before they have the chance to cause extensive damage.
Historically, security professionals have searched for Indicators of Compromise (IoCs), which are clues that signal an ongoing or upcoming cyberattack, according to Fortinet. However, some in the cybersecurity solutions space have advocated for switching to Indicators of Behavior (IoBs) to better combat threats in a world of widespread remote work, according to the TechRepublic article “Cybersecurity pros should switch from Indicators of Compromise to Indicators of Behavior.”
If you’re a business leader curious about IoBs, how they compare to IoCs and whether they should be part of your cybersecurity strategy, here’s some essential information to consider.
What Are Indicators of Behavior?
IoBs are end user behaviors security teams keep track of to assess the organization’s risk level, according to the Forcepoint article “Indicators of Behavior (IOBs) – With 2020 Vision.” Here are just a few examples:
- Sending email attachments
- Creating, sharing, uploading or downloading documents
- Accessing and exporting information stored in the cloud
- Utilizing collaboration solutions for messaging and sending attachments
By monitoring IoBs, security professionals can learn what’s typical for users and subsequently recognize anomalous behavior as well as identify sequences of IoBs that can indicate criminal behavior, the Forcepoint article explains.
For instance, if an employee tries to exfiltrate proprietary data, the organization’s security team might be able to catch them in the act after piecing together IoBs like copying information from a sensitive application, uploading info to a USB, and attempting to upload a large amount of data to a personal cloud solution.
How Do Indicators of Behavior Differ From Indicators of Compromise?
IoCs consist of data that signals potential infiltration, according to Fortinet. Some examples include the following:
- Atypical outbound network traffic
- Multiple failed login attempts or login attempts from users who don’t exist
- Unusual HTML response sizes
- Numerous requests for one file
- Database read volume spikes
While IoCs serve as documentation artifacts related to one action that’s already happened, IoBs provide a lot more context about user, device and account behavior, according to the Forcepoint article “Shifting Gears from IOCs to IOBs.”
By monitoring users’ typical behavior, security teams can also give them an overall risk score and enable them to proactively predict malicious activity. They can also allow activity that might seem risky in isolation but that they know is necessary with context for a particular user.
Ultimately, with new threats emerging every day and ransomware hitting businesses of all sizes, it’s crucial to invest in advanced cybersecurity solutions and services like extended detection and response (XDR), zero-trust network with secure access service edge (SASE), Security Operations Center as a Service (SOCaaS), and incident response services.
Read more at: https://www.stratospherenetworks.com/blog/what-are-indicators-of-behavior-how-iobs-can-help-you-combat-cybersecurity-threats/
Contributed blog courtesy of Stratosphere Networks and authored by Kevin Rubin, president and CIO, Stratosphere Networks. Read more contributed content from Stratosphere Networks here.