Big data has become the golden goose for businesses, so it's no surprise that data theft is surging. In its latest Breach Level Index, SafeNet found that nearly 200 million data records were stolen in Q1 2014, a 233% increase over the year prior.

Businesses traditionally zero in on the point of compromise – malware detection – to curb these breaches, but doing so is an uphill battle given that an average of 82,000 new malware threats are created per day. Even the best malware detection technology is incapable of keeping up. Yet hackers typically use malware only at the beginning of an attack, as the gateway for stealing login credentials; from then on they move within the business' IT environment as an apparently legitimate user, undetected, while they access precious data.

Rather than exhausting their resources to detect malware, which typically doesn't hang around for longer than an hour after activation, security teams should balance their efforts by monitoring for and detecting suspicious user behavior to identify compromised credentials before greater damage can be done.

SIEM limitations

The challenge is that existing security information and event management (SIEM) systems are poorly equipped to quantify threats or identify patterns of anomalous activity: an attacker logging in with valid but stolen credentials looks like the legitimate user and triggers no signature-based detection alert.

It's quickly become a serious problem, as stolen credentials accounted for 76% of network intrusions in 2013 – more than twice as many as in 2012. The rapid evolution of malware, and the acute focus on its detection as a security strategy, is leaving businesses more vulnerable to stolen user credentials. Of course, malware isn't the only way hackers steal credentials.

Social engineering tactics, such as email phishing, pretexting and diversions, are also on the rise and have proven to be just as successful in gaining access to IT environments.

To improve security operations efficiency and better identify compromised users, businesses can do the following.

  1. Track your users. See how and when they access the business' IT assets on a regular basis: which systems, from which locations, at what times of day. This also includes vendors and other partners that have access to the IT environment.
  2. Establish a baseline. Once normal behavior has been determined for each user, baseline this activity so that suspicious behavior can be measured against it.
  3. Detect anomalies. Record every event that deviates from the established baseline.
  4. Quantify the anomalies. Not all anomalies are created equal. Sometimes a user needs to access the network at night to grab a file, or log in from their hotel on the road. Measuring how far the suspicious activity deviates from the norm, and in how many dimensions at once (time, location, asset accessed), is crucial to separating valid from invalid behavior.
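As an added example (not code from the original article), the following Python sketch walks through all four steps over a handful of constructed login events: it builds a per-user baseline of usual hours, source countries and assets, scores each new event by how far it deviates in each dimension, and turns the score into a triage decision. The sample events, the weights and the thresholds are assumptions chosen for illustration; a real deployment would train on weeks of logs and tune them.

```python
"""Baseline user access behaviour and score deviations (illustrative example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample history (not real logs): (user, ISO-8601 timestamp, source country, asset).
# A production baseline would be built from weeks of authentication logs, not seven lines.
HISTORY = [
    ("alice", "2014-03-03T08:55:00", "US", "fileserver"),
    ("alice", "2014-03-03T13:10:00", "US", "crm"),
    ("alice", "2014-03-04T09:05:00", "US", "fileserver"),
    ("alice", "2014-03-05T17:40:00", "US", "crm"),
    ("alice", "2014-03-06T08:50:00", "US", "fileserver"),
    ("vendor-acme", "2014-03-03T10:00:00", "DE", "billing-api"),  # a partner account
    ("vendor-acme", "2014-03-05T11:30:00", "DE", "billing-api"),
]

# Assumed weights: a new source country is a stronger signal than an odd hour.
WEIGHT_HOUR, WEIGHT_COUNTRY, WEIGHT_ASSET = 1.0, 2.0, 1.5
UNKNOWN_USER_SCORE = 5.0


def build_baselines(events):
    """Steps 1-2: per-user sets of hours, countries and assets seen in the training window."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "assets": set()})
    for user, ts, country, asset in events:
        base[user]["hours"].add(datetime.fromisoformat(ts).hour)
        base[user]["countries"].add(country)
        base[user]["assets"].add(asset)
    return base


def hour_distance(hour, known_hours):
    """Circular distance in hours (0-12) from `hour` to the nearest hour in the baseline."""
    return min(min(abs(hour - h), 24 - abs(hour - h)) for h in known_hours)


def score_event(baselines, event):
    """Steps 3-4: return (score, reasons). Score 0.0 means the event fits the baseline exactly."""
    user, ts, country, asset = event
    if user not in baselines:
        return UNKNOWN_USER_SCORE, ["no baseline for this account"]
    b = baselines[user]
    score, reasons = 0.0, []
    dist = hour_distance(datetime.fromisoformat(ts).hour, b["hours"])
    if dist > 0:
        # Off-hours access is scaled by how far it is from anything seen before, capped at 6h,
        # so a 22:00 login for a user who often works until 17:40 is only a mild deviation.
        score += WEIGHT_HOUR * min(dist, 6) / 6
        reasons.append(f"off-hours ({dist}h from nearest usual hour)")
    if country not in b["countries"]:
        score += WEIGHT_COUNTRY
        reasons.append(f"new source country {country}")
    if asset not in b["assets"]:
        score += WEIGHT_ASSET
        reasons.append(f"first access to asset {asset}")
    return score, reasons


def classify(score):
    """Assumed thresholds: one mild deviation is normal, a stack of them is an alert."""
    if score < 1.0:
        return "normal"
    if score < 3.0:
        return "review"
    return "alert"


def triage(baselines, events):
    """Score and classify a batch of new events; returns one dict per event."""
    out = []
    for ev in events:
        score, reasons = score_event(baselines, ev)
        out.append({"user": ev[0], "time": ev[1], "score": round(score, 2),
                    "verdict": classify(score), "reasons": reasons})
    return out


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    # Constructed new events: a late-night file grab, a hotel login abroad, lateral movement
    # by a vendor account, and a credential-theft pattern (3 AM, new country, new asset).
    new_events = [
        ("alice", "2014-03-10T22:00:00", "US", "fileserver"),
        ("alice", "2014-03-11T22:30:00", "GB", "crm"),
        ("vendor-acme", "2014-03-11T10:15:00", "DE", "fileserver"),
        ("alice", "2014-03-12T03:00:00", "RU", "billing-api"),
    ]
    for row in triage(baselines, new_events):
        print(f"{row['verdict']:6} {row['score']:>5} {row['user']:12} {row['time']}  {row['reasons']}")
```

The point of the score is step 4: the night-time file grab and the hotel login abroad both deviate, but only in one or two dimensions, so they land in "normal" or "review", while an event that is simultaneously off-hours, from a never-seen country and against a never-touched asset accumulates enough weight to alert. The vendor account is baselined separately, so its first access to the file server is flagged even though that asset is routine for staff.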

IT teams need to build their security posture around fighting against attacker tactics, not weapons. The weapons are changing every day, and the time to compromise is becoming shorter. What hasn't changed are the tactics of stealing user credentials to access the IT network. Businesses can improve security intelligence by developing a system to monitor for suspicious user behavior, enabling them to react more quickly and stop a data breach before it's too late.