Normally, when an organization deploys a Data Security Platform with some sort of anomaly detection capability, usually backed by machine learning or artificial intelligence, it can leave the platform running for a few weeks to learn what normal behavior looks like. After this learning period, anything that deviates from that “normal” can be flagged as an anomaly and addressed accordingly.
Companies that have already deployed this kind of technology, however, are running into a bit of a problem – COVID19.
Lockdowns have forced companies, where possible, to operate with a remote workforce whilst the world tries to battle the spread of Coronavirus. This means that any behavioral baseline learned before the shutdown is completely useless. What would usually be considered abnormal behavior is now very much the new normal.
This radical shift in working habits has led to a large number of false positives being generated by anomaly detection. IT and security teams are being overwhelmed with alerts for anomalous user behavior on almost every action. Sifting through these alerts to determine what is really anomalous and what isn’t defeats the purpose of machine learning in the first place.
So, what’s the solution to this?
Unfortunately, I think the answer is time. We won’t know what the new normal looks like for some time, and once machine learning technologies have established what normal behavior looks like for remote workers, the shutdown could be lifted, and the process will have to be started all over again.
Organizations will likely need to set a new learning period for their anomaly detection solutions to give themselves a chance of reacting to real anomalies. Remote working might well become the new norm going forward, as organizations realize they can be productive without the costly overheads of an office. Whilst anomaly spotting catches up with the new world, IT teams will have to look for other ways to ensure data security in the meantime.
To do this, IT teams need to ensure they have a solution in place that can identify where sensitive data is located, who has access to it and what users are doing with it. Some “anomalies” in user behavior are single-point anomalies: they should always be investigated regardless of where and when they happened, and regardless of any learned baseline. For example, if a file containing sensitive data related to a compliance mandate is copied, you need to be able to find out who copied the file, whether their access levels are appropriate and whether this action has led to a potential data breach.
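The two ideas above (a behavioral baseline that needs a new learning period after the shift to remote work, and single-point rules that fire no matter what the baseline says) can be shown on constructed telemetry. This is an added illustration, not Lepide’s code or the logic of any real product; the event format, the `ALWAYS_ALERT` rule set and the day windows are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample telemetry: (day, user, location, action, touches_sensitive_data).
# Days 1-10 are office-based; from day 11 the whole workforce is remote.
EVENTS = (
    [(d, u, "office", "read", False) for d in range(1, 11) for u in ("alice", "bob")]
    + [(d, u, "home", "read", False) for d in range(11, 21) for u in ("alice", "bob")]
    + [(18, "bob", "home", "copy", True)]  # single-point anomaly: sensitive file copied
)

# Hypothetical single-point rules: these fire regardless of any learned baseline.
ALWAYS_ALERT = {("copy", True)}

def is_rule_hit(event):
    _day, _user, _loc, action, sensitive = event
    return (action, sensitive) in ALWAYS_ALERT

def learn_baseline(events, start, end):
    """Per-user set of 'normal' locations seen on days start..end. Events already caught
    by a single-point rule are excluded so re-learning does not bake an incident into 'normal'."""
    baseline = defaultdict(set)
    for ev in events:
        day, user, loc, _action, _sens = ev
        if start <= day <= end and not is_rule_hit(ev):
            baseline[user].add(loc)
    return baseline

def score(events, baseline, start, end):
    """Split events on days start..end into (behavioral_alerts, rule_alerts)."""
    behavioral, rule = [], []
    for ev in events:
        day, user, loc, _action, _sens = ev
        if not start <= day <= end:
            continue
        if is_rule_hit(ev):
            rule.append(ev)
        if loc not in baseline.get(user, set()):  # location never seen in baseline
            behavioral.append(ev)
    return behavioral, rule

def compare_baselines():
    """Score days 16-20 with the stale office baseline and with a reset one."""
    stale = learn_baseline(EVENTS, 1, 10)   # learned before the shift to remote work
    fresh = learn_baseline(EVENTS, 11, 15)  # new learning period after the shift
    b_stale, r_stale = score(EVENTS, stale, 16, 20)
    b_fresh, r_fresh = score(EVENTS, fresh, 16, 20)
    return {"stale_behavioral": len(b_stale), "stale_rule": len(r_stale),
            "fresh_behavioral": len(b_fresh), "fresh_rule": len(r_fresh)}
```

With the stale baseline every remote event is a behavioral alert (11 in the window), while the reset baseline produces none; the sensitive-file copy is caught by the single-point rule in both cases.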
Most data security platforms will enable you to identify and classify your most sensitive data to ensure that you know where to focus your security strategies. They will also enable you to see who has access to this data and how those access rights were applied, to help you spot users with excessive permissions. Real-time alerts and pre-defined reports can be set up for a wide range of potential threats, including ransomware, insider threats and privilege abuse. You just have to make sure you have the right Data Security Platform to fit your requirements.
In summary, don’t turn off your anomaly detection, but you might want to reset the learning period. You’ve got to let it adjust to the new norm. In the meantime, ensure you’ve got the basics of data-centric security right to protect yourself against threats both internal and external.
If you would like to see how Lepide are helping organizations during the COVID19 pandemic, schedule a demo with one of our experts.