Fourth Factor (De-)Authentication
Tue, 2007-01-16 20:40

We all know that there are three basic ways to authenticate somebody: something you know, something you have, and something you are. I’ve wondered recently though where habits and behavior fit in. For example, I’m writing this post from India. I don’t usually go to India and I’ve just used my credit card here a few times. Sure enough my card got red flagged and not long after blocked. The card company got “concerned” when they saw charges from somewhere new; somewhere outside of my typical charging radius. This happened to me a couple of times in Europe but a quick call, a mother’s maiden name, a birthdate, a social security number, and a DNA sample later and the card was back in action.
 
This “behavioral” monitoring wasn’t an authentication mechanism so much as a “de-authentication” trigger. That out-of-the-ordinary behavior sparked suspicion despite all standard authentication mechanisms being in place (meaning that the clerks in India processed my card in the standard way). This profiling/“look for weird stuff” philosophy has been used in Intrusion Detection Systems (IDS) forever but is now moving to watching employees on their desktops in hopes of preempting insider attacks. It’s even being used as a method for authentication, as one company (http://www.biopassword.com) has a tool to observe the cadence with which a password is typed to guard against the inevitable employee with a bad memory and an inviting yellow sticky-note pad.
 
Measuring behavior “post authentication” brings a whole new dimension to trust but verify. It basically makes the statement “We trust that this person is who they say they are because they just *proved* it…but we’ll keep checking to see what they do just in case.” It can automatically tune security controls. Right now, if you’re making a bigger-than-normal transfer on many banking sites they may ask you for some additional information like your mother’s maiden name. What if this was taken a step further? If my browsing behavior on a site was “different” in some meaningful way, maybe a series of safeguards kicks in even if the transaction that I made was “normal.”
 
Initially it seems shocking and intolerable from a privacy perspective that sites would keep track of enough historical information to realize what “abnormal” is, but most web sites do this already; except the data is used for marketing. Amazon.com always tweaks their landing page based on personal browsing history (either that or books on Reverse Engineering are truly more popular than the works of Dr. Phil) and we accept that this data is aggregated. If that behavioral data is lying around anyway – be it in user profiles, logs, server access records, whatever – it seems like a natural (and, if done right, user-transparent) fit to throttle security controls up when risk is afoot.
 
Like anything else though there can be false positives and hiccups – like having to switch to cash in India till I could get to Skype to call my credit card company. Still, I’m glad I’m not funding somebody else’s shopping spree.
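To make the “throttle controls up when risk is afoot” idea concrete, here is a small added example (my own illustration, not code from the original post) that scores a new card charge against a cardholder’s history and maps the score to allow / step-up / block. The charge history, the thresholds and the sensitivity knob are all constructed assumptions; the knob is there to show the false-positive versus false-negative trade-off.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample history for one cardholder: (country, amount).
HISTORY = [("US", 42.10), ("US", 18.50), ("US", 120.00), ("US", 35.75),
           ("US", 60.00), ("FR", 80.00), ("US", 22.30), ("US", 95.00)]


def build_profile(history):
    """Summarise past behaviour: where the card is usually used and how much is spent."""
    amounts = [amount for _, amount in history]
    return {
        "countries": Counter(country for country, _ in history),
        "total": len(history),
        "mean": mean(amounts),
        "stdev": pstdev(amounts) or 1.0,  # avoid division by zero on a flat history
    }


def risk_score(profile, country, amount):
    """Score one new charge; higher means further from this cardholder's normal."""
    score = 0.0
    seen = profile["countries"].get(country, 0)
    if seen == 0:
        score += 3.0  # never charged from here before (the India case above)
    elif seen / profile["total"] < 0.2:
        score += 1.0  # rare but known location (an occasional trip to France)
    z = (amount - profile["mean"]) / profile["stdev"]
    if z > 2.0:
        score += 2.0  # bigger-than-normal transaction
    elif z > 1.0:
        score += 1.0
    return score


def decide(score, sensitivity=1.0):
    """Map a score to a control. Lowering sensitivity cuts false positives
    at the cost of more false negatives (the trade-off an IPS vendor lives with)."""
    scaled = score * sensitivity
    if scaled >= 4.0:
        return "block"
    if scaled >= 2.0:
        return "step_up"  # ask for a second factor before honouring the charge
    return "allow"
```

In this toy profile an ordinary charge at home is allowed, a modest charge from a never-seen country triggers a step-up rather than a hard block, and only a never-seen country combined with an unusually large amount blocks outright.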

Reader Feedback
Wed, 2007-08-22 14:49
It does exist
By Ghostcom

I've seen an article about some small university spin-off from Sweden that does this. They talk about creating an ongoing authentication of end users. Very interesting stuff.

Thu, 2007-01-18 07:37
Yes, it's Intrusion
By Anonymous

Yes, it's Intrusion Detection, but it must be "embedded" (at design time) in applications, with appropriate corrective actions. I don't see why critical applications like ERPs don't have something like this...

Alfredo
areino.com

Thu, 2007-01-18 07:38
Feed
By Anonymous

By the way, Hugh, the RSS feed in your blog seems to be broken.

Wed, 2007-01-17 16:07
Behavioral-based Auth/De-Auth
By Anonymous

I believe there is some potential for access to high-risk category information. I had worked for a few years for a behavioral-based IPS developer and I can tell you this is very tricky business. It no doubt works best when there is more control over the variables that impact this problem. For example, we had spent an enormous amount of effort on time-based variables associated with an application-layer protocol. Unfortunately, when dealing with small delays, Internet network latency became a significant factor that was not observed in our test bed. Sometimes even the application layer creates the problem along with the network. Take Citrix for example: the delays associated with this protocol, in addition to the network, cause errors, backspaces, rekeying, etc. that could appear as someone with a different behavioral profile (e.g., can make an efficient hacker who usually makes few mistakes in manipulating a protocol look like a real noob). So in order to cut down on the false positives (for an IPS these are show stoppers), we made the system less sensitive, thus increasing the likelihood of false negatives - you know the game. Saying that, I do believe there are some variables that could be used for this fourth factor.

Wed, 2007-01-17 15:00
It's called intrusion detection
By Anonymous

Sure nobody does it in their applications, but it's not exactly a new concept.
