Seasonality factors need to be considered while attempting to detect behavior anomalies of users and hosts in a network. But before we make a case for that, let's first try and understand what seasonality is by looking at a few examples from daily life:
Seasonality in product sales: Numerous products such as chocolates, summer clothes, workout gear, and Halloween costumes belong to seasonal markets. The demand for these products typically peaks for a few days or months and then tapers off. Depending upon the market, the sales that can be attributed to seasonality can vary. For instance, the sales of winter clothes during the winter months may actually eclipse the sales during the rest of the year.
Seasonality in water consumption: This is an easy example to understand: People usually consume a lot more water during the summer months.
Seasonality in the stock market: Historically, stocks have underperformed between the months of May and October but have done well from November to April. There is a popular saying that goes, "Sell in May and go away."
Is there an example of seasonality when it comes to an organization's computer network? Yes, there is.
In an organization's network, users and hosts may exhibit seasonal behavior such as:
A database server that's heavily queried on Monday every week.
A user who works on alternate Saturdays.
A user who accesses a particular file server only once a month, particularly on the last working day of the month.
The three examples above involve relatively rare occurrences that are seasonal in nature, but they're not anomalies.
An anomaly, by definition, is something that deviates from what's expected. These three activities (and others like them), though rare, aren't anomalies because they become accepted as normal after they occur a few times. They're normal activities that follow a seasonal trend.
It's important for organizations to detect anomalies that happen in the network to ward off potential cyberattacks. To do this, organizations typically use a security analytics solution or a SIEM solution that has anomaly detection capabilities fueled by machine learning algorithms. This solution creates a baseline of expected behavior for every user and host in the network. If a user's or host's observed behavior deviates beyond a learned threshold, it's flagged as an anomaly and the risk score is raised accordingly.
The machine learning algorithms used to detect anomalies must be able to account for seasonality. They should understand seasonal effects on the behavior of users and hosts and be able to identify a particular activity as non-anomalous even if it's rare. After accounting for seasonality, no red flags should be identified and risk scores should not be raised. So, what if the activity occurs outside of this seasonal window? That would be an anomaly, as the use case below illustrates.
Your bank operates on the first and third Saturday of every month. On the second Saturday of the month, your security analytics platform notices an employee logging in to the network. A lesser-trained system would accept this; after all, the employee was online the previous Saturday, so why not today? But yours is well-trained to spot seasonal anomalies just like this. It knows the difference between the various Saturdays of a month. An alarm goes off, and the risk score of the employee increases.
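The bank scenario above can be reduced to a choice of baseline key: a naive baseline keys on the weekday alone, while a seasonal baseline keys on the weekday and on which occurrence of that weekday it is within the month. The following is an added illustration, not code from the blog or from any vendor's product; the six months of login history it learns from are constructed for the example.

```python
from collections import Counter
from datetime import date, timedelta


def first_and_third_saturdays(year, months):
    """Constructed login history: an employee who logs in on the first and
    third Saturday of each listed month (assumption for this example)."""
    history = []
    for month in months:
        d = date(year, month, 1)
        saturdays = []
        while d.month == month:
            if d.weekday() == 5:  # Monday=0 ... Saturday=5
                saturdays.append(d)
            d += timedelta(days=1)
        history += [saturdays[0], saturdays[2]]
    return history


LOGIN_HISTORY = first_and_third_saturdays(2021, range(1, 7))  # Jan to Jun 2021


def weekday_key(d):
    # Naive baseline: only the day of the week matters.
    return d.weekday()


def seasonal_key(d):
    # Seasonal baseline: the weekday AND its ordinal within the month
    # (days 1-7 -> 1st occurrence, 8-14 -> 2nd, 15-21 -> 3rd, ...).
    return (d.weekday(), (d.day - 1) // 7 + 1)


def build_baseline(events, key, min_count=2):
    # An activity pattern is accepted as normal once its key has been seen
    # at least min_count times, mirroring "rare but repeated becomes normal".
    counts = Counter(key(d) for d in events)
    return {k for k, n in counts.items() if n >= min_count}


NAIVE_BASELINE = build_baseline(LOGIN_HISTORY, weekday_key)
SEASONAL_BASELINE = build_baseline(LOGIN_HISTORY, seasonal_key)


def assess(d):
    """Return whether a login on date d is anomalous under each baseline."""
    return {"naive": weekday_key(d) not in NAIVE_BASELINE,
            "seasonal": seasonal_key(d) not in SEASONAL_BASELINE}
```

A login on 3 July 2021 (first Saturday) is normal under both baselines, while 10 July 2021 (second Saturday) is accepted by the naive baseline but flagged by the seasonal one.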
Seasonality factors are critical for calculating the real risk posed by users and hosts in your network. Without considering seasonality, you risk both blind spots and false negatives. The anomaly detection engine within your SIEM solution should make use of this capability to show you a more accurate picture of what's taking place.
To learn the nuances of seasonality in anomaly detection, including the way it works and how it improves your risk scoring accuracy, read this blog.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.