November 02, 2021
Make the Move to Behavior-Based Security Monitoring
These five steps can help you get a better understanding of how your IT systems are being attacked.
Every CISO understands the importance of deploying robust security monitoring technology. It’s hard to imagine a modern cybersecurity team that doesn’t already invest in monitoring suspicious activity across endpoints, applications and other critical points of control. However, many of these monitoring programs fail to incorporate behavior monitoring into their work, leaving a critical gap that might allow attackers to lurk undetected on their networks for an extended period.
I recently worked with an organization whose IT leaders suspected that it had been breached. They didn’t detect any signs of unusual activity via their malware detection systems, but their newly deployed extended detection and response (XDR) platform raised an alert for suspicious activity. It seemed that a user account was performing unusual administrative commands on the network that didn’t match normal patterns of behavior. Even more troubling was the fact that the same account began logging in to other systems on the corporate network and connecting to remote command and control networks.
We were witnessing the early stages of an attack. The attackers hadn’t yet installed ransomware or taken any of the other steps that they might use to achieve their ultimate goal. They were simply exploring the environment and trying to determine an exploitation plan. They couldn’t continue their attack until they understood the systems and networks they had compromised. Fortunately, the XDR system was able to detect this suspicious activity, enabling us to stop the attack before any damage could be done.
Organizations that want to upgrade their existing threat management capabilities to incorporate behavior-based monitoring should consider taking five steps toward a more robust monitoring program:
1. Use an Enhanced Endpoint Protection Suite
Simple signature-based anti-virus software cannot provide the detailed information needed to conduct behavior-based monitoring. Organizations should deploy an endpoint protection technology with modern capabilities that include memory protection, predictive machine learning, behavior analysis, a host-based firewall and, most important, an integrated XDR agent.
2. Deploy Email Protection Technology
Most attacks arrive via email, and a strong monitoring program must have insight into this activity. Email protection systems can not only block and quarantine suspicious messages but also track messages after the fact to determine the possible extent of an attack. In addition, email protection technology must be able to integrate with an organization’s XDR technology.
3. Incorporate Network Security Monitoring
Next-generation firewalls (NGFWs) protect the networks of most organizations today, but the information they provide is often underutilized or siloed. Organizations should integrate NGFW and other threat detection network sensors with their XDR technology to gain a more detailed picture of behavior-based security incidents.
4. Deploy a Centralized XDR Dashboard
Endpoint protection vendors offer integrated consoles that pull together information from diverse security data sources and provide correlated views for threat hunting teams. The XDR console must be able to compare observed system activity against known threat behaviors. Integrating the MITRE ATT&CK framework with your XDR technology is a great way to compare activity on an endpoint to known threat behaviors. This can identify the attack early in the attack cycle.
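The breach described in the opening paragraphs (an account running administrative commands it never ran before, logging in to hosts it never touched, then reaching an outside destination) and the ATT&CK mapping in step 4 rest on the same mechanism: learn what each account normally does, flag deviations from that baseline, and label each deviation with a known threat behavior so the analyst can see the pattern rather than isolated alerts. The following Python example is added here and is not code from the article or from CDW. The whitespace-separated event format, the account names, hosts and command tokens are all constructed for the example, and the choice of which ATT&CK technique tags each anomaly class is the example's own.

```python
"""Behavior-baseline detector over constructed endpoint/XDR-style events.

Learns per-account profiles (hosts, admin commands, network destinations)
from a training window, flags events outside the profile, tags each with an
ATT&CK technique, and escalates accounts whose anomalies span several classes
on the same day - the "exploring the environment" pattern described above.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Real MITRE ATT&CK technique IDs; the anomaly-class -> technique mapping is
# this example's own assumption, not something the article prescribes.
ATTACK_TAGS = {
    "unknown_account": "T1078 Valid Accounts",
    "unusual_admin_command": "T1059 Command and Scripting Interpreter",
    "unusual_host_login": "T1021 Remote Services",
    "unusual_external_destination": "T1071 Application Layer Protocol",
}

# Constructed telemetry: <day> <account> <host> <event> <detail>
# event is one of: login, admin_cmd, net_out
BASELINE_LOG = """\
1 jdoe WS-042 login interactive
1 jdoe WS-042 admin_cmd net_user_list
1 jdoe WS-042 net_out crm.example.internal
2 jdoe WS-042 login interactive
2 jdoe WS-042 admin_cmd net_user_list
2 jdoe WS-042 net_out crm.example.internal
3 jdoe WS-042 login interactive
3 jdoe WS-042 net_out mail.example.internal
1 svc_backup BKP-01 login service
1 svc_backup BKP-01 admin_cmd vssadmin_list
2 svc_backup BKP-01 login service
2 svc_backup BKP-01 admin_cmd vssadmin_list
"""

# Constructed day-4 events: jdoe deviates on every axis, svc_backup does not.
NEW_LOG = """\
4 jdoe WS-042 login interactive
4 jdoe WS-042 admin_cmd whoami_groups
4 jdoe WS-042 admin_cmd net_group_query
4 jdoe FS-07 login remote
4 jdoe DC-01 login remote
4 jdoe WS-042 net_out 198.51.100.23
4 svc_backup BKP-01 login service
4 svc_backup BKP-01 admin_cmd vssadmin_list
"""


@dataclass
class Event:
    day: int
    account: str
    host: str
    kind: str
    detail: str


@dataclass
class Profile:
    hosts: set = field(default_factory=set)
    admin_cmds: set = field(default_factory=set)
    destinations: set = field(default_factory=set)


def parse_events(text):
    """Parse the constructed five-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, account, host, kind, detail = line.split()
        events.append(Event(int(day), account, host, kind, detail))
    return events


def build_baseline(events):
    """Learn, per account, the hosts, admin commands and destinations seen in training."""
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e.account]
        if e.kind == "login":
            p.hosts.add(e.host)
        elif e.kind == "admin_cmd":
            p.admin_cmds.add(e.detail)
        elif e.kind == "net_out":
            p.destinations.add(e.detail)
    return profiles


def detect_anomalies(profiles, events):
    """Return one tagged anomaly per event that falls outside its account's profile."""
    anomalies = []
    for e in events:
        p = profiles.get(e.account)
        if p is None:
            cls = "unknown_account"
        elif e.kind == "login" and e.host not in p.hosts:
            cls = "unusual_host_login"
        elif e.kind == "admin_cmd" and e.detail not in p.admin_cmds:
            cls = "unusual_admin_command"
        elif e.kind == "net_out" and e.detail not in p.destinations:
            cls = "unusual_external_destination"
        else:
            continue  # within baseline: not an anomaly
        anomalies.append({"account": e.account, "day": e.day, "class": cls,
                          "technique": ATTACK_TAGS[cls],
                          "detail": f"{e.host} {e.kind} {e.detail}"})
    return anomalies


def score_accounts(anomalies, min_classes=2):
    """Escalate (account, day) pairs whose anomalies span >= min_classes classes.

    A single unfamiliar command is noise; new commands plus new hosts plus a
    new external destination on one day is the pre-ransomware reconnaissance
    pattern the article describes, so that correlation is what escalates.
    """
    by_key = defaultdict(set)
    for a in anomalies:
        by_key[(a["account"], a["day"])].add(a["class"])
    return [{"account": acct, "day": day, "classes": sorted(classes)}
            for (acct, day), classes in sorted(by_key.items())
            if len(classes) >= min_classes]


if __name__ == "__main__":
    profiles = build_baseline(parse_events(BASELINE_LOG))
    found = detect_anomalies(profiles, parse_events(NEW_LOG))
    for a in found:
        print(f"day {a['day']} {a['account']:<11} {a['technique']:<42} {a['detail']}")
    for esc in score_accounts(found):
        print("ESCALATE:", esc)
```

A production XDR baseline would be learned over weeks rather than three days and would weight anomalies by account privilege and asset criticality, but the structure is the same: the per-event tags are what a console shows against the ATT&CK matrix, and the cross-class correlation in `score_accounts` is what turns five low-severity alerts on one account into the single incident a response team should triage.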
5. Train the Response Team
Security responders need to understand the security technologies at their disposal and how they are deployed on their networks. To keep the team sharp, make sure that new members receive training during the onboarding process, mentoring on the job and recurring training at regular intervals to refresh them on technology changes.
This might sound like a lot of work, and it is. Running a behavior-based monitoring program requires an investment of both financial and human resources. Organizations that aren’t staffed to conduct this work themselves may wish to consider using an outsourced security operations center (SOC) provider that can triage events and hand off vetted security incidents to internal teams for further investigation.
Story by Steven Allison, an accomplished risk management and cybersecurity expert with over 30 years in cybersecurity and cyber warfare intelligence. He is currently an Executive Security Strategist at CDW, sharing his security expertise with clients from the largest enterprise organizations and serving all verticals. He is an experienced mentor in helping security leaders create and implement security and risk management programs on a global scale. Steven’s experience working in corporate enterprises, military cyber operations, sales, and with strategic partners gives him a unique business viewpoint. He holds professional certifications including CISSP, HCISPP, and dozens of industry certifications from top cybersecurity firms such as Symantec, Trend Micro, VMware, Cisco, EnCase, as well as certification in Certified Ethical Hacker & Countermeasures, Disaster Recovery, and Business Continuity. Steven is also a former professional musician. He mostly enjoys spending time with his family and working in his woodshop making one-of-a-kind art pieces.