ABCs of UEBA: I is for Insider Threat

Insider threat detection is one of the top use cases for User and Entity Behavior Analytics (UEBA). The only way to detect malicious insiders is by monitoring their behavior – to notice when it becomes anomalous. The old adage rings true here: you can steal an identity, but you can’t steal behavior. Behavior is the “tell”.

The Three Types of Insider Threats

An insider threat is a malicious threat to an organization that comes from within: employees, former employees, business associates, or contractors. These individuals have inside information concerning the organization’s security practices, infrastructure and data. There are three types of insider threats: user error, malicious insider, and compromised account.

User error is common. According to the 2019 Verizon Data Breach Investigations Report (DBIR), Errors were causal events in 21% of breaches. Someone clicks on a phishing link in an email and their account gets compromised. Someone posts an internal confidential file on a public website. A laptop is left at an airport. Yes, these are human errors, and they are considered insider threats because insider data is exposed – if unintentionally.

The malicious insider is as bad as it sounds. It’s been documented extensively that people leave companies and try to take company intellectual property with them. People are bribed, have pressure put on their families, or realize they can monetize internal data or intellectual property. Employees also get disgruntled and want to hurt the company because they feel the company hasn’t treated them well. There are many different reasons why someone originally hired as a good employee could ultimately become a risk to the company. Verizon DBIR reports that 15% of breaches were Misuse by authorized users: privilege abuse, data mishandling, unapproved workarounds, knowledge abuse, and email misuse.

A compromised account is considered an insider threat because the account in question is an internal corporate account. Yes, it’s a compromised account, but it’s still a valid user account in terms of granting access to applications and data. The difference with a compromised account is that the hacker has no knowledge of the network, so the behavior will be very telling. A hacker with compromised credentials will demonstrate abnormal behavior for that user since he will need to traverse the network looking for company data and IP. An insider already knows where the data resides.

How UEBA Predicts, Detects and Stops Insider Threats

A mature UEBA solution provides models with predictive intent to identify malicious insider activity. Such a tool detects compromised-account scenarios such as brute-force attacks, suspicious password resets, account sharing, and account usage from an unusual device or location. In the case of a malicious insider, it detects unusual behavior such as “wandering” (network or file crawling), where the insider tries to access many resources on the way to the organization’s crown jewels (IP, sensitive information, customer data, etc.). Models also detect unauthorized access to sensitive PII/PCI data and unusual or excessive data downloads, as well as exfiltration attempts through print, email, cloud storage or USB devices. Risk scores and weights are defined at the model level and can be tuned to the organization’s risk exposure and priorities.

The real value in a UEBA solution is its ability to detect not only known threats but unknown threats based on user and entity behavior. UEBA implements innovative data processing and machine learning-based analytics techniques oriented towards unearthing threats that bypass traditional detection and prevention systems. Machine learning algorithms allow for automatic and scalable ways in which insights are obtained from large multi-dimensional data. UEBA leverages various models using supervised, unsupervised, and semi-supervised algorithms. It also uses advanced techniques like deep-learning and text mining to perform sentiment analysis in order to detect insider threats.

As part of modeling, the analytics engine creates a baseline behavior profile for every identity (user and entity) defined in the system and then runs in prediction mode to detect any deviation from that identity’s own baseline or from its peer-group baseline. Outlier detection, combined with contextual information such as threat intelligence feeds and alerts generated by external systems, produces an overall risk-prioritized score for every identity, which can be used to investigate the incident further.
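As an added illustration of the baselining and model-level weighting described in the two preceding paragraphs (this is constructed example code, not Gurucul’s product logic), the script below builds a per-user baseline and a peer-group baseline from a week of constructed daily activity counts, scores the eighth day as a z-score deviation against the larger of the two baselines, turns each model’s deviation into a 0..1 score, combines the models with assumed weights into a single 0..100 identity risk, and adds a fixed boost when external context (a threat intelligence hit or an alert from another system) names the identity. The feature names, weights, caps, sample users and numbers are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Each model watches one daily feature; the names are assumptions for this example.
FEATURES = ("files_accessed", "distinct_hosts", "mb_uploaded")

# Constructed telemetry: (user, peer_group, day, files_accessed, distinct_hosts, mb_uploaded).
# Days 1-7 form the baseline window; day 8 is the day being scored.
BASELINE_DAYS = range(1, 8)
SCORED_DAY = 8

DAILY = []
for d in BASELINE_DAYS:
    DAILY.append(("alice", "finance", d, 40 + d % 3, 2 + d % 2, 5 + d % 2))
    DAILY.append(("bob",   "finance", d, 35 + d % 4, 2 + d % 2, 4 + d % 3))
    DAILY.append(("carol", "finance", d, 45 + d % 2, 3 + d % 2, 6 + d % 2))
DAILY += [
    ("alice", "finance", SCORED_DAY, 41, 2, 5),      # ordinary day
    ("bob",   "finance", SCORED_DAY, 380, 27, 4),    # crawling many files and hosts
    ("carol", "finance", SCORED_DAY, 46, 3, 800),    # unusually large cloud upload
]

# Model-level weights and caps: the tunables the text describes (assumed values).
MODEL_WEIGHTS = {"files_accessed": 0.3, "distinct_hosts": 0.3, "mb_uploaded": 0.4}
Z_CAP = 6.0            # z-score at which one model's score saturates at 1.0
MIN_SIGMA = 1.0        # floor on the standard deviation so a flat baseline cannot divide by zero
CONTEXT_BOOST = 20.0   # added when external context (TI feed, other system) flags the identity


def baselines(rows):
    """Return (per_user, per_group) dicts mapping key -> feature -> (mean, std)."""
    by_user = defaultdict(lambda: defaultdict(list))
    by_group = defaultdict(lambda: defaultdict(list))
    for user, group, day, *vals in rows:
        if day not in BASELINE_DAYS:
            continue
        for feature, value in zip(FEATURES, vals):
            by_user[user][feature].append(value)
            by_group[group][feature].append(value)

    def summarize(table):
        return {key: {f: (mean(vs), max(pstdev(vs), MIN_SIGMA)) for f, vs in feats.items()}
                for key, feats in table.items()}

    return summarize(by_user), summarize(by_group)


def model_scores(row, per_user, per_group):
    """Score each feature 0..1 by its deviation above the user's own or the peer-group baseline."""
    user, group, _day, *vals = row
    scores = {}
    for feature, value in zip(FEATURES, vals):
        self_mean, self_std = per_user[user][feature]
        peer_mean, peer_std = per_group[group][feature]
        z_self = (value - self_mean) / self_std
        z_peer = (value - peer_mean) / peer_std
        z = max(z_self, z_peer, 0.0)       # only activity in excess of a baseline is risk
        scores[feature] = min(z / Z_CAP, 1.0)
    return scores


def identity_risk(row, per_user, per_group, ti_hits=frozenset()):
    """Weighted sum of model scores on a 0..100 scale, boosted by external context."""
    scores = model_scores(row, per_user, per_group)
    risk = 100.0 * sum(MODEL_WEIGHTS[f] * s for f, s in scores.items())
    if row[0] in ti_hits:
        risk = min(100.0, risk + CONTEXT_BOOST)
    return round(risk, 1)


def score_day(rows, day, ti_hits=frozenset()):
    """Rank every identity seen on `day` by unified risk, highest first."""
    per_user, per_group = baselines(rows)
    ranked = [(r[0], identity_risk(r, per_user, per_group, ti_hits)) for r in rows if r[2] == day]
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for user, risk in score_day(DAILY, SCORED_DAY):
        print(f"{user:6s} risk={risk}")
```

Two details carry the point of the paragraphs above: carol’s file count is normal against her own history but slightly high against her peers, so the peer-group comparison contributes where the self-baseline does not, and the final ranking is driven by which model fired, not by raw counts, because each model saturates at `Z_CAP` and is then weighted.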

What to Look for in a UEBA Solution

Not all UEBA solutions are created equal. Here’s what you should look for in a UEBA solution to ensure you can successfully predict, detect and stop insider threats.

  • An Experienced Vendor with Proven Success: You want to make sure you are working with a vendor partner who has proven success implementing UEBA. Your vendor should provide you with reference customers who are in a similar vertical industry and have similar use cases as your organization.
  • Advanced Machine Learning Models: With insider threats in particular, you need to utilize advanced machine learning models that are predictive in nature. If the data has already left the organization, you’re too late. You need to find a vendor with a large library of machine learning models optimized for predicting and detecting insider threats. Ask about the models used – are they supervised, unsupervised, a mix of both? Find out how many are in production.
  • Open Analytics: This is a key differentiator. If the vendor has “black box” analytics, walk away. With black box analytics, results have to be taken on faith since nobody knows how the answers are obtained, or if the results are valid. You want a vendor who can show you exactly how their machine learning models work. You need to be able to customize the vendor models or create your own.
  • Open Choice of Big Data: UEBA solutions sit on top of big data. You want to be able to leverage your existing data lake, if you have one. And if you don’t, you should be given a data lake for free. You don’t want to have to buy a heavily customized data lake for use with just your UEBA solution. You want a vendor who gives you open choice of big data.
  • Extensive Out-of-the-Box Connectors/Integrations: One of the most important criteria in monitoring user and entity behavior is to ingest as many data feeds as possible. The more context you can provide, the better the results. You need to be able to take unlimited data feeds from structured and unstructured security sources – SIEMs, firewalls, Identity and access management systems, NetFlow and more. You also need to garner context from your business applications – like SAP, EPIC, Salesforce or even your own proprietary applications on virtually any platform. Your UEBA vendor should be able to ingest transaction logs from most of your applications out-of-the-box and offer a capability to quickly create a connector to new applications.
  • Risk Prioritized Intelligence: It’s absolutely critical that your UEBA vendor provide risk prioritized intelligence in the form of a single unified risk score for every user and entity in your organization. Your disparate applications may perform analytics on their siloed data, but all that gives you is a distorted and incomplete view of risk. Your PAM solution may say user Monroe is a high risk user. Your IGA product rates him as medium risk. And, your SIEM sees him as low risk. Which platform are you going to believe? Your UEBA solution must aggregate all those disparate data feeds to give you a holistic view of that user (or entity) across all your applications and systems. Why is that important? It’s important because you can focus on the highest risk areas in your organization. This enables you to automatically orchestrate downstream actions and apply automated risk-based controls.
  • Next Generation Threat Intelligence: Threat hunting involves searching for key indicators to find threats in specific datasets and is heavily dependent on people and processes. You need to be able to investigate incidents quickly with contextual search using big data to mine linked users, accounts, entitlements, structured and unstructured data, along with risk score and peer group analytics. From a single console, you can use any query you like to investigate incidents and correlate data across channels. Unlike traditional threat hunting tools and SIEMs, contextual search uses artificial intelligence capabilities to uncover all behavior patterns and data relationships that map to the search profile. It conducts natural language searches across any combination of structured and unstructured data to provide a 360 degree view of user and entity behaviors based on HR/profile attributes, events, accounts, access permissions, devices, cases/tickets and anomalies.
  • Ability to Incorporate Comprehensive Identity Analytics Capabilities: A mature UEBA vendor will offer Identity Analytics tightly integrated with UEBA. Identity Analytics provides in-depth intelligence about a user’s identity attributes and the privileges he has on the network. This involves analyzing the access rights and entitlements a person has; the activities he has been performing across multiple accounts, both now and in the past; and the typical activities that members of his peer groups are doing. It takes a combination of the right data sources, sophisticated machine learning and perceptive data science to pinpoint truly aberrant actions that are good indicators of misuse of assigned privileges.
  • Quick Time to Value: Look for a UEBA vendor that offers a results-oriented Proof of Concept (POC) process. Within five days, you should be able to find true positive anomalies within your production environment in a contained POC.

Insider Threat Detection Done Right with Gurucul UEBA

Gurucul provides risk-based behavior analytics delivering actionable intelligence for security teams with low false positives. Gurucul leads the market in demonstrating UEBA results where others cannot. We consume the most data sources out-of-the-box and leverage the largest machine learning library. Additionally, we deliver a single unified prioritized risk score per user and entity. Gurucul’s unique Self-Audit capabilities empower users to proactively monitor and report any suspicious access, fraud and activity on their own accounts. With Gurucul you can find threats – unknown unknowns – quickly with no manual threat hunting and no configuration. Get immediate results without writing queries, rules or signatures.

Gurucul created the UEBA market in 2010, well before Gartner coined the term “User and Entity Behavior Analytics”. Learn more about how the Gurucul UEBA solution helps detect insider threats by downloading the whitepaper, Uncover Insider Threats Through Predictive Security Analytics. Then request a demo to see for yourself why Gurucul is considered a leader in insider threat detection.
