Insider threat detection is one of the top use cases for User and Entity Behavior Analytics (UEBA). An insider uses legitimate credentials and authorized access, so signatures and perimeter controls have little to work with; the practical way to detect one is to monitor behavior and notice when it becomes anomalous. The old adage rings true here: you can steal an identity, but you can’t steal behavior. Behavior is the “tell”.
An insider threat is a threat to an organization that comes from within: employees, former employees, business associates, or contractors. These individuals have inside knowledge of the organization’s security practices, infrastructure and data. There are three types of insider threat: user error, malicious insider, and compromised account.
User error is common. According to the 2019 Verizon Data Breach Investigations Report (DBIR), errors were causal events in 21% of breaches. Someone clicks a phishing link in an email and their account gets compromised. Someone posts an internal confidential file on a public website. A laptop is left at an airport. These are human errors, and they count as insider threats because internal data is exposed, even if unintentionally.
The malicious insider is as bad as it sounds. It has been documented extensively that people leave companies and try to take company intellectual property with them. People are bribed, have pressure put on their families, or realize they can monetize internal data or intellectual property. Employees also become disgruntled and want to hurt the company because they feel it has treated them badly. There are many reasons why someone originally hired as a good employee could ultimately become a risk to the company. The 2019 DBIR reports that 15% of breaches were Misuse by authorized users: privilege abuse, data mishandling, unapproved workarounds, knowledge abuse, and email misuse.
A compromised account is considered an insider threat because the account in question is an internal corporate account. It is compromised, but it is still a valid user account in terms of the access it grants to applications and data. The difference with a compromised account is that the attacker usually has little or no knowledge of the network, so the behavior is very telling. An attacker using stolen credentials will typically depart from the legitimate user’s normal pattern, because they have to traverse the network looking for company data and IP, whereas an insider already knows where the data resides. The caveat is that the gap narrows once an attacker has done reconnaissance or holds an account whose normal activity is already broad, so compromised-account detection should also lean on signals that do not depend on navigation, such as unusual device, location, or login timing.
A mature UEBA solution provides models with predictive intent to identify malicious insider activity. Such models detect compromised-account scenarios such as brute-force attacks, suspicious password resets, account sharing, and account usage from an unusual device or location. For a malicious insider, they detect unusual behavior such as “wanderer” activity or network and file crawling, where the insider touches many resources while hunting for the organization’s crown jewels (IP, sensitive information, customer data, etc.). Models also flag unauthorized access to sensitive PII/PCI data, unusual or excessive data downloads, and exfiltration attempts through print, email, cloud storage or USB devices. Risk scores and weightings are defined at the model level and can be tuned to the organization’s risk exposure and priorities.
The real value in a UEBA solution is its ability to detect not only known threats but unknown threats, based on user and entity behavior. UEBA applies data processing and machine-learning analytics aimed at unearthing threats that bypass traditional detection and prevention systems. Machine-learning algorithms provide automatic, scalable ways to extract insight from large multi-dimensional data. UEBA combines models built on supervised, unsupervised, and semi-supervised algorithms, and can apply techniques such as deep learning and text mining (for example, sentiment analysis of communications) to surface insider threats.
As part of modeling, the analytics engine builds a baseline behavior profile for every identity (user and entity) defined in the system, then runs in prediction mode to detect deviation from the identity’s own baseline or from its peer-group baseline. The outlier detection, combined with contextual information such as threat-intelligence feeds and alerts from external systems, produces a single risk-prioritized score for each identity that can be used to drive investigation. One practical check: a baseline learned while malicious activity is already under way will treat that activity as normal, so the learning window, the peer-group definition, and the minimum history required before an identity is scored all need deliberate choices rather than defaults.
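As an added illustration of the baselining and scoring described above (this is example code written for this article, not Gurucul’s product code or any vendor’s model; the per-day record format, the robust z-score, the ten-points-per-sigma mapping, the weights and the context points are all assumptions chosen to show the technique), the following Python scores one day of file-server activity for four users against their own six-day history and against their department peers, then folds in a contextual threat-intelligence hit to produce one risk score per identity. The two behaviors from the model discussion, file crawling and excessive download, show up as the `files` and `mb` metrics.

```python
"""Per-identity and peer-group behavior baselining with a weighted risk score.

Example written for this article; not Gurucul's or any vendor's model. The
record format, the robust z-score, the 10-points-per-sigma mapping and the
weights are all assumptions chosen to illustrate the technique.
"""
import statistics

# Constructed sample telemetry (not real logs), aggregated per user per day from
# a file-server access log. "files" = distinct files touched, "mb" = megabytes
# downloaded. Six days of history form the baseline for each identity.
BASELINE = {
    "alice": {"dept": "eng", "files": [10, 12, 11, 13, 12, 11], "mb": [50, 55, 48, 60, 52, 51]},
    "bob":   {"dept": "eng", "files": [12, 14, 13, 12, 15, 13], "mb": [58, 62, 60, 57, 65, 59]},
    "carol": {"dept": "fin", "files": [5, 6, 5, 7, 6, 5],       "mb": [20, 22, 21, 25, 23, 20]},
    "dave":  {"dept": "fin", "files": [6, 5, 7, 6, 5, 6],       "mb": [22, 20, 26, 23, 21, 22]},
}

# The day being scored (constructed). alice crawls 180 files and pulls 2.4 GB,
# i.e. file crawling plus excessive download; the others look like themselves.
TODAY = {
    "alice": {"files": 180, "mb": 2400},
    "bob":   {"files": 13,  "mb": 61},
    "carol": {"files": 6,   "mb": 22},
    "dave":  {"files": 6,   "mb": 23},
}

# Contextual signals from outside the behavior models (hypothetical): dave's
# account authenticated today from an IP present on a threat-intelligence feed.
CONTEXT = {"dave": ("threat_intel_hit",)}

# Model-level weights, the knobs an analyst tunes to the organization's risk
# exposure. Behavioral components sum to 1.0; context signals add flat points.
MODEL_WEIGHTS = {"self_files": 0.3, "self_mb": 0.3, "peer_files": 0.2, "peer_mb": 0.2}
CONTEXT_POINTS = {"threat_intel_hit": 25, "external_alert": 15}
MIN_HISTORY = 3  # fewer observations than this and a baseline is meaningless


def robust_z(x, history):
    """Deviation of x from history in MAD units (median absolute deviation).

    Median/MAD rather than mean/stdev, so one earlier burst in the history does
    not inflate the scale and hide today's outlier. The 1.4826 factor makes MAD
    comparable to a standard deviation for normally distributed data.
    """
    med = statistics.median(history)
    mad = statistics.median([abs(v - med) for v in history])
    scale = 1.4826 * mad
    if scale == 0:
        # Edge case: a perfectly regular history has MAD 0. Fall back to the
        # population stdev, then to 1.0, rather than dividing by zero.
        scale = statistics.pstdev(history) or 1.0
    return (x - med) / scale


def anomaly_score(x, history):
    """Map a deviation to 0-100: ten points per robust sigma above the median, capped.

    Only upward deviations count; doing less than usual is not a threat signal here.
    """
    if len(history) < MIN_HISTORY:
        return 0.0
    return min(100.0, max(0.0, robust_z(x, history)) * 10)


def score_identity(user, today, context=()):
    """Risk-score one identity against its own baseline and its peer group."""
    me = BASELINE[user]
    peers = [p for u, p in BASELINE.items() if u != user and p["dept"] == me["dept"]]
    components = {}
    for metric in ("files", "mb"):
        x = today[metric]
        components[f"self_{metric}"] = anomaly_score(x, me[metric])
        peer_history = [v for p in peers for v in p[metric]]   # the peer-group baseline
        components[f"peer_{metric}"] = anomaly_score(x, peer_history)
    behavioral = sum(MODEL_WEIGHTS[k] * v for k, v in components.items())
    contextual = sum(CONTEXT_POINTS.get(signal, 0) for signal in context)
    return {"user": user, "components": components,
            "risk": min(100.0, behavioral + contextual)}


def rank_identities():
    """Score every identity for today and return them highest risk first."""
    scored = [score_identity(u, TODAY[u], CONTEXT.get(u, ())) for u in BASELINE]
    return sorted(scored, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for r in rank_identities():
        parts = ", ".join(f"{k}={v:.1f}" for k, v in r["components"].items())
        print(f"{r['user']:6} risk={r['risk']:6.1f}  ({parts})")
```

Run as a script it lists alice at the top with a capped score of 100 on every component, bob and carol in single digits, and dave ahead of bob only because of the threat-intelligence hit: his behavior alone scores under 10. That last case is the point of the combined score; a context signal on an otherwise quiet account is exactly what an analyst would want surfaced, while the same signal would not by itself justify a page.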
Not all UEBA solutions are created equal. Here’s what you should look for in a UEBA solution to ensure you can successfully predict, detect and stop insider threats.
Gurucul provides risk-based behavior analytics delivering actionable intelligence for security teams with low false positives. Gurucul leads the market in demonstrating UEBA results where others cannot. We consume the most data sources out-of-the-box and leverage the largest machine learning library. Additionally, we deliver a single unified prioritized risk score per user and entity. Gurucul’s unique Self-Audit capabilities empower users to proactively monitor and report any suspicious access, fraud and activity on their own accounts. With Gurucul you can find threats – unknown unknowns – quickly with no manual threat hunting and no configuration. Get immediate results without writing queries, rules or signatures.
Gurucul created the UEBA market in 2010, well before Gartner coined the term “User and Entity Behavior Analytics”. Learn more about how the Gurucul UEBA solution helps detect insider threats by downloading the whitepaper, Uncover Insider Threats Through Predictive Security Analytics. Then request a demo to see for yourself why Gurucul is considered a leader in insider threat detection.