SC Magazine | Saryu Nayyar | CEO, Gurucul
User and Entity Behaviour Monitoring uses modern machine learning algorithms which can automatically track and analyse employee behaviour to identify anomalous and suspicious activities.
When most people think of the “insider threat” there are usually some common stereotypes that spring to mind. Often people conjure up an image of a nefarious employee acting like a super villain out of a 60s James Bond film.
In reality, the insider threat is much more complex, and insider behaviour can stem from a number of causes. There are three types of insider threat: user error, malicious insider and compromised account. Typical examples are an employee who received a poor performance review and is now itching to “get even” with the company; a rogue IT admin who uses unmonitored elevated access to snoop for confidential data on the network; or a former employee who still retains access to key systems long after leaving the company.
According to the 2019 Verizon Data Breach Investigations Report (DBIR), user errors were causal events in 21 percent of breaches. They occur when someone clicks on a phishing link in an email and the account subsequently becomes compromised, or when a laptop is left at an airport and sensitive data is stolen as a result. These human errors are considered insider threats simply because insider data is exposed, even unintentionally.
The malicious insider is as bad as it sounds. People are bribed, have pressure put on their families, or realise they can monetise internal data or intellectual property. Employees also get disgruntled and want to hurt the company because they feel the company hasn’t treated them well. There are many different reasons why someone originally hired as a good employee could ultimately become a risk to the company. Verizon DBIR reports that 15 percent of breaches were misuse by authorised users: privilege abuse, data mishandling, unapproved workarounds, knowledge abuse, and email misuse.
A compromised account is considered an insider threat because the account in question is an internal corporate account. What sets a compromised account apart from the rest is that, while the account has indeed been compromised, the attacker is not normally familiar with the company network, so the behaviour on the account is very telling. An attacker using compromised credentials will show abnormal behaviour for that user, since they need to traverse the network looking for company data and IP, whereas a regular employee would already know where the data resides.
As it stands, conventional cyber-security tools offer very little when it comes to defending against insider threats. Each of the above insider threat personas has a common feature: in every instance, the insider already has access to all the information they might need on the network. It is a given that employees and contractors need certain levels of access on a variety of networks to do their jobs, but the price paid for such access is often the risk of intentional or accidental misuse of these privileges.
Thankfully, solutions exist that allow organisations to stay on top of insider threat behaviour and monitor the likelihood of malicious behaviour coming from within an organisation.
User and Entity Behaviour Monitoring uses modern machine learning algorithms which can automatically track and analyse employee behaviour to identify anomalous and suspicious activities. These activities could range from an accountant who downloads a confidential file he never looked at before, to a salesman who suddenly starts emailing large volumes of customer data to his personal account. Machine learning allows organisations to compare current user behaviour to baselined “normal” behaviour. From there, it’s easy to identify suspicious trends and spot outliers to remediate threats.
A User and Entity Behaviour Analytics (UEBA) solution provides models with predictive intent, to identify malicious insider activities. It will detect compromised account scenarios such as brute-force attacks, suspicious password resets, account sharing, account usage from an unusual device or location, etc. In the case of a malicious insider, it detects unusual behaviour such as “wandering” (network or file crawling), where a malicious insider tries to access multiple resources to gain access to an organisation’s data.
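The two preceding paragraphs describe the core UEBA idea: build a per-user baseline of “normal” behaviour, then score new activity against it to surface outliers such as file crawling or logins from an unfamiliar device or location. The following script is an added illustration of that mechanism, not code from the article or from Gurucul’s product. It assumes a hypothetical whitespace-separated access-log format (timestamp, user, device, location, resource), and the log lines, weights and alert threshold are constructed for the demonstration. The baseline tracks, per user, the mean and standard deviation of distinct resources touched per day plus the set of devices, locations and top-level directories seen; new days are scored with a z-score on volume and flat penalties for anything not in the baseline sets.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed sample logs (not from the article). Hypothetical format:
# "<timestamp> <user> <device> <location> <resource>"
BASELINE_LOG = """
2024-03-04T09:02:00 alice laptop-01 london /finance/ledger.xlsx
2024-03-04T10:15:00 alice laptop-01 london /finance/q1-budget.xlsx
2024-03-05T09:10:00 alice laptop-01 london /finance/ledger.xlsx
2024-03-05T11:40:00 alice laptop-01 london /finance/payroll.csv
2024-03-05T14:05:00 alice laptop-01 london /finance/q1-budget.xlsx
2024-03-06T09:30:00 alice laptop-01 london /finance/ledger.xlsx
2024-03-06T16:00:00 alice laptop-01 london /finance/expenses.xlsx
2024-03-07T09:05:00 alice laptop-01 london /finance/ledger.xlsx
2024-03-07T09:50:00 alice laptop-01 london /finance/payroll.csv
2024-03-07T13:20:00 alice laptop-01 london /finance/q1-budget.xlsx
2024-03-04T09:00:00 bob laptop-02 manchester /crm/accounts.csv
2024-03-04T12:00:00 bob laptop-02 manchester /crm/pipeline.xlsx
2024-03-04T15:00:00 bob laptop-02 manchester /crm/contacts.csv
2024-03-05T09:00:00 bob laptop-02 manchester /crm/accounts.csv
2024-03-05T13:00:00 bob laptop-02 manchester /crm/pipeline.xlsx
"""
NEW_LOG = """
2024-03-08T09:00:00 alice laptop-01 london /finance/ledger.xlsx
2024-03-08T09:05:00 alice laptop-01 london /hr/salaries.xlsx
2024-03-08T09:07:00 alice laptop-01 london /hr/reviews.docx
2024-03-08T09:09:00 alice laptop-01 london /engineering/roadmap.pptx
2024-03-08T09:12:00 alice laptop-01 london /engineering/source-export.zip
2024-03-08T09:15:00 alice laptop-01 london /legal/contracts.pdf
2024-03-08T09:18:00 alice laptop-01 london /legal/nda-list.xlsx
2024-03-08T09:21:00 alice laptop-01 london /finance/payroll.csv
2024-03-08T09:00:00 bob laptop-02 manchester /crm/accounts.csv
2024-03-08T11:00:00 bob laptop-02 manchester /crm/pipeline.xlsx
2024-03-09T03:12:00 bob unknown-host vpn-exit-7 /crm/accounts.csv
2024-03-09T03:14:00 bob unknown-host vpn-exit-7 /crm/contacts.csv
"""

# Hypothetical tuning values chosen for the constructed data above.
STD_FLOOR = 0.5          # floor on std-dev so a very regular user does not divide by ~0
WEIGHTS = {"volume": 5, "new_directory": 10, "new_device": 25, "new_location": 25}
ALERT_THRESHOLD = 40

@dataclass
class Baseline:
    mean_files: float      # mean distinct resources touched per day
    std_files: float       # population std-dev of the same, floored
    devices: Set[str]
    locations: Set[str]
    directories: Set[str]  # top-level directories the user normally works in

def parse_log(text: str) -> List[dict]:
    """Split each log line into an event dict keyed by day, user, device, location, resource."""
    events = []
    for line in text.strip().splitlines():
        ts, user, device, location, resource = line.split()
        events.append({"day": ts[:10], "user": user, "device": device,
                       "location": location, "resource": resource})
    return events

def top_dir(resource: str) -> str:
    return resource.strip("/").split("/")[0]

def build_baselines(events: List[dict]) -> Dict[str, Baseline]:
    """Learn each user's normal daily volume and the devices/locations/directories they use."""
    per_day: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    devices, locations, dirs = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in events:
        per_day[(e["user"], e["day"])].add(e["resource"])
        devices[e["user"]].add(e["device"])
        locations[e["user"]].add(e["location"])
        dirs[e["user"]].add(top_dir(e["resource"]))
    counts: Dict[str, List[int]] = defaultdict(list)
    for (user, _day), resources in per_day.items():
        counts[user].append(len(resources))
    return {u: Baseline(mean(c), max(pstdev(c), STD_FLOOR), devices[u], locations[u], dirs[u])
            for u, c in counts.items()}

def score_events(events: List[dict], baselines: Dict[str, Baseline]) -> Dict[Tuple[str, str], dict]:
    """Score each (user, day) against the user's baseline; unknown users are alerted outright."""
    per_day: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for e in events:
        per_day[(e["user"], e["day"])].append(e)
    results = {}
    for (user, day), evs in sorted(per_day.items()):
        b = baselines.get(user)
        if b is None:  # no history at all: cannot baseline, so escalate for review
            results[(user, day)] = {"score": float(ALERT_THRESHOLD), "alert": True, "reason": "no baseline"}
            continue
        files = {e["resource"] for e in evs}
        z = (len(files) - b.mean_files) / b.std_files
        new_dirs = {top_dir(r) for r in files} - b.directories
        new_devices = {e["device"] for e in evs} - b.devices
        new_locations = {e["location"] for e in evs} - b.locations
        score = (min(max(z, 0.0), 10.0) * WEIGHTS["volume"]   # only excess volume counts, capped
                 + len(new_dirs) * WEIGHTS["new_directory"]
                 + len(new_devices) * WEIGHTS["new_device"]
                 + len(new_locations) * WEIGHTS["new_location"])
        results[(user, day)] = {"z": round(z, 2), "new_dirs": sorted(new_dirs),
                                "new_devices": sorted(new_devices), "new_locations": sorted(new_locations),
                                "score": score, "alert": score >= ALERT_THRESHOLD}
    return results

if __name__ == "__main__":
    for key, r in score_events(parse_log(NEW_LOG), build_baselines(parse_log(BASELINE_LOG))).items():
        print(key, r)
```

On the constructed data, alice’s 8 distinct files across three directories she has never touched scores as file crawling, bob’s normal day scores zero, and bob’s early-morning session from an unseen host and location is flagged as a likely compromised account even though the volume is normal. A production system would add peer-group baselines for users with no history, time-of-day features and decay of old observations; the point here is only the baseline-and-deviation structure.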
Detecting high-risk users with abnormal behaviours through machine learning and statistical analysis is a force multiplier. It exposes anomalies among enormous volumes of data that humans or traditional security tools could never identify. Since attackers will exploit whatever accounts they can successfully compromise to break into an organisation, it is critical that organisations take a holistic view when it comes to monitoring user activity and device and identity behaviour. As the world moves further towards automation and machine learning algorithms become more complex, it is only natural that, as a community, we take active steps in eradicating the most dangerous facet threatening organisations.
External Link: Identifying the Threat from Within