[BreachExchange] Catch insider threats with User Behavior Analytics
Audrey McNeil
audrey at riskbasedsecurity.com
Thu May 26 19:12:06 EDT 2016
http://www.csoonline.com/article/3074960/data-protection/catch-insider-threats-with-user-behavior-analytics.html
Securing and protecting confidential data and Intellectual Property (IP)
assets has been always a challenge for organizations despite having various
tools including data loss prevention (DLP) added to the cybersecurity
strategy. According to Ponemon Institute’s 2015 study, most costly
cybercrimes are those caused by malicious insiders, followed by denial of
services and web-based attacks.
Mitigation of malicious insiders requires enabling advanced technologies
such as User Behavior Analytics - an emerging technology that could provide
data protection and fraud detection capabilities that otherwise would go
unnoticed. UBA uses a specialized security analytics algorithms that
focuses beyond an initial login and includes tracking every movement of
user activities in connection with systems that they use to perform their
day-to-day operations and roles.
User behavior analytics technology performs two main functionalities.
First, it helps determine a baseline of the normal activities that a user
performs, and second, it can quickly identify deviations from the normal
behavior that trigger an action for security analysts to conduct
investigation. The anomalous or negligent behavior might not be the
malicious at first look but requires security analysts to investigate and
determine legitimate vs malicious behavior.
UBA uses statistical analysis and machine learning techniques to analyze
and learn the user behavior and patterns on the go to detect and assess
risky user behavior in the enterprise. The UBA technology proactively helps
hunt for insider threats, frauds, detect advanced malware activity, follow
user actions to automatically identify risky behavior, and present a risk
profile of a user to security analysts. All of this without having analysts
spend long hours and days in looking through thousands of noise alerts. UBA
effectively consolidates and prioritizes security alerts.
A simple UBA use case can be a privileged user trying to access an
organization’s file server in the middle of the night - which he never did
in the past. However, there could be a maintenance activity scheduled that
night as generally performed, and he is needed to access the server. At the
same time, this could be an incident of compromised credential wherein an
attacker was trying to exfiltrate the data out of the server to steal the
information or intellectual property. UBA technology can help to model and
profile user behavior, and automate such incidents in near real-time. It
can also alert security analysts to take action, otherwise the behavior
would go un-noticed resulting a successful data breach.
The value User Behavior Analytics technology
UBA can offer a huge value on a number of fronts. It can provide visibility
into potential insider threats showing early red flags when a privileged
account is being compromised by external attacker luring a user, to
measuring change of behavior in user’s normal vs anomalies actions.
UBA uses many technology components - data sources, data integration, data
mining, correlation, enrichment, data presentation and visualization and
service delivery. Various vendor have been optimizing their capabilities
around a specific security use cases and domains. However, the success of
these capabilities relies on the collection of structure and unstructured
information.
Analytics engine capability would greatly depend on feeding the right
sources of data and applying the right context to the information, knowing
which data and variables need to be analyzed, and how much weight is given
to the key variables that are used to analyze risk rating functions.
Getting the right data feeds into the engine with business context is the
key step to get optimal value of the investment in UBA technology. The raw
data sources could include VPN gateway logs user connecting to enterprise
network from remote, Active Directory logs, Windows and Unix servers logs,
security event logs from firewall, DLP etc., to connect the dots right from
when a user successfully connects to the VPN gateway and establishes a
session, login into an application server, access data from sensitive
systems, the time he spent processing and moving data around, and if he
transfers any data out of a server to external systems.
Lastly, IP theft and data exfiltration, fraud detection, malware detection
and analyzing employee’s social media activities are some of the use cases
that UBA technology can help detect and flag early warnings to the security
teams. Once a vendor solution is selected and deployed in the enterprise,
the next big step is to establish initial baseline by watching the user
activities for few weeks before getting the actual results or value.
If the technology is not based lined and fine-tuned then it’s another tool
generating thousands of noisy alerts. To get the optimal results, one needs
to spend quality time to watch and understand user behavior in the
enterprise and distinguish normal vs anomalous behavior. Self-learning
algorithms, machine learning and statistics can help highlight abnormal
behavior and frequencies in identification, and detect critical insider
threats and targeted advanced attacks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160526/b734bc58/attachment.html>
More information about the BreachExchange
mailing list