How UEBA Can Prevent Insider Threats in your Enterprise

UEBA insider threats

Are you afraid of insider threats?

Most likely if you are a CISO, CIO, or another enterprise executive, the answer is already “yes.” If you answered “no,” then, in all honesty, you really should be:

  • 75% of data breaches start from insider threats, according to a study by Ipswitch.
  • 90% of cybersecurity experts feel their enterprises are vulnerable to insider threats, according to a separate study by Veriato.

Indeed, the danger of insider threats to your enterprise cannot be overstated. After all, insiders know your enterprises’ network and its security better than any external hacker possibly could. Insiders know where your corporate assets are stored, which databases are most valuable to you, and how they are accessed. Because they operate within your enterprise rather than from outside, insider threats can disguise their malicious activity in the course of their normal business processes during regular work hours. Therefore, these threat actors can conceal the damage they wreck for months or years.      

Furthermore, the number of potential insider threats can be massive even for small businesses. Enterprises tend to think of insider threats as stemming from current and former employees, but in fact insider threats can include from contractors, temporary staff, and partners. Managers and executives shouldn’t be considered above suspicion either. Employees that aren’t direct insider threats could unwittingly assist their malicious counterparts by engaging in poor cybersecurity practices like password sharing or security subversion.

UEBA vs Insider Threats: What It Can Do

Behaviors indicative of suspicious activity from your employees can be diverse and disparate, including:

  • Abnormal Logon/Logoff Time
  • Files Accessed By Unauthorized Employees
  • Unusual Email Usage
  • Poor Job Performance
  • Expressions of Discontentment

The challenge is in finding and properly contextualizing this information. Between their storage platforms, applications, and on-premise networks, enterprises can generate gigabytes of unstructured security event data every month. That is an overwhelming amount of information to correlate and analyze for even the most dedicated human IT security teams to make sense of. The most relevant information about an insider threat might be separated by weeks or months, further concealing them from investigating eyes.

Compounding the issue, much of the suspicious activity are false positives—perfectly innocent activity only indicative of an employee having a busy day, working on a project outside their normal responsibilities, or just having a bad day. These limit the effectiveness of your IT security resources and increase their job stress while letting legitimate threats slip by unnoticed.

This is where user and entity behavior analytics—UEBA—steps in.

UEBA is an artificial intelligence program designed to help determine and distinguish normal employee behaviors from abnormal behaviors that indicate a potential threat. UEBA patrols your enterprise’s network and digital perimeter, using detection algorithms to protect your sensitive corporate assets.

Via UEBA, IT security teams can use advanced analytics to follow user behaviors across time if they detect potential insider threat activity, finding correlated potentially malicious activities that may otherwise have been missed. UEBA provides visibility into your entire enterprise’s IT environment, compiling user activities from multiple datasets into complete profiles. It then sends this information to an automated alerting system to help your IT security team make sense of the severity and likelihood of the threat.       

In other words, UEBA can help your IT security team find the information they need to make an informed decision about a potential employee insider threat and then close that threat. It can find and flag the patterns of suspicious behaviors human eyes might miss in the deluge of corporate network information. It can reduce the strain of cybersecurity, which can prove a herculean weight overall.  

Is it time your cybersecurity solution employed UEBA? It just might be.

Thanks to SIEM solution provider LogRhythm for help with the research!  

Other Resources:

Common Problems in SIEM: Should You Switch to Security Analytics?

What to Look for in Your Security Analytics Solution

Illustrating SIEM Compliance Via PCI DSS Compliance

Cloud Adoption and SIEM: New Security Challenges

Comparing the Top SIEM Vendors — Solutions Review

What’s Changed? The Gartner 2017 Security Information and Event Management (SIEM) Magic Quadrant

Ben Canner

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner

Leave a Reply

Your email address will not be published. Required fields are marked *