Are you afraid of insider threats?
If you are a CISO, CIO, or another enterprise executive, the answer is most likely already “yes.” If you answered “no,” then, in all honesty, you really should be:
- 75% of data breaches start from insider threats, according to a study by Ipswitch.
- 90% of cybersecurity experts feel their enterprises are vulnerable to insider threats, according to a separate study by Veriato.
Indeed, the danger of insider threats to your enterprise cannot be overstated. After all, insiders know your enterprise’s network and its security better than any external hacker possibly could. Insiders know where your corporate assets are stored, which databases are most valuable to you, and how they are accessed. Because they operate within your enterprise rather than from outside, insider threats can disguise their malicious activity in the course of their normal business processes during regular work hours. Therefore, these threat actors can conceal the damage they wreak for months or years.
Furthermore, the number of potential insider threats can be massive even for small businesses. Enterprises tend to think of insider threats as stemming from current and former employees, but in fact insider threats can include contractors, temporary staff, and partners. Managers and executives shouldn’t be considered above suspicion either. Employees who aren’t direct insider threats could unwittingly assist their malicious counterparts by engaging in poor cybersecurity practices like password sharing or security subversion.
UEBA vs Insider Threats: What It Can Do
Behaviors indicative of suspicious activity from your employees can be diverse and disparate, including:
- Abnormal Logon/Logoff Time
- Files Accessed By Unauthorized Employees
- Unusual Email Usage
- Poor Job Performance
- Expressions of Discontentment
The challenge is in finding and properly contextualizing this information. Between their storage platforms, applications, and on-premise networks, enterprises can generate gigabytes of unstructured security event data every month. That is an overwhelming amount of information for even the most dedicated human IT security teams to correlate and analyze. The most relevant pieces of information about an insider threat might be separated by weeks or months, further concealing the threat from investigating eyes.
Compounding the issue, much of the suspicious activity turns out to be false positives: perfectly innocent activity only indicative of an employee having a busy day, working on a project outside their normal responsibilities, or just having a bad day. These false positives limit the effectiveness of your IT security resources and increase their job stress while letting legitimate threats slip by unnoticed.
This is where user and entity behavior analytics—UEBA—steps in.
UEBA is an artificial intelligence program designed to help determine and distinguish normal employee behaviors from abnormal behaviors that indicate a potential threat. UEBA patrols your enterprise’s network and digital perimeter, using detection algorithms to protect your sensitive corporate assets.
Via UEBA, IT security teams can use advanced analytics to follow user behaviors across time if they detect potential insider threat activity, finding correlated potentially malicious activities that may otherwise have been missed. UEBA provides visibility into your entire enterprise’s IT environment, compiling user activities from multiple datasets into complete profiles. It then sends this information to an automated alerting system to help your IT security team make sense of the severity and likelihood of the threat.
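The baseline-and-correlate idea described above can be sketched in a few lines. This is an added example, not code from any UEBA product: the event format, user names, share names and thresholds are all constructed assumptions. It builds a per-user logon-hour baseline, flags deviations in two datasets, and alerts only when several signals accumulate for the same user over time.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, logon_hour) and the shares each user normally touches.
HISTORY = [("alice", 9), ("alice", 8), ("alice", 9), ("alice", 10), ("alice", 9),
           ("bob", 13), ("bob", 14), ("bob", 13), ("bob", 12), ("bob", 14)]
KNOWN_SHARES = {"alice": {"hr-policies"}, "bob": {"eng-build", "eng-specs"}}

# Constructed current window: (day, user, dataset, value); signals are weeks apart.
EVENTS = [(1, "bob", "logon", 3), (2, "alice", "logon", 13),
          (9, "bob", "file", "finance-payroll"), (12, "alice", "file", "hr-policies"),
          (20, "bob", "file", "eng-specs"), (30, "bob", "logon", 2)]

def build_profiles(history):
    """Per-user (mean, stddev) of logon hour. Hours are treated as linear here;
    a real model would use circular statistics and far more history."""
    hours = defaultdict(list)
    for user, hour in history:
        hours[user].append(hour)
    # Floor the deviation at one hour so a very regular user is not over-flagged.
    return {u: (mean(h), max(pstdev(h), 1.0)) for u, h in hours.items()}

def find_anomalies(profiles, known_shares, events, z_limit=3.0):
    """Return {user: [(day, description), ...]} for events outside the baseline."""
    findings = defaultdict(list)
    for day, user, dataset, value in sorted(events, key=lambda e: e[0]):
        if dataset == "logon" and user in profiles:
            mu, sigma = profiles[user]
            if abs(value - mu) / sigma > z_limit:
                findings[user].append((day, f"logon at {value:02d}:00"))
        elif dataset == "file" and value not in known_shares.get(user, set()):
            findings[user].append((day, f"first access to {value}"))
    return dict(findings)

def correlate(findings, min_signals=2):
    """Alert only on users with several independent signals in the window."""
    return {u: f for u, f in findings.items() if len(f) >= min_signals}

if __name__ == "__main__":
    found = find_anomalies(build_profiles(HISTORY), KNOWN_SHARES, EVENTS)
    for user, signals in correlate(found).items():
        print(user, signals)
```

In this constructed data, alice's single late logon is recorded but does not alert, while bob's three signals spread across a month are tied together into one alert.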
In other words, UEBA can help your IT security team find the information they need to make an informed decision about a potential employee insider threat and then close that threat. It can find and flag the patterns of suspicious behaviors human eyes might miss in the deluge of corporate network information. It can reduce the strain of cybersecurity, which can prove a herculean weight overall.
Is it time your cybersecurity solution employed UEBA? It just might be.
Thanks to SIEM solution provider LogRhythm for help with the research!