By Sanjay Raja, VP of Product Marketing and Solutions

Insider threats are more dangerous and more top of mind for security pros in 2022 than they’ve ever been. That’s one of the major findings from the 2023 Insider Threat Report from Cybersecurity Insiders. This report (sponsored by Gurucul) surveyed hundreds of cybersecurity professionals to reveal the latest trends and challenges organizations face from insider threats, and how they are preparing to protect their data and infrastructure.

Let’s break down the top findings from the report.

A Rising Threat

Overall, security professionals are not confident they can reliably detect and block insider attacks. 74% reported their organization was moderately to extremely vulnerable to an insider attack. 74% also say insider threat attacks have been getting more frequent, a 6% increase over 2021. 60% of respondents reported that they experienced an insider attack in 2022, and 8% experienced more than 20 such attacks. 48% agree that insider attacks are more difficult to detect and prevent than external attacks. Since insider threats use legitimate accounts and credentials and abuse IT tools, it’s challenging for defenders to tell them apart from normal user activity. These results suggest that security teams should dedicate considerable resources to defending against them in 2023.

Insider Threats Under the Hood

This report dug deep into the motivations, types of attacks, and targets that security professionals are most concerned about. Monetary gain was the top malicious motivation for an insider threat at 59%, but many other drivers were close behind. Reputation damage was at 50%, theft of intellectual property was at 48%, and fraud was at 46%. Since no one factor was the clear winner, insider risk programs must take all of these factors into account.

71% of security pros are most concerned about compromised accounts/machines. This is followed by inadvertent data breaches/leaks (66%), negligent data breaches (64%), and malicious data breaches (54%). This is a good reminder that accidents, mistakes, and confusion among employees can create insider risks just as easily as a malicious insider. Among insiders, security pros are understandably most concerned about IT users and admins with elevated access privileges. If these accounts are compromised, attackers will have a great deal of access to sensitive data and important systems. Third-party contractors and service providers come in a close second in priority, followed by regular users and then privileged business users like CEOs. All of these groups present a significant risk (albeit in different ways) and security professionals are taking all of them very seriously.

Insider Risk Program Adoption

With so many security professionals worried about insider threats, one might expect that defensive efforts to detect and prevent them are a high priority. The report found that this was largely true; 39% of organizations already have an insider threat program in place. Another 46% are planning to add insider threat programs in the future – a rise of 5 percentage points since the 2021 survey. 13% are fired up and ready to add a program in the next six months. I expect there will be greater demand for products, tools and expertise in this area in the next few years. Some insider risk programs have executive buy-in, but the exact chain of command varies from company to company. 25% report to the CISO, 24% report to an IT security manager, 14% report to the director of security and 13% report to an Information Security Officer.

What is driving the creation of corporate insider threat programs? Again, it varies. Nearly half of respondents reported their insider threat program is part of the overall information security governance program. 44% reported their insider threat program is driven by proactive security team initiatives, and 40% said it came from regulatory compliance mandates. It’s encouraging to see many teams taking the initiative to tackle insider threats without being forced by regulation.

All in all, insider threats are a growing threat and a top priority for security teams in 2023. They include a wide range of motives, types, and targets and defenders are actively working to build programs to detect and prevent them. For the full results, you can access the report here: https://gurucul.com/2023-insider-threat-report

Detecting and Stopping Insider Threats Using Gurucul Behavioral Analytics

For organizations building or updating an insider threat program, Gurucul User and Entity Behavior Analytics (UEBA) can detect suspicious behavior immediately and identify high-risk profiles and threats to manage and monitor insider risk. The Gurucul platform monitors an organization’s environment, natively ingests data across multiple data sources including applications, and analyzes this data using advanced behavioral and insider threat machine learning (ML) models and data science. Then it creates time-based behavioral baselines and continuously learns what is acceptable behavior to identify anomalous behavior and zero in on actual threats. By unifying collection and analysis of telemetry across the entire security stack and applying the largest library of pre-packaged ML models in the industry (over 1500), Gurucul can pinpoint unintended and malicious privilege access abuse, unexpected lateral movement and external communications, and data exfiltration quickly and accurately. Overall, Gurucul UEBA provides unprecedented context, behavioral indicators, and timeline views for automating threat assessment, mitigation, and response.

The post 2023 Insider Threat Report Finds Three-Quarters of Organizations are Vulnerable to Insider Threats appeared first on Cybersecurity Insiders.

What is UEBA?

User and entity behavior analysis (UEBA) is a cybersecurity technology that helps organizations detect malicious attacks by highlighting anomalous behavior.

It expands from the earlier ‘UBA’ security solution by incorporating analysis of both ‘users’ and ‘entities’ in a network. UEBA seeks to detect any suspicious activity on a network, whether it comes from a user or machine, meaning it has a wider breadth than its predecessor.

The technology works by building a model of regular network behavior. From there, unusual activity is flagged and IT staff are alerted to a potential attack in due course. For this reason, UEBA works particularly well as an automated early threat detection system.

UEBA can be characterized by its application of machine learning techniques and algorithms to detecting cyberattacks. As this technology matures, so too will the scope of UEBA. In fact, market research by ReporterLink projects the global UEBA market to reach $4.2 billion by 2026. As such, now is a great time to learn about UEBA’s role in cybersecurity systems.

This article will explain the history of UEBA, how it works, and its importance and role in a comprehensive cybersecurity system.

UEBA vs UBA

The term UEBA was first used in 2017 by tech consultancy firm Gartner. The addition of the letter ‘E’ to UBA may be understood by first looking at the context of that predecessor tech.

The most common use case of UBA is the protection of sensitive data (namely in the financial, government, and healthcare sectors). Of course, this high-value IP has been relentlessly targeted by data thieves and fraudsters. As these attacks have become more sophisticated in recent years, cybersecurity processes have also advanced to reflect market demands.

While UBA simply focused on threats from human users (internal employees or third parties), UEBA has expanded to detect threats from non-human entities too. For example, routers, servers, endpoints, and software are now common sources of attacks.

This reflects a general shift in cybersecurity to consider the privileges of every device on a network. Even one device with elevated privileges may undermine the overall network’s security if an attacker knows how to exploit that weakness. Gartner’s decision to include ‘entities’ in UBA was a recognition that attackers orchestrate multiple machines beyond the scope of the ‘user’.

How UEBA works

We’ve covered the history and basics of UEBA, but how does this cybersecurity tech work in practice? Firstly, the UEBA tech must be installed on every device connected to an organization’s system. The scope of this is wide: consider that even an employee’s mobile phone may be considered a source of attack when connected to the network.

Once installed on the necessary devices, the UEBA cybersecurity solution may be explained in three stages.

1. Data Analytics

During its first phase, the UEBA software collects and organizes network data to ascertain a standard model of behavior for users and entities. The system builds a profile of how each user and device normally acts on the network (e.g. app usage or download activity). From there, anomalies and deviations from the usual activity are detected and highlighted. As such, we can think of analytics as the ‘learning phase’ of the UEBA system.

Often, machine learning and AI will be used in UEBA to build statistical models of regular activity. However, ML models can take some time to fine-tune correctly, because of the risk of returning false positives for suspicious behavior. It is useful to note that, for this reason, not all UEBA solutions use ML and some stick to standard rule-based detection.

2. Data Integration

The second phase of a UEBA security solution is its integration with other security products. As networks grow and expand, UEBA will be able to compare data from various sources, for instance network logs and packet captures.

As UEBA scales across your network, this data may be compared to the findings from existing security systems, creating a robust overall defense structure.

3. Data Presentation

Finally, data presentation is simply the communication of UEBA’s findings to the relevant IT admins. Depending on the perceived severity of the threat detected, UEBA will usually create an alert for a cybersecurity employee to investigate and resolve. For severe attacks, some UEBA systems will be set up to automatically disconnect that user or device from the network.
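The learning phase, anomaly scoring and alert presentation from stages 1 and 3 above, as an added Python example that is not part of the original article: it builds a per-user baseline of login hour and daily document-access count from constructed log events, scores new events by deviation from that baseline, and hands the analyst only the alerts that clear a severity threshold. The user names, events, and the z-score cut-offs (3 for medium, 6 for high) are constructed assumptions, not values from any UEBA product.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-phase log: (user, login_hour, documents_accessed) per working day.
BASELINE_EVENTS = [
    ("alice", 9, 12), ("alice", 10, 15), ("alice", 8, 11), ("alice", 9, 14), ("alice", 10, 13),
    ("bob", 14, 40), ("bob", 13, 38), ("bob", 15, 45), ("bob", 14, 42), ("bob", 13, 41),
]
# Constructed new-day events: alice at 03:00, bob as usual, alice pulling 60 documents, unknown carol.
NEW_DAY_EVENTS = [("alice", 3, 14), ("bob", 14, 41), ("alice", 9, 60), ("carol", 9, 10)]

def build_baselines(events):
    """Stage 1, learning phase: per-user mean and spread of each observed feature."""
    per_user = defaultdict(lambda: defaultdict(list))
    for user, hour, docs in events:
        per_user[user]["hour"].append(hour)
        per_user[user]["docs"].append(docs)
    # Floor the spread at 1.0 so a very regular user still scores sensibly
    # instead of dividing by a near-zero standard deviation.
    return {user: {f: (mean(v), max(pstdev(v), 1.0)) for f, v in feats.items()}
            for user, feats in per_user.items()}

def deviation(value, stats):
    """How many standard deviations a value sits from the user's own mean."""
    mu, sigma = stats
    return abs(value - mu) / sigma

def score_event(baselines, user, hour, docs):
    """Stage 1, detection: deviation from baseline mapped to a threat level; unknown users escalate."""
    if user not in baselines:
        return {"user": user, "score": None, "severity": "high", "reasons": ["no baseline"]}
    b = baselines[user]
    z_hour, z_docs = deviation(hour, b["hour"]), deviation(docs, b["docs"])
    score = max(z_hour, z_docs)
    severity = "high" if score >= 6 else "medium" if score >= 3 else "low"
    reasons = []
    if z_hour >= 3:
        reasons.append(f"login at {hour:02d}:00 (z={z_hour:.1f})")
    if z_docs >= 3:
        reasons.append(f"{docs} documents accessed (z={z_docs:.1f})")
    return {"user": user, "score": round(score, 1), "severity": severity, "reasons": reasons}

def triage(baselines, events, min_severity="medium"):
    """Stage 3, presentation: keep only events an analyst needs to see, worst first."""
    rank = {"low": 0, "medium": 1, "high": 2}
    alerts = [score_event(baselines, *e) for e in events]
    alerts = [a for a in alerts if rank[a["severity"]] >= rank[min_severity]]
    return sorted(alerts, key=lambda a: rank[a["severity"]], reverse=True)
```

Bob's ordinary day scores low and never reaches the analyst, while alice's 03:00 login and her 60-document day are reported with the reason attached, which is the kind of context the presentation stage is meant to supply.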

Pros & cons of using UEBA

UEBA is certainly an attractive cybersecurity solution for organizations focused on data security. However, that does not mean it is a catch-all solution, or indeed optimal for every network to implement. Before investing in UEBA, you should consider the reasons for and benefits of that solution, as well as any potential challenges.

The biggest strength of UEBA is that it allows for 24/7 automated data security. UEBA tools process all user/entity activities and highlight only the most severe anomalies. This means security analysts can focus on high-risk events instead of manually analyzing the large bulk of network logs. Not only that, UEBA can shut down a potential attack as soon as an anomaly is detected, which is often before any damage has been done.

On the other hand, there are some potential downsides and challenges to a UEBA solution. These are usually encountered at the deployment stage. For a UEBA system to be effective, it needs to spend a long time analyzing and creating models of ‘usual’ network behavior. This can become a time-consuming and costly process as IT staff may need training to get to grips with configuration.

Generally speaking, once a UEBA system is up and running, it should save the organization money in the long run. The automated security data analysis negates the need for employing a large IT security team, though staff must be trained to understand and action UEBA’s findings. As such, you’ll want to look for UEBA products that are easy to set up.

Does your organization need UEBA?

UEBA is a powerful tool with a variety of use-cases. In determining whether it’s worth the investment from a financial perspective, you must first consider what it can bring to your organization:

1. Expose malicious insiders

The primary use-case for UEBA is the protection of data from internal threats. Malicious insider activity has traditionally been difficult for security teams to detect. Employees will have experience using systems and likely have a basic idea of how to avoid detection from the IT security team.

UEBA goes one step further than rule-based detection systems by identifying behavior that is unusual or suspicious. Even subtle changes in behavior, such as installing a new app, accessing the same document many times, or logging on at strange times, will be detected and flagged.

Some UEBA tools will also provide analytics on employee productivity, which will surely be useful to your organization’s HR team.

2. Detect compromised accounts

UEBA is the perfect tool for detecting hacked employee accounts, as it is almost impossible for hackers to emulate the usual behavior of the account owner. As such, once a regular ‘model’ of behavior has been created, UEBA can easily spot compromised accounts acting differently than usual.

3. Detect compromised systems/devices

Attackers will often try to hide their activity by conducting exploits through machines or entities with no single owner. Where UBA systems overlooked critical parts of a network, UEBA has expanded to cover all bases. As such, UEBA software will detect strange activity on any device connected to the network. This protects systems from attackers coordinating distributed activity across multiple machines.

4. Automate risk management

Risk management is an important aspect of cybersecurity. Where security analysts previously kept track of threats manually, most UEBA systems will now automatically assign a threat level to anomalous activities. This significantly streamlines the process for security teams to look at the most relevant information and action it.

5. Speed up response to threats

For all the reasons outlined above, UEBA will result in faster response times to threats across a network. The automatic detection of severe security breaches means that IT teams can respond quickly to the most pressing threats while leaving low-risk incidents for later.

Conclusion

To conclude, UEBA is a security solution that is increasingly becoming part and parcel of standard cybersecurity practice. It works very well in conjunction with other security tools, such as SIEM, to build a comprehensive threat detection system. Additionally, the data collected from UEBA tools can aid incident investigations to prevent future attacks. For this reason, UEBA is a valuable tool for organizations that seek to protect sensitive data, despite the high upfront costs.

The post Explaining User and Entity Behavior Analytics: Enhanced Cybersecurity Through UEBA appeared first on Cybersecurity Insiders.