Why UEBA is your best defence against insider threats

by Pavlo Poliakov

It’s no secret that employees are a critical vulnerability for any company when it comes to cybersecurity. In fact, the majority of cybersecurity breaches are caused by human errors made inside the corporate network—up to 95%, according to Cisco.

Clearly, insider threats present a significant risk to organisations. But how do these threats occur?

Insider threats come from individuals within an organisation who have authorised access to sensitive data or systems, and who may intentionally or unintentionally cause significant damage to the company’s reputation, assets, or business through erroneous or malicious use of these systems.

Types of insider threats

There are a few common types of insider threats that companies should be aware of.

The first type of insider threat is the malicious insider. This person intentionally abuses their legitimate and authorised access in order to steal information for personal or financial gain.

For example, a disgruntled employee may leak sensitive company information or sell it to a competitor for profit. Since they have insider knowledge and an understanding of the organisation’s security procedures, this type of insider threat can be especially dangerous.

The second type of insider threat is the careless insider. This person unintentionally exposes the system to outside threats due to their mistakes, such as leaving a device unsecured or falling victim to a phishing scam.

An employee may click on a malicious link, for example, infecting the system with malware. This type of insider threat is the most common and can be mitigated through employee training and awareness programs.

Lastly, there’s the “mole”. A mole is an outsider who has managed to gain access to the privileged network by posing as an employee or partner. They can be especially challenging to detect since they appear to be a trusted insider.

Protecting against insider threats with UEBA

To protect against cyber threats, businesses need to implement a multi-layered approach to security that includes access controls, awareness training for employees, and monitoring and auditing of user activities. But for maximum protection against insider threats, it’s crucial that organisations go one step further.

That means developing a comprehensive security plan that takes into account the various types of insider threats, the potential risks that each one poses, and solutions to address each individual scenario. That’s where User and Entity Behaviour Analytics can help.


What is User and Entity Behaviour Analytics (UEBA)?

One of the most effective security approaches to detecting and preventing insider threats is User and Entity Behaviour Analytics (UEBA). Powered by machine learning and data analysis, UEBA is a cybersecurity technology that analyses how people, devices, and entities behave within a network environment in order to detect potential security threats.

UEBA monitors behaviour patterns, scanning for deviations from the norm. These deviations might include behaviour like a user accessing different systems or applications than usual, changes in activity time, or the use of new devices.

What kind of anomalies does UEBA detect?

One of the reasons that UEBA is so effective at detecting insider threats is that it learns from your environment.

After all, what qualifies as a red flag in one company’s system may be perfectly normal for another; it all comes down to the way your security is set up and how your users work.

That’s where UEBA’s machine learning and data analysis features come into play. UEBA solutions constantly monitor your systems to establish a baseline of what ‘normal’ user and entity behaviour looks like in your environment. Once that baseline is in place, UEBA is uniquely positioned to detect any behaviour that seems out of the ordinary for your particular system.

To give you an idea of the kind of things UEBA can catch, here are some of the scenarios UEBA can detect and signpost to prevent insider threats.

Identifying anomalies in user behaviour

UEBA can detect whether a user is accessing data they shouldn’t be, attempting to log in outside of their normal working hours, or using unusual commands or queries. This helps to identify suspicious activities that could indicate an insider threat or a security breach.

Identifying compromised accounts

UEBA can tell you if a user’s credentials have been compromised or if their account is being used by an unauthorised person, allowing you to shut down access before any potential attacker can access sensitive data.

Detecting abuse of privileged accounts

UEBA can monitor privileged accounts in the same way that Privileged Access Manager (PAM) tools can. If a domain administrator connects to other employees’ computers and downloads files from them, for example, instead of performing usual day-to-day Active Directory management tasks, UEBA can use its advanced analytics to detect such activity.

Identifying cases of data exfiltration

UEBA can track how, when, and where data is accessed and moved. By alerting security teams if an employee is attempting to copy or transfer sensitive data outside of the organisation, UEBA can help get ahead of data theft or leakage, and prevent a potentially damaging and costly data breach.

Analysing network traffic

UEBA can monitor network traffic for patterns that could indicate an insider threat. This kind of behaviour might include large data transfers, unusual connections to external IP addresses, or a user scouring the contents of network drives a little too actively.

How does UEBA work?

We’ve covered what UEBA can do, but how exactly does the UEBA process work?

UEBA solutions are based on mathematical and statistical techniques, data analysis approaches, and algorithms that monitor and review user and entity behaviour in the IT environment.

Some of the most common machine learning algorithms used in UEBA are clustering, classification, decision trees, random forest, and neural networks. Because of its reliance on data to detect patterns, it’s important to implement a UEBA tool with relevant datasets for your company’s security use cases, so it can best put its machine learning algorithms into action.

Here’s how UEBA works.

Step 1: Data collection

According to best practices, your UEBA tool should be integrated with SIEM platforms to allow it to collect data. Some data sources are considered mandatory for UEBA to effectively function, including firewall logs, DHCP and DNS logs, and user account data (for instance, from Active Directory).

But the more data you can feed into your UEBA tool, the better it will be at detecting anomalies. Data you could also use in your UEBA process include:

  • Logs: UEBA tools can ingest and analyse log files from various devices, servers, and applications. These logs provide a record of user activity, system events, and other important information that can be used to detect anomalous behaviour.
  • Network traffic: UEBA tools can monitor network traffic to identify potential security threats, such as attempts to access restricted resources, suspicious network connections, or data exfiltration.
  • Endpoint data: UEBA tools can collect data from endpoint devices, such as laptops, desktops, and mobile devices, to monitor user activity, application usage, and system performance. This data can help identify anomalous behaviour and potential security threats.
  • Cloud services: UEBA tools can monitor user activity within cloud services, such as SaaS applications and IaaS platforms, to detect potentially malicious behaviours such as unauthorised access or data exfiltration.
  • Identity and access management systems: UEBA tools can integrate with IAM systems to monitor user authentication and authorisation activity, such as failed login attempts, privilege escalations, and changes to user permissions.
  • Contextual data: Contextual data provides additional information about user and entity behaviour like location, time of day, and device type. This data can help identify anomalies that may be indicative of a security threat.
  • Threat intelligence: Threat intelligence data provides information about known security threats, including malware and attack techniques, helping you prioritise security alerts when threats are detected.
  • Human resources data: Human resources data provides information about employees, including their job functions, performance, and disciplinary history. This data can be used to identify employees who may be more likely to pose an insider threat.

Step 2: Data processing

UEBA tools then process this information to identify and isolate user and entity data. For example, the tool may home in on specific IP addresses, MAC addresses, or privileged accounts associated with a particular user or entity.

Step 3: User and entity profiling

With this data, the tool will create a profile for each user and entity in the organisation based on their historical behaviour. The profile includes information such as the user’s job role, devices and applications they typically use, and the times of day they typically log in.

Step 4: Behaviour modelling

Machine learning algorithms are then applied to build a model of normal behaviour for each user and entity based on their historical activities. The model takes into account factors such as the user’s access patterns, the frequency and duration of their activity, and the resources they typically access.

Step 5: Anomaly detection

UEBA tools then monitor ongoing behaviour, constantly comparing each user and entity’s current actions to their baseline. Any deviation from the baseline is flagged as an anomaly and may indicate a potential security threat.

Step 6: Risk scoring

When an anomaly is detected, it’s assigned a risk score based on factors including potential severity and the context of the behaviour. These risk scores help security teams prioritise alerts and determine which threats require immediate action.

Step 7: Alerting and response

UEBA tools generate and send alerts to security analysts whenever anomalous behaviour is detected, providing information including the risk score to enable them to investigate and respond to potential threats quickly.

UEBA can also be configured to map specific attack patterns that correspond to tactics and techniques described in the MITRE ATT&CK Matrix. For example, UEBA can identify when a user account is compromised, which tallies with the ‘Credential Access’ tactic in the MITRE ATT&CK Matrix. UEBA can also identify when a user is attempting to move laterally across a network, which corresponds to the ‘Lateral Movement’ tactic.

Ongoing: Continuous learning

As security teams respond to threats and user behaviour evolves, UEBA tools will continuously learn from new data, adjusting the normal behaviour model for each user and entity. This allows the tool to adapt to changes in the IT environment and provide more accurate threat detection over time.
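The pipeline described in the steps above, as an added example that is not code from this article or from any UEBA product: a minimal Python model that builds per-user baselines (usual hours, hosts touched, outbound volume) from constructed log lines, scores a new event against that baseline, and folds analyst-confirmed benign events back in so the baseline keeps learning. The log format, thresholds and risk weights are assumptions chosen for the demo.

```python
# Added demo (not the article's or a vendor's code); log format, thresholds and weights are assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events: "<ISO timestamp> <user> <host> <bytes_out>"
BASELINE_LOGS = """
2024-03-04T09:12:00 alice ws-alice 120
2024-03-04T10:05:00 alice fileshare-1 800
2024-03-05T09:40:00 alice ws-alice 100
2024-03-05T11:20:00 alice fileshare-1 950
2024-03-06T09:05:00 alice ws-alice 130
2024-03-06T14:15:00 alice fileshare-1 700
""".strip().splitlines()

def parse(line):
    """Step 2: pull the user/entity fields out of one raw log line."""
    ts, user, host, out = line.split()
    return datetime.fromisoformat(ts), user, host, int(out)

def update_profile(profiles, line):
    """Steps 3/4 and ongoing learning: fold one event into the user's baseline."""
    ts, user, host, out = parse(line)
    p = profiles[user]
    p["hours"].append(ts.hour)
    p["hosts"].add(host); p["bytes"].append(out)

def build_profiles(lines):
    """Steps 1-4: build baselines for every user seen in the historical logs."""
    profiles = defaultdict(lambda: {"hours": [], "hosts": set(), "bytes": []})
    for line in lines:
        update_profile(profiles, line)
    return profiles

def score_event(profiles, line):
    """Steps 5/6: compare a live event with its baseline; return (risk, reasons)."""
    ts, user, host, out = parse(line)
    p = profiles[user]
    if not p["hours"]:               # unseen user: needs a learning period first
        return 50, ["no baseline"]
    risk, reasons = 0, []
    if not min(p["hours"]) <= ts.hour <= max(p["hours"]):
        risk, reasons = risk + 30, reasons + ["off-hours"]
    if host not in p["hosts"]:
        risk, reasons = risk + 30, reasons + ["new host"]
    z = (out - mean(p["bytes"])) / (pstdev(p["bytes"]) or 1)
    if z > 3:                        # volume far above this user's own norm
        risk, reasons = risk + 40, reasons + ["volume spike"]
    return risk, reasons             # Step 7: analysts triage alerts by risk
```

Because the baseline is per user, the same 5 MB transfer that is routine for a backup operator scores as a spike for a user whose history is a few hundred bytes, which is the environment-specific behaviour the article describes.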

If you’re looking to boost your protection against potentially devastating (and increasingly common) insider threats, UEBA is a great option. Providing a fuller picture of user and entity behaviour and enabling more accurate threat detection, the continuous monitoring and analysis delivered by UEBA can help organisations proactively identify and tackle security threats, hugely reducing the risk of data breaches or insider threat incidents.

At RiverSafe we can design and implement UEBA as well as integrate directly into your enterprise’s infrastructure in order to maximise your security operations, investigation and response capabilities.
