Protecting your data assets from insider security threats with UEBA
Despite depictions of hackers frantically typing to crack into a company’s mainframe, most data breaches stem from internal actors. UEBA’s ability to track user behaviour helps IT security teams identify these cyberthreats faster.
When Tesla employee Martin Tripp was passed over for promotion recently, he sought revenge by writing code that exported gigabytes of Tesla’s sensitive data, including dozens of confidential photographs and a video of Tesla’s manufacturing systems. If Tesla CEO Elon Musk was under any illusion that the insider threat was not something to be concerned about before, no doubt he’ll have changed his mind by now.
This is a classic example of an employee abusing their position to cause problems for their employer. And it’s much more common than you might think: according to Crowd Research Partners’ 2018 Insider Threat Report, 53 percent of organisations will suffer from an insider threat. This is an attack vector that businesses cannot afford to ignore.
UEBA defined
To help minimise the risk of falling victim to the insider threat, many organisations are now deploying user and entity behaviour analytics (UEBA). UEBA utilises machine learning to study the typical behaviour of each employee, creating a baseline of ‘normal’ user behaviour. This baseline is grounded on criteria such as the files typically accessed by a user, the frequency and time of that access, and the actions they take with the files, among others.
An additional benefit that UEBA brings is the ability to track how data is accessed and used by employees over a specific period of time – flagging any suspicious activity in the process. For example, in a non-UEBA scenario, if a systems engineer copied a portion of code to work with independently, this would be unlikely to be flagged as suspicious.
However, with UEBA, it is possible to track activity around this file more closely. Has the user accessed that particular file before? Is the access request from a different location than usual? Has the user accessed the file on a device that has recently copied other sensitive files?
This ability to compare activity against a user’s individual baseline helps the security team focus their time and resources on threats that are more likely to be ‘real’, significantly reducing the number of false positives.
Tackling the insider threat
There are two insider threat attack vectors that UEBA helps prevent. The first concerns ‘the malicious insider’. This is an employee who wilfully breaches their duty and exploits the technology, assets and intellectual property of their employer. This can be to harm the company, steal data to take to their next employer or to sell data to competitors – all the while remaining a ‘trusted’ employee.
The other kind of attack involves ‘the reluctant insider’. Unlike the malicious insider, the reluctant insider accidentally grants criminals access to the network. More often than not, this is a result of an employee’s credentials being phished or compromised in a data breach. With access to an employee’s username and password, hackers can bypass most security measures.
Fortunately, UEBA is extremely proficient at identifying the reluctant insider threat. Criminals may be able to access privileged accounts, but behaving in the same manner as the compromised employee is difficult to achieve. This makes it relatively simple for UEBA to identify imposters on the network.
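As an added illustration (not code from this article or from any UEBA product), the following Python script shows the baseline-and-deviation idea described above in the simplest possible form. It builds a per-user baseline from a constructed access log (files, actions, locations, devices, hours, files per day), then scores new events by asking the questions posed earlier: has the user accessed this file before, is the request from an unusual location or device, is it outside their usual hours, and has the device recently copied other sensitive files. The same scoring covers both patterns in this section: the malicious insider’s late-night export from a trusted laptop, and the reluctant insider’s valid credentials used from an unfamiliar place and machine. All users, paths, hostnames, locations, weights and the alert threshold are assumptions made for the example; a real product learns these distributions statistically rather than from hand-picked sets.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Assumed tuning knobs: which trees count as sensitive, the alert cut-off, and the copy look-back.
SENSITIVE_PREFIXES = ("/eng/", "/finance/")
ALERT_THRESHOLD = 3
COPY_WINDOW = timedelta(hours=24)

# One access-log record; action is "read" or "copy" in this example.
Event = namedtuple("Event", "user ts action path location device")


def make_baseline_log():
    """Constructed 'normal' history: two users, four working weeks, office hours, their own devices."""
    events, start = [], datetime(2018, 6, 4)  # a Monday
    alice_files = ["/eng/firmware/main.c", "/eng/firmware/boot.c", "/eng/notes.md", "/eng/build.sh"]
    bob_files = ["/finance/q2.xlsx", "/finance/budget.xlsx"]
    for day in range(28):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:  # no weekend activity
            continue
        for hour, path in zip((9, 11, 14, 16), alice_files):
            events.append(Event("alice", d.replace(hour=hour), "read", path, "Fremont", "alice-laptop"))
        for hour, path in zip((10, 15), bob_files):
            events.append(Event("bob", d.replace(hour=hour), "read", path, "Reno", "bob-desktop"))
    return events


def build_baselines(events):
    """Summarise each user's history into the criteria a behavioural baseline is grounded on."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    baselines = {}
    for user, evs in per_user.items():
        files_per_day = defaultdict(set)
        for e in evs:
            files_per_day[e.ts.date()].add(e.path)
        baselines[user] = {
            "files": {e.path for e in evs}, "actions": {e.action for e in evs},
            "locations": {e.location for e in evs}, "devices": {e.device for e in evs},
            "hours": {e.ts.hour for e in evs},
            "max_files_per_day": max(len(s) for s in files_per_day.values())}
    return baselines


def score_event(e, baselines, history):
    """Score one event against its user's baseline; 'history' holds earlier new events already seen."""
    b = baselines.get(e.user)
    if b is None:
        return 5, ["no baseline for this user"]
    score, reasons = 0, []
    for hit, weight, why in (
            (e.path not in b["files"], 1, "file never accessed by this user before"),
            (e.action not in b["actions"], 1, f"unusual action '{e.action}' for this user"),
            (e.location not in b["locations"], 2, f"access from unusual location '{e.location}'"),
            (e.device not in b["devices"], 1, f"access from unfamiliar device '{e.device}'"),
            (e.ts.hour not in b["hours"], 1, f"outside usual hours ({e.ts.hour:02d}:00)")):
        if hit:
            score, reasons = score + weight, reasons + [why]
    # Has this device recently copied *other* sensitive files?
    other_copies = {h.path for h in history
                    if h.device == e.device and h.action == "copy" and h.path != e.path
                    and h.path.startswith(SENSITIVE_PREFIXES) and e.ts - COPY_WINDOW <= h.ts <= e.ts}
    if other_copies:
        score, reasons = score + 2, reasons + [f"device copied {len(other_copies)} other sensitive file(s) in the last 24h"]
    # Bulk access: far more distinct files today than this user ever touched in one day.
    today = {h.path for h in history if h.user == e.user and h.ts.date() == e.ts.date()} | {e.path}
    if len(today) > 2 * b["max_files_per_day"]:
        score, reasons = score + 2, reasons + [f"{len(today)} distinct files today vs usual max {b['max_files_per_day']}"]
    return score, reasons


def triage(new_events, baselines, threshold=ALERT_THRESHOLD):
    """Score events in time order; return (event, score, reasons) for those worth an analyst's time."""
    alerts, history = [], []
    for e in sorted(new_events, key=lambda x: x.ts):
        score, reasons = score_event(e, baselines, history)
        history.append(e)
        if score >= threshold:
            alerts.append((e, score, reasons))
    return alerts


def make_new_events():
    """Constructed events to triage: a routine copy, a late-night export, and a login from elsewhere."""
    day = datetime(2018, 7, 2)
    return [
        # routine: the engineer copies a file she works on daily, in office hours, from her own laptop
        Event("alice", day.replace(hour=14), "copy", "/eng/firmware/main.c", "Fremont", "alice-laptop"),
        # malicious-insider pattern: the same laptop exports further sensitive files late at night
        Event("alice", day.replace(hour=22), "copy", "/eng/firmware/boot.c", "Fremont", "alice-laptop"),
        Event("alice", day.replace(hour=22, minute=5), "copy", "/eng/secrets/keys.pem", "Fremont", "alice-laptop"),
        # reluctant-insider pattern: bob's valid credentials used at 03:00 from a new place and device
        Event("bob", day.replace(hour=3), "read", "/finance/q2.xlsx", "Lisbon", "unmanaged-host"),
    ]


if __name__ == "__main__":
    baselines = build_baselines(make_baseline_log())
    for event, score, reasons in triage(make_new_events(), baselines):
        print(f"ALERT score={score}: {event.user} {event.action} {event.path} at {event.ts:%H:%M} ->", "; ".join(reasons))
```

Running the script prints three alerts and stays silent on the fourth event: the engineer’s daytime copy of a file she works on every day scores only 1 (the unusual action), which is exactly the case the article says should not be flagged. The same laptop copying a second and then a third sensitive file at 22:00 crosses the threshold because each new copy is weighed against the copies the device already made, and Bob’s credentials being used at 03:00 from a new city on an unmanaged host is flagged even though the file itself is one he opens daily, which is the imposter case: right password, wrong behaviour.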
In a world of time-poor, resource-stretched IT security teams, having a tool that minimises the number of false alerts, yet quickly identifies areas of real concern, is a must. And when it comes to the insider threat, time is of the essence, as it is likely the perpetrator will already have access to your sensitive data or be in a position to write and deploy code that could cause significant damage.
We all know there is no cybersecurity silver bullet, but UEBA is an important tool in a security team’s armoury, producing real-time, priority alerts that analysts know must be addressed immediately.