The importance of effective UEBA (User and Entity-Based Analytics) when countering insider threats

by Simon Howe, Director of Sales ANZ, LogRhythm

When you consider all the challenges facing IT security teams today, one of the most difficult is detecting threats that come from within their organisation. Most tools in place are designed to protect an infrastructure from outside dangers rather than monitoring what's going on within the firewall.

Insider threats fall into three broad groupings. The first are those carried out by employees with malicious intent. They might be looking to establish a new source of income by selling valuable data to a competitor or planning to take a copy of a customer database to a new employer.

The second group are termed 'compromised insiders'. These are people who may unwittingly have a device that has become infected with malware and use it to connect to the corporate IT infrastructure. Some may do nothing more than plug a stray USB key into their corporate PC.

The third group is known as the 'accidental insiders'. These are staff who inadvertently release sensitive data to a third party via email or perhaps leave an unsecured laptop in the back of a taxi. They don't intend to cause harm to their organisation but their actions end up doing just that.

The role of UEBA

To guard against insider threats, increasing numbers of organisations are turning to User and Entity-Based Analytics (UEBA) tools. These tools make use of the rapid advances being made in artificial intelligence and machine learning to assist security teams in overcoming the challenge.

A range of UEBA tools is available to organisations; however, the most effective need to be able to detect and respond to three key things: insider threats before fraud is perpetrated, compromised accounts before more systems are taken over, and privileged account abuse before sensitive data is accessed or operations are affected.

When considering the most appropriate UEBA tool for deployment, a security team should evaluate four key criteria. They are:

• 1 - The ability to prepare data and associate it with an identity

Data used for security monitoring and responses can come from a wide variety of sources. These include access control systems and content inspection filters, network management platforms and firewalls. This data needs to be analysed to understand its relevance and whether it contains signals of unauthorised activity.

This data also needs to be associated back to a specific user. Account identifiers such as Active Directory, cloud and email logins should all be held in a single location so that, if a user logs into a finance application and then logs into Dropbox to upload a large data file, this can be flagged for investigation. AI and machine learning capabilities can be used to create behaviour baselines, but these won't be useful unless they can be associated with a particular user.

• 2 - Use real-time analytics to detect threats

An effective UEBA tool will also be able to assist a security team by using its analytics capabilities to analyse the large volume of collected data to identify threatening user behaviour in real time.

The tool must be able to reliably spot threats using statistical analysis and learned trends. This helps to enhance the way risks are prioritised and helps minimise false positives by adjusting results against factors such as risk and context.
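As an added illustration of the two criteria above (not from the article or from LogRhythm's product), the Python below resolves constructed login and upload events from two sources to one canonical user, then flags only the upload that is statistically far above that user's own baseline. The identity map, upload history and events are all constructed sample data.

```python
import statistics

# Constructed identity map: each source names the same person differently
# (AD account, cloud/mail identity); all resolve to one canonical user.
IDENTITY_MAP = {
    "CORP\\jdoe": "jane.doe", "jane.doe@example.com": "jane.doe",
    "CORP\\bsmith": "bob.smith", "bob.smith@example.com": "bob.smith",
}

# Constructed per-user history of past upload sizes (bytes): the baseline.
UPLOAD_HISTORY = {
    "jane.doe":  [2_000_000, 3_500_000, 1_200_000, 4_000_000, 2_800_000],
    "bob.smith": [900_000_000, 1_100_000_000, 950_000_000,
                  1_300_000_000, 1_000_000_000],
}

# Constructed event stream: (timestamp_s, source, raw_actor, action, bytes).
EVENTS = [
    (100, "ad",    "CORP\\jdoe",            "login:finance_app", 0),
    (160, "cloud", "jane.doe@example.com",  "upload:dropbox",    3_000_000_000),
    (200, "ad",    "CORP\\bsmith",          "login:finance_app", 0),
    (230, "cloud", "bob.smith@example.com", "upload:dropbox",    1_200_000_000),
]

def resolve_identity(raw_actor, identity_map=IDENTITY_MAP):
    """Map a source-specific account identifier to the canonical user."""
    return identity_map.get(raw_actor, raw_actor)

def upload_zscore(user, size):
    """Standard deviations this upload lies above the user's own baseline."""
    hist = UPLOAD_HISTORY.get(user)
    if not hist or len(hist) < 2:
        return None  # no baseline yet: cannot score, surface separately
    mean, stdev = statistics.mean(hist), statistics.pstdev(hist)
    return 0.0 if stdev == 0 else (size - mean) / stdev

def detect(events, identity_map=IDENTITY_MAP, window=300, z_threshold=3.0):
    """Flag users who log in to the finance app and, within `window` seconds,
    upload far more data than their baseline predicts. Without a shared
    identity map the AD login and the cloud upload never join, so no alert."""
    last_finance_login, alerts = {}, []
    for ts, _src, actor, action, size in sorted(events):
        user = resolve_identity(actor, identity_map)
        if action == "login:finance_app":
            last_finance_login[user] = ts
        elif action == "upload:dropbox" and user in last_finance_login:
            if ts - last_finance_login[user] <= window:
                z = upload_zscore(user, size)
                if z is not None and z > z_threshold:
                    alerts.append((user, round(z, 1)))
    return alerts
```

Bob's upload is large in absolute terms but normal for him, so only Jane's upload is flagged; run with an empty identity map and nothing correlates at all.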

• 3 - AI / ML to enable hunting and user monitoring

The chosen UEBA tool should also help an organisation stay one step ahead of unauthorised behaviour and automatically flag the most significant threats for deeper analysis. In this way, it will shield security teams from high numbers of low-level alerts and allow them to focus their time and effort on the most serious threats.

Here, using a cloud-based AI / ML tool can provide an organisation with significant additional benefits. It can reduce the cost of adoption compared with an on-premises deployment, as it will require much less configuration before being put to work.

Using a cloud-based delivery model also accelerates innovation, as experience and knowledge gleaned in one place can be put to work in others.

• 4 - Strong integration with the underlying data platform

The fourth requirement for an effective UEBA tool is the ability to differentiate between simple anomalies and real threats. This is achieved by using the context made available through analysis of all available data and is aided when the tool is deeply integrated with the data store.

Such integration also provides the ability for security teams to have a single pane of glass for centralised forensic visibility of the entire IT infrastructure. This can lead to accelerated incident responses and more effective protection for the organisation.

By taking into account these requirements, a security team can be sure the best UEBA tool is being selected for deployment. Once in place, it will provide effective protection against one of the most challenging sources of threats - insiders.
