Lookout Endpoint Security

June 2, 2020

Five Step UEBA to Detect and Stop Insider Attacks

"Every year, more than 34% of businesses worldwide are affected by insider threats."

Sisa Infosec

Despite various investments in security, most organizations are still susceptible to data breaches caused by bad actors. The losses from an insider attack can be financial, reputational, or unrecoverable; even when they are recoverable, recovery is a long process for any organization. Statistics from the Ponemon Institute show that all types of insider threats are increasing, with the average number of incidents involving employee or contractor negligence rising by 28% per organization.

What has history taught us?

The insider attacks listed below show that basic precautionary measures are not enough to prevent bad actors from breaching an organization.

  1. In 2013, Edward Snowden, a security operative and subcontractor for the CIA at the time, exposed classified documents. This exposed both the National Security Agency (NSA) and the Five Eyes (FVEY), comprising the US, UK, Canada, New Zealand, and Australia. Snowden used his CIA authorization and easy access to classified information. His actions brought to light the mass surveillance of US and UK citizens, and of citizens of other nations, being carried out by both the NSA and FVEY.
  2. One woman was able to hack her employer, the Capital One Company, and many others using the skill set she had acquired as a former Amazon Web Services employee. Insider threat facts reveal that she was able to obtain the social security numbers of 140,000 citizens, 1 million Canadian Insurance Numbers, the personal information of 100 million customers, and 80,000 customer bank account numbers.
  3. A structural engineer and contractor to the US government was able to exfiltrate hundreds of boxes worth of documents about the US government's military and spacecraft programs from 1979-2006. This also shows how long an insider threat can go unnoticed, under the radar.
  4. The Punjab National Bank attack is one of the costliest insider attacks ever recorded. An employee was able to transfer funds worth £1.5 billion (about $1.84 billion) through letters of undertaking and foreign letters of credit, using the SWIFT interbank communications system to authorize the transfers.

How to stop an insider attack?

Constant vigilance. While organizations invest substantially in security solutions, one thing most often overlooked is the communication between the galaxy of apps and devices across locations in the cloud-mobile environment. Enterprise perimeters are no longer effective in 2020. With data flowing between different devices, locations, and clouds, it is important to understand the bigger picture and track each data route to prevent an insider attack from happening. Built on deep machine learning (ML) algorithms with behavior profiling and peer group analysis, User and Entity Behavior Analytics (UEBA) maps normal user and entity behaviour so that anomalies can be tracked when they occur, and focuses on insider threats such as employees with malicious intent, devices that are already compromised, or third-party entities that access your systems to carry out targeted attacks. UEBA monitors users across the enterprise clouds and stays with the user throughout the user journey, even after a valid login.

A five-step approach to curb malicious users through UEBA

As the famous Benjamin Franklin quote goes, “An ounce of prevention is worth a pound of cure.” UEBA provides a way to catch abnormal insider behavior and stop insider attacks:

1. Definition

The first step to preventing an insider attack is being aware. Through UEBA, create risk profiles for all users in your organization and assign a risk score based on their attributes such as their role, access rights, nature of business, years of experience, location, performance, and more.

2. Analysis

After the user risk profiles are mapped, the UEBA engine establishes a baseline of ‘normal’ activities, and deviations from it are logged as anomalies. UEBA applies behavioral analysis to connect the dots between seemingly “unrelated” activities and detects anomalies before they turn into breaches.

3. Monitoring

From a user accessing a sensitive document that is not required for their role, to a user logging in from a geographical location they have never logged in from before, the UEBA engine monitors multiple threat vectors and feeds anomalous data into behavioral and statistical risk models to estimate the likely outcomes.

4. Alerting

Depending on anomalous behavior of a user or entity, the UEBA engine can trigger automated protection workflows to alert relevant response teams to take immediate action. Real-time dashboards, detailed charts and granular reports enable a new layer of governance after an alert is triggered.

5. Automated Policy Enforcement

As UEBA triggers an alert of anomalous behaviour, mapped Data Loss Prevention (DLP) policies are activated as part of the automated workflow. Even if data is downloaded and sent outside the organization, it will be encrypted and a malicious user will be locked out from viewing the content.
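As an added example (not Lookout's code or its product logic), the following Python sketch walks through the five steps above on a constructed event log: role-based risk profiles, a per-user baseline, scoring of new events, an alert threshold, and a mapped DLP action. All roles, events, weights and thresholds are assumed for illustration.

```python
# Added example: a toy UEBA pipeline following the five steps
# (risk profile -> baseline -> monitoring -> alerting -> DLP policy).
# Roles, events, weights and thresholds are constructed, not real product values.
from collections import Counter, defaultdict

# Step 1 (Definition): risk profile per role, with the document labels the role needs.
ROLE_PROFILE = {
    "engineer": {"base_risk": 0.2, "allowed_labels": {"public", "internal"}},
    "finance": {"base_risk": 0.4, "allowed_labels": {"public", "internal", "confidential"}},
}

# Constructed history: (user, role, country, document label, action)
HISTORY = [
    ("alice", "engineer", "US", "internal", "read"),
    ("alice", "engineer", "US", "internal", "read"),
    ("alice", "engineer", "US", "public", "read"),
    ("bob", "finance", "US", "confidential", "read"),
    ("bob", "finance", "US", "confidential", "download"),
    ("bob", "finance", "GB", "internal", "read"),
]

def build_baseline(events):
    """Step 2 (Analysis): per-user counts of seen countries and labels, i.e. 'normal'."""
    baseline = defaultdict(lambda: {"countries": Counter(), "labels": Counter()})
    for user, _role, country, label, _action in events:
        baseline[user]["countries"][country] += 1
        baseline[user]["labels"][label] += 1
    return baseline

def score_event(event, baseline):
    """Step 3 (Monitoring): compare one new event to the baseline and role profile."""
    user, role, country, label, action = event
    profile = ROLE_PROFILE[role]
    score, reasons = profile["base_risk"], []
    if country not in baseline[user]["countries"]:
        score += 0.3; reasons.append(f"login from new location {country}")
    if label not in profile["allowed_labels"]:
        score += 0.4; reasons.append(f"{label} document not required for role {role}")
    if action == "download" and label == "confidential":
        score += 0.2; reasons.append("download of confidential document")
    return round(score, 2), reasons

def respond(event, baseline, alert_at=0.7):
    """Steps 4-5 (Alerting, Policy Enforcement): alert above threshold, map a DLP action."""
    score, reasons = score_event(event, baseline)
    if score < alert_at:
        return {"score": score, "alert": False, "dlp": "allow", "reasons": reasons}
    # Downloads are encrypted and access revoked; other anomalies require step-up auth.
    dlp = "encrypt_and_revoke" if event[4] == "download" else "require_step_up"
    return {"score": score, "alert": True, "dlp": dlp, "reasons": reasons}
```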