Detect Insider Threats with User Behavior Analytics

Share this post:

A 2020 Ponemon Institute study reported a staggering 47% rise in insider threats over the past two years.

While, historically, insider threats have always accounted for majority of cyberattacks, you might ask what changed in the last two years to cause this massive spike?

The pandemic, which resulted in rise of remote work, and acceleration of workload migration to the cloud are the key factors.

With the average annual total cost of insider threats¹ rising to $11.45M, and more than 60% of those

threats coming from negligent users, not malicious ones, organization concerns remain high that massive data breaches will occur because of insider threat.

Additionally, even as majority of cyberattacks – up to 60% – are from insider threats, many organizations fail to address internal dangers because such risks are difficult to detect and often go unnoticed for months or years.

Why is that, you might ask.

The reason is that there are several challenges to existing cybersecurity approach:

• Insider threat detection is not about “known bad”: Existing intel is primarily limited to known bad actors, resulting in limited visibility into user behavior patterns across devices, systems, and data.
• Response is manual: Monitoring potentially malicious activity for individual users is manual and requires many disconnected tools. Manual and reactive response means security teams often get to do too little, too late.
• Static protection policies: Improvements made to enforcement layer are mostly manual and often there is little or no integration to improve protection policies based on insider behavior.

They key point to ponder over is that with insider threats being on the rise, is your security up to the task?

The current security posture of most enterprises is manual and reactive. As the scope and scale of insider threats continues to increase, static protection policies become less effective over time. There is, hence, a need to proactively manage these cybersecurity risks.

This is where a zero-trust based approach, by modernizing your security posture, could help remain a step ahead of insider threats across your organization.

Zero Trust approach for addressing Insider Threats

Security teams need the ability to quickly and accurately detect, investigate and respond to these insider threats. Zero Trust based approach gives them that ability.

A key aspect of the Zero Trust approach for addressing Insider Threats is identifying user behavior that deviates from the normal. This is particularly important for privileged users like network engineers, IT security pros, IT auditors, database and systems admins, developer, and data center managers.

Since these users can modify or delete data, including audit logs, access corporate resources and other sensitive information – even though that access is not needed to perform their job – they are often targeted by APT attacks.

In fact, 40% of insider incidents involved an employee with privileged access to company assets².

It thus becomes important to uncover anomalous behaviours to be able to quickly and effectively identify rogue insiders and cyber criminals using privileged credentials.

The question is how to do that.

Detects insider threats based on user behavioral anomalies

40% of insider incidents were detected through alerts generated via an internal monitoring tool².

Enterprises, hence, need to monitor user activity across assets to identify anomalous behavior and enable an automated response based on anomalous behavior across assets.

By adopting a user-focused view, zero-trust approach can help your security teams quickly detect user behavior anomalies and manage user risk from a centralized location.

User behavior analysis (UBA) and fine-grained machine learning algorithms can detect when users deviate from normal activity patterns or behave differently from their peers.

UBA creates a baseline of normal activity and detects significant deviations to expose both malicious insiders and users whose credentials have been compromised by cyber criminals.

UBA analyses user activity to detect malicious insiders and determine if a user’s credentials have been compromised. It helps security analysts see risky users, view their anomalous activities, and drill down into the underlying log and flow data that contributed to a user’s risk score.

To detect suspicious activity from any type of attacker, it is important to understand what type of activity is considered normal inside your network. Building a strong understanding of baseline activity makes it easier to detect and respond to anomalous behavior promptly and effectively.

A robust UBA solution can provide this functionality and adapt to changes in your environment over time.

As an integrated component of the IBM Security QRadar Security Intelligence Platform, QRadar UBA leverages out of the box behavioural rules and machine learning (ML) models to adds user context to network, log, vulnerability, and threat data to more quickly and accurately detect attacks.

Learn more about how QRadar UBA integrates seamlessly with IBM Security QRadar.

Read more here:

The Cost of Insider Threats 2020

2021 IBM Security X-Force Insider Threat Report