Ross Brewer, pictured, vice president and managing director EMEA, LogRhythm, covers how organisations can use User and Entity Behaviour Analytics (UEBA) to detect threats.
The threat landscape looks very different than it did ten, or even five years ago. Hackers have become much more technically sophisticated; they are researching, targeting and exploiting organisations’ vulnerabilities by any means, and via a number of attack vectors. Cyber-attacks are now inevitable and pose an increasingly serious risk to organisations – particularly as they become increasingly connected. While most companies have invested in detection and investigation technologies, today’s constant stream of threats create an overwhelming amount of noise, making it difficult to determine/assess/analyse the actual risk and know how to better predict future threats. This is where big data analytics, such as security intelligence and User and Entity Behaviour Analytics (UEBA), comes into play.
Investigating a breach results in a lot of data, which can contain valuable information about how and why the breach occurred. Security intelligence can provide security teams with the ability to investigate events in real time, and delve into historical data to discern patterns and find evidence related to events or breaches that have occurred. For businesses that have good post-breach processes in place, this data can be repurposed to help detect and prevent future attacks and breaches.
Threat from within
However, an increasing number of attacks originate from within the organisation. Insider threats can take many forms. Indeed, company credentials can be compromised and used by an external agent, a disgruntled employee or a rogue insider. Privileged accounts are particularly at risk from being targeted as they give attackers access to more of the network than normal credentials. Unsurprisingly, recent research we conducted revealed that 88 percent of IT decision makers in the US, UK and Asia view insider threats as a dangerous and growing concern in defending their organisations. This is subsequently a growing problem for security teams who are responsible for monitoring hundreds, if not thousands, of user accounts. Organisations are under siege by an ecosystem of threat actors, yet security teams are faced with significant obstacles when securing qualified personnel to combat these threats. These challenges are often heightened by organisational pressure to relax controls and unlock business productivity. The fact is that security teams increasingly need to be able to protect company data without time and money on their side. Implementing extensive manual threat-hunting exercises is no longer realistic.
A growing need for UEBA
As user accounts become critical attack vectors for cybercriminals intent on data theft or simply damaging systems, UEBA is fast becoming a powerful tool for the security team. UEBA lets organisations detect insider threats, targeted attacks, and financial fraud in real-time, allowing SecOps to see at a glance if something out of the ordinary is happening on the network.
UEBA technology essentially gathers large amounts of data on user activity and behaviour from disparate data sources. The system then learns the behaviour of users and entities (in other words, devices, servers and other endpoints) by applying scenario-based algorithms that use machine learning, statistical analysis, peer group analytics and other techniques. Once the system has established a baseline of what ‘normal’ user or entity behaviour looks like it can detect and report anomalies and unusual activities far quicker than manual checks.
For example, if ‘User A’ typically logs in at 09:00, fires up Outlook and glances at Internet Explorer over lunch, then all is well. However, if one morning User A logs in at 03:00 from an overseas location, exports a large amount of data from a company database and logs on to a cloud storage website, some alarm bells will (quite rightly) start to ring. The technology can help organisations build much more secure and resilient systems. Algorithms can adapt, risk tolerances can be changed and baselines reset. In other words, the system learns over time and becomes more effective at detecting – and predicting – insider threats. UEBA can also help organisations improve security by identifying weak links in any chain.
The proliferation and innovation of business-enabling technology, combined with the speed of today’s advanced hackers to adopt and adapt to the latest technology, is making it increasingly difficult – if not impossible – for security teams to evolve their rapid threat detection and response capabilities as quickly as their adversaries. By having the ability to automatically spot deviations from normal behaviour and monitor the creation, deletion and permission of privileged accounts, organisations are able to recognise established patterns and identify both internal and external threats as soon as they appear. Furthermore, having the ability to do this automatically enables IT teams to rely less on the human eye, thus minimising false positives, and allowing them to spend time on more productive tasks. Ultimately, we still need to guard the organisation perimeter, or what remains of it, but security professionals need to adapt to the increase in the number of attacks and respond to the increasingly sophisticated ways in which systems can be breached. The fact is that UEBA is now a potent weapon in the cybersecurity arsenal.
