Cyber attacks today are increasingly complex and well targeted. Recent high-profile breaches such as TalkTalk or Ashley Madison were carefully planned and went undetected for some time. However, many companies’ worst nightmare would be a malicious insider who is already within the corporate network and moving freely around the IT environment. Such insiders have the further advantage that most companies’ primary security tools protect against external threats, not against trusted employees.
Currently, there is a huge imbalance between security tools: those that control and those that monitor the IT infrastructure. As many organisations’ security strategies focus mostly on preventing threats, they build more and more layers of access controls, policies and walls, and use predefined patterns and rules to detect these threats. But even bigger walls and even more controls do not necessarily yield the expected result, as the recent data breaches have proved. On top of that, challenges such as outsourcing and cloud computing mean that keeping up with change requires vast amounts of resources.
This means that today, users, rather than the infrastructure, should be the new focus of security measures. “User Behavior Analytics” (UBA) is an approach to protecting against insider threats that concentrates on what users are doing in the system and detects deviations from normal behaviour. UBA can help companies focus their security resources on the important security events, and can also allow them to replace some controls, yielding greater business efficiency.
Users’ digital footprints
The premise of UBA is that all users leave their own digital footprints around the corporate network. Their actions appear in logs, audit trails, changelogs in business applications and in numerous other places such as SIEM or PAM solutions. UBA solutions do not require predefined correlation rules or any additional probes or agents to be deployed; they simply work with the existing data, and from this it is possible to build a baseline of what is “normal” for any user: for example, when they are usually active, which services they use, how they use those services and so on. UBA solutions use various machine learning algorithms to create this profile of each user.
Once this baseline is established, UBA tools can compare activities with the user’s usual behaviour and identify unusual behaviour in real time. An attacker using a hijacked account or a malicious insider will interact with the system differently from a normal user: for example, they will access different servers, log in from other places and at other times, and download more data and different types of data. By comparing these activities with the baseline and detecting suspicious activities in real time, it becomes possible to react immediately. Automated responses can significantly reduce the time a malicious attacker has before any countermeasure is taken.
UBA is a sophisticated approach that helps organisations address some of the biggest IT security challenges: identifying either malicious actors attempting to compromise internal accounts or insiders using their normal credentials.
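As an added illustration (not part of the original article or of any BalaBit product), the following Python sketch builds a per-user baseline from constructed audit-trail lines and scores new events against it by active hour, server and download volume. The log format, the user and server names, and the "mean plus three standard deviations" volume threshold are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit-trail lines: "<user> <ISO timestamp> <server> <bytes downloaded>".
BASELINE_LOG = [
    "alice 2016-03-01T09:02:11 fileshare01 1200000",
    "alice 2016-03-01T10:47:03 crm01 3500000",
    "alice 2016-03-01T13:15:40 crm01 2100000",
    "alice 2016-03-01T15:30:09 fileshare01 4800000",
    "alice 2016-03-01T16:58:22 crm01 2600000",
    "bob 2016-03-01T08:10:00 build01 1900000",
]

def parse(line):
    """Split one log line into (user, hour of day, server, bytes)."""
    user, ts, server, nbytes = line.split()
    return user, datetime.fromisoformat(ts).hour, server, int(nbytes)

def build_profiles(lines):
    """Learn each user's 'normal': active hours, servers used, download volumes."""
    profiles = defaultdict(lambda: {"hours": Counter(), "servers": Counter(), "volumes": []})
    for line in lines:
        user, hour, server, nbytes = parse(line)
        profiles[user]["hours"][hour] += 1
        profiles[user]["servers"][server] += 1
        profiles[user]["volumes"].append(nbytes)
    return dict(profiles)

def score_event(profiles, line):
    """Compare a new event with its user's baseline; every deviation adds one point.
    Returns (score, reasons) so an analyst can see why the event was flagged."""
    user, hour, server, nbytes = parse(line)
    profile = profiles.get(user)
    if profile is None:                       # account with no history at all
        return 1, [f"no baseline for user {user}"]
    reasons = []
    if profile["hours"][hour] == 0:
        reasons.append(f"active at unusual hour {hour:02d}:00")
    if profile["servers"][server] == 0:
        reasons.append(f"first access to server {server}")
    # Volume well above the user's own history: mean + 3 population std devs (assumed threshold)
    ceiling = mean(profile["volumes"]) + 3 * pstdev(profile["volumes"])
    if nbytes > ceiling:
        reasons.append(f"downloaded {nbytes} bytes, baseline ceiling ~{ceiling:.0f}")
    return len(reasons), reasons

PROFILES = build_profiles(BASELINE_LOG)
```

With only a handful of baseline lines the volume ceiling is very tight (a user with a single historic download has a standard deviation of zero), so in practice a profile needs a long enough observation window before its scores are meaningful.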
By Márton Illés, Product Evangelist, BalaBit