User behaviour analytics: Combat the threat within

A malicious insider has the potential to be an organisation's worst nightmare. Márton Illés looks at how user behaviour analytics can be implemented to help close the gap on insider threats.

Márton Illés, product evangelist, BalaBit
Márton Illés, product evangelist, BalaBit

As if risks from external hackers wasn't enough to keep many a CIO awake at night, it seems that  the damage that someone on the inside can do – whether that is an ex employee with an axe to grind or intent on financial gain – is adding to the list of worries. In fact, the 2015 Verizon data breach investigation report states that more than half (55 precent of incidents) occurred as a result of users abusing the access they have been entrusted with. A malicious insider has the potential to be an organisation's worst nightmare as they have one major advantage – the element of surprise.

Incidents such as the Morrison's case, where malicious insiders not only accessed the staff payroll system and published data such as bank account details online but also sent the details to a newspaper on a disk, highlight the damage that can be done.  The fact is that traditional security perimeters that organisations have focused on have changed drastically, and today, it is no longer efficient to focus solely on an ‘outwards-in' approach to security by building the security ‘walls' higher. It is time for organisations to also turn their attention to new perimeter – their internal users, and have greater insight into what is happening on the corporate network. Unfortunately, spotting the internal threat has been notoriously difficult to achieve and there are many blind spots on the corporate network.

However, all is not lost as today, there are new approaches emerging – which harness the power of data which many organisation already collect, to provide new insights and intelligence to protect against malicious activity on the inside.  One such approach, known as user behaviour analytics (UBA), is gaining ground. It allows user activity to be analysed and provides an effective way of detecting meaningful security events, such as a compromised user account and rogue insiders³.

A UBA approach can enable an organisation to track any user's day-to-day activities. It's an approach which uses machine learning algorithms to create a profile of users, their normal activities and behavioural patterns, in order to track any abnormalities in their activity. By detecting deviations and suspicious activities from normal users' behaviour in real-time, it enables companies to react to threats immediately and rectify it as soon as possible in order to minimise risks such as financial loss or reputational damage.

How does it work?

As countless employees, contract workers and partners access the corporate network, they leave their digital fingerprints all over the system. There are logs and audit trails created for each action, and this valuable data can be utilised even further than for traditional SIEM applications.

UBA solutions do not require predefined correlation rules or agents to be deployed; rather it simply works with the existing log data. Neither does it mean adding new layers of monitoring; it simply collects and analyses the already existing data. As most of the UBA tools log exactly what kind of data was accessed by the security analyst, the users can be sure that the data was used only for security reasons.

Using the gathered data, it is then possible to build a baseline of what's “normal” for users, for instance when they are usually active, what services they are using, how they are using those services and so on, and then use machine learning algorithms to create a profile for each user and their credentials.

After this baseline is established, UBA tools are able to compare activities to the usual behaviour of users and as a result, will be able to identify any unusual behaviour. If an employee uses someone else's credentials, logs in from a different place or downloads “unusual” data, or in the event that an account has been high jacked, the system administrator will be alerted immediately. And because these activities can be compared to the baseline instantly, malevolent activities and insiders can be stopped in their tracks.

Why?

If we look at recent high profile cyber-attacks, we can assume that hackers took their time to investigate the target thoroughly before the attack occurred. We can further assume that the ability to detect and respond to the attack during this phase is critical to prevent anything happening further and to minimise the loss and damage. From the corporate point of view, reactions can range from a simple notification to the user, to the suspension of the account in question, and can be done automatically or by involving human intelligence for a more detailed assessment.

UBA tools are by no means the new silver bullet for the IT security industry, but are a sophisticated tool to address some of organisations biggest cyber-challenges: the ability to detect malevolent outsiders trying to come in from the outside through compromised accounts or to recognise malicious insiders abusing their normal credentials. This not only speeds up the investigation process of any suspicious activity but also means that users' day to day business activities aren't impeded. 

Contributed by Márton Illés, product evangelist, BalaBit