Insider Threats and User Behavior Analytics

Cyber-attacks from employees and other insiders is a common problem for all organizations. Most of the times such attacks go unnoticed for many months to years and many a times it is never detected. Usually such attacks within private organizations are never reported outside unless it causes losses or impact to their customers. Snowden and WikiLeaks are famous examples of insider attacks known in public domain.

So, what is Insider Threat?

An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data and computer systems.

Insiders pose a significant threat to organization because they have the knowledge and access to proprietary systems that allow them to bypass security measures through legitimate means.

What is motive of insider attackers?

Through analysis of various insider attack cases, motives of insider attackers fall in following main categories:

• IT sabotage – Direct specific harm at an organization or individual.
• Theft of intellectual property (IP) – Steal IP from an organization. This includes industrial espionage involving insiders
• Fraud – Includes all cases involving insiders who used IT for the unauthorized modification, addition, or deletion of data for personal gain or theft

Prevention, Detection and Responding to insider attacks is the responsibility and challenging task for Information Security team of every organization. While I don’t discuss about Security layers or architectures in this blog, I’ll like to mention that following most fundamental principles must be enforced at each security layer to tackle insider threats.

• Authorized access
• Acceptable use
• Continuous monitoring

Some Behavioral Indicators of Insider Threat Activity:

• Remotely accesses the network while on vacation, sick or at odd times
• Works odd hours without authorization
• Notable enthusiasm for overtime, weekend or unusual work schedules
• Unnecessarily copies material, especially if it is proprietary or classified
• Interest in matters outside of the scope of their duties
• Signs of vulnerability, such as drug or alcohol abuse, financial difficulties, gambling, illegal activities, poor mental health or hostile behavior, should trigger concern. Be on the lookout for warning signs among employees such as the acquisition of unexpected wealth, unusual foreign travel, irregular work hours or unexpected absences

User Behavior Analytics

A new approach called User Behavior Analytics (UBA), can be used to monitor and detect these insider attacks and attempts using big data and machine learning algorithms to assess the risk, in near-real time, of user activity.

While UBA won’t prevent hackers or insiders from getting into your system, it can quickly spot their work and minimize damage

UBA focuses on what the user is doing like apps launched, network activity, and, most critically files accessed, resources used, duration of sessions, connectivity and peer group activity etc. to compare anomalous behavior.

UBA technology searches for patterns of usage that indicate unusual or anomalous behavior — regardless of whether the activities are coming from a hacker, insider, or even malware or other processes.

UBA technologies analyze historical data logs including network and authentication logs collected and stored in log management and SIEM systems to identify patterns of traffic caused by user behaviors, both normal and malicious.

UBA tools first determine a baseline of normal activities specific to the organization and its individual users. Second, they identify deviations from normal. UBA uses big data and machine learning algorithms to assess these deviations in near-real time.