How to leverage user behaviour analytics for insider threat profiles

According to a recent Crowd Research Partners Insider Threat Report that surveyed over 500 cybersecurity professionals, a majority of the respondents (62%) saw a rise in insider attacks over the last 12 months.

Respondents who were willing to admit they suffered an insider attack averaged 3.8 incidents per organisation per year. The survey also found an average remediation cost of $445,000 per insider attack, though it is safe to assume that this number is driven by larger organisations. Regardless, the bottom line up front is that insider attacks are real and costly.

These statistics highlight the increasing need for better security practices and solutions to reduce the risk of an insider attack. One effective new technology that’s being incorporated into security strategies today is User Behavior Analytics (UBA).

UBA enables enterprises to better detect insider threats, targeted attacks and financial fraud by looking at patterns of human behavior and then applying algorithms and statistical analysis to detect meaningful anomalies from those patterns – anomalies that indicate potential threats.

An August 2014 report, 'Market Guide for User Behavior Analytics,' by Gartner analysts Avivah Litan and Mark Nicolett states that 'user behavior analytics (UBA) is transforming security and fraud management practices because it makes it much easier for enterprises to gain visibility into user behavior patterns to find offending actors and intruders.'

Companies are waking up to the fact that they need to do more to protect their assets and reputation against insider attacks, and detecting deviations from the normal behavior patterns of the users in their environments is a critical step. The UBA space is evolving rapidly, and there are some fairly significant differences in approach from one solution provider to the next. Still, the growing attention being paid to user activity and behavior is welcome.

UBA can detect malicious and unintentional insider threats

UBA has been gaining credibility in security circles for its ability to find both malicious and unintentional insider threats. In the case of malicious insiders, the technology is often used to identify employees who attempt to cause intentional harm to an organisation and/or its network as well as to detect compromised credential use.

UBA is also able to address the non-malicious insider – a legitimate user or employee who may unknowingly cause harm to an organisation by accidentally exposing sensitive data or disrupting production.

Behavior analysis is not a new concept

Analysing behavior is something the IT and Information Security community have been doing for a long time. For example, there are solutions that analyse the behavior of network traffic, looking at anomalies in traffic flows as a means of detecting data exfiltration activity that a DLP solution simply can't detect or prevent.

It's logical, and in some ways overdue, that we apply similar approaches to the behavior of insiders. No group has greater knowledge of, and access – often unfettered – to, the highly valuable data and systems within an organisation.

UBA quantifies what was previously unquantifiable and empowers enterprises to protect themselves from insider threats that may have previously flown under the radar. And as UBA evolves, new solutions that incorporate the technology will carve out their own place in the security market, representing an increasingly large piece of a multi-layered security strategy.

It's the function of user behavior analytics to identify situations where the conditions are ripe for an insider incident. It's the function of the human operators that receive that information (whether it be inside of their SIEM or via direct alerts) to use it judiciously and wisely.

Organisations need the ability to detect anomalies in user behavior to make sure they are aware of the threats that exist within them, because attackers, no matter how skilled they are, will cause deviations from normal behavior patterns.
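To make "deviations from normal behavior patterns" concrete, the following is an added example (not part of the original article and not any vendor's algorithm) that scores each user's latest day against that user's own baseline with a median/MAD modified z-score. The user names, counts, feature names, the 3.5 threshold and the floor of one event on the spread are all constructed assumptions.

```python
from statistics import median

# Constructed sample data: per-user daily (files_read, off_hours_logons).
# The last tuple is the day being scored; earlier tuples are the baseline.
HISTORY = {
    "alice": [(40, 0), (35, 0), (42, 1), (38, 0), (41, 0), (39, 0), (37, 0), (44, 0)],
    "bob":   [(12, 0), (15, 0), (11, 0), (14, 0), (13, 0), (12, 0), (16, 0), (480, 3)],
    "carol": [(5, 0), (5, 0), (5, 0), (5, 0), (5, 0), (5, 0), (5, 0), (6, 0)],
}
FEATURES = ("files_read", "off_hours_logons")
THRESHOLD = 3.5  # assumed cut-off for the modified z-score; tune per environment


def robust_z(value, baseline):
    """Distance of value from the baseline median, in units of MAD.

    Median and MAD are used instead of mean and standard deviation so that
    one earlier spike in the baseline does not hide the next one.
    """
    med = median(baseline)
    mad = median([abs(x - med) for x in baseline])
    # A perfectly flat baseline has MAD == 0, which would divide by zero or
    # alert on a one-event change. Assumption: treat spread as >= 1 event.
    scale = max(mad, 1.0)
    return 0.6745 * (value - med) / scale


def score_users(history, threshold=THRESHOLD):
    """Return {user: [(feature, score), ...]} for features above threshold."""
    alerts = {}
    for user, days in history.items():
        *baseline, today = days
        for i, feature in enumerate(FEATURES):
            z = robust_z(today[i], [d[i] for d in baseline])
            if z > threshold:  # only increases in activity are flagged here
                alerts.setdefault(user, []).append((feature, round(z, 1)))
    return alerts


if __name__ == "__main__":
    for user, hits in score_users(HISTORY).items():
        print(user, hits)
```

On this data only bob's file-read volume is flagged. Carol's flat baseline, and bob's three off-hours logons against an all-zero baseline, stay below the threshold because of the floor on the spread.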

Sourced from Mike Tierney, COO, SpectorSoft

Ben Rossi
