Remote work has disrupted business operations and brought unexpected shifts in the way organizations work. The new way of work also demands exposure of applications outside the corporate network and access to critical data through VPN or directly over the web.
The impact of these activities on data privacy and compliance is huge. Expansion in the boundary of work, lesser supervision, and flexible workplace policies has also resulted in increased security risks. Insider risks are one such risk, which has witnessed an increase due to the sudden rise in the number of employees (close to 100%) working remotely, and this has opened a considerable amount of security issues.
Insider threat is the misuse of authorized access to an organization’s network or assets, either intentionally or unintentionally by a current or former employee, or any party doing business with the organization.
Types of insider threats
Based on the intent and the motivation of the person involved, insider threats get categorized into three types.
“Compromised” threat actors who have stolen a legitimate employee’s credential posing as authorized users, utilizing their accounts to exfiltrate sensitive data.
“Negligent” employees having no security awareness misusing or exposing confidential data. (E.g. Sharing data with wrong persons, inability to protect credentials)
“Malicious” current or former employees, third parties, or partners who use their privileged access to steal intellectual property. (E.g. Disgruntled employees or partners)
Insider threats can present a significant challenge for security teams and employees. The Ponemon Institute’s 2020 Cost of Insider Threats Report states that there are on average 3.3 insider incidents per company, and the average cost of an insider threat is around $11.45 million. The report also states it takes on an average 77 days to detect and resolve an insider threat. The numbers are scary and enough to make any CISO paranoid.
Moreover, from a behavioral perspective, the new normal has made the hacker and employee look the same since both are trying to access the corporate network from a remote location. It is indeed a challenge to distinguish user activities between good and bad users. The traditional tools we have been using so far aren’t helping us to identify and respond to various user behaviors across different time zones.
Monitoring User Behavior
User & Entity Behavior Analytics (UEBA) enables clients to identify various risk profiles of users through alerts on suspicious behavior. It is a good tool to detect insider threats, UEBA leverage machine learning to analyze various events from different logs (active director logs, application logs, server logs, device logs, etc.) to identity users performing risk behavior.
The two main advantages of UEBA is in risk profiling and unified user identities. Security use cases drive risk profiling; this includes checking for users browsing malicious phishing websites, malware downloads, login anomalies, user access during unusual times, modification of privileges, anonymous source accessing user accounts, risky downloads, large outbound data transfers, etc.
Unified user identities are achieved by importing data of various accounts of a user and analyzing risk and traffic of usernames used by the user. UEBA is augmented by traffic (user access, authentication, account changes), network user behaviors, and logs of endpoints and applications to enable more use cases related to profile risks.
UEBA is of immense help for security teams as it helps them in identifying and responding to threats which otherwise would have gone unnoticed, E.g. Flow based anomalies such as access to personal information and DNS anomalies (tunneling & exfiltration). If the risk score is more than the threshold for a user, security teams can quickly scan the assets used and monitor the possible attack vectors for such risky users.
They can also get a risk score, which can be changed as per business needs. The score rating can be increased or decreased based on the authority. User trails and past incidents can be analyzed to recognize any compromise by comparing logs/flows and behaviors. Other UBA benefits include, ML-driven time series analysis to detect anomalies & prevent compromises, and in-depth forensic analysis to retrace attacker actions on a malicious incident.
Leveraging UEBA To Address Insider Threats
Remote work has redefined the boundaries of the office environment. Risk scenarios have witnessed a paradigm shift, and the focus should also be on mitigating insider threats. Security visibility should expand to monitor user behavior, and this is possible only through intelligent security analytics solutions such as UEBA.
UEBA helps to establish a baseline for remote users, know how they interact, and identify any anomalous behaviors across different times zones and geographic locations. Organizations will be able to regularly track user sessions, reduce false positives, and simultaneously monitor different event sequences. UEBA must be a critical component of a security infrastructure and is the best possible investment to track any deviation or compromise in employee behaviors.
Mitigate the Insider Threats with Aujas MDR
Aujas MDR focuses strongly on the threat monitoring, detection, and response processes. It uses advanced security technologies like threat intelligence, behavior analysis, analytics, UEBA (user and entity behavior analytics) and ML driven real-time correlation as a part of threat detection techniques.
The unique differentiator for Aujas lies in its comprehensive MDR service offerings backed by improved threat hunting ability by use of next-gen technologies. In Aujas MDR, integrating UEBA to SIEM solutions enhances the collection, analysis, and response to threats originating from inside the network. The security analytics feature helps to track unusual user, host, network, and application behavior while detecting a threat.