Weekly Blog

5 Ways UEBA Protects Against Insider Threats

Date 6 Jan 2022
BinaryFlux Team


The sad truth about today’s corporate security is that even if you monitor web gateways, deploy firewalls and intrusion prevention tools, and encrypt connections with systems like VPNs, your data is still likely to be compromised - if not by outsiders, then by insiders.

According to the Verizon Data Breach Investigations Report, 30% of data breaches involve internal threats.

Insider threats are attacks that undermine an organization’s security from within. They originate with users who have legitimate access to your organization’s network, applications, or databases. The most common sources of insider threats within a corporate network include:

  • Current employees
  • Former employees
  • Contractors
  • Business partners
  • Temporary workers
  • Outsourcers
  • Suppliers
  • Service Providers

Although the term “insider attacks/threats” suggests such threats are deliberate attempts to exfiltrate data for personal gain, the reality is that insider threats can also arise unintentionally.


Types of insider threats

Negligent insiders

More than two out of three insider threat incidents are caused by negligence.

Negligent insiders are employees who, despite having a laid-down cybersecurity protocol, choose to ignore these healthy cyber practices. Although they have no intent to harm the organization, their negligent actions end up causing a security breach.

A prominent example of a negligent insider incident came in December 2019, when a researcher from Comparitech noticed that around 250 million Microsoft customer records - including email addresses, IP addresses, and location data - were exposed on the open web, all because the relevant employees had failed to secure the databases properly.

Malicious insiders

These are employees or contractors who intentionally harm an organization by exposing its sensitive business data to external parties or using it for personal gain, whether to advance their careers, settle grudges with employers, or for other motives.

For instance, in a recent insider case that made headlines, a former employee of a medical device packaging company, laid off in early March 2020, hacked into the company’s computer network, granted himself administrator access, and then edited and deleted nearly 120,000 records.

Jeopardized insider

These are users who follow organizational rules, perform their daily tasks, and have no malicious intent, but unfortunately end up serving as a gateway for an attack. The most common example is an employee whose computer has been infected with malware that can scan file shares, escalate privileges, infect other systems, and more.

In July 2020, one cybercrime group conducted one of the most high-profile hacks — knocking 4% off Twitter’s share price in the process. The cybercriminals logged into Twitter’s admin tools, changed the passwords of around 130 high-profile accounts — including those belonging to Barack Obama, Joe Biden, and Kanye West — and used them to conduct a Bitcoin scam.

Whatever the nature of the insider threat, the amount and cost of data at risk is always massive.

According to Harvard Business Review, at least 80 million insider attacks occur annually in the U.S. alone, costing tens of billions of dollars every year. 

The most common targets for insider attacks are sensitive resources such as financial reporting data (enabling illegal trading in a company’s stock), customer data (to benefit competitors), product or technical documents (valuable to competitors), employee data, and more. These datasets serve different purposes and are hence stored in several places, including backup, compliance, dev/test, and reporting systems. To tackle insider threats effectively, it is important to identify all the places where sensitive data resides, who has access to it, where they copy it, and whether their actions are justified or unusual - all in real time. Carrying out these activities together at scale requires automation and machine learning - this is where UEBA fills the gap.


User and Entity Behaviour Analytics (UEBA)

User and Entity Behavior Analytics (UEBA) plays a pivotal role in detecting user behavior that could put your organization at risk.

UEBA uses machine learning and deep learning to model the behavior of users and entities on corporate networks. By doing so, it allows organizations to track, collect, and analyze data for anomalous behaviors that could indicate insider attacks.

The best part about UEBA tools is that they enhance the performance of your existing security monitoring tools instead of replacing them. Their overarching strengths include:

  • Proactive approach
  • Anomalous behavior detection
  • Compromised account detection
  • Permission and policy alteration detection
  • Machine learning capabilities
  • Statistical analysis backup
  • Fewer false positives


How UEBA Predicts, Detects, and Stops Insider Threats

UEBA’s machine learning system takes proactive measures to predict, detect, and stop security breaches, policy violations, and privilege abuses committed by internal actors. Here are 5 ways UEBA does that:

  1. Behavioral Analysis
    As part of modeling, the UEBA analytics engine creates a baseline behavior profile for every user and entity in the system. It then runs in prediction mode to detect any activity that departs from this baseline. This, combined with threat intelligence feeds and alerts generated by other security systems, yields a risk-prioritized score for every user and entity, which is then used to investigate incidents.

    This feature helps deal with both negligent and malicious insiders. With behavioral analysis, UEBA can detect in real time unusual behavior such as a user “wandering” across resources they never normally touch, or crawling network shares and files. Such activities need immediate attention as they can lead to multiple resource breaches and exposure of the organization’s IP, customer data, sensitive information, etc.
  2. Account-based analysis
    UEBA automatically tackles compromised or jeopardized account scenarios such as brute-force attacks or cryptographic hacks in which many password combinations are tried to break into accounts, along with suspicious password resets, account sharing, account usage from an unusual device or location, etc.

    UEBA also monitors account lockouts for signs of insider activity, such as users who have attempted to log in to new accounts or to accounts from previous job roles. It identifies and alerts on unusual activity around the lockout, allowing SOC analysts to pay special attention to a potential insider breach.

    Furthermore, it keeps a check on unauthorized access attempts against accounts holding sensitive PII (Personally Identifiable Information) or PCI (Payment Card Industry) data.
  3. Risk scoring
    Risk identification and prioritization are at the heart of UEBA security. UEBA identifies and quantifies risky insider behavior by correlating each user or entity’s activities against their baseline. The risk is scored based on:
    - The significance of the action from a security standpoint,
    - The extent of the deviation from the baseline,
    - The frequency of deviation, and
    - The time elapsed since the deviation.

    For example, an unusually large data download and an exfiltration attempt (via print, email, cloud storage, or USB devices) will both count as risky behaviors. However, the exfiltration attempt will rank higher than the download, as it has more serious consequences.

    UEBA tools allow these scores and weights to be defined at the model level and let teams tweak them to match the organization’s risk exposure and priorities.
  4. Extraction and enrichment of data
    UEBA uses innovative data processing techniques to draw a broad range of data feeds from both structured and unstructured security sources, including Active Directory logs, application logs, server logs, device logs, etc. UEBA automatically enriches this collected data with identity and contextual information and scales it. This multidimensional data is then used to draw insights and respond to risky incidents in real time.

    Some common data feeds assessed by UEBA for insider threat evaluation:

    • Local and Remote Access Logs: VPN, domain controller, and Wi-Fi access point logs
    • Identity Services: Active Directory, LDAP, Okta, and other services
    • DLP Scans
    • Endpoint Feeds: PC/laptop security solutions
    • Network Feeds
    • Database Activity: database logs directly, or via database firewalls like Imperva
    • Application Activity
    • Cloud Activity
    • USB Thumb Drive Access
    • Print Servers
    • Physical Security
  5. Automation
    Manual effort has proven inefficient for handling massive amounts of data and repetitive security tasks when detecting and remediating insider threats in real time. UEBA therefore automates most behavioral analysis tasks, such as collecting, enriching, and analyzing data, detecting risky behavior, and predicting possible insider threats, all in real time, while also cutting the cybersecurity budget.

    Furthermore, with UEBA, organizations can automate routine checks at regular intervals by setting fixed parameters and scheduling the algorithm to run. In this way, UEBA not only reduces the number of security analysts an organization needs to employ and train but also helps cover the skills gap.

    The most valuable feature of a UEBA solution is its ability to detect not only known threats but unknown ones as well. With their advanced analytical capabilities, modern UEBA tools uncover threats that go undetected by traditional detection and prevention systems. UEBA leverages various models using supervised, unsupervised, and semi-supervised algorithms, and it can also perform sentiment analysis, using deep learning and text mining, to detect insider threats.
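To make points 1 and 3 concrete, here is an added toy implementation (not Binaryflux code, and not how Doppler works internally) of baselining plus risk scoring: it learns each user’s mean and standard deviation of daily data volume from a constructed history, then scores recent events on the four factors the article lists (significance of the action, extent of deviation, frequency, and time elapsed). The weights, threshold, users, and event data are all constructed for the example.

```python
"""Toy UEBA-style baselining and risk scoring (constructed example, not the Doppler product)."""
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Model-level weights: how significant each action is from a security standpoint.
# Exfiltration channels outrank a plain download; a team can tune these to its own risk.
SIGNIFICANCE = {"download": 1.0, "print": 2.0, "usb_copy": 3.0, "cloud_upload": 3.0}
Z_THRESHOLD = 3.0   # deviation (in standard deviations) before an event counts as unusual
Z_CAP = 10.0        # a single huge outlier should not drown out the other factors
FREQ_STEP = 0.25    # each further deviation by the same user raises the score by 25%
TODAY = date(2022, 1, 6)   # "now" for the recency factor (constructed)

# Constructed baseline: daily data volume (MB) each user moved during the learning period.
HISTORY = {
    "alice": [43, 57, 44, 56, 45, 55, 54, 47, 48, 51],          # mean 50, stdev 5
    "bob": [186, 214, 188, 212, 190, 210, 208, 194, 202, 196],  # mean 200, stdev 10
}

# Constructed recent events scored in prediction mode: (user, day, action, MB).
RECENT = [
    ("alice", date(2022, 1, 5), "download", 48),     # normal for alice
    ("alice", date(2021, 12, 27), "download", 100),  # 10 sigma above baseline, 10 days old
    ("alice", date(2022, 1, 4), "usb_copy", 90),     # 8 sigma, and an exfiltration channel
    ("bob", date(2022, 1, 5), "download", 300),      # 10 sigma above bob's baseline
    ("bob", date(2022, 1, 5), "download", 215),      # 1.5 sigma, still normal
]

def build_baselines(history):
    """Learn each user's profile: mean and standard deviation of daily volume."""
    return {user: (mean(v), pstdev(v)) for user, v in history.items()}

def deviation(user, megabytes, baselines):
    """How many standard deviations an event sits above the user's own baseline."""
    mu, sigma = baselines[user]
    return (megabytes - mu) / sigma if sigma else 0.0

def risk_scores(events, baselines, today):
    """Combine significance, extent of deviation, frequency and recency per user."""
    raw = defaultdict(float)
    hits = defaultdict(int)
    for user, day, action, megabytes in events:
        z = deviation(user, megabytes, baselines)
        if z < Z_THRESHOLD:
            continue                                  # within the learned baseline
        hits[user] += 1
        decay = 0.5 ** ((today - day).days // 7)      # halves for every full week elapsed
        raw[user] += SIGNIFICANCE[action] * min(z, Z_CAP) * decay
    # frequency factor: repeated deviations by the same user push the score up further
    return {u: round(raw[u] * (1 + FREQ_STEP * (hits[u] - 1)), 2) for u in raw}
```

Running `risk_scores(RECENT, build_baselines(HISTORY), TODAY)` ranks alice (36.25) above bob (10.0): her single USB copy outweighs bob's larger download because of the channel weight, and her older download still contributes at half strength.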

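For point 2, here is an added example (again not Binaryflux or Doppler code) of the account-based checks the article describes, run over a constructed authentication log excerpt: a password-guessing burst against one account, a lockout followed by the same device trying a different account, and a sign-in from a device never seen for that user. The log format, device baseline, and thresholds are assumptions made for the example.

```python
"""Account-based checks over constructed authentication log lines (illustrative only)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) device=(?P<device>\S+)")
FAIL_LIMIT, WINDOW = 5, timedelta(minutes=10)   # failures per account within the window

# Learned baseline (constructed): devices each account normally signs in from.
KNOWN_DEVICES = {"alice": {"alice-laptop"}, "bob": {"bob-desktop", "bob-phone"}}

# Constructed log excerpt in an assumed key=value format.
LOG = """\
2022-01-05T08:00:01 user=bob result=failure device=kiosk-7
2022-01-05T08:00:03 user=bob result=failure device=kiosk-7
2022-01-05T08:00:05 user=bob result=failure device=kiosk-7
2022-01-05T08:00:07 user=bob result=failure device=kiosk-7
2022-01-05T08:00:09 user=bob result=failure device=kiosk-7
2022-01-05T08:00:10 user=bob result=lockout device=kiosk-7
2022-01-05T08:02:30 user=finance-svc result=failure device=kiosk-7
2022-01-05T09:15:00 user=alice result=success device=unknown-tablet
2022-01-05T09:20:00 user=bob result=success device=bob-phone
"""

def parse(log):
    """Turn log lines into dicts with a real timestamp; skip lines that do not match."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def findings(events, known_devices):
    """Return (check, user, device) tuples for the three account-based conditions."""
    out = []
    fails = defaultdict(list)   # user -> timestamps of recent failures
    lockouts = {}               # device -> account that was locked out from it
    for e in events:
        u, dev, ts, res = e["user"], e["device"], e["ts"], e["result"]
        if dev in lockouts and lockouts[dev] != u:
            out.append(("post_lockout_other_account", u, dev))   # lockout, then another account
        if res == "failure":
            fails[u] = [t for t in fails[u] if ts - t <= WINDOW] + [ts]
            if len(fails[u]) == FAIL_LIMIT:
                out.append(("brute_force", u, dev))               # guessing burst on one account
        elif res == "lockout":
            lockouts[dev] = u
        elif res == "success" and dev not in known_devices.get(u, set()):
            out.append(("unknown_device", u, dev))                # sign-in from an unseen device
    return out
```

`findings(parse(LOG), KNOWN_DEVICES)` yields exactly three alerts for the SOC queue: the brute-force burst on bob, the post-lockout attempt on finance-svc from the same kiosk, and alice's sign-in from an unknown tablet.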

Outsmart the odds with Binaryflux intelligence 

Preventative measures are no longer enough to keep your data secure. Attackers will find a way into your systems, and it’s important to detect them as soon as it happens.

Binaryflux’s UEBA solution, Doppler, helps SOCs automatically detect, investigate, and respond to insider threats in real time. With Binaryflux Doppler, insider threats are acted upon before they can cause deliberate or accidental loss or damage to your company. Not only does Doppler save your company from the loss of priceless intellectual property, it also allows your SOC to anticipate forthcoming insider threats through scenario-based and behavioral analytics techniques.

With Binaryflux’s advanced neural brain and out-of-the-box integrations, you can solve security use cases such as account compromise, privileged account abuse and misuse, data exfiltration, employee security monitoring, and identity and access management with almost no manual assistance.

In addition, Binaryflux’s integrated security orchestration, automation and response (SOAR) and UEBA solution further empowers your analysts to build a case, collaborate seamlessly, and rapidly execute countermeasures - all one step ahead of the malicious or unintentional insider.

Outsmart the odds with Binaryflux intelligence and book your demo today!


22 Jan 2022 • BinaryFlux Team