Industry Trends

Leveraging UEBA to Address Insider Threats

By John Maddison | March 06, 2019

The rapid adoption of new digital networking strategies has utterly transformed how and where we conduct business. Digital Transformation (DX) is expanding the attack surface, and one of the biggest challenges is extending security to all the places and devices where applications, workflows, and critical data need to travel to protect digital assets. The other challenge is that even though this change is happening at unprecedented speeds, the CEO and board are impatient with the time it takes to bring DX business opportunities to market. And of course, this requires top notch security for DX initiatives.

DX is non-negotiable—but so is security. They are tied at the hip. The trick is to enable DX business initiatives without overwhelming the limited resources available to the security team. Because high-profile breaches are almost constantly in the news, those limited resources tend to be focused on keeping the bad guys out. Which is why job number one for most organizations involves deploying and managing security solutions across their expanding attack surface, including IoT, multi-cloud solutions, and SD-WAN deployments.

But as more users with more devices have more access to more resources than ever before, we cannot ignore the reality that many of our risks originate from inside the network. The 2018 Verizon Data Breach Investigations Report has documented that a full 30% of breaches experienced by organizations involve insiders.

Part of that challenge is the result of the amount of implicit trust we extend to users and devices. Inevitably, insider threats always involve abuse of that trust of some sort—whether intentionally or unintentionally. But whether the loss of data or digital resources is malicious or due to negligence, the results are the same and need to be guarded against. And that starts by updating that adage, "trust, but verify," to read: "only trust when you have to, and then, make sure you monitor, track, and verify everything." It's maybe not as elegant to say, but it is certainly a darn sight more useful.

Addressing Insider Threats with UEBA

Watching for insider threats requires inverting a lot of security thinking. It starts with the assumption that a breach has already occurred. Implementing things like a zero-trust security strategy, intent-based segmentation, and comprehensive network access control ensure that any violation that occurs is limited in scope. But the real challenge lies in discovering any attack in its very earliest stages, long before any damaging compromise can happen. And that requires implementing User and Entity-Based Behavioral Analytics (UEBA).

Initially, UBA (or User Behavioral Analytics) simply provided granular visibility into user behavior, whether on or off the corporate network to identify potentially malicious anomalous behavior and activities. Adding Entities to the solution, making it UEBA, acknowledged that truly effective security requires a range of entities to be observed and profiled and that those behaviors then need to be correlated with those of the user. This more holistic approach allows the security team to access much more granular information, allowing them to respond more efficiently before a risk can escalate to an incident or breach.

Span of Control

When correctly chosen and deployed, UEBA solutions can cover a wide range of insider threats, including:

  • Endpoint monitoring, whether on or off the network, to not only provide deep visibility into devices and user behavior, but also track resource access and data movement to better identify aberrant or malicious behaviors.
  • Data exfiltration attempts, including moving data to web and cloud services or onto removable storage media such as USB drives.
  • The instantaneous detection of policy violations, including the full range of regulatory compliance requirements.
  • The prevention of escalating, compromising, or taking over accounts using such techniques as credential stuffing.

Rules-Based and Machine Learning Engines

The most effective UEBA solutions can accurately identify anomalous user and device behavior, policy violations, unauthorized data access, improper data movement and exfiltration, and compromised accounts. They do this by leveraging a combination of two key components: an advanced rules-based engine and behavioral analytics enhanced by Machine Learning. 

Rule-based engines help simplify policy adherence and strengthen security controls by immediately detecting policy violations, identifying risky behaviors or activities that could lead to a regulatory breach, and detecting and responding to compliance violations that put IP, PII, and other critical resources at risk. They can also alert on non-compliant user activities such as unauthorized data access; the sharing or distribution of PII; the use of Shadow IT; the installation of unapproved, unlicensed software; and the access or consumption of inappropriate content.

At the same time, the UEBA’s Machine-Learning engine automatically learns user behaviors across peer groups, enabling it to detect behavioral anomalies. As a result, it can, for example, rapidly spot when unauthorized users are accessing a compromised user account. 

Adding UEBA to Existing Strategies

While UEBA solutions can function as a stand-alone solution to secure endpoints, prevent data loss, or identify unusual behavior, they work best when incorporated as part of an integrated security strategy. Tying UEBA to SIEM solutions, for example, enhances the collection, analysis, and response to threats originating from inside the network. It can also be used to improve more traditional endpoint security applications, support the monitoring for and management of Shadow IT, and can be fully and seamlessly integrated into a larger security fabric framework.

One of the most common outcomes of an aggressive DX strategy is fractured visibility and inconsistent controls for security across the distributed network landscape—especially when it comes to the behavior of trusted employees and devices. UEBA is a critical tool that can help unify the detection of and response to insider threats, helping close the gap on one of the most serious—and most often overlooked—threats to your business.

Learn more about Fortinet's Security Fabric and AI Predictive Intelligence solutions.

Read more about machine learning-based threat detection for insider threat protection.

Read more about how UEBA solutions can cover a wide range of insider threats.