Anomaly detection in hybrid clouds: The role of UEBA in securing complex enterprise environments

With Gartner predicting that by 2027, 70% of enterprises will adopt industry cloud platforms to improve business efficiency, it's no wonder hybrid cloud adoption is on the rise. Hybrid cloud environments combine on-premises infrastructure with cloud platforms, offering flexibility and scalability; but they come with inherent security complexities. Organizations often struggle to gain visibility across on-premises and cloud platforms, increasing the risk of blind spots that attackers can exploit. Securing hybrid cloud environments requires addressing gaps in visibility, preventing misconfigurations, and ensuring data security and compliance. CISOs must bridge security gaps while ensuring compliance and operational resilience. UEBA is a critical tool in this effort, providing advanced analytics to help security teams identify and respond to anomalies across diverse infrastructures. A UEBA-integrated SIEM solution enhances cybersecurity and supports organizational resilience in the face of evolving cyberthreats.

What are the challenges with securing hybrid cloud environments?

While there are multiple hybrid cloud security challenges enterprises are likely to face, such as the difficulty in integrating various security tools and the gap between security and scalability, we'll only be discussing some of the key issues mentioned below:

Complexity and visibility: The complex nature of hybrid clouds, i.e., mixing on-premises infrastructure with multiple cloud services and applications, makes it difficult to achieve complete visibility and monitor activities across all platforms. Each platform has its own management console, APIs, and security protocols, making it challenging to obtain a unified view of the entire environment.

Insider threats: Insider threats, whether malicious or unintentional, can be particularly challenging to detect in hybrid cloud environments. Employees or contractors with legitimate access to both on-premises and cloud services can misuse their privileges to compromise data. Lack of proper visibility into employee actions can have a disastrous effect in this situation.

Data privacy, security, and compliance: The dynamic and distributed nature of cloud environments and data movement between on-premises and cloud environments or between cloud environments themselves makes it hard to monitor and safeguard access to sensitive data, increasing the risk of data breaches and privacy violations. According to IBM's Cost of a Data Breach Report 2024, 40% of data breaches in 2024 involved data stored across multiple environments, with public cloud breaches incurring the highest average breach cost at $5.17 million. Moreover, a distributed cloud setup necessitates maintaining compliance with various regulatory requirements across jurisdictions, adding to the complexity and increasing risk liability. This is evidenced by a 2024 Cybersecurity Insiders report, which states that 54% of survey respondents faced difficulty in ensuring compliance and cloud governance across hybrid cloud and multi-cloud environments.

Threat detection and response: Traditional security tools may struggle to detect and respond to sophisticated threats that span both on-premises and cloud environments. The gaps and inconsistencies—including cloud misconfigurations and a lack of uniform security policies across on-premises and cloud environments—increase the attack surface, exposing organizations to malicious threats such as phishing, credential theft, account hijacking, unauthorized access, DDoS attacks, and data breaches. A 2024 research article, Anomaly Detection in Cloud Network: A Review, mentions some of the most significant cloud security issues stated by NIST as shown in Figure 1.

Image source: Anomaly Detection in Cloud Network: A Review (2024)

Figure 1: Key cloud security issues.

The same article also emphasizes the importance of anomaly detection to mitigate the vulnerabilities mentioned above.

What is anomaly detection in a hybrid cloud?

Anomaly detection in a hybrid cloud refers to the process of leveraging machine learning algorithms to identify unusual or suspicious activities across both on-premises and cloud environments. It does this by establishing normal behavior; any deviations from expected behavior, such as unusual login attempts; excessive file permission changes; abnormal data transfer volumes; or unexpected changes in system, AWS, or Azure configurations, will be deemed anomalous, and a suitable risk score will be assigned and security teams will be alerted. However, owing to the fact that hybrid clouds integrate on-premises, private, and public cloud infrastructures, it's crucial to choose anomaly detection tools that take into account the complexities of monitoring across different architectures, data sources, security models, and traffic patterns. UEBA is the anomaly detection engine in SIEM solutions. The role of UEBA in hybrid cloud environments is to identify anomalous behavior exhibited by users and entities in on-premises and cloud environments indicative of internal threats and external attacks and improve the overall security posture of enterprises.

How UEBA helps resolve hybrid cloud security challenges

According to the Cybersecurity Insiders report, 91% of organizations are prioritizing AI adoption for improved threat detection and prevention. While adopting AI into their existing systems might be a necessary, albeit time-consuming task, enterprises will benefit by beginning their journey by adopting UEBA, which employs machine learning algorithms and confers the following benefits:

Enhanced visibility: UEBA offers a unified view of user and entity behaviors across on-premises and cloud environments, improving visibility and real-time monitoring of hybrid environments.

Regulatory compliance: Most compliance regulations mandate the monitoring and reporting of anomalous activities signaling attacks or policy violations. UEBA helps ensure compliance by continuously monitoring activities and detecting anomalies that may indicate non-compliance or data privacy breaches.

Advanced threat detection: UEBA uses machine learning and behavioral profiling techniques to detect sophisticated threats that traditional security tools might miss, providing real-time alerts for swift response. Moreover, UEBA tools can also seamlessly integrate with security solutions like SIEM tools, thus enhancing threat detection capabilities and the security posture of organizations adopting hybrid cloud environments.

Insider threat mitigation: Since UEBA establishes a baseline of expected behavior for every user in the network, it can identify when a user deviates from it, thus helping detect and mitigate insider threats and reducing the risk of data breaches and privilege abuse. Since IBM reported the average cost of a malicious insider attack to be $4.99 million, enterprises can save immensely by investing in a UEBA-integrated SIEM solution.

Scalability: Given their growing size and the dynamic and scalable nature of the cloud, enterprises need a security solution that can grow and evolve along with their hybrid cloud environments, and UEBA is one such tool. UEBA can adapt to growing volumes of data and users across diverse infrastructures.

A real-life example of UEBA in hybrid cloud anomaly detection

A large financial services company, FinEdge Enterprises, operates in a hybrid cloud environment, using both on-premises data centers and cloud services for various applications, including customer management, financial transactions, and regulatory compliance. Since it deals with sensitive financial data and is a prime target for cyberattacks, FinEdge decided to implement a UEBA solution to improve its hybrid cloud security. A month later, FinEdge witnessed how effective UEBA was in detecting anomalies in a hybrid cloud environment.

When an attacker attempted to infiltrate FinEdge and exfiltrate data, UEBA detected the attempt and helped the security team thwart the attack. The UEBA solution adopted by FinEdge accomplished this by identifying the following events as anomalous and alerting the security team about them:

1. A series of unusual login attempts from an employee account from two different geographic regions, not previously associated with the user.
2. The employee account attempting to gain admin access to the on-premises database while simultaneously initiating changes in cloud storage permissions.
3. The employee account attempting to access sensitive files never accessed before, and its subsequent attempts to transfer large files from a secure on-premises database to an unfamiliar external cloud storage provider.

With each of these events, FinEdge's UEBA solution increased the risk score accordingly and alerted the security team who swiftly responded to mitigate the incident. By doing so, FinEdge was able to reduce its MTTD and MTTR, avoid a breach, and keep its reputation and customer satisfaction intact.

Additional resources

To gain in-depth insights into how UEBA can help various industries, please read the following resources:

Data security in healthcare with UEBA

Cybersecurity in financial services

Cybersecurity in manufacturing

Cybersecurity in education: Why is it important and how can UEBA help?

To learn how UEBA improves threat detection and risk scoring accuracy, read this e-book.

Related solutions