Cyberattacks are a growing menace, with yet another hacking attempt every 39 seconds. The Identity Theft Resource Center (ITRC) reported a 17% increase in data breaches as of September 30, 2021 when compared to the total number of breaches in 2020. And these were only the reported cases! There is a major lack of transparency with respect to breach notices both at the governmental as well as the organizational level, according to the ITRC.
Moreover, the sophistication of the attacks is also increasing. Cybercriminals are developing new techniques of attack and evolving older ones. In fact, according to a report by Verizon, phishing attacks have increased by 11%, and incidents of ransomware have doubled since 2020.
However, the more troubling aspect is that it is not just external attacks that organizations have to worry about; cyberattacks from internal threats are increasing day by day. Various sources suggest that:
As if facing these threats is not hard enough, organizations that do not have a suitable cybersecurity solution in place find it onerous to detect and investigate these threats, and the hybrid working conditions owing to the pandemic don't make things any easier. As a matter of fact, IBM's 2021 data breach report states that in 2021, the average time taken to identify an attack was 212 days, and the average time to contain the attack was 75 days.
So, now the question arises, "If insider threats are so rampant, and damaging, what can an organization do to identify and protect itself against them?" Well, the answer is simple: Organizations have to equip themselves with a security information and event management (SIEM) solution integrated with user and entity behavior analytics (UEBA) capabilities.
A SIEM tool is a cybersecurity solution that collects and aggregates log data from various sources in your organization's network and analyzes the log data to detect vulnerabilities and threats. It also provides the added advantage of alerting you to those threats in real time. SIEM does this by making use of predefined and custom correlation rules, alerts, response workflows, and threat intelligence feeds. So, if a SIEM solution is able to do all that, why would you need UEBA? Because, simply put, SIEM without UEBA is like a surgeon without scalpels and sutures, or SWAT personnel without a Kevlar jacket. A SIEM tool without UEBA is not a comprehensive solution for data security or threat detection. In other words, a SIEM solution with UEBA capabilities helps detect, investigate, and respond to threats to your organization promptly. So, without any further ado, let me explain what UEBA is and how it can benefit your organization.
UEBA, a.k.a. anomaly detection, is a cybersecurity process that monitors and analyzes the behavior of every user and entity, such as the routers, servers, and endpoints in an organization's network, to detect anomalies. Based on its analysis, UEBA determines the normal pattern of work and creates a baseline of expected activity for every user and entity. However, for establishing this behavioral baseline, you need to provide UEBA with at least two weeks of historical data.
To establish the baseline, your UEBA solution will use the log data aggregated in your SIEM tool and employ machine learning (ML) algorithms, which use probability and statistical models, to continuously learn and identify the normal behavior for every user and entity. So, you can say that the ML capability of UEBA is responsible for anomaly detection.
Every current action is compared against the behavioral baseline generated from historical data, to identify whether the action is normal or an anomaly. Depending on the extent of the deviation, UEBA assigns a suitable risk score to indicate the criticality of the event, and alerts your security analysts to prevent the attack or stop it in its tracks.
To understand how UEBA creates a behavioral profile for every user, let's go over an example and understand how humans do it first. John is a newly hired marketing intern. On his first day of work, the security guard recognizes him as someone new and pays close attention to ensure that all his credentials check out. The guard also keeps track of the time John enters and exits the organization. He monitors John’s activity for a few days and gets to know his expected time pattern—arrival at 10am and exit at 6pm. Any deviation from this, such as John's arrival at 5am, will raise the guard's suspicion. This is how humans detect an anomaly.
Similarly, the ML algorithm in a UEBA solution will monitor the log data to establish patterns in your network. For instance, a user's logon and logoff times and the actions the user performs on particular devices tell the UEBA solution which activities are expected from that user. After monitoring for a few days, the UEBA solution will know the user's expected behavior; any deviation from that raises the user's risk score to indicate the severity of the threat, and the UEBA solution flags an alert to the security analysts. "But if a human can already do that, why do you need UEBA?" Because it is not humanly possible for your security team to constantly observe and analyze the behavior of the thousands of employees who work at your organization, generate reports on anomalous activities in different parts of the network, and take appropriate action immediately.
Now the question arises—what are the different types of threats that UEBA can identify? Let's take a look at them.
In all the above cases, irrespective of whether the user or employee attacks the system or network, or whether an attacker uses that employee's credentials to attack, that user's risk score will increase. The increase in the risk score is how your UEBA solution alerts the analyst to an anomaly. The analyst then investigates whether the event is a genuine threat and takes action accordingly.
Now, you must be wondering, "What is a risk score, and on what basis does UEBA assign it anyway?" A risk score is a value between 0 and 100 that is assigned to each user and entity depending on the frequency and severity of deviations from the established baseline. The greater the deviation, the greater the risk. The deviations or anomalies can be a time anomaly, a count anomaly, or a pattern anomaly. Let's take a look at what each of these means.
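To make the baseline, comparison and risk-score ideas from the preceding sections concrete, here is an added, deliberately small Python example (not code from the original post or from Log360). It builds a per-user baseline from two weeks of constructed logon records, then scores a day's events for the three anomaly types just listed: time (logon hour far from the baseline mean), count (more logons in a day than the baseline allows) and pattern (a host never seen during the baseline period). User name, host names, timestamps, the 3-standard-deviation threshold and the score weights are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed history: 14 days of (user, host, logon time) records for one user,
# standing in for the two weeks of logs a UEBA baseline needs. Names are hypothetical.
_day0 = datetime(2021, 10, 1, 9, 0)
HISTORY = [("jdoe", "WS-01", _day0 + timedelta(days=d, minutes=m))
           for d in range(14) for m in (0, 30)]  # two logons a day, 09:00 and 09:30

def build_baseline(events):
    """Per-user baseline: logon-hour mean/sd, logons-per-day mean/sd, hosts seen."""
    hours, per_day, hosts = defaultdict(list), defaultdict(Counter), defaultdict(set)
    for user, host, ts in events:
        hours[user].append(ts.hour + ts.minute / 60)
        per_day[user][ts.date()] += 1
        hosts[user].add(host)
    baseline = {}
    for user, h in hours.items():
        counts = list(per_day[user].values())
        baseline[user] = {"hour_mean": mean(h), "hour_sd": pstdev(h),
                          "count_mean": mean(counts), "count_sd": pstdev(counts),
                          "hosts": hosts[user]}
    return baseline

def score_day(baseline, user, day_events, min_sd=0.5):
    """Score one user's events for a day against the baseline -> (risk 0-100, reasons).
    min_sd keeps a perfectly regular baseline (sd 0) from flagging every tiny deviation."""
    b, risk, reasons = baseline[user], 0, []
    for _, host, ts in day_events:
        z = abs(ts.hour + ts.minute / 60 - b["hour_mean"]) / max(b["hour_sd"], min_sd)
        if z > 3:  # time anomaly: larger deviation contributes more, up to 40 points
            risk += min(40, round(4 * z))
            reasons.append(f"time anomaly: logon at {ts:%H:%M} (z={z:.1f})")
        if host not in b["hosts"]:  # pattern anomaly: host unseen during baseline period
            risk += 30
            reasons.append(f"pattern anomaly: first logon seen from {host}")
    zc = (len(day_events) - b["count_mean"]) / max(b["count_sd"], min_sd)
    if zc > 3:  # count anomaly: far more logons than usual in one day
        risk += 20
        reasons.append(f"count anomaly: {len(day_events)} logons today (z={zc:.1f})")
    return min(risk, 100), reasons  # risk score is capped at 100 like the text describes

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    t = HISTORY[0][2].replace(day=18)  # a day outside the baseline window
    # Mirrors the 5am arrival from the security-guard analogy: one time anomaly.
    print(score_day(base, "jdoe", [("jdoe", "WS-01", t.replace(hour=5)),
                                   ("jdoe", "WS-01", t.replace(hour=9))]))
```

A real UEBA engine learns many more features (per-device, per-process, per-day-of-week) and adapts the baseline over time; the structure above is the same idea reduced to three features.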
Now that you know how UEBA works, let's take a look at some scenarios where a UEBA solution can make a world of difference to an organization.
Scenario 1: The DEA does not have a UEBA solution
Dylan isn’t the only one in trouble. The information regarding the undercover agents and the confidential informants falls into the hands of a drug cartel, threatening the lives of the agents and the informants.
Scenario 2: The DEA has a UEBA solution
The UEBA solution identifies the series of unusual activities as a pattern anomaly, increases Dylan's risk score, and alerts the security analysts immediately so they can mitigate the threat.
Scenario 1: Grace Hospital does not have a UEBA solution
The attackers gain access to the network, target systems with weak passwords, move laterally, encrypt files, and demand a huge ransom, effectively bringing the entire hospital to a standstill. Unless the ransom is paid, the diagnostic equipment and surgical devices won't work, and the doctors won't be able to access their patients' medical history or make appropriate treatment plans.
Scenario 2: Grace Hospital has a UEBA solution
The ransomware attack is prevented because the UEBA solution identifies the file renames, file accesses, and the execution of unusual processes, and alerts the analysts to the breach in the hospital’s systems so they can quarantine the affected systems and effectively mitigate the attack.
Now that you know you need a SIEM solution with UEBA, you must be wondering which one to choose. Well, I will be glad to help you with that. ManageEngine Log360 is a comprehensive solution for protecting your organization against cyberattacks. Log360 is a SIEM solution that has a correlation engine, threat intelligence, and UEBA functionality for analyzing data and detecting threats and vulnerabilities to your organization. It also has the added benefit of security orchestration, automation, and response (SOAR), which allows for faster threat detection and automated incident response. The other benefits are:
So, before things get tricky, secure your organization with Log360, and safeguard against cyberattacks swiftly. Thanks for reading, folks!
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.