In most cases, insiders -- who include employees and third-party vendors -- want to do the right thing. They don’t want to put their company at risk of a breach. After monitoring and analyzing the behaviors of more than a million users, our Bay Dynamics experts discovered that in approximately 90 percent of data loss prevention incidents -- meaning when employees leak sensitive data outside an organization -- the employees are legitimate users who innocently send out data for business purposes.
Without even realizing it, insiders are putting their organizations at risk of a breach -- using weak passwords, sending out private information they should not be accessing, clicking on any link that comes into their inbox, etc. They do not understand the potential repercussions of their actions and as a result, we keep seeing more breaches.
Businesses need to get a better grasp on what their insiders are doing on a daily basis -- what kind of information do they access? How do they access it? Which websites do they typically visit? Who do they typically email? By collecting information about how their insiders are regularly behaving, businesses can more easily identify behaviors that are out of the norm and take action to nip that behavior in the bud before it’s too late.
We are seeing more businesses take this approach, called User and Entity Behavior Analytics (UEBA), where instead of focusing solely on attacks coming from the outside, in-house IT and security teams are looking at the inside -- who is doing what, what their entities (the devices they use, like laptops) are doing, and whether any of them pose a security risk. In the Market Guide for User and Entity Behavior Analytics, by Avivah Litan, published September 22, 2015, industry analyst firm Gartner says it "expects the UEBA market revenue will climb to almost $200 million by the end of 2017, up from less than $50 million today".
To give an example of UEBA in action: our UEBA software was collecting and analyzing information about the behaviors and actions of individual employees within a large enterprise business. We noticed a subset of individuals who were slowly leaking private corporate information outside of the network. It wasn’t typical behavior for those individuals, their peers or the individuals who work with their team. We sent the findings to the in-house security team, providing names and other information so that they could take action immediately. Sure enough, the group of employees was planning to leave the company and use the leaked information to help start a new business.
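The comparison described above, against a user's own history and against their peers, can be sketched as follows. This is an added example, not Bay Dynamics code: the user names, teams, daily volumes, the median/MAD scoring and the 3.5 threshold are all assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample data (not from the article):
# user -> (team, baseline daily MB sent to external recipients, last 5 days)
ACTIVITY = {
    "alice": ("eng", [4, 5, 6, 5, 4, 5, 6, 5, 4, 6], [5, 4, 6, 5, 5]),
    "bob":   ("eng", [3, 4, 3, 5, 4, 3, 4, 4, 3, 5], [4, 3, 4, 5, 4]),
    "carol": ("eng", [5, 6, 5, 4, 6, 5, 5, 6, 4, 5], [12, 14, 13, 15, 16]),
    "dave":  ("eng", [40, 42, 38, 41, 39, 40, 43, 41, 39, 40], [41, 40, 42, 39, 38]),
    "erin":  ("eng", [4, 4, 5, 6, 5, 4, 5, 5, 6, 4], [5, 6, 4, 5, 5]),
    "frank": ("fin", [2, 3, 2, 3, 2, 3, 2, 3, 2, 3], [9, 10, 9, 10, 12]),
    "grace": ("fin", [3, 3, 2, 3, 3, 2, 3, 3, 2, 3], [10, 11, 9, 10, 10]),
    "heidi": ("fin", [2, 2, 3, 2, 3, 3, 2, 2, 3, 3], [11, 10, 12, 11, 11]),
}

def robust_z(value, sample):
    """Distance of value from the sample median, in scaled-MAD units."""
    med = median(sample)
    mad = median([abs(x - med) for x in sample])
    scale = 1.4826 * mad or 1.0  # flat sample: fall back to raw distance
    return (value - med) / scale

def score_users(activity, threshold=3.5):
    """Score each user's recent mean against their own baseline and their team."""
    recent_mean = {u: sum(r) / len(r) for u, (_, _, r) in activity.items()}
    scores = {}
    for user, (team, baseline, _) in activity.items():
        peers = [recent_mean[p] for p, (t, _, _) in activity.items()
                 if t == team and p != user]
        self_z = robust_z(recent_mean[user], baseline)  # unusual for this user?
        peer_z = robust_z(recent_mean[user], peers)     # unusual for the team?
        scores[user] = {"self_z": round(self_z, 1), "peer_z": round(peer_z, 1),
                        "flagged": self_z > threshold and peer_z > threshold}
    return scores

def flagged_users(activity):
    return sorted(u for u, s in score_users(activity).items() if s["flagged"])

if __name__ == "__main__":
    for user, s in score_users(ACTIVITY).items():
        print(user, s)
```

Requiring both deviations keeps two common false positives out of the queue: dave always sends large volumes, so he is unusual for his team but not for himself, and the whole "fin" team rises together, so each member is unusual for themselves but not among peers.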
UEBA helps change risky insider behaviors early on to minimize businesses’ risk of a breach and also helps stop breaches in progress. However, it’s important to note that UEBA works best when it’s the glue that ties together businesses’ security tools. In-house IT and security teams face challenges sifting through the abundance of information coming from the various security tools they already have in place. They don’t know which alerts to address first or whether they are real threats, and they oftentimes overlook important alerts because they did not have the time to get to them or the alerts were not flagged as imminent. UEBA helps overcome that challenge by wrapping up and correlating all of that data so that it tells one story about each individual user. IT and security teams receive a complete picture of what their users are doing, who they need to take immediate action on first, who they need to keep their eye on and why.
Based on the numerous breaches we continue to see, the "defense-in-depth" strategy is not working. Criminals are finding ways to circumvent the various controls, oftentimes posing as legitimate employees to move about freely within businesses’ environments and steal data. Businesses need to shift from an "outside-in" to an "inside-out" approach when it comes to security. Even if criminals use a legitimate employee’s login credentials to move around the corporate network, they cannot 100 percent walk in that employee’s shoes. They cannot mimic everything that employee does on a day-to-day basis. The second they slip, UEBA will catch them.
Ryan Stolte is Co-Founder and CTO at Bay Dynamics. He has directed the strategy, architecture, and implementation of IT and Information Security solutions for over 15 years. Since the company’s founding in 2001, Ryan has grown Bay Dynamics into a leading solution provider with a diverse portfolio of products and services. His breadth of experience in improving information security processes and deep knowledge of Business Intelligence provide the foundation for the patented technology behind IT Analytics™ and Risk Fabric.