For earlier posts in this series, see: part 1 and part 2

The deadline for all U.S. merchants to adopt EMV chip and PIN compatible payment terminals was October 1, 2015. While many merchants have not yet migrated to EMV technology, those that have not now face increased liability for breaches. According to the 2016 Data Breach Industry Forecast by Experian, only 53% believe EMV cards will decrease the risk of a data breach. This raises a concern: despite the EMV liability shift, companies and consumers alike realize that these new payment technologies may not be a panacea for payment breaches and fraud, and may in fact bring about the next wave of attacks. What if attackers now shift their focus to online transactions, which do not require a physical copy of the card? What if an employee at the payment gateway company has turned into a malicious insider? Every industry has concerns around data protection for its most sensitive information, whether that is intellectual property, customer data, employee data, payment data, or any combination of these.

In the previous two posts of this series, we introduced the concepts of machine learning and User and Entity Behavior Analytics (UEBA), and specifically touched upon how Skyhigh leverages Cloud UEBA to detect advanced cloud security threats. In this post, we cover some of our most compelling success stories of how Cloud UEBA has surfaced and stopped threats in real-world situations.

Uptick in competitive losses when account teams move on

It was an open secret that this well-known Fortune 500 financial services company suffered huge competitive losses when its account teams left to join competitors. The final nail in the coffin came when audit reports confirmed that a once highly profitable business venture had turned into a money-losing one. While also focusing on recruiting top account personnel and keeping them motivated, the executives cautiously decided to experiment with UEBA and machine learning to monitor all transactions within the company. With UEBA, they uncovered that field and account teams were exfiltrating Salesforce data to personal accounts in the weeks before they quit. Using UEBA, they were able not only to identify the malicious insiders before an incident, but also to see the actual data involved, the day of the month, the duration, and the accounts to which it had been exfiltrated.


Change staffing, and high rollers decide to move on, too

Casinos’ use of analytics to track customers and thereby gain market intelligence is well known. While the focus is largely on increasing guest traffic, both new and returning, analytics also helps streamline operations, identify high rollers (the most profitable guests), and make sense of the volumes of data generated by the many systems. High rollers get the “royal treatment”; by giving their most valued customers a unique and tailored experience, casinos keep most of these guests returning and, in the best case, talking to friends and peers about their positive experiences.

At one of the top 10 casinos worldwide, with a major presence in Las Vegas, a pattern emerged in which high rollers stopped visiting the resort, and this correlated with changes in the staffing of high-value guest concierges. This not only resulted in immense financial losses; with stricter security measures and lower commissions on the floor, the morale of the remaining staff was at its lowest. A diligent investigation concluded that most of these high rollers were in fact following their recently departed staffers to their next place of work, which in this case was the competition down the Strip. The casino immediately called on its security personnel and, within a few days, began using Cloud UEBA to identify staffers acting as malicious insiders. What they found confirmed their worst suspicions: rogue staffers had been leaking confidential information from their Salesforce accounts to the competition prior to their departure.

Track activity patterns of employees when they travel

Government agencies are among the major sponsors of research in machine learning and related subjects, and threat protection has emerged as a topic of great interest for a variety of government-sponsored security applications. Recently, a government agency, due to the highly sensitive nature of its mission, integrated Cloud UEBA into its existing security applications. Its main objective was to track employee activity patterns locally and across international boundaries. It had enough intelligence reports to suspect that some of its employees, while travelling, were accessing data irrelevant to the nature of their employment or travel. With UEBA and related security policies in place, the agency unearthed enough evidence to take criminal action against these rogue employees. The employees had no legitimate reason to access files completely unrelated to their work, and seeing this data sent to personal email addresses led the agency to state with confidence that they were not acting in the best interest of the agency or the nation in general.

Audit and report the geographies from where specific data was accessed

The 2015 Ponemon Institute’s Cost of Data Breach Study states that malicious or criminal attacks result in the most costly data breaches. Malicious attacks can take an average of 256 days to identify while data breaches caused by human error take an average of 158 days to identify. The Ponemon study clearly highlights that organizations based in some countries are more likely to have a data breach. While organizations in Brazil and France are most likely to have a data breach involving a minimum of 10,000 records, their counterparts in Canada and Germany are least likely to have a data breach.

A Fortune 2000 technology company, as part of its best-practice security measures, mandated that its IT team use Cloud UEBA to audit and report employee activity both locally and across geographies. Because its research labs developed highly sensitive intellectual property, the IT security team kept track of the data its employees accessed, both within their home geography and across geographical boundaries. Using Cloud UEBA, they were able to identify and prevent instances of confidential data access from outside the normal geographies.
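As an added illustration (this is not Skyhigh's code, and no UEBA product works exactly this way), the following Python sketch shows the basic shape of the behavioural baselines behind the stories above: per-user geographies and export volumes learned from a history window, then recent events scored against them, with exports shared to non-corporate domains flagged as the "personal account" pattern. All users, timestamps, countries and domains are constructed; `corp.example` stands in for a hypothetical tenant's own domain.

```python
from collections import defaultdict

# Constructed sample events (not from the post): user, UTC time, IP country, action, share-to domain.
HISTORY = [
    ("alice", "2016-01-04T09:12:00", "US", "view", None),
    ("alice", "2016-01-05T10:03:00", "US", "export", "corp.example"),
    ("bob",   "2016-01-04T08:30:00", "DE", "view", None),
    ("bob",   "2016-01-07T16:20:00", "DE", "export", "corp.example"),
]
RECENT = [
    ("alice", "2016-02-02T22:40:00", "US", "export", "corp.example"),
    ("alice", "2016-02-02T22:41:00", "US", "export", "corp.example"),
    ("alice", "2016-02-02T23:10:00", "US", "export", "freemail.example"),  # personal account
    ("bob",   "2016-02-03T03:05:00", "BR", "export", "corp.example"),      # unseen geography
    ("bob",   "2016-02-04T09:00:00", "DE", "view", None),
]
CORPORATE_DOMAINS = {"corp.example"}  # hypothetical tenant domain
EMPTY = {"countries": frozenset(), "max_daily_exports": 0}  # profile for users with no history

def daily_exports(events):
    """Count exports per (user, calendar day); the ISO timestamp's first 10 chars are the day."""
    counts = defaultdict(int)
    for user, ts, _country, action, _domain in events:
        if action == "export":
            counts[(user, ts[:10])] += 1
    return counts

def build_baseline(history):
    """Per user: countries seen and the busiest export day during the learning window."""
    baseline = defaultdict(lambda: {"countries": set(), "max_daily_exports": 0})
    for user, _ts, country, _action, _domain in history:
        baseline[user]["countries"].add(country)
    for (user, _day), n in daily_exports(history).items():
        baseline[user]["max_daily_exports"] = max(baseline[user]["max_daily_exports"], n)
    return dict(baseline)

def score_events(recent, baseline, corporate_domains=CORPORATE_DOMAINS):
    """Return (user, when, reason) for every deviation from the user's own baseline."""
    alerts = []
    for user, ts, country, action, domain in recent:
        if country not in baseline.get(user, EMPTY)["countries"]:
            alerts.append((user, ts, f"access from unseen geography {country}"))
        if action == "export" and domain and domain not in corporate_domains:
            alerts.append((user, ts, f"export shared to external domain {domain}"))
    for (user, day), n in daily_exports(recent).items():  # burst of exports before a departure
        limit = baseline.get(user, EMPTY)["max_daily_exports"]
        if n > limit:
            alerts.append((user, day, f"{n} exports in one day exceeds baseline of {limit}"))
    return alerts
```

Running `score_events(RECENT, build_baseline(HISTORY))` yields three alerts: alice's share to `freemail.example`, bob's access from BR, and alice's three-export day against a baseline of one.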