According to a 2015 report by Mandiant, the average targeted malware compromise was present for 205 days before detection, the longest presence was 2,982 days, and 69% were discovered by external parties, not internal IT security functions. Until now it has been challenging to defend against the increasing velocity and sophistication of external attacks and subtlety of internal threats. In response, companies are shifting their focus to rapidly detecting and separating the normal user from the malicious or compromised user. As part of this effort they are using technology, referred to as user and entity behavior analytics (UEBA), that emphasizes behavioral analysis and machine learning to radically reduce false positive alerts and pinpoint threats.
How IT security teams use UEBA
UEBA has been a game-changer for a large retailer, which used UEBA tools to detect and stop fraudulent attacks against its sweepstakes game and e-commerce platform. Likewise, UEBA was used to detect and block attackers from logging into a major travel booking company with stolen credentials, which had been obtained in an earlier hack of its enterprise servers through an affiliate network on Amazon Web Services. The travel company experienced 5,000 login attempts per day using stolen credentials, and they were successfully blocked because of UEBA.
UEBA again effectively thwarted fraudsters from re-selling stolen gift cards for in-game currencies at a popular gaming site with 2,115 stolen credit cards. They created 563 new user accounts for the attack to buy and store the stolen currency, and they spread the endpoints used to conduct the attack across 501 different IP addresses to hide from geo-location and velocity sensors. However, UEBA detected their activity, and alerted the IT security team in time to prevent a major breach. UEBA can also detect internal threats. A telecommunications company used UEBA to discover an employee downloading and selling customer payment and contact information from an internal system of record.
How UEBA works
Gartner’s market definition states that UEBA is bringing profiling and anomaly detection based on machine learning to security. UEBA essentially maps what legitimate processes look like when they take place in an enterprise and learns how to distinguish and stop threats. UEBA has three main components as detailed below:
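The profiling and anomaly detection described above, reduced to its simplest form: build a per-user baseline from historical activity, then score new events against that user's own baseline rather than a global threshold. This is an added illustration written for this page, not Skyhigh's code or a description of its models; the event fields (user, day, country, downloads), the sample events and the z-score threshold are all constructed assumptions.

```python
"""Toy per-user behavioral baseline: profiling followed by anomaly scoring.

Added example, not Skyhigh code. Event records are constructed and assumed
to carry (user, day, country, downloads-that-day).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "learning period" events: five days of normal activity per user.
BASELINE_EVENTS = [
    ("alice", "2015-06-01", "US", 10),
    ("alice", "2015-06-02", "US", 12),
    ("alice", "2015-06-03", "US", 9),
    ("alice", "2015-06-04", "US", 11),
    ("alice", "2015-06-05", "US", 13),
    ("bob", "2015-06-01", "DE", 40),
    ("bob", "2015-06-02", "DE", 55),
    ("bob", "2015-06-03", "DE", 35),
    ("bob", "2015-06-04", "DE", 60),
    ("bob", "2015-06-05", "DE", 50),
]


def build_profiles(events):
    """Profiling step: summarize each user's normal download volume and locations."""
    counts = defaultdict(list)
    countries = defaultdict(set)
    for user, _day, country, downloads in events:
        counts[user].append(downloads)
        countries[user].add(country)
    return {
        user: {
            "mean": mean(values),
            "stdev": pstdev(values),
            "countries": countries[user],
        }
        for user, values in counts.items()
    }


def score_event(profiles, event, z_threshold=3.0):
    """Anomaly step: return the reasons an event deviates from its user's baseline."""
    user, _day, country, downloads = event
    profile = profiles.get(user)
    if profile is None:
        # A never-seen identity has no baseline; surface it rather than silently pass.
        return ["no baseline for user"]
    reasons = []
    # Floor the spread so a very regular user does not produce infinite z-scores.
    spread = max(profile["stdev"], 1.0)
    z = (downloads - profile["mean"]) / spread
    if z > z_threshold:
        reasons.append(f"download volume z={z:.1f} above threshold")
    if country not in profile["countries"]:
        reasons.append(f"first login from {country}")
    return reasons


def detect(profiles, new_events):
    """Run scoring over a batch of new events and collect the ones worth alerting on."""
    alerts = []
    for event in new_events:
        reasons = score_event(profiles, event)
        if reasons:
            alerts.append((event[0], event[1], reasons))
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(BASELINE_EVENTS)
    # Constructed new-day events: bob's 65 is normal for bob; alice's 20 is not for alice.
    new_day = [
        ("bob", "2015-06-08", "DE", 65),
        ("alice", "2015-06-08", "US", 20),
        ("alice", "2015-06-09", "RO", 10),
    ]
    for user, day, reasons in detect(profiles, new_day):
        print(user, day, "; ".join(reasons))
```

The point the example makes is that 20 downloads is unremarkable in absolute terms (bob routinely does more) but is well outside alice's own baseline, which is exactly the kind of per-entity judgement a global rule cannot express. Production UEBA systems use richer features, rolling windows and learned rather than hand-set thresholds, but the shape of the logic is the same.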
A growing number of security solutions incorporate UEBA
Gartner’s latest research predicts that by 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2013. UEBA capabilities are beginning to make their way into existing security solutions, which can use UEBA to take action on threats. By 2018, Gartner expects 80% of endpoint protection platforms will include user activity monitoring and forensic capabilities, up from less than 5% in 2013. Taken together, the introduction of UEBA into these solutions will lead more breaches to be discovered using this technology. Gartner predicts that by 2018, at least 25% of self-discovered enterprise breaches will be found using UEBA.
Cloud access security brokers (CASB) are one of the security solutions that incorporate UEBA. CASBs provide a single point of control over multiple cloud services concurrently, for any user or device. They primarily address security gaps across these cloud services or mobile devices. Gartner has outlined four core capabilities of a CASB including visibility, compliance, data security and threat protection. The threat protection capabilities of CASBs leverage UEBA to detect and stop rogue users or devices from accessing cloud services. However, unlike a standalone UEBA solution, the CASB can take action to revoke access or require additional authentication when it detects a threat.
The Skyhigh UEBA solution
Skyhigh is the leading cloud access security broker (CASB) trusted by over 500 enterprises to securely enable over 17,000 cloud services, including shadow IT and sanctioned IT. With Skyhigh, organizations leverage a single cross-cloud platform to gain visibility into cloud usage and risks, meet compliance requirements, enforce security policies, and detect and respond to potential threats.
Evaluating user activities beyond the initial login, including user movements, access to organizational assets and the context in which that access occurs, is what helps us lead the CASB vendor space in protecting corporate data in cloud systems from compromised accounts and insider threats.
Over the last two years the Skyhigh Cloud Access Security Broker has helped enterprises detect anomalous behavior indicative of security breaches or insider threats, thereby protecting corporate data in on-premises applications from exfiltration to the cloud. Specifically, the Skyhigh platform delivers actionable intelligence around a wide range of internal and external threats that can lead to data loss, including:
- Employees downloading sensitive corporate data with the intention of taking that data with them when they leave to join a competitor
- Malicious administrators accessing data out of policy or data not related to their role, intentionally degrading security settings, or creating dummy accounts for unauthorized third party access
- High-risk user behavior such as downloading data from company-sanctioned cloud services and uploading it to high-risk shadow IT services
- Third parties logging into cloud service accounts using stolen or guessed login credentials in order to steal sensitive data