Organizations are struggling to pinpoint threats that come from real user accounts. Take insider threats, as an example. In a 2020 report, 68% of IT and security experts felt their employers were somewhat or very at risk to insider attacks. Over half (53%) said it had become at least somewhat harder to detect an insider attack after migrating to the cloud. About the same proportion admitted that it was more difficult to detect insider threats than external attacks. When asked why, 59% said it was because insiders already had credential access to the network and services. User behavior analytics (UBA) presents one way to solve these problems.

Insiders aren’t the only ones using honest accounts to their advantage, either. Researchers saw a 300% increase in instances where external attackers conducted account takeover (ATO) fraud. Those incidents gave attackers the chance to spread out across their victims’ networks. In fact, 70% of digital attacks in 2020 involved attempts to move sideways across the network, per a study covered by Health IT Security. It’s not surprising, as lateral movement is crucial for targeting key assets and stealing sensitive information from the network.

Both insider threats and ATO fraud highlight the dangers of relying solely on security tech that faces outward to detect account misuse. Firewalls and similar tools focus on maintaining the perimeter, an outdated concept in the age of distributed systems, cloud computing and remote work. They aren’t equipped to defend against threats that are lurking in the network and using a trusted account for malicious purposes. So, you need to adjust the approach. But how?

Oh, Behave!

The key is to begin taking advantage of UBA. This solution collects information about each authorized user account and uses it to spot strange behavior. UBA tools perform this data collection, conduct their analysis and issue alerts with the help of artificial intelligence and machine learning.

A fictional example might be helpful. Say there’s an employee named ‘Alex’ at ‘ACME Tech,’ which uses UBA. Having just purchased and deployed a new UBA solution, ACME Tech sets up a baseline set of behaviors for Alex by itself. These include working standard business hours on the West Coast and downloading an average of 50 MB of data a day.

One weekend, the security team at ACME Tech receives an alert from the UBA solution about Alex. The alert shows that someone logged in to Alex’s work account at 2 a.m. local time. It also conveys that the account then attempted to download several gigabytes over the span of two hours. The UBA solution locks Alex’s account, giving the defenders time to look into what happened. Then they can trace the compromise back to a successful phishing attack and take further steps to solve the problem.

The Perks of UBA

The example provided above highlights speed as one of the central benefits of UBA. Security experts need to spot a potential incident as soon as possible in order to minimize its scope and impact. With UBA, security personnel can leverage automated visibility into user behavior to minimize certain threat categories confronting their employers.

The role of automation in UBA is also crucial. Sure, security teams could try on their own to establish a baseline into users’ behavior. But they’re human. They can’t monitor all user accounts equally and at once. Nor can they afford to just monitor user behavior on any given day.

With UBA, you can sidestep this step and spare security teams the tedious task of having to perform manual user behavior monitoring. This allows the teams to focus on other tasks that could have a more meaningful impact on the digital security posture.

How to Implement User Behavior Analytics

To implement UBA well, first invest in a robust UBA solution. Blockbird Ventures notes that this tool should consist of three components. First, it should have custom-built architecture that allows admins to answer queries relevant to them. Second, it needs to run in real time to query data almost instantly. Third, it must be scalable so that teams can continue to leverage the same platform as their business evolves.

At that point, organizations can then configure their UBA tools in such a way that directly contributes to their digital defense efforts. This should involve collecting all the information they can to construct user baselines. Doing so will provide them with more changes to spot odd behavior and to connect the dots in potential problems.

But UBA can only go so far on its own. Most solutions can’t fix deviant user behavior by themselves, for instance. With that said, security teams can pair their UBA tools with other tech to add context to their incident response and remediation processes. They should also look to integrate their UBA with a SIEM. By adding user activity to log data, threat intelligence, vulnerability scan data and other sources of information, you can gain even more complete insight into what’s going on in the network. This can help you to better see the attack chain and to mount an effective response.

Getting Realistic With User Behavior Analytics

UBA can help address the risks that come with insider attacks. That’s because UBA isn’t fixated on the edges of the network. It’s concerned with what’s going on with the users themselves.

As a result, you can benefit from putting UBA in place as part of a broader approach. This could include using UBA together with multi-factor authentication (MFA), micro-segmentation and other controls to build a zero trust network. Organizations need to ensure that authorized user accounts aren’t engaging in suspicious activity after each successful login. With UBA, you can track that.

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…