Organizations are struggling to pinpoint threats that come from real user accounts. Take insider threats as an example. In a 2020 report, 68% of IT and security experts felt their employers were somewhat or very vulnerable to insider attacks. Over half (53%) said it had become at least somewhat harder to detect an insider attack after migrating to the cloud. About the same proportion admitted that it was more difficult to detect insider threats than external attacks. When asked why, 59% said it was because insiders already had credentialed access to the network and services. User behavior analytics (UBA) presents one way to solve these problems.

Insiders aren’t the only ones using legitimate accounts to their advantage, either. Researchers saw a 300% increase in instances where external attackers conducted account takeover (ATO) fraud. Those incidents gave attackers the chance to spread out across their victims’ networks. In fact, 70% of digital attacks in 2020 involved attempts to move laterally across the network, per a study covered by Health IT Security. It’s not surprising, as lateral movement is crucial for targeting key assets and stealing sensitive information from the network.

Both insider threats and ATO fraud highlight the dangers of relying solely on security tech that faces outward to detect account misuse. Firewalls and similar tools focus on maintaining the perimeter, an outdated concept in the age of distributed systems, cloud computing and remote work. They aren’t equipped to defend against threats that are lurking in the network and using a trusted account for malicious purposes. So, you need to adjust the approach. But how?

Oh, Behave!

The key is to begin taking advantage of UBA. This solution collects information about each authorized user account and uses it to spot strange behavior. UBA tools perform this data collection, conduct their analysis and issue alerts with the help of artificial intelligence and machine learning.

A fictional example might be helpful. Say there’s an employee named ‘Alex’ at ‘ACME Tech,’ which uses UBA. Having just purchased and deployed a new UBA solution, ACME Tech sets up a baseline set of behaviors for Alex by itself. These include working standard business hours on the West Coast and downloading an average of 50 MB of data a day.

One weekend, the security team at ACME Tech receives an alert from the UBA solution about Alex. The alert shows that someone logged in to Alex’s work account at 2 a.m. local time. It also conveys that the account then attempted to download several gigabytes over the span of two hours. The UBA solution locks Alex’s account, giving the defenders time to look into what happened. Then they can trace the compromise back to a successful phishing attack and take further steps to solve the problem.
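The Alex scenario can be sketched in a few lines. This is an added example, not code from any UBA product: it swaps the machine learning a real tool would use for a simple statistical baseline, and the history records, function names and thresholds are all constructed for illustration.

```python
from datetime import datetime
from statistics import mean, stdev

# Constructed history for the fictional user: (activity time, MB downloaded that day).
# Ten working days in March 2021, averaging 50 MB a day during business hours.
HISTORY = [
    (datetime(2021, 3, day, hour, 0), mb)
    for day, hour, mb in [(1, 9, 48), (2, 14, 52), (3, 11, 45), (4, 16, 55), (5, 8, 50),
                          (8, 10, 47), (9, 13, 53), (10, 9, 49), (11, 17, 51), (12, 15, 50)]
]

def build_baseline(history):
    """Summarize normal behavior: active weekdays, active hours, download volume."""
    hours = [t.hour for t, _ in history]
    volumes = [mb for _, mb in history]
    return {
        "weekdays": {t.weekday() for t, _ in history},
        "hour_min": min(hours),
        "hour_max": max(hours),
        "mb_mean": mean(volumes),
        "mb_std": stdev(volumes),
    }

def score_session(baseline, when, mb_downloaded, z_limit=3.0):
    """Return the list of ways a session deviates from the baseline."""
    findings = []
    if when.weekday() not in baseline["weekdays"]:
        findings.append("activity on a day the user never works")
    if not baseline["hour_min"] <= when.hour <= baseline["hour_max"]:
        findings.append("activity outside usual hours")
    z = (mb_downloaded - baseline["mb_mean"]) / baseline["mb_std"]
    if z > z_limit:
        findings.append(f"download volume {z:.0f} standard deviations above normal")
    return findings

def respond(findings):
    """Hypothetical policy: one deviation raises an alert, two or more lock the account."""
    if len(findings) >= 2:
        return "lock_account"
    return "alert" if findings else "allow"

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Saturday, 2 a.m., roughly 4 GB downloaded: the scenario from the text.
    findings = score_session(baseline, datetime(2021, 3, 13, 2, 0), 4096)
    print(respond(findings), findings)
```

A single deviation, such as a large download during normal hours, only raises an alert here; the account is locked when several signals line up, as they do in the weekend scenario.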

The Perks of UBA

The example provided above highlights speed as one of the central benefits of UBA. Security experts need to spot a potential incident as soon as possible in order to minimize its scope and impact. With UBA, security personnel can leverage automated visibility into user behavior to minimize certain threat categories confronting their employers.

The role of automation in UBA is also crucial. Sure, security teams could try on their own to establish a baseline of users’ behavior. But they’re human. They can’t monitor all user accounts equally and at once. Nor can they afford to just monitor user behavior on any given day.

With UBA, you can sidestep this problem and spare security teams the tedious task of monitoring user behavior manually. This allows the teams to focus on other tasks that could have a more meaningful impact on the digital security posture.

How to Implement User Behavior Analytics

To implement UBA well, first invest in a robust UBA solution. Blockbird Ventures notes that this tool should consist of three components. First, it should have custom-built architecture that allows admins to answer queries relevant to them. Second, it needs to run in real time to query data almost instantly. Third, it must be scalable so that teams can continue to leverage the same platform as their business evolves.

At that point, organizations can configure their UBA tools in a way that directly contributes to their digital defense efforts. This should involve collecting all the information they can to construct user baselines. Doing so will provide them with more chances to spot odd behavior and to connect the dots in potential problems.

But UBA can only go so far on its own. Most solutions can’t fix deviant user behavior by themselves, for instance. With that said, security teams can pair their UBA tools with other tech to add context to their incident response and remediation processes. They should also look to integrate their UBA with a SIEM. By adding user activity to log data, threat intelligence, vulnerability scan data and other sources of information, you can gain even more complete insight into what’s going on in the network. This can help you to better see the attack chain and to mount an effective response.

Getting Realistic With User Behavior Analytics

UBA can help address the risks that come with insider attacks. That’s because UBA isn’t fixated on the edges of the network. It’s concerned with what’s going on with the users themselves.

As a result, you can benefit from putting UBA in place as part of a broader approach. This could include using UBA together with multi-factor authentication (MFA), micro-segmentation and other controls to build a zero trust network. Organizations need to ensure that authorized user accounts aren’t engaging in suspicious activity after each successful login. With UBA, you can track that.
