Cybersecurity incidents are not only increasing, but they are also becoming more destructive and targeting a broader array of institutions and information. At the core of every malicious activity occurring in your network is a user. Generally referred to as insiders, these users may be employees, contractors or even legitimate users whose compromised credentials are being exploited.

Security operations center (SOC) analysts need to implement behavior analytics solutions to observe and understand these insiders’ activities, behavior, asset usage and access to intellectual property. They need to find the regularities and patterns hidden in user behavior to uncover potential threats and risks to the intellectual property they hope to protect.

To date, organizations have focused on protecting their IT environments from external threats and have thus invested heavily in perimeter defense. But the tools designed to protect the perimeter are largely ineffective in detecting and deterring insider threats.

Understanding Insider Threats

Attacks from within have become a critical concern for most organizations, with studies indicating that insiders are responsible for up to 60 percent of security offenses.

Attacks involving internal users are a unique challenge for organizations. According to the Harvard Business Review, “insiders can do much more serious harm than external hackers can, because they have much easier access to systems and a much greater window of opportunity. The damage they cause may include suspension of operations, loss of intellectual property, reputational harm, plummeting investor and customer confidence, and leaks of sensitive information to third parties, including the media.”

Regardless of whether malicious employees, dishonest contractors or unintentional actions are responsible for these attacks, insider threats must be addressed rapidly and effectively.

Detecting Malicious Behavior

Privileged users and high-priority assets need to be monitored to identify irregular activities, since these actions could be signs of an insider threat. Risky behaviors must be noted, and the users involved then assessed, prioritized and monitored on an ongoing basis. Finally, corrective action must be taken to address the threat.

Security teams today are hampered by too many tools from too many vendors, as well as overly complex processes. This makes for a daunting challenge for the SOC analyst, who must pull the data together and get the right visibility into users’ activities, behaviors and the assets they access. Much of this work has to be done manually. The resulting delay allows perpetrators to do plenty of damage before analysts are able to detect pernicious activity.

Keeping the constraints and realities of today’s security operations in mind, security teams should look for user behavior analytics (UBA) capabilities designed to simplify overly complex security operations. For example, you should be able to leverage the logs and flow data that are already curated and loaded in your security information and event management (SIEM) platform to deliver rapid insights and actions. This helps SOC analysts maintain consistent visibility into users, assets and threats.

Simplifying Behavior Analytics

IBM integrates UBA into its SIEM platform and delivers the capability via an app on the App Exchange. SOC analysts do not have to learn a new tool; the UBA app leverages the curated log and flow data already in the SIEM platform, speeding time to insights.

The app’s purpose-built, out-of-the-box anomaly detection, behavioral rules and analytics detect changes in user behavior and deliver continued visibility into anomalous activities. By streamlining monitoring, detection and investigation, the app helps security analysts become more productive and manage insider threats more efficiently. With just a few clicks of the mouse, they can analyze behavior patterns, score users’ risk and focus on specific insiders to investigate or add to a watch list.
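To make the monitor-score-watchlist workflow described above concrete, here is an added example (not IBM's code and not part of the original post) that learns a per-user baseline of hosts and working hours from a few constructed log lines, applies simple behavioral rules to new events, accumulates a risk score per user and produces a watch list. The user names, host names, point weights and the EXPORT action are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, "timestamp user host action"; not taken from the article.
BASELINE_LOG = """2023-09-04T09:02:00 alice fs-hr LOGIN
2023-09-05T08:55:00 alice fs-hr READ
2023-09-05T14:20:00 bob db-finance LOGIN
2023-09-06T10:30:00 bob fs-eng LOGIN""".splitlines()
NEW_LOG = """2023-09-11T09:01:00 alice fs-hr LOGIN
2023-09-11T23:40:00 alice db-finance LOGIN
2023-09-11T23:45:00 alice db-finance EXPORT
2023-09-12T10:00:00 bob db-finance READ""".splitlines()
PRIVILEGED_USERS = {"bob"}          # hypothetical DBA account
HIGH_VALUE_ASSETS = {"db-finance"}  # hypothetical high-priority asset

def parse(line):
    ts, user, host, action = line.split()
    return datetime.fromisoformat(ts), user, host, action

def build_baseline(lines):
    """Per-user set of hosts and hours of day seen during the learning period."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ts, user, host, _ in map(parse, lines):
        hosts[user].add(host)
        hours[user].add(ts.hour)
    return hosts, hours

def score_users(lines, baseline):
    """Accumulate a risk score per user from simple behavioral rules; keep the reasons."""
    hosts, hours = baseline
    risk, reasons = defaultdict(int), defaultdict(list)
    def flag(user, pts, why):
        risk[user] += pts
        reasons[user].append(why)
    for ts, user, host, action in map(parse, lines):
        if host not in hosts[user]:  # asset this user has never touched before
            flag(user, 30 if host in HIGH_VALUE_ASSETS else 10, f"new host {host}")
        if ts.hour not in hours[user]:  # outside the user's usual working hours
            flag(user, 10, f"off-hours {ts.hour:02d}h")
        if action == "EXPORT":  # bulk data movement off a system
            flag(user, 25, "export")
        if user in PRIVILEGED_USERS:  # privileged activity always earns attention
            flag(user, 1, "privileged")
    return dict(risk), dict(reasons)

def watch_list(risk, threshold=50):
    """Users whose accumulated risk meets the threshold, highest score first."""
    return [u for u, s in sorted(risk.items(), key=lambda kv: -kv[1]) if s >= threshold]
```

In the sample, alice's off-hours logins and export against an asset she never used before push her well over the threshold, while the DBA's routine daytime read of the same database scores only the small privileged-activity increment.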

This helps SOC analysts uncover malicious behavior easily. Integrating UBA into the SIEM platform improves overall security operations, investigation and response — and makes SIEM a much better security operations platform.

Read the solution brief: Beat insider threats with integrated user behavior analytics
