Cybersecurity awareness programs can be like painting the Golden Gate Bridge: by the time you think you are done with the current job you practically have to start over. There’s a constant stream of new threats and the double whammy is that they are penetrating deeper into organizations making every employee and device or “thing” a potential risk.

Yet most users probably consider themselves security-minded. They would argue that they are not actively sending sensitive data to malicious recipients, knowingly clicking strange links or downloading attachments from unknown senders. But it happens all of the time. In fact, according to a recent study from Wandera, “15% of organizations had at least one device using an app that leaked password data.”

Another unintentional risk: those same employees may be exposing company data by accessing it on a personal device running an outdated operating system while connected to public Wi-Fi. They may also have installed risky applications, repeatedly attempted to visit blocked sites in the corporate browser or tried to log in from multiple unexpected locations.


With proper unified endpoint management (UEM) policy and compliance rules in place, many of these risks can be proactively avoided. Most organizations enjoy a level of trust between the employees and the UEM administrator. In many cases, there’s no need to take drastic action until it becomes apparent there is a pattern of bad user behavior.

Keeping Good Security Hygiene 

So, what makes for good security hygiene? Understanding and continuously evaluating behavior, and adjusting security measures accordingly, is the best way to keep your organization secure. It also avoids interrupting the productivity of users who already behave securely.

You should not have to comb through dozens of reports looking for risky behavior in order to identify the worst offenders. You need a way to quickly understand the most common risks to your company and, most importantly, to tell a repeat offender apart from an average employee making a one-off mistake. Doing that manually in an organization with hundreds or thousands of devices is simply not feasible.

This is where user risk management can help.

What is User Risk Management?

At its most basic level, user risk management is a UEM capability that aggregates risky user behaviors. It logs malicious app installs, unsecured network connections, unexpected login locations, failed access attempts, unpatched or outdated operating systems and the like. From there, it assigns each user a risk score based on administrator-defined parameters: which behaviors count and how heavily each one is weighted.

Not worried about login locations since your business thrives on remote work? Keep it out of the score. You only need to care about behaviors that have the most impact on your organization.

Once these scores are created, the system ranks users by which ones present the most imminent threat. That could be a malicious insider or an employee who clicks on every email link with reckless abandon.

After those threats are uncovered, actions can be taken, typically in the form of strong conditional access policies requiring tokens, biometrics or other factors to authenticate. In the case of the hypothetical malicious insider, though, access can be blocked outright while an investigation is conducted.

While user risk management lives within an organization’s UEM platform, its aim is to pull from data sources across the entire security stack. Security information and event management (SIEM), identity-as-a-service (IDaaS) and endpoint detection and response (EDR) tools can have their logs consolidated within the user risk engine. This allows for a multi-dimensional picture of users as they go about their day interacting with corporate systems.

Is This Good for the User Experience?

Since user risk management is continuously evaluating the behavior of users on their devices, those users who are not presenting a risk to the business are not hindered by access obstacles like their riskier counterparts. Instead, employees who act responsibly can have as frictionless an experience as the UEM administrator chooses to provide.

The other side of the coin with continuous evaluation is that security becomes adaptive. The ‘clean-nosed’ employees can quickly fall into the trap of clicking on a phishing link or downloading a banned app on their personal device, moving them from green to red. At that point, they go from minimal friction to immediate quarantine.

Conversely, the employee who was previously in the red can shift back to green, gaining back permissions and privileges that had been suspended.

This is a practical way to administer a Zero Trust security model. User risk management is not a complete Zero Trust implementation on its own, but it directly supports the ‘never trust, always verify’ principle. By continuously monitoring, an organization never turns a blind eye and relies on standing trust. Instead, it constantly verifies that the user still warrants the access they hold, and withdraws that access when the trust is broken.
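To make the scoring and adaptive-access ideas above concrete, here is an added example (illustration code written for this page, not MaaS360’s engine or any IBM code). It shows the pieces the text describes: per-behavior weights as the administrator’s “defined parameters”, a weight of zero to drop a behavior from the score, time decay with a half-life so that a clean streak moves a user from red back to green without a manual reset, and score bands that map to a conditional-access action. The behavior names, weights, thresholds, the fixed clock and the event log are all constructed for the example and are not product defaults.

```python
"""Toy user-risk scoring engine: weighted, time-decayed behaviour aggregation
mapped to a conditional-access decision. Added example, not MaaS360 code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical weights per risky behaviour. These are the "defined parameters"
# an administrator tunes; a weight of 0 drops that behaviour from the score.
DEFAULT_WEIGHTS = {
    "malicious_app_install": 40,
    "phishing_link_click": 30,
    "outdated_os": 20,
    "unexpected_login_location": 15,
    "unsecured_network": 10,
    "failed_access": 5,
}

# Score bands -> access action, checked from highest floor to lowest.
# Values are illustrative, not product defaults.
DECISION_BANDS = [(60, "block"), (30, "step_up_mfa"), (0, "allow")]

# Fixed clock so the example is deterministic.
NOW = datetime(2024, 1, 31, 12, 0, 0)


def days_ago(n):
    """Timestamp n days before NOW (negative n moves the clock forward)."""
    return NOW - timedelta(days=n)


# Constructed event log: (timestamp, user, behaviour). Not real telemetry.
SAMPLE_EVENTS = [
    (days_ago(0),  "alice", "unsecured_network"),
    (days_ago(14), "alice", "failed_access"),
    (days_ago(0),  "bob",   "phishing_link_click"),
    (days_ago(0),  "bob",   "unexpected_login_location"),
    (days_ago(7),  "bob",   "malicious_app_install"),
    (days_ago(0),  "carol", "outdated_os"),
    (days_ago(7),  "carol", "phishing_link_click"),
    (days_ago(14), "carol", "malicious_app_install"),
    (days_ago(60), "dave",  "malicious_app_install"),
]


def score_users(events, now=NOW, weights=DEFAULT_WEIGHTS,
                window_days=30, half_life_days=7.0):
    """Return {user: score}. Each event contributes weight * 0.5**(age/half_life).

    Events older than window_days are ignored, so a user who stays clean decays
    back to green without an administrator resetting anything, while repeated
    recent events pile up into a high score for the repeat offender."""
    scores = defaultdict(float)
    for ts, user, behaviour in events:
        age_days = (now - ts).total_seconds() / 86400.0
        if age_days < 0 or age_days > window_days:
            continue
        weight = weights.get(behaviour, 0)
        if weight == 0:
            continue  # behaviour switched off for this organisation
        scores[user] += weight * 0.5 ** (age_days / half_life_days)
    return dict(scores)


def decide(score, bands=DECISION_BANDS):
    """Map a score to the conditional-access action for that band."""
    for floor, action in bands:
        if score >= floor:
            return action
    return "allow"


def rank_users(events, now=NOW, weights=DEFAULT_WEIGHTS):
    """Rank every user seen in the log by score, highest (most urgent) first."""
    scores = score_users(events, now, weights)
    for _, user, _ in events:
        scores.setdefault(user, 0.0)  # users with only stale events score 0
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(user, round(score, 2), decide(score)) for user, score in ranked]


if __name__ == "__main__":
    for row in rank_users(SAMPLE_EVENTS):
        print(row)
    # A remote-first business drops login location from the score entirely.
    remote_weights = dict(DEFAULT_WEIGHTS, unexpected_login_location=0)
    print(rank_users(SAMPLE_EVENTS, weights=remote_weights))
```

With these inputs bob (three recent events) is ranked first and blocked, carol lands in the step-up band, alice’s single mistake plus a two-week-old failed login leaves her in the frictionless band, and dave’s sixty-day-old install has aged out of the window, so he is already back to green. Setting the login-location weight to zero, as the text suggests for a remote-first business, drops bob from block to step-up without touching anyone else. In a real deployment the event list would be fed from the UEM, SIEM, IDaaS and EDR sources the post mentions rather than a hard-coded list.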

IBM Launches User Risk Management

IBM Security MaaS360 with Watson is announcing the general availability of user risk management. MaaS360’s risk management philosophy aligns with everything outlined above. It supports zero trust initiatives and is designed to ensure a satisfying user experience.

In a nutshell, MaaS360 user risk management can be defined by three major pillars:

  • Identify insights: Through its Watson integration, MaaS360 uses artificial intelligence analytics to help quickly uncover risks and trends as they pertain to enrolled users and devices.
  • Monitor security health: By providing individual risk scores based on UEM data — as well as data from third-party security sources — a holistic picture of a user’s security health can be developed.
  • Enforce compliance: By dealing with highly risky users swiftly and, in many cases, through automated actions, organizations can cut down on time spent resolving issues and move on more quickly to the investigation and retrospective stages of threat response.

Interested in learning more? Register for the webinar, where you will hear directly from MaaS360 customers about their experience in the user risk management beta program, as well as from IBM Security product experts on feature details and the roadmap for the future.
