Cybersecurity awareness programs can be like painting the Golden Gate Bridge: by the time you think you are done with the current job you practically have to start over. There’s a constant stream of new threats and the double whammy is that they are penetrating deeper into organizations making every employee and device or “thing” a potential risk.

Yet most users probably consider themselves security-minded. They would argue that they are not actively sending sensitive data to malicious recipients, knowingly clicking strange links or downloading attachments from unknown senders. But it happens all of the time. In fact, according to a recent study from Wandera, “15% of organizations had at least one device using an app that leaked password data.”

Those same employees may also be exposing company data without meaning to: accessing it on a personal device running an outdated operating system while connected to public Wi-Fi, installing risky applications, repeatedly attempting to visit blocked sites in the corporate browser or attempting to log in from multiple unexpected locations.


With proper unified endpoint management (UEM) policy and compliance rules in place, many of these risks can be proactively avoided. Most organizations enjoy a level of trust between the employees and the UEM administrator. In many cases, there’s no need to take drastic action until it becomes apparent there is a pattern of bad user behavior.

Keeping Good Security Hygiene 

So, what makes for good security hygiene? Understanding and continuously evaluating behavior, and adjusting security measures accordingly, is the best way to keep your organization secure. This approach also avoids interrupting the productivity of the users who are already security-minded.

You should not have to comb through dozens of reports looking for risky behavior in order to identify the worst offenders. You need a way to quickly understand the most common risks to your company, and above all to know whether a user is a repeat offender or an average employee who made a mistake. Doing that manually in an organization with hundreds or thousands of devices is simply not feasible.

This is where user risk management can help.

What is User Risk Management?

At its most basic level, user risk management is a UEM capability that aggregates risky user behaviors. It logs malicious app installs, unsecured network connections, strange login locations, failed access attempts, unpatched or outdated operating systems and the like. From there, it assigns a user risk score based on defined parameters.

Not worried about login locations since your business thrives on remote work? Keep it out of the score. You only need to care about behaviors that have the most impact on your organization.

Once these scores are created, the system ranks users by which ones present the most imminent threat. That could be a malicious insider or an employee who clicks on every email link with reckless abandon.

After those threats are uncovered, actions can be taken, typically in the form of strong conditional access policies requiring tokens, biometrics or other factors to authenticate. In the case of the hypothetical malicious insider, though, access can be blocked outright while an investigation is conducted.

While user risk management lives within an organization’s UEM platform, its aim is to pull from data sources across the entire security stack. Security information and event management (SIEM), identity-as-a-service (IDaaS) and endpoint detection and response (EDR) tools can have their logs consolidated within the user risk engine. This allows for a multi-dimensional picture of users as they go about their day interacting with corporate systems.

Is This Good for the User Experience?

Since user risk management is continuously evaluating the behavior of users on their devices, those users who are not presenting a risk to the business are not hindered by access obstacles like their riskier counterparts. Instead, employees who act responsibly can have as frictionless an experience as the UEM administrator chooses to provide.

The other side of the coin with continuous evaluation is that security becomes adaptive. The ‘clean-nosed’ employees can quickly fall into the trap of clicking on a phishing link or downloading a banned app on their personal device, moving them from green to red. At that point, they go from minimal friction to immediate quarantine.

Conversely, the employee who was previously in the red can shift back to green, gaining back permissions and privileges that had been suspended.

This is a practical way to administer a Zero Trust security model. User risk management is not by itself the ‘never trust, always verify’ control that Zero Trust is built on, but it contributes to that approach: with continuous monitoring, an organization never turns a blind eye and relies on trust alone. Rather, it constantly verifies that the user can still be trusted, and withdraws access the moment that trust is broken.
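To make the scoring, ranking and adaptive green/red behavior described above concrete, here is a minimal user risk engine written as an added example for this page. It is not MaaS360’s code, and the event names, weights, thresholds, half-life, users and timestamps are all constructed for illustration. It shows three things the text describes: a configurable weight table (drop `login_unusual_location` for a remote-first business and it simply stops counting), a ranking of users by score with a mapped conditional-access action, and time decay, so a user who went red drifts back to green once the behavior stops.

```python
"""Added example: a minimal user risk scoring engine (illustrative, not MaaS360's).

Events would in practice come from UEM, SIEM, IdP and EDR feeds; here they are
constructed inline so the example runs offline.
"""
from datetime import datetime, timedelta

# Constructed reference time and event stream (hypothetical users).
NOW = datetime(2024, 1, 31, 12, 0)


def days_ago(n):
    """Timestamp n days before NOW (float days allowed)."""
    return NOW - timedelta(days=n)


EVENTS = [
    # (user, event type, when)
    ("alice", "malicious_app_install", NOW - timedelta(hours=2)),
    ("alice", "unsecured_wifi", NOW - timedelta(hours=5)),
    ("alice", "failed_login", NOW - timedelta(hours=6)),
    ("alice", "failed_login", NOW - timedelta(hours=6)),
    ("bob", "outdated_os", days_ago(1)),
    ("bob", "login_unusual_location", days_ago(1)),
    ("carol", "malicious_app_install", days_ago(40)),
    ("carol", "unsecured_wifi", days_ago(40)),
    ("carol", "failed_login", days_ago(40)),
    ("carol", "failed_login", days_ago(40)),
    ("carol", "failed_login", days_ago(40)),
]

# Points per behaviour (assumed values). Leaving a key out removes that
# behaviour from the score entirely.
DEFAULT_WEIGHTS = {
    "malicious_app_install": 40,
    "unsecured_wifi": 15,
    "failed_login": 10,
    "outdated_os": 10,
    "login_unusual_location": 25,
    "blocked_site_attempt": 5,
}
# A remote-first company that does not care about login locations.
REMOTE_FIRST_WEIGHTS = {k: v for k, v in DEFAULT_WEIGHTS.items()
                        if k != "login_unusual_location"}

HALF_LIFE_DAYS = 7.0  # a behaviour's contribution halves every week
TIERS = [(70, "red"), (30, "amber"), (0, "green")]  # assumed thresholds
ACTIONS = {"green": "allow",
           "amber": "require_mfa",
           "red": "block_and_investigate"}


def score_user(user, events, weights=DEFAULT_WEIGHTS, now=NOW,
               half_life=HALF_LIFE_DAYS):
    """Sum weighted events for one user, decaying each by its age.

    Exponential decay is what lets a previously red user return to green
    once the behaviour stops, without an admin clearing anything by hand.
    Events with a weight of zero or no weight entry are ignored.
    """
    total = 0.0
    for who, kind, when in events:
        if who != user or kind not in weights:
            continue
        age_days = (now - when).total_seconds() / 86400
        if age_days < 0:          # not yet happened as of `now`
            continue
        total += weights[kind] * 0.5 ** (age_days / half_life)
    return round(total, 1)


def tier_for(score):
    """Map a score to green/amber/red using the first threshold it meets."""
    for threshold, name in TIERS:
        if score >= threshold:
            return name
    return "green"


def rank_users(events, weights=DEFAULT_WEIGHTS, now=NOW):
    """Return (user, score, tier, action) tuples, riskiest first."""
    rows = []
    for user in sorted({who for who, _, _ in events}):
        score = score_user(user, events, weights, now)
        tier = tier_for(score)
        rows.append((user, score, tier, ACTIONS[tier]))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


if __name__ == "__main__":
    for user, score, tier, action in rank_users(EVENTS):
        print(f"{user:6} {score:6.1f} {tier:5} -> {action}")
    # carol was red when her events were fresh, and is green today
    print("carol then:", tier_for(score_user("carol", EVENTS, now=days_ago(39.95))))
```

With the default weights alice ranks first and is blocked pending investigation, bob lands in amber and is challenged for a second factor, and carol, whose incidents are 40 days old, has decayed back to green; switching to `REMOTE_FIRST_WEIGHTS` drops bob to green because his only significant signal was an unusual login location.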

IBM Launches User Risk Management

IBM Security MaaS360 with Watson is announcing the general availability of user risk management. MaaS360’s risk management philosophy aligns with everything outlined above. It supports zero trust initiatives and is designed to ensure a satisfying user experience.

In a nutshell, MaaS360 user risk management can be defined by three major pillars:

  • Identify insights: Through its Watson integration, MaaS360 uses artificial intelligence analytics to help quickly uncover risks and trends as they pertain to enrolled users and devices.
  • Monitor security health: By providing individual risk scores based on UEM data — as well as data from third-party security sources — a holistic picture of a user’s security health can be developed.
  • Enforce compliance: By ensuring that highly risky users are dealt with swiftly, and in many cases through automated actions, organizations can cut down on time spent resolving issues. That in turn lets them move on more quickly to the investigation and retrospective stage of the threat response.

Interested in learning more? Register for the webinar, where you will hear directly from MaaS360 customers about their experience in the user risk management beta program, as well as from IBM Security product experts on feature details and the roadmap for the future.
