The idea of bad actors stealing valuable assets brings to mind a picture of masked men breaking into a bank vault or museum and making a getaway with their illicit stash. But what if the enemy is one of us — someone who knows exactly where we keep our most valuable items, how we safeguard them and even the alarm code to disable the entire security system?

Distinguishing Malicious Insiders From Legitimate Users

Organizations hold patents, intellectual property, client data and other valuable information, and thousands of employees need access to those assets for legitimate reasons. With so much at stake, it is critical for security teams to be able to identify rogue staffers and determine whether their access credentials have been compromised by an external actor to get on the inside.

But how can security teams distinguish malicious insiders from legitimate users when suspicious activity closely resembles typical behavior? They must model the user’s normal behavior and measure this against subtle characteristic changes and anomalous activity using user behavior analytics (UBA).

Anomalous activity can include a user logging in from a different geographic location, logging in via a virtual private network (VPN) at odd hours, or transferring high volumes of data from the network to an external site or cloud storage account. Any one of these activities by itself does not necessarily indicate malicious intent, but the combination of several suspicious behaviors warrants investigation by a security operations center (SOC) analyst to determine whether the user has gone rogue or had credentials stolen. Each anomalous activity increases the user’s risk score. When it crosses a certain threshold, the user needs to be investigated or closely monitored.

Unlocking the Power of Machine Learning

Rules-based anomaly detection is a great way to identify illicit behaviors, but what if the clues are much more subtle? That’s where machine learning can help.

Let’s take a look at the activities of an employee in the marketing department, for example:

If this employee plans to quit his or her job and is looking to take proprietary data to a rival firm, he or she might exhibit the following behavior:

You’ll notice that the user does not change his or her routine drastically but exhibits certain subtle activity changes that indicate malicious intent.

A UBA solution powered by machine learning uses unsupervised learning to help model a user’s behavior in various categories, such as authentication, network access, firewall activity, application activity, port or network scans, denial-of-service events, malware or other malicious software activity. The user’s risk score is increased based on deviation from the baseline established by the model. The model also identifies deviation from normal activity versus frequency to give you a picture of the user’s risk posture.

Peer group analytics offer yet another lens into a user’s activities to help identify when a user deviates from the typical behavior of employees with similar roles and responsibilities.

Learn More

Learn more about QRadar User Behavior Analytics and try the free QRadar UBA app from the IBM Security App Exchange. You can also watch this video to learn how you can combine QRadar UBA and QRadar Advisor with Watson to investigate suspicious behavior.

If you are attending Think 2018 in Las Vegas, check out the Security and Resiliency Campus and attend these sessions on user behavior analytics:

Watch now! View the Think 2018 Security & Resiliency Sessions on-demand

More from Artificial Intelligence

Could a threat actor socially engineer ChatGPT?

3 min read - As the one-year anniversary of ChatGPT approaches, cybersecurity analysts are still exploring their options. One primary goal is to understand how generative AI can help solve security problems while also looking out for ways threat actors can use the technology. There is some thought that AI, specifically large language models (LLMs), will be the equalizer that cybersecurity teams have been looking for: the learning curve is similar for analysts and threat actors, and because generative AI relies on the data…

AI vs. human deceit: Unravelling the new age of phishing tactics

7 min read - Attackers seem to innovate nearly as fast as technology develops. Day by day, both technology and threats surge forward. Now, as we enter the AI era, machines not only mimic human behavior but also permeate nearly every facet of our lives. Yet, despite the mounting anxiety about AI’s implications, the full extent of its potential misuse by attackers is largely unknown. To better understand how attackers can capitalize on generative AI, we conducted a research project that sheds light on…

C-suite weighs in on generative AI and security

3 min read - Generative AI (GenAI) is poised to deliver significant benefits to enterprises and their ability to readily respond to and effectively defend against cyber threats. But AI that is not itself secured may introduce a whole new set of threats to businesses. Today IBM’s Institute for Business Value published “The CEO's guide to generative AI: Cybersecurity," part of a larger series providing guidance for senior leaders planning to adopt generative AI models and tools. The materials highlight key considerations for CEOs…

Does your security program suffer from piecemeal detection and response?

4 min read - Piecemeal Detection and Response (PDR) can manifest in various ways. The most common symptoms of PDR include: Multiple security information and event management (SIEM) tools (e.g., one on-premise and one in the cloud) Spending too much time or energy on integrating detection systems An underperforming security orchestration, automation and response (SOAR) system Only capable of taking automated responses on the endpoint Anomaly detection in silos (e.g., network separate from identity) If any of these symptoms resonate with your organization, it's…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today