SIEM Machine Learning AI and Behavior Analytics

Cybersecurity breaches caused by employees account for roughly 75% of all data breaches. Internal security threats are usually among the costliest attacks and remain the hardest to detect and solve. Even with the numerous security defenses and controls, user account compromises are still one of the most commonly used methods of attack. Employee awareness training will certainly help mitigate attacks, but good governance is not a fool proof defense. To successfully detect insider threats, companies should implement UBA User Behavioral Analytics and machine learning similar to what QRadar SIEM uses to identify and isolate incidents quickly. UBA is able to detect both inadvertent threats as well as malicious criminal offenses.

Studies show only about 5% of employees will be fooled by phishing scams after proper training, yet negligence still remains the highest ranked infiltration weakness. Oddly enough, there is another category known as employee errors that is also high on the list, but not considered negligence. The xForce cybersecurity analyses concluded 38% of attempted external attacks were using malicious link or an attachment, 35% of attempts were MitM man-in-the-middle attacks and 27% were attempting to exploit misconfigured systems.

The malicious insider threats are less common, and consists of both colluders, co-conspirators, orchestrators and DIY cybercriminals. Based on a study by CERT Community Emergency Response Team the frequency of these occurrences shows 37% of insider incidents involved fraud, 24% resulted in intellectual property theft and 6% was a combination of fraud and theft. CERT also says insider threats are among the costliest types of security breaches, and are the hardest to detect.

Identifying Insider Threats using UBA User Behavior Analytics and Machine Learning
There are no real-time safe guards for insider threats, as each instance has its own unique finger print and require analysis. However, each threat type can be broken down by identifiable patterns and provide predictive results based on different indicators and deviations. Good and bad user behavior patterns can be differentiated using behavior analytics, artificial intelligence and machine learning technology, and in turn to detect risky behavior as well as any type of insider threat. Security analysts can view alerts and reports to quickly assess and take action before an actual breach occurs. Once an insider threat or employ with a high risk score is discovered, security teams can initiate necessary controls or quarantine the user to prevent data loss.

How does UBA, AI and Machine Learning work?
Complex algorithms used to create rules which are made up of a combination factors, will find risky users based on suspicious and malicious activities related to applications/services/scripts used, website/domain/DNS analysis, corporate assets/data accessed, account credentials usage, login day of week and times, frequencies, circumvented or bypassed access controls/policies. User accounts are assigned scores over time that can be trigger an alert by themselves or be used in conjunction with other alerts that were triggered to expose a broader picture of an offense or insight for a forensics investigation.

Utilizing UBA does not negate the need for software patch management, regularly applying system security updates, network monitoring, ensuring device and RDP configurations are secure, and maintaining good security posture where vulnerabilities can exploit the infrastructure. UBA does provide a reliable and automated means to prevent insider threats from making the news and having to incur costly security breaches.