Mazen Dohaji, Regional Director for Middle East, Turkey & Africa, LogRhythm
Your organisation’s biggest asset could also be its biggest risk: its people.
In fact, according to a recent study of employees in the Middle East, Turkey and Africa, only 18% of respondents were fully aware of the IT security policies and rules in the organisations for which they work.
Most security products set up checkpoints at your network’s perimeter to prevent external threats from slipping in undetected. But few are designed to detect and respond to threats brewing within the bounds of your firewall. Compromised accounts, administrator abuse and misuse, negligent users and employees with malicious intent are just some of the insider threats that could jeopardise your brand, its reputation and its finances.
Because most organisations don’t monitor their internal network traffic, once inside, an attacker can conduct reconnaissance and collect data over time. The target information can then be packaged and moved out of the network all at once; by the time the alarm bells start going off it is too late, and the data is gone.
In such cases early detection is key. The first thing an organisation needs to catch insider threats is network visibility. Internal network traffic, access logs and policy violations need to be monitored closely for suspicious activity.
Your analysts need to know what a regular day looks like on your network. They need to know how much traffic to expect, who is expected to access sensitive information and what applications are used in the day-to-day business operations. Anything that falls outside of these norms should be investigated.
But considering the sheer volume of information and alerts security systems serve up, this could prove a needle-in-a-haystack scenario for analysts; how can they tell when something is happening within the environment that shouldn’t be?
UEBA and cyber security
The use of data analytics has now graduated to the forefront of securing IT infrastructure. Organisations are now deploying big data techniques to baseline the performance of an environment and detect anomalies that indicate attacks.
User Entity Behaviour Analytics (UEBA) platforms first determine ‘normal’ activities specific to the organisation and its users. Then these UEBA tools quickly discern deviations from that norm that require further exploration. That is, they spotlight cases in which abnormal behaviour is underway.
UEBA tools can keep track of where people usually log in from, which applications or file servers they use, what their level of access is and other such information. These tools then gauge whether a given activity performed by a user differs from their daily tasks. If something doesn’t fit the baseline, UEBA detects it and sends out an alert.
So far, UEBA has proved itself to be an indispensable asset in the world of cyber security. The UEBA market has doubled each year, with Gartner estimating its growth from USD 50 million in 2015 to USD 100 million in 2016, to USD 200 million by the end of last year.
How machine learning helps
Artificial intelligence (AI) and machine learning (ML) models build baselines of normal behaviour for each user by looking at historical activity and comparisons within peer groups. Users at high risk are surfaced to analysts to enable them to quickly investigate the user’s behaviour in the context of their role and responsibility within the organisation.
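As an added example (not LogRhythm’s product logic or code from this article), the following Python sketch shows the baseline-then-deviate approach from the UEBA paragraphs above together with the peer-group comparison described here: it learns each user’s usual login country, application and time-of-day bucket from historical events, then scores new events, with a deviation that is at least common within the user’s department weighing less than one no peer has shown. All users, departments, countries and application names are constructed sample data.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    user: str
    dept: str     # peer group used for comparison
    country: str  # where the login came from
    app: str      # application or file server used
    hour: int     # hour of day, 0-23

def features(e):
    """The behaviours we baseline; hours fall into 6-hour buckets (0 night .. 3 evening)."""
    return {"country": e.country, "app": e.app, "bucket": e.hour // 6}

def build_baselines(history):
    """Count what each user, and each department as a peer group, normally does."""
    users = defaultdict(lambda: defaultdict(Counter))
    peers = defaultdict(lambda: defaultdict(Counter))
    for e in history:
        for name, value in features(e).items():
            users[e.user][name][value] += 1
            peers[e.dept][name][value] += 1
    return users, peers

def score_event(e, users, peers):
    """Score: 2 per value unseen for the user, 1 if their peers have shown it; 3 if no history."""
    if e.user not in users:
        return 3, ["no baseline for user"]
    score, reasons = 0, []
    for name, value in features(e).items():
        if users[e.user][name][value] == 0:
            in_peers = peers[e.dept][name][value] > 0
            score += 1 if in_peers else 2
            reasons.append(f"{name}={value!r} new for user, "
                           f"{'seen' if in_peers else 'unseen'} in peer group")
    return score, reasons

def triage(history, new_events, threshold=3):
    users, peers = build_baselines(history)
    scored = [(e.user, *score_event(e, users, peers)) for e in new_events]
    return [r for r in scored if r[1] >= threshold]  # only users far from baseline

# Constructed sample data, not real logs.
HISTORY = [Event("alice", "finance", "AE", "erp", h) for h in (9, 10, 14, 15)] + [
    Event("bob", "finance", "AE", "erp", 9), Event("bob", "finance", "TR", "fileshare-fin", 11)]
NEW = [Event("alice", "finance", "AE", "erp", 11),            # routine
       Event("alice", "finance", "TR", "fileshare-fin", 11),  # new for alice, normal for finance
       Event("alice", "finance", "RU", "git", 2),             # nobody in finance does this
       Event("dave", "finance", "AE", "erp", 9)]              # no baseline at all
```

Running `triage(HISTORY, NEW)` surfaces alice’s night-time access from an unseen country to an unseen application (score 6) and the unknown user dave (score 3), while alice’s first use of a file server her finance peers already use scores only 2 and stays below the threshold.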
Such solutions can quickly process huge unstructured and hybrid datasets, as well as reduce the time for investigating attacks and produce fewer false positives. Machine learning algorithms can make security systems self-learning and augment human decision-making.
Incidentally, using a cloud-based ML tool can provide an organisation with significant additional benefits: it can reduce the cost of adoption compared with an on-premise deployment as it will require much less configuration before being put to work. Using a cloud-based delivery model also allows experience and knowledge gleaned in one place to be put to work in others.
These techniques not only throw up genuine alerts with a greater degree of accuracy, but most solutions have also automated the shutdown of malicious activity so that the problem is nipped in the bud in near real-time.
By working effectively together, AI and a skilled security team can be the most important tools in the war on cybercrime. UEBA frees up resources to concentrate on doing the things that humans need to do, such as working on the security strategy, applying patches, fixing vulnerabilities, responding to threats and more.