How analytics is helping predict future internal threats

Balck and neon blue mockup of a padlock against a backdrop of data depicting cyber security
(Image credit: Shutterstock)

The cyber threat landscape has evolved tremendously in the last five years. Hackers have become much more technically sophisticated; they are researching, targeting and exploiting organisations' vulnerabilities by any means possible.

Organisations are becoming more and more connected, increasing the attack surface area substantially. The combination of these factors mean cyber attacks are now inevitable and pose an increasingly serious risk to businesses.

While most companies have invested in detection and investigation technologies, today's constant stream of threats creates an overwhelming amount of noise, making it difficult to determine, assess and analyse the actual risk. The channel industry is under growing pressure to help businesses cut through the noise and find solutions that will not only help protect their infrastructure, but also help predict future threats.

This is why big data analytics, such as security intelligence and User and Entity Behaviour Analytics (UEBA), is quickly gaining momentum.

Investigating a breach results in a lot of data, which can contain valuable information about how and why the breach occurred. Security intelligence can provide security teams with the ability to investigate events in real time and delve into historical data to discern patterns and find evidence related to events or breaches that have occurred.

For businesses that have good post-breach processes in place, this data can be investigated to help detect and prevent future attacks and breaches.

Combatting the insider threat

It's also worth noting that an increasing number of attacks originate from within the organisation. Insider threats can take many forms. Company credentials can be compromised and used by an external agent, a disgruntled employee could steal and share confidential data, or an unwitting insider could reveal secure log-in details to a cybercriminal.

This is subsequently a growing problem for security teams who are responsible for monitoring hundreds and thousands, if not millions, of user accounts. They are therefore increasingly relying on the channel for their guidance and support.

Organisations are under siege by an ecosystem of threat actors, yet security teams are faced with significant obstacles when securing qualified personnel to combat these threats. These challenges are often heightened by organisational pressure to relax controls and unlock business productivity. The truth is that security teams increasingly need to be able to protect company data without time and money on their side.

As these challenges become more prominent, the role of the channel is evolving. Not only do channel participants need to be fully aware of the cyber security landscape, including what new threats and trends businesses need to be protecting themselves from, but they need to be taking into account the escalating internal company pressures that impact how businesses invest in cyber defence.

Why UEBA is key

As organisations attempt to combat the insider threat problem, the channel is advocating UEBA as the modern-day tool for the security team – and for a very good reason. UEBA lets organisations detect insider threats, targeted attacks, and financial fraud in real-time, allowing SecOps to see at a glance if something out of the ordinary is happening on the network.

UEBA technology essentially gathers large amounts of data on user activity and behaviour from disparate data sources. The system then learns the behaviour of users and entities (in other words, devices, servers and other endpoints) by applying scenario-based algorithms that use machine learning, statistical analysis, peer group analytics and other techniques.

Once the system has established a baseline of what 'normal' user or entity behaviour looks like it can detect and report anomalies and unusual activities far quicker than manual checks.

The technology can help organisations build much more secure and resilient systems. Algorithms can adapt, risk tolerances can be changed and baselines reset. In other words, the system learns over time and becomes more effective at detecting – and predicting – insider threats. UEBA can also help organisations improve security by identifying weak links in any chain.

The proliferation and innovation of business-enabling technology, combined with the speed of today's advanced hackers to adopt and adapt to the latest technology, is making it increasingly difficult – if not impossible – for security teams to evolve their rapid threat detection and response capabilities as quickly as their adversaries.

By encouraging organisations to have the ability to automatically spot deviations from normal behaviour, the channel is helping businesses recognise established patterns so they can identify both internal and external threats as soon as they appear.

What's more, the ability to do this automatically enables IT teams to rely less on the human eye, thus minimising false positives, and allowing them to spend time on more productive tasks.

Ross Brewer is vice president and managing director EMEA at LogRhythm