How UEBA Enhances Threat Detection in Financial Institutions

Threat detection in financial institutions has a unique set of challenges. These are often a result of mandates in the industry or legacy systems and processes. We recently wrote about how to prevent SWIFT fraud and will examine three unique financial sector use cases in a following post. This post is a quick refresher on threat detection and user and entity behavior and how they are linked.

In the old days, everything was simple. You knew where your assets lived—in the office building and in the on-premises data center. You had clear boundaries around your assets—a security guard for the building and a firewall and antivirus for the IT systems. Attacks could come from anywhere, but even if they could breach your perimeter you had other ways to combat the intrusion.

The problem with today’s security perimeter is it’s hard to determine where to set up your fortifications—where does your portion of cyberspace begin and end? Your assets are scattered between cloud and on-premises environments. Users can access your network from any location and any device. The boundaries are now blurred and attackers are exploiting these gaps in security to initiate attacks.

Threat detection is the branch of cybersecurity responsible for identifying potential threats such as malware, ransomware and phishing attack patterns. Traditional threat detection typically protects the security perimeter from external attacks, but modern attacks can manifest as insider threats, lateral movements, spoofing, brute force attacks and unknown attack vectors within the environment that needs to be protected. Modern threat detection involves analyzing the user and entity behavior patterns that are suspicious and it should be augmented with automatic response tools to contain the attack from spreading. 

What  is UEBA?

User and entity behavior analytics (UEBA) is an analytics-driven threat detection technology. UBA uses machine learning and data science to gain an understanding of how users (humans) within an environment typically behave, then find risky and anomalous activity that deviates from their normal behavior that may be indicative of a threat.

UEBA analyzes the behavior of the components that communicate with your network, such as:

• Users—the “insiders” or authorized people who use the software on a regular basis.
• Entities—third-party companies you integrate with, or any outsider you connect to your network, such as consultants, freelancers and visitors who need to temporarily use the company Wi-Fi.
• Endpoints—devices that connect to the frontend of your network, such as privately-owned smartphones, tablets, laptops and internet of things (IoT) devices.

Per Gartner in their “Market Guide for User and Entity Behavior Analytics” report,

UEBA solutions use packaged analytics to evaluate the activity of users and other entities (e.g., hosts, applications, network traffic and data repositories). They discover threats and potential incidents, commonly presented as an activity that is anomalous to the standard profiles and behaviors of users and entities across time and peer group horizons. The most common use cases sought by enterprises are threat detection and response, as well as insider threat detection and response (mainly compromised insiders; sometimes malicious insiders).

What is threat detection?

In cybersecurity, any event or activity that has the potential to damage your computing ecosystem is treated as a threat, whether it’s intentional or accidental. The term threat detection refers to the set of practices and technologies you put in place to detect threats. 

Threat detection uses a variety of technologies, such as machine learning (ML) and artificial intelligence (AI), and apply them in a variety of fields, such as endpoint detection and response (EDR) security and cloud access and security brokers (CASB). 

AI and ML capabilities enable EDR security solutions, which provide visibility into the endpoint components in the security perimeter and CASB systems, which adds a security layer between third-party cloud providers and their customers. This helps them detect, analyze, and respond to threats in a quick and efficient manner. 

Many cybersecurity vendors aim to protect customers from system attacks or breaches. There are often several points of entry for attackers that need to be protected and there is not just one technology that will completely protect enterprises. 

Threat detection systems can identify potential threats, including phishing schemes and ransomware attacks initiated by outsiders, or malware and Trojan horses introduced by a careless or disgruntled employee. 

UEBA for threat detection—how it works and WITFM?

Traditional cybersecurity perimeters had clearly defined boundaries. Devices were safeguarded inside the physical location of the organization, and all data was kept safe inside an on-premises data center. The company assets were confined to physical locations, kept secure by IT departments and security guards who ensured only authorized personnel gained access to company resources. These precautions, however, weren’t enough. Threat detection capabilities at the time relied heavily on correlation rules which were unable to prevent perimeter breaches.

New technologies have shattered the traditional concept of a cybersecurity perimeter. Cloud computing has made it possible for people to access the company network from any physical location and any connected device. When companies introduce bring your own device (BYOD) practices into their organization, they stretch the boundaries of the cybersecurity perimeter. As more users, third-party entities and endpoint devices connect to the network, they increase its attack surface making it more vulnerable to threats.

As organizations strengthen their cybersecurity efforts against malware, attackers lure unsuspecting and disgruntled employees into traps. Attackers trick users into revealing their company credentials by making them click on links that inject malware into the company network, or blackmail personnel into cooperating with the attack. 

How UEBA works for threat detection 

UEBA systems provide visibility into the user end of the network. Once the UEBA system identifies abnormal behavior, you can use the information to detect threats. For example, if your employee downloads 3 MB of files on a daily basis, but suddenly starts downloading terabytes—there is something unusual going on. The UEBA will flag such abnormal behaviors and alert you to the findings.

UEBA systems use algorithms, machine learning and statistical analysis technologies to study the patterns of normal behaviors. When it detects a deviation from an established pattern the UEBA system performs an analysis that determines whether the anomaly forms a real threat or not. Once an anomaly is classified as a threat, you will be notified via a detailed report.

Key benefits of UEBA for threat detection

While the capabilities of different UEBA systems may vary, most provide user visibility through the following detection features:

• Insider threats—for detecting anomalies in user behavior of your personnel. You can use this feature to prevent ex-employees from stealing trade secrets or causing outages. In cases of well-intentioned yet untrained personnel, you can identify which aspects of cybersecurity should be reinforced via training and education modules.
• Spoofing—for detecting anomalies in the usage behavior of your company accounts. You can use this feature to detect spoofed accounts, which impersonate legitimate company users with malicious intent. UEBA systems can help you identify compromised accounts before the attackers get the chance to exploit this vulnerability.
• Brute force attacks—for detecting anomalies in the usage behavior within third-party cloud environments. When automated bots generate a large number of fake credentials in an attempt to guess a valid user’s password, the UEBA systems identify the deviation from the pattern, flags it as unusual behavior, and then locks the account in time to prevent the breach. In UEBA, this would result in an unusual account behavior lockout. For example, usually when Bob locks his account, it is after three attempts but now we are seeing 400 attempts within 10 seconds. No human can type that fast!  
• Entity Analytics—this capability of UBA looks at an endpoint’s behavior. For example, ATM machines should have well-defined network zones they communicate with.  If one of them begins to communicate to a large number of zones or to a known command and control server, then we know that communication needs to be cut off.  

Detect threats—fast

UEBA systems enable rapid threat detection. These dedicated systems are tuned for analysis of user behavior with real-time and continuous monitoring into usage activities to ensure that you always know what’s going on within your network. Introducing UEBA into your environment expands your cybersecurity perimeter to include monitoring activity for closed systems, the users, the cloud provider, and the smart and connected endpoint devices.

Our next post will look at financial use cases and how to detect and prevent them with UEBA.