I previously wrote that threat detection in financial institutions has a unique set of challenges. Given the stringent guidelines and requirements specific to the finance industry, it is difficult to detect problematic activities. However, UEBA can enhance threat detection by using machine learning to provide insights into anomalous behavior and resulting potential threats.  

Take the case of the vacation policy implemented by the FDIC. It is a recommended best practice for employees to take two consecutive weeks of vacation to prevent fraud.

In 1995, the FDIC wrote 

“Vacation Policies: Banks should have a policy that requires all officers and employees to be absent from their duties for an uninterrupted period of not less than two consecutive weeks. Absence can be in the form of vacation, rotation of duties, or a combination of both activities. Such policies are highly effective in preventing embezzlements, which usually require a perpetrator’s ongoing presence to manipulate records, respond to inquiries, and otherwise prevent detection. The benefits of such policies are substantially, if not totally, eroded if the duties normally performed by an individual are not assumed by someone else. Where a bank’s policies do not conform to the two-week recommended absence, examiners should discuss the benefits of this control with senior management and the board of directors and encourage them to annually review and approve the bank’s actual policy and any exceptions. In cases where a two-week absent-from-duty policy is not in place, the institution should establish appropriate compensating controls that are strictly enforced. Any significant deficiencies in an institution’s vacation policy or compensating controls should be discussed in the ROE and reflected in the Management component of the Uniform Financial Institutions Rating System (UFIRS).”

The policy was much easier to enforce at the time: you could take a person’s laptop and keycard and send them off on a relaxing vacation.

In 2019 this is much harder to verify and enforce, because most organizations have several methods of remote access. I recently worked with a bank that had seven types of VPN. Seven! How do you know if they are all being used? In a situation like this, employees, including those on vacation, can check in easily.

The question is: why would employees on vacation need to check in? Are they committing fraud, or checking in on an ongoing project? How do you make it easy for a dedicated employee to fulfill their duties while still protecting the organization from malicious insiders?

The answer is UEBA. 

Customers using Exabeam can add users (those on vacation) to a watchlist. Since a timeline is built for every user every day based on their normal behavior, it is very simple to verify that badge cards weren’t swiped, VPNs weren’t logged into, and no email was sent from a smartphone over Office 365 or G Suite.

Figure 1: A watchlist tracks activity over the last 24 hours for staff who are technically on leave.
To enhance the watchlist, financial institutions can use Exabeam’s dormant user modeling and rule set to track additional behavior in the event of an investigation. This feature automatically adds a risk score to a user after they have been dormant for 14 days or even less. So, if a user returning to work after a vacation has accumulated no such risk, or has not triggered that rule, it is likely that some activity occurred in their account during the vacation.
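The two checks described above (a watchlist of on-leave users with no badge, VPN or mail activity expected, and a dormancy rule that should fire for anyone who really was away for two weeks) can be expressed as plain detection logic. The following is an added example, not Exabeam’s code; the leave roster, event log and the `badge`/`vpn`/`o365_mail` source labels are constructed for illustration.

```python
from datetime import datetime, timedelta, date

# Constructed leave roster (not real data): user -> (first day, last day) of
# an uninterrupted two-week absence, as the FDIC guidance recommends.
LEAVE = {
    "alice": (date(2019, 6, 3), date(2019, 6, 16)),
    "bob":   (date(2019, 6, 3), date(2019, 6, 16)),
}

# Constructed event log: (ISO timestamp, user, source). The sources are the
# ones the post lists as worth checking: badge swipes, VPN logins, mail sent.
EVENTS = [
    ("2019-06-01T08:02:00", "alice", "badge"),
    ("2019-06-07T22:15:00", "alice", "vpn"),        # VPN login mid-vacation
    ("2019-06-08T09:30:00", "alice", "o365_mail"),  # mail sent mid-vacation
    ("2019-05-30T17:45:00", "bob",   "badge"),
    ("2019-06-17T07:55:00", "bob",   "badge"),      # first day back at work
    ("2019-06-10T12:00:00", "carol", "vpn"),        # not on the watchlist
]

def event_day(ts):
    return datetime.fromisoformat(ts).date()

def leave_violations(leave, events):
    """Watchlist check: any badge, VPN or mail event by an on-leave user
    that falls inside that user's leave window."""
    return [(user, ts, src) for ts, user, src in events
            if user in leave and leave[user][0] <= event_day(ts) <= leave[user][1]]

def dormancy_at_return(leave, events):
    """Days between each user's last activity and their first day back.
    A clean two-week absence (last activity the day before leave) gives 15."""
    result = {}
    for user, (start, end) in leave.items():
        back = end + timedelta(days=1)
        prior = [event_day(ts) for ts, u, _ in events
                 if u == user and event_day(ts) < back]
        result[user] = (back - max(prior)).days if prior else None
    return result

def returned_without_dormancy(leave, events, threshold=14):
    """Users who came back without ever reaching the dormancy threshold,
    i.e. their account was active at some point during the vacation."""
    return sorted(u for u, d in dormancy_at_return(leave, events).items()
                  if d is not None and d < threshold)

if __name__ == "__main__":
    print("activity during leave:", leave_violations(LEAVE, EVENTS))
    print("never went dormant:", returned_without_dormancy(LEAVE, EVENTS))
```

Alice is flagged by both checks (a VPN login and a sent mail fall inside her window, and her dormancy at return is only 9 days), while Bob, who was genuinely away for 18 days, is flagged by neither.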

Financial institutions can leverage the machine learning and AI built into UEBA solutions to analyze user activity and behavior and classify it as risky or normal. For more on how to use UEBA in your organization, read about the benefits of UEBA.

Sr. Security Engineer
