UNDERSTANDING NORMAL BEHAVIOR
Detecting insider threats with UEBA
Over 90% of breaches involve compromised credentials. A stolen credential produces a login that looks legitimate, so the defense is to know what legitimate looks like: using AI to baseline the normal behavior of users and devices lets defenders detect anomalies, prioritize them by risk, and respond to mitigate potential threats.

OUTCOMES-FOCUSED TDIR
A prescriptive approach to use cases
Exabeam Outcomes Navigator maps the log feeds coming into the platform against common security use cases (such as insider threats) and MITRE ATT&CK®, and automatically suggests the source data and parsing configuration changes required to close any coverage gaps.

Insider Threat Behaviors
When breaches are analyzed, the indicators of compromise (IoCs) change from one to the next, but the attacker behaviors (tactics, techniques, and procedures, or TTPs) stay the same. Relying on rules, statistics, and signatures alone is therefore not enough.
Organizations need a reliable method to detect, investigate, and respond to insider threats. The AI in UEBA establishes a baseline of normal behavior for each user and device, against which organizations can detect lateral movement, privilege escalation, account manipulation, data destruction, data exfiltration, and more.
Abnormal Authentication and Access
Exabeam helps organizations detect and respond to insider activity involving abnormal authentication and access: interactions that deviate from a user's own typical usage and behavioral patterns, or from those expected of their assigned role.
Lateral Movement
Exabeam enables analysts to detect risky insider access and attacker techniques such as pass-the-hash and pass-the-ticket. Using behavioral models, Exabeam places anomalous activity, such as first-time or failed access to hosts and assets, in the context of the user's historical behavior and organizational norms, distinguishing attacker behavior from legitimate activity.
Privilege Escalation
Privilege escalation can give insiders or attackers broad access to critical assets. Exabeam reduces this risk by detecting techniques such as credential enumeration and BloodHound execution, so that unauthorized access to high-value assets can be stopped early.
Privileged Account Monitoring
Attackers target privileged accounts to bypass security controls, disrupt corporate operations, or exfiltrate sensitive data. Exabeam detects these malicious activities by analyzing user context and identifying abnormal behaviors.
Account Manipulation
Exabeam detects account manipulation by identifying abnormal user behavior, such as unauthorized changes to an organization's Active Directory (AD), including the creation, deletion, or modification of accounts and group memberships. It also identifies suspicious activity such as attempts to conceal actions by operating through system accounts or non-service accounts.
Data Exfiltration
Exabeam contextualizes data loss prevention (DLP) alerts within a user's typical behavior to better identify compromised users. By aggregating user activity from multiple sources, including DLP tools, Exabeam can detect data exfiltration across channels such as the domain name system (DNS), email, and web uploads.
Attack Evasion
Exabeam detects anomalous activity associated with evasions, such as tampering with audit logs, file destruction or encryption, and the use of a Tor proxy to hide web activity.
Data Leakage
Detecting data leaks can be challenging because they often resemble normal activity. Exabeam combines DLP alerts, authentication, access, and contextual data sources into a comprehensive timeline of user or attacker activity. This holistic view allows analysts to determine whether an insider is acting with malicious intent.
Data Access Abuse
Malicious insiders often abuse their privileges to access sensitive corporate data. Exabeam identifies access abuse by baselining each user's normal activity and flagging deviations from it.
Audit Tampering
Insiders or attackers with knowledge of auditing and event logging may attempt to tamper with or clear logs to evade detection. Exabeam enriches flagged abnormal activity with user and business context, so analysts can identify potential tampering and malicious intent accurately.
Data Destruction
A malicious insider may intentionally destroy critical business information to disrupt operations or cause financial harm. Exabeam baselines user activity and flags abnormalities in the number of file deletions to detect potential malicious behavior.
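As an added illustration of the baselining approach described under Lateral Movement and Data Destruction above (this is constructed example code, not Exabeam's own logic; the users, hosts, event counts and rule weights are invented), the following Python learns each user's normal hosts and daily deletion counts from five days of events and then scores a sixth day for first-time host access, a burst of failed logons across several hosts, and a deletion count far above the user's own baseline:

```python
# Constructed example (not Exabeam code): score one day of activity against
# a behavioral baseline learned from the previous days.  Users, hosts and
# counts are invented; the rule weights are arbitrary illustrations.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (day, user, event, host, success).
# Days 1-5 are the learning window; day 6 is the day being scored.
EVENTS = [
    # alice's normal week: her workstation, one file server, a few deletions a day
    *[(d, "alice", "logon", "wks-alice", True) for d in range(1, 6)],
    *[(d, "alice", "logon", "fs01", True) for d in range(1, 6)],
    *[(d, "alice", "file_delete", "fs01", True)
      for d, n in zip(range(1, 6), (2, 3, 2, 2, 3)) for _ in range(n)],
    # bob's normal week: workstation only, at most one deletion a day
    *[(d, "bob", "logon", "wks-bob", True) for d in range(1, 6)],
    *[(d, "bob", "file_delete", "wks-bob", True)
      for d, n in zip(range(1, 6), (1, 0, 1, 1, 0)) for _ in range(n)],
    # day 6: alice reaches a domain controller for the first time, fails logons
    # against three file servers she has never used, then deletes 40 files;
    # bob's day looks exactly like his baseline
    (6, "alice", "logon", "dc01", True),
    (6, "alice", "logon", "fs02", False),
    (6, "alice", "logon", "fs03", False),
    (6, "alice", "logon", "fs04", False),
    *[(6, "alice", "file_delete", "fs01", True) for _ in range(40)],
    (6, "bob", "logon", "wks-bob", True),
    (6, "bob", "file_delete", "wks-bob", True),
]

MIN_BASELINE_DAYS = 3   # too little history makes the statistical rule meaningless
FAIL_BURST_HOSTS = 3    # failed logons against this many distinct hosts in one day
Z_THRESHOLD = 3.0       # deletions this many spreads above the user's own mean


def build_baseline(events, last_day):
    """Per user: hosts successfully logged on to, and deletions per learning day."""
    hosts = defaultdict(set)
    deletes = defaultdict(lambda: defaultdict(int))
    for day, user, event, host, ok in events:
        if day > last_day:
            continue
        if event == "logon" and ok:
            hosts[user].add(host)
        elif event == "file_delete":
            deletes[user][day] += 1
    users = set(hosts) | set(deletes)
    # every learning day counts, including days with zero deletions
    return {u: {"hosts": hosts[u],
                "deletes": [deletes[u][d] for d in range(1, last_day + 1)]}
            for u in users}


def score_day(events, baseline, day):
    """Score one day's events against the baseline -> {user: (points, reasons)}."""
    seen_users, new_hosts, failed_hosts = set(), defaultdict(set), defaultdict(set)
    deletes = defaultdict(int)
    for d, user, event, host, ok in events:
        if d != day:
            continue
        seen_users.add(user)
        known = baseline.get(user, {}).get("hosts", set())
        if event == "logon" and ok and host not in known:
            new_hosts[user].add(host)          # first-time access to a host
        elif event == "logon" and not ok:
            failed_hosts[user].add(host)       # candidate lateral-movement probing
        elif event == "file_delete":
            deletes[user] += 1
    results = {}
    for user in seen_users:
        points, reasons = 0, []
        for host in sorted(new_hosts[user]):
            points += 20
            reasons.append(f"first-time access to {host}")
        if len(failed_hosts[user]) >= FAIL_BURST_HOSTS:
            points += 30
            reasons.append(f"failed logons to {len(failed_hosts[user])} distinct hosts")
        hist = baseline.get(user, {}).get("deletes", [])
        if len(hist) >= MIN_BASELINE_DAYS:
            # floor the spread at 1 so a near-constant history cannot turn a
            # rise of one or two deletions into a huge z-score
            z = (deletes[user] - mean(hist)) / max(pstdev(hist), 1.0)
            if z > Z_THRESHOLD:
                points += 40
                reasons.append(f"{deletes[user]} deletions vs. baseline mean {mean(hist):.1f}")
        results[user] = (points, reasons)
    return results


if __name__ == "__main__":
    base = build_baseline(EVENTS, last_day=5)
    scored = score_day(EVENTS, base, day=6)
    for user, (pts, why) in sorted(scored.items(), key=lambda kv: -kv[1][0]):
        print(f"{user:6} risk={pts:3}  {'; '.join(why)}")
```

Running it puts alice at the top with 90 points (a first-time logon to dc01, failed logons to three unfamiliar file servers, and 40 deletions against a baseline averaging 2.4 a day) while bob scores zero. Two details matter in practice: the statistical rule is skipped when a user has fewer than MIN_BASELINE_DAYS of history, and the spread is floored at 1 so that a user whose history is nearly constant is not flagged for a rise of one or two deletions. The weights here are arbitrary; a real deployment tunes them per rule and adds role or peer-group baselines so that a host which is new to the user but normal for their team scores lower.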
Physical Security
Exabeam detects changes in user behavior, such as a user badging into a building for the first time or into two geographical locations within an impossible timeframe. These incidents may indicate an employee sharing or losing their badge, or a malicious insider attempting unauthorized access.
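The two badge checks just described, as an added example (constructed code, not Exabeam's; the site table, coordinates and log lines are invented):

```python
# Constructed example (not Exabeam code): badge-reader checks for a
# first-time site and for impossible travel between two sites.  The site
# table, coordinates and log lines are invented.
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed site table: reader site -> (lat, lon).  Invented coordinates.
SITES = {
    "LON-HQ": (51.5074, -0.1278),
    "LON-DC": (51.4700, -0.4543),
    "NYC-01": (40.7128, -74.0060),
}
MAX_SPEED_KMH = 900.0   # faster than a commercial flight: treat as impossible

# Constructed badge log: timestamp (UTC) user site door
LOG = """\
2024-03-04T08:02:11Z alice LON-HQ main-lobby
2024-03-04T17:45:09Z alice LON-HQ main-lobby
2024-03-04T08:30:00Z bob LON-HQ main-lobby
2024-03-05T08:10:42Z alice LON-HQ main-lobby
2024-03-05T09:30:00Z alice NYC-01 main-lobby
2024-03-05T07:55:03Z bob LON-HQ main-lobby
2024-03-05T08:20:00Z bob LON-DC server-room
"""


def haversine_km(p, q):
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*p, *q))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse(log):
    """Parse log lines and sort chronologically; reader logs rarely arrive in order."""
    rows = []
    for line in log.splitlines():
        ts, user, site, door = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, site, door))
    return sorted(rows)


def badge_alerts(log, learn_until):
    """Learn each user's sites before `learn_until`, then flag later badges that
    hit a never-seen site or imply impossible travel from the user's last badge."""
    cutoff = datetime.strptime(learn_until, "%Y-%m-%dT%H:%M:%SZ")
    seen = defaultdict(set)   # user -> sites badged so far
    last = {}                 # user -> (time, site) of the most recent badge
    alerts = []
    for ts, user, site, door in parse(log):
        if ts >= cutoff:
            if site not in seen[user]:
                alerts.append((ts.isoformat(), user, "first-time site", site))
            prev = last.get(user)
            if prev and prev[1] != site and prev[1] in SITES and site in SITES:
                prev_ts, prev_site = prev
                hours = (ts - prev_ts).total_seconds() / 3600
                km = haversine_km(SITES[prev_site], SITES[site])
                # a zero gap (clock skew, duplicate reads) is as impossible as excess speed
                if hours <= 0 or km / hours > MAX_SPEED_KMH:
                    alerts.append((ts.isoformat(), user, "impossible travel",
                                   f"{prev_site}->{site}: {km:.0f} km in {hours * 60:.0f} min"))
        seen[user].add(site)
        last[user] = (ts, site)
    return alerts


if __name__ == "__main__":
    for when, user, kind, detail in badge_alerts(LOG, "2024-03-05T00:00:00Z"):
        print(f"{when} {user:6} {kind:17} {detail}")
```

Running it reports alice's 09:30 badge at NYC-01 twice, as a first-time site and as impossible travel (about 5,570 km in 79 minutes from LON-HQ), and bob's first badge into the LON-DC server room as a first-time site only, since 23 km in 25 minutes is ordinary. Timestamps are parsed as UTC and sorted before comparison, because readers at different sites rarely deliver events in order, and a zero time gap between two different sites is treated as impossible rather than dividing by zero. Sites missing from the coordinate table are skipped by the travel check, so an incomplete site table degrades to the first-time-site rule instead of raising.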
At-Risk Employees
Using rich contextual information and specific activity patterns, Exabeam helps identify and monitor at-risk users who show signs of leaving the organization or of communicating with a competitor.
Explore Other Use Case Solutions
Exabeam provides threat-focused security content that helps security teams reach faster, more accurate outcomes.
USE CASE
Compliance
Using manual processes and disparate products to meet regulatory requirements like GDPR, PCI DSS, and SOX exposes an organization to unnecessary risk. The stakes are high when considering audit failures, fines, and — worst case — disclosure reporting.
USE CASE
External Threats
External threats are intentional and malicious efforts to breach an organization or individual for theft, financial gain, espionage, or sabotage. Examples include phishing, malware, ransomware, DDoS, and password attacks.