Detect and Track Threats Through UEBA and Incident Governance

By Ishani Sircar, Product Marketing Manager at CipherCloud

The Rise of the Unmanaged Devices

Most organizations are predicting an increased remote workforce and adoption of SaaS apps in the coming years. Remote work environments have led to a rapid adoption of data sharing and collaboration apps, BYOD devices on unsecured networks. This has introduced new risks that are compounded by the lack of visibility in the SaaS-Mobile environment. The math is simple, little visibility exposes organizations to a greater risk and inevitable data breach. An organization's ability to detect, respond, and prevent a data breach in the remote environment begins with bringing this new norm back into the fold.

Traditional security alert and incident investigation tools are not designed for the SaaS- Mobile environment. Furthermore, alerts typically consist of obscure data in raw log files that resist full understanding, even for experienced security analysts. An incident investigation itself demands scripting, manual correlation of various log files, interpreting meaning, manually removing secondary data sources for clues, and spending considerable time trying to determine the root cause of an alert incident. To glean deeper insights, incident correlation needs to be backed by advanced machine learning. This blog will explore 4 use cases driven by UEBA for Incident investigation and response that can save organizations before an incident develops into a full-blown breach.

Incident Governance

Incident Governance provides a rich set of tools for incident management enabling administrators to view incidents that involve policy violations, assign a level of severity to an incident, and specify the appropriate action. In addition, administrators can view information about incidents and their sources from several perspectives, and obtain additional details about each incident or source.

User and Entity Behavior Analytics (UEBA)

The UEBA engine performs continuous monitoring of users, devices and application activities, allowing IT security teams to identify anomalous behavior of users in real-time across multiple clouds and preventing accounts from getting compromised by malicious insiders and external threats. UEBA can dramatically improve the productivity of security analysts’ teams in conjunction with a modern security information and event management solution.

Key Use Cases Solved when Insights Investigate Meets UEBA

1.Incident identification for compromised User Credentials

User account credentials are keys to legitimate access, and compromised credentials are the number one vector for data breaches. While most organizations track unauthorized access, legacy security tools track user behavior and stop monitoring once the user is successfully authenticated. UEBA detects any such compromised users and lock related credentials for blocking security threat as well as report it as an incident for further remediation.

2.Incident Investigation for Anomalous Behavior and Insider Access Abuse

UEBA monitors several vectors, including user accounts; servers; network devices, non-trusted communication sources, insecure protocols, and other signs of malicious behavior; and anti-virus/malware monitoring to detect protection disablement or removal, or status of threat updates. UEBA solution detects when a user (privileged or not) is performing risky activities that are outside of their normal baseline and enforces behavioral analysis of the incident to connect the dots between “unrelated” activities and ends these attacks before loss occurs.

3.Incident Remediation for data exfiltration involving novel channels

Data exfiltration occurs when sensitive data is unwarrantedly transferred outside an organization. Exfiltration can be manual- when a user transfers data outside the premises or can be automatic as a result of malware infecting local systems. UEBA detects network traffic to control centers and identifies infected systems transmitting data to unauthorized parties raising a priority incident for remediation.

4.Incident Investigation and Automatic Remediation for Account Lockouts

Account lockouts aim to protect an account from anyone or anything trying to guess the username and password. Responding to each account lockout request can consume hours of time for administrative research. UEBA automates risk profiling, assessment process and expedites the process of decision making on account risk expediting response to incidents and eliminating falsely reported incidents. At a large organization, this could effectively save up to a significant man-hours efforts annually.

UEBA and Incident Governance are two concepts that work well in conjunction and provide the much needed holistic cloud security controls that secure the SaaS-mobile environment of an organization’s remote workforce.