
Why the focus is on User & Entity Behavior

Gone are the days when organizations focused solely on monitoring for external attacks that could breach the organization's defenses and compromise its security posture. Lately, the emphasis is on detecting and preventing malicious insiders who increase the risk to an organization through unauthorized or illegal activities.


Considering the spate of ransomware attacks globally, there is a huge focus not only on the dynamic external threat environment but also increasing attention on the "trusted" insider. Recent attacks have proved that hackers have figured out how to bypass prevention-based security controls without being detected, before they compromise and take complete control with devastating

Does it mean that organizations were not adequately considering the risk from their trusted users? Not necessarily, but the current landscape and the evolving threat vectors are forcing the

Earlier, organizations were primarily focused on SIEM to address external attackers attempting to breach the organization, through monitoring, detection and response to security threats. Now the concern and focus seem to be more on who is accessing what, and when, especially for privileged users. The scrutiny is on activity monitoring, the resources being accessed and their usage.

Enterprises today are looking at enhancing their security monitoring and operations capability so that they can detect and respond to security threats 24/7. The debate is on how, and who, can help pinpoint threats and improve the signal-to-noise ratio of alerts originating from multiple toolsets operating in silos, so that they can keep pace with the complexity, volume and variety of security events.

From an insider threat perspective, enterprises are looking at identity analytics, privileged user and activity monitoring, data access and movement, and resource usage, all of which need to be addressed. Hence the focus on user and entity behavior analytics to improve the organization's threat detection capabilities.

Today, there are technologies available to evaluate the activity of users and other entities (hosts, applications, network traffic and data repositories) and to discover potential incidents and anomalies based on the standard profiles and behaviors of those users and entities.

Some sample use cases where UEBA tools come in handy

Anomalies could, for example, be unusual access to systems and data by trusted insiders or third parties, or breaches by external attackers evading preventative security controls. Other examples are abnormal access to sensitive information from terminated or dormant user accounts, audit trails that show account activity on a specific day when the concerned employee was on leave and had not logged in, or a script running commands through a DBA's account during unearthly hours.
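The three use cases above (activity from a terminated account, activity on a day the employee was on leave, and a privileged DBA account active at unearthly hours) can be expressed as simple rules run over an audit trail. The following is an added illustration, not code from the original essay or from any UEBA product; the log format, the HR context sets and the risk weights are all constructed assumptions.

```python
from datetime import datetime, time

# Constructed HR/identity context (assumption: exported from an HR or IAM system).
TERMINATED = {"jdoe"}                          # accounts that should be disabled
ON_LEAVE = {"asmith": {"2024-03-12"}}          # user -> dates the employee was on leave
PRIVILEGED_ROLE = {"dba_svc": "DBA"}           # privileged accounts and their role
BUSINESS_HOURS = (time(7, 0), time(20, 0))     # baseline window for DBA activity

# Constructed audit log lines: timestamp|user|source|action
SAMPLE_LOG = """\
2024-03-12T10:02:11|asmith|vpn|login
2024-03-12T23:41:05|dba_svc|db01|EXEC sp_export_customers
2024-03-13T09:15:00|bwhite|fileshare|read finance/q1.xlsx
2024-03-13T14:30:22|jdoe|fileshare|read hr/salaries.csv
2024-03-13T11:05:40|dba_svc|db01|SELECT count(*) FROM orders
"""

# Assumed weights; a real tool would tune these per organization.
WEIGHTS = {"terminated_account_active": 50, "activity_while_on_leave": 30,
           "privileged_off_hours": 20}

def parse(line):
    ts, user, source, action = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "source": source, "action": action}

def detect(event):
    """Return the anomaly labels that apply to one audit event."""
    reasons = []
    user, ts = event["user"], event["ts"]
    if user in TERMINATED:
        reasons.append("terminated_account_active")
    if ts.date().isoformat() in ON_LEAVE.get(user, set()):
        reasons.append("activity_while_on_leave")
    start, end = BUSINESS_HOURS
    if user in PRIVILEGED_ROLE and not (start <= ts.time() <= end):
        reasons.append("privileged_off_hours")
    return reasons

def risk_scores(log_text):
    """Aggregate per-user risk scores, the shape a UEBA tool might export to a SIEM."""
    scores, findings = {}, []
    for line in log_text.splitlines():
        ev = parse(line)
        for reason in detect(ev):
            scores[ev["user"]] = scores.get(ev["user"], 0) + WEIGHTS[reason]
            findings.append((ev["ts"].isoformat(), ev["user"], reason))
    return scores, findings

if __name__ == "__main__":
    scores, findings = risk_scores(SAMPLE_LOG)
    for finding in findings:
        print(*finding)
    print(sorted(scores.items(), key=lambda kv: -kv[1]))
```

Only the normal in-hours DBA query and the ordinary file read go unflagged; the other three events each land on a different rule, so the analyst sees a ranked list of identities rather than raw events.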

Some of the UEBA tools focus on creating risk scores for entities and users, which can be exported to SIEM and DLP solutions, allowing SOC analysts to focus on the high-risk identities and the associated anomalies. This facilitates quick identification of anomalous activity, thereby maximizing timely incident management and automated risk response

UEBA technologies leverage multiple analytics methods, which can be based on pattern matching, signatures, and also advanced analytics through machine

In essence, the buy-in for "User & Entity Behavior Analytics" stems from the requirement of improving insider threat detection capabilities and augmenting SIEM solutions, which are more focused on improving external threat detection capabilities.
