Chapter 6. AI and ML on the Security Front: Beyond Bots
AI and ML aren’t just useful for bot detection and remediation; they are also used to improve a wide variety of security challenges. This chapter discusses some of the areas where AI and ML are making a big impact in security.
Identifying the Insider Threat
Users have established patterns of behavior within a network. They log in at a certain time, log out at a certain time, visit the same systems within the network, and generally communicate to the same places. But sometimes those patterns change. The pattern might be a one-time thing, such as someone who jumps in to help accounting toward the end of the quarter, or it might be a permanent change because of new job responsibilities. Of course, sometimes that change in behavior is because the user is accessing systems they shouldn’t for malicious purposes. This is what is known as an insider threat, and it is a real challenge for security teams to deal with.
How can your security team examine millions of lines of logs and network traffic flow data to look for patterns that indicate whether a change in behavior is malicious or part of the regular workflow? A framework built around this kind of analysis, user and entity behavior analytics (UEBA), tracks the behavior of users and systems within an organization. UEBA looks at traffic flows, as well as roles and responsibilities, builds a baseline of what is normal for each user and system, and alerts on behavior outside that norm.
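The baselining-and-deviation idea behind UEBA, as an added example that is not code from the book: a per-user baseline of usual login hours and usual hosts is built from one week of constructed authentication records, and later events are scored against it. Host names, users and timestamps are all made up for the example, and non-empty reasons are leads for an analyst to review (the quarter-end helper described above would trip the same rule), not a verdict of malice.

```python
import math
from collections import defaultdict
from datetime import datetime
# Constructed sample records (not from the book): "timestamp,user,host". Week one is the baseline.
BASELINE_LOG = """2024-03-04T08:54:00,alice,hr-portal
2024-03-05T09:06:00,alice,hr-portal
2024-03-06T09:00:00,alice,payroll-db
2024-03-07T09:30:00,alice,hr-portal
2024-03-08T08:48:00,alice,payroll-db
2024-03-04T10:00:00,bob,build-server
2024-03-05T10:12:00,bob,build-server
2024-03-06T09:48:00,bob,build-server"""
NEW_EVENTS = """2024-03-11T09:03:00,alice,hr-portal
2024-03-11T23:40:00,alice,finance-share
2024-03-11T10:00:00,bob,build-server
2024-03-11T10:30:00,bob,payroll-db"""

def parse(log):
    # Turn CSV lines into (datetime, user, host) tuples.
    return [(datetime.fromisoformat(ts), user, host)
            for ts, user, host in (line.split(",") for line in log.splitlines())]

def build_baseline(events):
    """Per user: the hosts they normally reach and the mean/stddev of their login hour."""
    hosts, hours = defaultdict(set), defaultdict(list)
    for ts, user, host in events:
        hosts[user].add(host)
        hours[user].append(ts.hour + ts.minute / 60)
    baseline = {}
    for user, h in hours.items():
        mean = sum(h) / len(h)
        std = math.sqrt(sum((x - mean) ** 2 for x in h) / len(h))
        baseline[user] = {"hosts": hosts[user], "mean": mean, "std": std}
    return baseline

def score_event(baseline, ts, user, host, z_limit=3.0):
    """Return the reasons an event deviates from the user's baseline ([] if it fits)."""
    b = baseline.get(user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if host not in b["hosts"]:
        reasons.append(f"new host {host}")
    # Floor the stddev so a very regular user does not make every minute of drift a 'deviation'.
    z = abs(ts.hour + ts.minute / 60 - b["mean"]) / max(b["std"], 0.25)
    if z > z_limit:
        reasons.append(f"unusual hour {ts.hour:02d}:{ts.minute:02d} (z={z:.1f})")
    return reasons

def find_deviations(baseline_log, new_log):
    """Score every new event; non-empty reasons are leads for an analyst, not verdicts."""
    baseline = build_baseline(parse(baseline_log))
    return [(user, host, score_event(baseline, ts, user, host)) for ts, user, host in parse(new_log)]
```

Real UEBA products add many more features (data volume, peer-group comparison, role changes from HR systems) and learn the thresholds rather than hard-coding a z-score, but the shape of the logic is the same.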
For example, a human resources ...