The human element is considered the weakest element in the security “onion.” How do we understand what our users may or may not be doing to create some level of risk to our cyber environments? Organizations need a way to detect anomalies that arise intentionally or unintentionally.
I recently hosted a webinar called Only Human: Everyday Behaviors and Cyber Risk, where the other panelists and I discussed the impact of human factor failures within the third-party risk management ecosystem. In the session, fellow panelists offered ways you can ensure appropriate controls are applied to everyone who has access to sensitive data, inside and outside of the company.
The full recording and slide deck for Only Human: Everyday Behaviors and Cyber Risk is here.
Speakers in our recent session included myself (Ron Bradley, Vice President, Shared Assessments), Husnain Bajwa (Vice President Field Engineering, Beyond Identity), and Nasser Fattah (Senior Advisor, Shared Assessments).
What is UEBA?
Our session began with a discussion of UEBA. UEBA stands for “User and Entity Behavioral Analysis”: tooling that lets your organization maintain a high level of security by detecting users and entities whose behavior suggests they might be a threat to your system.
Be cognizant that cyber risk does not always originate from a malicious, deliberate entity trying to do harm. It can be someone inadvertently doing something that poses a threat to your organization. (For example, someone accidentally sends an email with sensitive information to the wrong recipient.)
Big B in UEBA = Behavioral
How do we get valuable contextual data from a user perspective as well as from the entity? The behavioral aspect should measure “What am I capturing now?” and “What have I seen you do on the network?”
Imagine you’re working with a contractor who tries to access an area of your data that they are not authorized to access. Is it the user that is looking to do that or is it their system? Being able to get visibility and quickly identify where you are seeing some anomalies is extremely helpful because these are capabilities that an organization can take advantage of to make sure that something is not out of order.
How do I detect and prevent cyberattacks?
As an organization begins to collect related data points from different parts of its network environment (security controls, firewalls, IDS, IPS), these various pieces need to be pieced together into a single picture.
It is important to identify security incidents in a timely manner – and then take appropriate measures to contain and eradicate them.
In a work-from-home present (and future), threat actors are aware of this shift and are beginning to leverage distributed attacks that target individuals directly. Individuals – the ordinary user – are not equipped for this kind of IT warfare. To combat advanced attacks, the key is to look at identity providers and come up with authentication techniques that are fundamentally unphishable and fundamentally resistant to social engineering.
The behavioral element needs to build on top of Multifactor Authentication (MFA) tools to proactively restrict access and “shut the front door” on a number of attacks. Then, organizations need to also use MFA in the forensic chain and to evaluate a “kill chain” for unknown threats.
Where do I start?
The size of the company and the importance of the data you are trying to protect indicate the types of security controls you need to put into place. Identify your company’s “crown jewels.” You cannot protect everything the same way, so determine what is most important to your organization.
Understand how data is accessed. Who has the authority to access specific data, and why? By knowing access and authorization, you can start building an expected profile of what normal behavior around this data should look like.
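As an added illustration (not code from the webinar or from Shared Assessments) of the two ideas above, the contractor who touches data they are not authorized for and the expected profile built from who accesses what, the following Python sketch learns a per-user and per-host baseline from a constructed access history and scores new events against both the authorization policy and that baseline. All usernames, hostnames, resource names and the 07:00 to 19:00 working window are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample access history (user, host, resource, hour); not from the page.
BASELINE_EVENTS = [
    ("contractor1", "ctr-laptop-01", "vendor-portal", 10),
    ("contractor1", "ctr-laptop-01", "ticketing", 14),
    ("alice", "corp-ws-07", "hr-payroll", 9),
    ("alice", "corp-ws-07", "ticketing", 16),
]
# Constructed authorization policy: who may access what.
AUTHORIZED = {"contractor1": {"vendor-portal", "ticketing"},
              "alice": {"hr-payroll", "ticketing"}}

def build_profiles(events):
    """Build expected-behavior profiles per user (U) and per entity/host (E)."""
    users = defaultdict(lambda: {"hosts": set(), "resources": set(), "hours": set()})
    hosts = defaultdict(lambda: {"users": set(), "resources": set()})
    for user, host, resource, hour in events:
        users[user]["hosts"].add(host)
        users[user]["resources"].add(resource)
        users[user]["hours"].add(hour)
        hosts[host]["users"].add(user)
        hosts[host]["resources"].add(resource)
    return users, hosts

def score_event(event, users, hosts, authorized):
    """Return anomaly reasons for one event; an empty list means the event is expected."""
    user, host, resource, hour = event
    reasons = []
    # Policy line: unauthorized regardless of history (the contractor case in the text).
    if resource not in authorized.get(user, set()):
        reasons.append("unauthorized-resource")
    if user not in users:
        return reasons + ["unknown-user"]
    u, h = users[user], hosts.get(host)
    # User-side deviations from the learned profile.
    if resource not in u["resources"]:
        reasons.append("new-resource-for-user")
    if hour not in u["hours"] and not 7 <= hour <= 19:
        reasons.append("off-hours-for-user")
    # Entity-side deviations: helps separate "the user did it" from "their system did it".
    if h is None:
        reasons.append("unknown-host")
    else:
        if user not in h["users"]:
            reasons.append("user-never-seen-on-host")
        if resource not in h["resources"]:
            reasons.append("new-resource-for-host")
    return reasons
```

A real UEBA product replaces the set lookups with statistical baselines over far more fields, but the split between a policy violation and a deviation from learned user or entity behavior is the same.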
How does behavior threat analysis apply to the supply chain?
Organizations can be vulnerable to disruption in the supply chain itself (or disruptions from third and fourth parties associated with the organization). Third parties have access to specific data that you protect from your own staff internally and this factor should be reflected in your relationship with your outside vendors.
Do not shy away from applying your security capabilities to third parties – even if you view them as an extension of your staff. The way your organization shields itself from cybersecurity vulnerabilities may not be the same as your third or fourth parties’ methods of shielding.
Continuously challenging people with rigorous security questionnaires, adopting more signing operations for logs, and implementing lessons of blockchain technologies are some ways to better get a sense of security across the supply chain.
As a risk manager, it is imperative that you set and understand the access and authority permissions allowed to your data within your own company and your vendors. Knowing the behavioral component behind human security errors allows you to quickly eradicate these errors and identify them again in the future.