Protect Yourself Against User-Based Threats with UEBA

Understanding Suspicious User Types in Your Organization

Whether unintentional or malicious in nature, user-based threats can have devastating consequences on your organization. While your focus may be on protecting your organization from outside incidents, you also need to guard yourself from insider threats. Despite your best efforts to keep your organization safe — such as providing security training and company best practices — users are often the weakest link in your defenses.

Understanding user behavior is often difficult because there are many different types of users. Complicating matters, you don’t know if your users’ actions are unintentional or deliberate. That’s why you need to add an additional layer of analytics beyond your security information and event management (SIEM) platform with user and entity behavior analytics (UEBA).

Understanding User Types in Your Organization

It’s important to understand the types of users that exist in your organization and the threats they pose. Because you don’t know what types of users you have, you must scrutinize everyone, regardless of their position in the company. The volume of users in your organization, combined with the fact that incidents can be intentional and unintentional, are key reasons why user-based threats can be challenging to detect.

Let’s take a closer look at different types of users in your organization and how UEBA can help you respond more quickly and keep attacks from escalating.

Typically, users fall into one of four categories:

  • The Accidental User usually falls victim to a known–known attack. This means that tactics, techniques, and procedures (TTPs) of the vulnerability and the exploit or method used to target that vulnerability are known by the information security community. What’s more, these types of attacks are common. For instance, an employee may unintentionally open an email attachment that has clear indications of phishing.
  • The Careless User is the prime target for a known–known attack. This individual is someone who might disregard or ignore your company’s security best practices. For example, an employee might inadvertently post information about your company’s network on a public discussion, inviting infiltration attempts with commodity malware.
  • The Victimized User is often prone to a more sophisticated unknown–unknown attack, something that is difficult to detect and is fairly uncommon. Since the vulnerability and the exploits, in this case, are both unknown, they attacks are especially dangerous to your organization. For instance, an executive targeted by a spear phishing attack might click on a link that contains malware.
  • The Malicious User is usually involved or behind an unknown–unknown attack and may be carried out for revenge, or financial business gain. For example, an employee may deliberately exfiltrate data or provide credentials to an outsider to access sensitive company data.

The types of users in your organization Figure 1: The types of users in your organization

User Type and Intent to Cause Harm

The intent to cause harm varies with the types of users. While some users (particularly accidental or careless users) may have the best intentions to keep your data safe, these individuals can still cause risk to your organization.

User-based threats can occur from anyone who has access to your network or system. This includes current and former employees, contractors or temporary staff, partners, and third-party associates.

While this reality is scary, there is a bright side — you can uncover user-based threats by focusing on user data and changes behavior with UEBA.

Detecting User-Based Threats with LogRhythm UEBA

LogRhythm UEBA gives you the power to not only monitor for known threats and behavioral changes in your user data, but also uncover abnormal authentication behavior and user-based threats that might otherwise go undetected. It detects threats across the full spectrum of known and unknown threats, then qualifies them as security or operations relevant.

LogRhythm UEBA offers scenario- and behavior-based analytics as an integrated component of the LogRhythm NextGen SIEM Platform or as a standalone product. Our UEBA solution not only minimizes the time it takes to detect these threats, but it also helps you rapidly respond before they can result in a devastating breach.

For more about how you can detect user-based threats with UEBA, read our white paper on Defeating Threats Through User Data: Applying UEBA to Protect Your Environment.