7 Types of Insider Attacks Symantec Information Centric Analytics Detects
Threats continue to evolve. Organizations have more data to protect than ever before. And, users are accessing that data from all over the world, using an ever-growing variety of technologies.
Insider threats are the unwelcome gift that keeps on giving. A recent Forrester report revealed that insiders are responsible for more than half of companies’ data breaches. A Gartner study revealed what malicious insiders intended to do with their companies’ data: 62 percent were looking to establish a second stream of income, 29 percent were stealing information on the way out the door to help future endeavors, and 9 percent were seeking to sabotage.
Whether it’s malicious insiders trying to cause harm, non-malicious insiders who click on a dangerous link, repeat offenders who keep clicking on bad links, or compromised users whose login credentials were stolen by external bad actors, organizations struggle to detect these threats before it’s too late.
Enter User and Entity Behavior Analytics (UEBA). While UEBA is relatively new to cyber security, companies in other industries have used behavior analytics for decades to make sense of and leverage the avalanche of data being collected in their environment. For example, eCommerce companies applied behavior analytics to make better product recommendations to their customers. They collected data on which webpages customers visited and put products in front of those buyers based on their behavior patterns.
The cyber industry took note of this success, and applied behavior analytics (with analyst firm Gartner coining the term “UEBA”) to achieve a different goal – to detect user and entity behavior that’s normal, abnormal but okay, and abnormal and dangerous. Symantec’s new Information Centric Analytics (ICA) solution, powered by Bay Dynamics, integrates UEBA with Symantec solutions such as data loss prevention, to prioritize the most imminent threats facing enterprises and government agencies. ICA enables organizations to make the most of their limited resources by paring down the avalanche of alerts into a prioritized list of which users need investigating each day.
Symantec has published a new infographic that details seven types of insider threat attacks Symantec ICA detects. The types include the following:
- Slow and Low: Many organizations already have traditional cyber security tools in place to detect, for example, an employee emailing a batch of customer credit card numbers to their private email account a certain number of times. Traditional tools work on basic thresholds, meaning that if an insider does the same thing more than “X” times, it raises a red flag. Malicious insiders know this and act in a way that flies under the radar. Using the credit card example, they send small pieces of credit card numbers once a day to their private email account over an extended period. UEBA can detect that recurring behavioral pattern.
- Collusion: Let’s say a group of employees is planning on leaving a company to start a competing one. To hit the ground running, they plan to steal their current employer’s customer list. To stay under the radar, each employee sends a small batch of customer names and contact information to their personal email account. UEBA can flag each employee’s abnormal behavior and point out that several are doing the same thing, which may indicate collusion.
- Hiding in the Noise: In mortgage banking, for example, a group of employees is assigned to print mortgages, which contain sensitive customer information such as social security numbers. Big banks in particular employ thousands of people who handle mortgage documents carrying personally identifiable information. A malicious insider may use those thousands of employees to their advantage. Aiming to steal troves of social security numbers, they print mortgages alongside the mortgage banking unit, hoping their actions are buried in business-as-usual activity. UEBA can catch the one person who does not normally print mortgages and alert investigators.
- “Door Jigglers”: The typical workplace consists of cubicles in the middle and office doors along the perimeter. If you are sitting in your cubicle and see someone walking along the perimeter jiggling doorknobs, you would most likely call human resources. After all, jiggling doorknobs is not normal behavior for most employees. In the digital world, no one sees door jigglers, who are often non-malicious insiders. They are the employees who try visiting a website, only to get blocked because it’s against policy, and then try visiting another website that’s also against policy. These are the insiders who repeatedly click on suspicious links that launch ransomware attacks. UEBA combined with targeted security awareness training detects and mitigates these behaviors.
- Persistent Exfiltration Attempts: These insider attacks resemble door jiggling, but they are typically carried out by malicious insiders. For example, an outside criminal steals an employee’s login credentials and breaks into a company, pretending to be the employee. The criminal is looking for intellectual property, such as the company’s new product plans. They steal the designs and then try to send them to a partner on the outside. First, they try emailing the data, but they’re blocked. They then try uploading the data to personal cloud storage, but again are blocked. They try to save the data to a USB stick, but again are blocked. UEBA can piece these abnormal behaviors together, confirm that the account is being used by a bad actor rather than the employee, and stop them at the door.
- Checking Out: When employees quit, it elevates the risk of insider threats, both malicious and non-malicious. In some cases, an employee may try to take corporate data to start their own competing business. In other cases, employees may mentally check out before physically leaving, no longer thinking or caring about security best practices. UEBA identifies behavior changes consistent with others who were preparing to leave the company, before sensitive data slips out the door.
- Prospectors: Employees who are burned out or disgruntled may start sniffing around looking for whatever “gold” they can find. They try logging into various applications and databases to see which data they can get their hands on. UEBA can detect these insiders by identifying behavior that is abnormal compared to their own history, their peers and their overall business unit.
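The contrast between a fixed per-event threshold and behavioral baselining runs through the Slow and Low, Collusion and Hiding in the Noise items above. The Python below is an added illustration written for this page; it is not Symantec ICA or Bay Dynamics code. It runs three toy UEBA-style detections over a constructed set of DLP-style events (day, user, business unit, action, destination, record count): a cumulative-volume check that catches what a per-event threshold misses, a same-window grouping check across users in one business unit, and a per-user baseline comparison that leaves the mortgage unit's routine printing unflagged while surfacing the one user with no printing history. All user names, thresholds and window sizes are assumptions chosen for the sample data.

```python
"""Toy UEBA-style detections over constructed DLP events (added example, not Symantec ICA code)."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample events: (day, user, business_unit, action, destination, records).
# "records" is the number of sensitive records (card numbers, SSNs, ...) in the event.
SAMPLE_EVENTS = []
_base = date(2018, 1, 1)
# alice: 3 card numbers per day to personal email for 30 days -> slow and low
for _d in range(30):
    SAMPLE_EVENTS.append((_base + timedelta(days=_d), "alice", "finance", "email", "personal_email", 3))
# bob, carol, dave: each sends a small batch on the same three days -> possible collusion
for _d in (10, 11, 12):
    for _u in ("bob", "carol", "dave"):
        SAMPLE_EVENTS.append((_base + timedelta(days=_d), _u, "sales", "email", "personal_email", 4))
# the mortgage unit prints every day; erin (IT) never printed until day 25 -> hiding in the noise
for _d in range(30):
    for _u in ("frank", "grace", "heidi"):
        SAMPLE_EVENTS.append((_base + timedelta(days=_d), _u, "mortgage", "print", "printer", 40))
for _d in (25, 26):
    SAMPLE_EVENTS.append((_base + timedelta(days=_d), "erin", "it", "print", "printer", 45))
# ivan: one large send that a traditional per-event threshold does catch
SAMPLE_EVENTS.append((_base + timedelta(days=5), "ivan", "finance", "email", "personal_email", 50))


def threshold_rule(events, per_event_max=10, destination="personal_email"):
    """Traditional rule: flag any single event whose record count exceeds per_event_max."""
    return sorted({e[1] for e in events if e[4] == destination and e[5] > per_event_max})


def detect_slow_and_low(events, per_event_max=10, window_days=30,
                        cumulative_max=25, destination="personal_email"):
    """Flag users whose individual sends stay under the per-event threshold but whose
    cumulative volume to the destination over the window exceeds cumulative_max."""
    end = max(e[0] for e in events)
    start = end - timedelta(days=window_days - 1)
    totals = defaultdict(int)
    for day, user, _unit, _action, dest, records in events:
        # only sub-threshold events: these are exactly what threshold_rule never sees
        if dest == destination and start <= day <= end and records <= per_event_max:
            totals[user] += records
    return sorted(u for u, total in totals.items() if total > cumulative_max)


def detect_collusion(events, destination="personal_email", window_days=7, min_users=3):
    """Flag groups of at least min_users in one business unit who all send data to the
    destination within the same window. Returns [(unit, (users...)), ...]."""
    by_unit = defaultdict(lambda: defaultdict(set))  # unit -> user -> set of active days
    for day, user, unit, _action, dest, _records in events:
        if dest == destination:
            by_unit[unit][user].add(day)
    groups = []
    for unit, users in by_unit.items():
        for start in sorted({d for days in users.values() for d in days}):
            end = start + timedelta(days=window_days - 1)
            active = sorted(u for u, days in users.items() if any(start <= d <= end for d in days))
            if len(active) >= min_users:
                groups.append((unit, tuple(active)))
                break  # one finding per unit is enough for an analyst to investigate
    return groups


def detect_baseline_anomaly(events, action="print", baseline_days=20, z_max=3.0):
    """Compare each user's recent daily volume of `action` against that user's own
    baseline period. Routine daily printers have a flat baseline and score ~0; a user
    whose baseline is all zeros stands out the first time they print. Returns {user: score}."""
    first = min(e[0] for e in events)
    n_days = (max(e[0] for e in events) - first).days + 1
    users = sorted({e[1] for e in events})
    daily = {u: [0] * n_days for u in users}  # zero-filled so silent days count
    for day, user, _unit, act, _dest, records in events:
        if act == action:
            daily[user][(day - first).days] += records
    flagged = {}
    for u in users:
        baseline, recent = daily[u][:baseline_days], daily[u][baseline_days:]
        if not recent:
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        score = (mean(recent) - mu) / max(sigma, 1.0)  # floor sigma so a flat baseline is not divided by zero
        if score > z_max:
            flagged[u] = round(score, 1)
    return flagged


if __name__ == "__main__":
    print("threshold rule:   ", threshold_rule(SAMPLE_EVENTS))        # ['ivan']
    print("slow and low:     ", detect_slow_and_low(SAMPLE_EVENTS))   # ['alice']
    print("collusion:        ", detect_collusion(SAMPLE_EVENTS))      # [('sales', ('bob', 'carol', 'dave'))]
    print("baseline anomaly: ", detect_baseline_anomaly(SAMPLE_EVENTS))  # {'erin': 9.0}
```

The point of running `threshold_rule` beside `detect_slow_and_low` is that the two catch disjoint users on the same data: the threshold sees only ivan's single large send, while alice's 90 records leave in 30 sub-threshold pieces. The collusion check deliberately keys on business unit and a shared time window rather than on volume, and the baseline check uses each user's own history, so the mortgage unit's high daily print volume never raises an alert while erin's two print jobs do. Real deployments would add peer-group comparison and tune windows and thresholds to the organization's data.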
Building cyber programs to protect only the data residing inside the four walls is no longer effective. Using Symantec ICA, no matter where their data resides, who is accessing it and from which device, organizations can quickly identify, prioritize and mitigate the most critical threats: those that, if successful, would impact the mission the most.
To learn more about Symantec ICA and the value it’s providing to public and private sector organizations, watch these videos:
https://www.youtube.com/watch?v=nqxETYOH5i8