How User and Entity Behavioral Analytics Helps Detect Insider Threats

Traditional security tools are designed to identify and stop threats based upon policy-based criteria. For example, a mobile device management solution might block an attempted login from an unsecured device or suspicious location. Or a data loss prevention system might block a user from emailing data to a personal account.

Trouble is, bad actors know this and are constantly looking for ways to thwart these systems. They work slowly and persistently so that their activities stay under the radar and get lost in the “noise” of security events. In many cases, the bad actors are trusted insiders who use their authorized access to exfiltrate sensitive data and sabotage systems.

User and entity behavioral analytics (UEBA) can help detect threats that evade traditional security tools. UEBA collects data on the activities of users and the systems and applications they access, then analyzes that data to find anomalous behavior. Rather than focusing on outsiders attempting to get in, UEBA looks for insider threats and user accounts that may have been compromised. Statistical models and artificial intelligence make it possible to spot subtle changes in behavior and even predict malicious activity before it occurs.

Aruba IntroSpect is a network-agnostic UEBA solution that continuously monitors user activity and uses machine learning to detect changes in user and device behavior that can indicate an attack. Machine-learning algorithms generate a risk score based on the severity of the attack to help security teams prioritize incident investigations.

Aruba recently introduced an entry-level version of IntroSpect that allows organizations to implement UEBA with as few as three data sources. IntroSpect Standard is designed for basic monitoring and detection of anomalous behaviors on the network and across mobile, cloud, and IoT devices and applications. It can ingest data from LDAP authentication records and other identity sources, as well as firewall and monitoring logs.
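To make the UEBA approach described above concrete (learn each user's normal behavior from a baseline window, then score deviations into a risk score with reasons an analyst can act on), here is a small Python example written for this page. It is not code from Aruba IntroSpect or any product; the LDAP-style authentication records, host names, thresholds and rule weights are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed LDAP-style auth records (user, ISO timestamp, source host, result); invented sample data.
BASELINE = [
    ("alice", "2023-03-06T08:55:00", "wks-alice", "success"),
    ("alice", "2023-03-07T09:05:00", "wks-alice", "success"),
    ("bob", "2023-03-06T22:10:00", "srv-ops", "success"),
    ("bob", "2023-03-07T23:02:00", "wks-bob", "success"),
]
NEW_WINDOW = [
    ("alice", "2023-03-13T02:14:00", "vpn-gw-7", "failure"),
    ("alice", "2023-03-13T02:15:00", "vpn-gw-7", "failure"),
    ("alice", "2023-03-13T02:16:00", "vpn-gw-7", "failure"),
    ("alice", "2023-03-13T02:17:00", "vpn-gw-7", "success"),
    ("bob", "2023-03-13T22:05:00", "srv-ops", "success"),
]

def build_profiles(events):
    """Learn each user's usual login hours and source hosts from successful logins."""
    hours, hosts = defaultdict(list), defaultdict(set)
    for user, ts, host, result in events:
        if result == "success":
            hours[user].append(datetime.fromisoformat(ts).hour)
            hosts[user].add(host)
    return {u: {"hosts": hosts[u], "hour_mean": mean(h), "hour_sd": pstdev(h)} for u, h in hours.items()}
def score_window(profiles, events):
    """Score each profiled user's new activity (0-100; higher = more anomalous) with reasons."""
    results = {}
    for user, prof in profiles.items():
        evs = [e for e in events if e[0] == user]
        score, reasons = 0, []
        new_hosts = {h for _, _, h, _ in evs} - prof["hosts"]
        if new_hosts:  # authenticating from a host this user has never used before
            score += 40
            reasons.append("new source host: " + ", ".join(sorted(new_hosts)))
        sd = max(prof["hour_sd"], 1.0)  # floor at 1h so a very regular user does not over-alert
        for _, ts, _, result in evs:
            if result == "success":
                diff = abs(datetime.fromisoformat(ts).hour - prof["hour_mean"])
                if min(diff, 24 - diff) / sd > 3:  # circular distance on the 24h clock
                    score += 25
                    reasons.append("login far outside usual hours")
                    break
        failures = sum(1 for *_, r in evs if r == "failure")
        if failures >= 3:  # burst of failures before a success is worth an analyst's attention
            score += 25
            reasons.append("%d failed logins in window" % failures)
        results[user] = {"score": min(score, 100), "reasons": reasons}
    return results
```

In this constructed data alice scores 90 (new host, off-hours login, failure burst) while bob, whose night-shift logins match his baseline, scores 0; a real deployment would learn many more features per user and entity, but the baseline-then-deviate structure is the same.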

In addition, Aruba has added new features to its flagship UEBA offering, IntroSpect Advanced. IntroSpect Advanced correlates data across a broader array of sources, aiding in faster incident investigation and improved threat detection. Included are more than 100 supervised and unsupervised machine learning models that analyze packets, flows, logs, alerts and endpoints as well as mobile, cloud and IoT traffic. The models can also be linked together to construct new detection scenarios and associated risk scores.

Aruba also introduced the Aruba 360 Secure Fabric, a security framework that provides 360 degrees of analytics-driven attack detection and response. It integrates IntroSpect and the Aruba ClearPass network access control and policy-management solution with Aruba Secure Core, which embeds essential security capabilities into Aruba’s Wi-Fi access points, wireless controllers and switches. Aruba Secure Core provides fundamental protections, including secure boot, embedded firewalls, centralized encryption, deep packet inspection and intrusion prevention. Aruba’s unique infrastructure design helps eliminate the danger of physical tampering while securing and monitoring network traffic.

Integrating IntroSpect and ClearPass into Secure Core provides a seamless path of protection from device discovery and access to attack detection and response. This gives security teams the ability to detect an attack and then take automated or analyst-initiated action, ranging from network reauthentication to quarantining to blacklisting users and devices.

Organizations face a real and serious threat from compromised accounts and malicious insiders who can avoid triggering a response from traditional security tools. The Aruba IntroSpect UEBA solution uses advanced analytics and machine learning to spot these activities and alert security teams.