September 7, 2017 by Rodolfo Melgoza
Cybercrime is one of the biggest threats that companies face, and virtually every enterprise around the globe is vulnerable. According to Forbes, the world-wide economic impact of cybercrime is projected to reach $2 trillion USD by 2019, but in reality, the impact is probably much greater than that. This is because a significant number, if not most, cyberattacks go undetected for months or even years. ZDNet reported that once a data breach occurs, it takes an average of 98 days for financial services companies to detect the intrusion and 197 days for retail establishments to discover the breach. When a cybercrime finally is detected, it’s often by a third party and not the company that was breached.
Why Cyber Attacks Are Not Detected
But why do organizations fail to detect so many cybercrimes? One reason is that in the vast majority of cases, the cybercrimes are committed by someone who is using stolen, legitimate user IDs and login data. It is estimated that upwards of 70% of all cybercrime cases involve the use of stolen user IDs. Armed with legitimate user IDs and passwords, cybercriminals enjoy easy, authorized access. To make matters worse, sometimes an actual rogue employee will abuse their privileges and perpetrate the crime. But whether by an outside criminal or a corrupt insider, the account used to conduct the cybercrime is registered to an authorized individual, an “insider”, which makes it very difficult to detect. The 2016 Cyber Security Intelligence Index report underscores this problem, stating that 60% of all attacks are very difficult to spot.
To detect criminal activity, particularly when done using an insider’s account, some sort of abnormality needs to occur, and the security analyst needs enough data to see the entire context of that abnormal activity. Unfortunately, it is extremely hard to determine whether the activity of an insider is normal or malicious because the context is often missing. Typically, an alert on anomalous activity contains only basic information – ‘someone accessed x file,’ ‘a device just connected from x location,’ or ‘a file has just been downloaded to x’ – and the onus is on the security analyst to try to figure out what’s going on. It’s up to the analyst to sift through the gigabytes of fragmented security data generated by all the different devices in the organization’s infrastructure, such as data loss prevention (DLP), security information and event management (SIEM), endpoint detection and response, and firewall solutions, to find connections and piece together timelines that identify the intent and risk level of that activity.
It requires a lot of time and resources to complete the correlations and analysis required to put an activity in context and accurately understand its implications – time and resources that most organizations simply don’t have. The cybersecurity staffing shortage has been well documented, with 68% of organizations indicating they suffer from some sort of staffing impact. By 2022, cybersecurity faces a 1.8 million worker shortfall.
Even if an organization could hire and retain all the staff it needs, it turns out that is not practical or cost-effective, given the sheer volume of alerts that organizations are receiving. The Ponemon Institute found the average large organization gets 17,000 alerts every week from its security infrastructure. Even worse, less than 1 in 5 of all those alerts (only 19%) are considered reliable, wasting a lot of time and productivity ($1.3 million per organization) that companies can’t afford. This is probably why almost a third of security professionals admit to ignoring alerts and why only 4% of alerts ever get fully investigated.
What all this means is that it’s highly likely that a lot of harmful activity is taking place in the organization completely unimpeded; worse yet, it is undetected.
The Need for User and Entity Behavior Analytics (UEBA)
It is with this backdrop of lots of undetected cybercrime activity that UEBA emerged as a potential remedy. Although behavior analytics has been around for some time, applying it to cybercrime is relatively new, particularly when combined with machine learning. But by using big data and machine learning techniques to process and analyze enormous amounts of data, UEBA compiles and generates the information necessary to provide a full context view of what otherwise would be isolated anomalous activity.
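The two ideas above, an alert that carries no context and a per-user behavioral baseline that supplies it, can be shown in a small script. The example below is added here and is not code from the original post or from any UEBA product; the events, the users (alice, bob), the source labels (siem, dlp, edr), the paths and the scoring weights are all constructed. It builds a baseline of what is normal for a user from two weeks of history, scores each new event from every data source against that user's own baseline, and then merges the scored events into sessions so the analyst sees a timeline with a combined risk rather than three isolated, low-priority alerts.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Event:
    ts: datetime
    source: str      # constructed source label: siem, dlp or edr
    user: str
    kind: str        # login, file_access or download
    detail: str      # country for logins, path or destination for file events
    bytes: int = 0   # payload size for downloads


def make_history():
    """Constructed two weeks of normal activity for alice: 09:00 login from US,
    one finance spreadsheet, one ~2 MB download to USB each day."""
    base = datetime(2017, 8, 1, 9, 0)
    events = []
    for day in range(14):
        t = base + timedelta(days=day)
        events.append(Event(t, "siem", "alice", "login", "US"))
        events.append(Event(t + timedelta(hours=1), "edr", "alice", "file_access", "/finance/q3.xlsx"))
        events.append(Event(t + timedelta(hours=2), "dlp", "alice", "download", "usb", bytes=2_000_000))
    return events


def make_new_events():
    """Constructed new activity: a 03:00 login from a new country, a new file,
    a very large download, then a normal login the next morning."""
    return [
        Event(datetime(2017, 8, 20, 3, 12), "siem", "alice", "login", "RO"),
        Event(datetime(2017, 8, 20, 3, 20), "edr", "alice", "file_access", "/hr/payroll.db"),
        Event(datetime(2017, 8, 20, 3, 35), "dlp", "alice", "download", "usb", bytes=500_000_000),
        Event(datetime(2017, 8, 21, 9, 0), "siem", "alice", "login", "US"),
    ]


def build_baseline(history):
    """Per-user profile of normal: login hours, countries, paths and download sizes."""
    prof = defaultdict(lambda: {"hours": set(), "countries": set(), "paths": set(), "dl": []})
    for e in history:
        p = prof[e.user]
        if e.kind == "login":
            p["hours"].add(e.ts.hour)
            p["countries"].add(e.detail)
        elif e.kind == "file_access":
            p["paths"].add(e.detail)
        elif e.kind == "download":
            p["dl"].append(e.bytes)
    return prof


def score_event(e, baseline):
    """Return (score, reasons). Each deviation from the user's own baseline adds to
    the score; the weights are illustrative, not from any product."""
    p = baseline.get(e.user)
    if p is None:
        return 3, ["no baseline for user"]
    score, reasons = 0, []
    if e.kind == "login":
        if e.ts.hour not in p["hours"]:
            score += 1; reasons.append(f"login at unusual hour {e.ts.hour:02d}:00")
        if e.detail not in p["countries"]:
            score += 2; reasons.append(f"login from new country {e.detail}")
    elif e.kind == "file_access" and e.detail not in p["paths"]:
        score += 1; reasons.append(f"first access to {e.detail}")
    elif e.kind == "download" and p["dl"]:
        mu, sd = mean(p["dl"]), pstdev(p["dl"])
        # floor the spread at 10% of the mean so a perfectly regular history is not over-sensitive
        if e.bytes > mu + 3 * max(sd, 0.1 * mu):
            score += 2; reasons.append(f"download of {e.bytes} bytes vs typical {int(mu)}")
    return score, reasons


def risk_sessions(events, baseline, user, gap=timedelta(hours=6)):
    """Merge the user's events from every source into time-ordered sessions (a new
    session starts after `gap` of silence) and score each session as a whole, so a
    login alert of score 1 is seen together with the file and download that followed."""
    mine = sorted((e for e in events if e.user == user), key=lambda e: e.ts)
    sessions = []
    for e in mine:
        s, why = score_event(e, baseline)
        row = (e.ts.isoformat(timespec="minutes"), e.source, e.kind, s, why)
        if sessions and e.ts - sessions[-1]["end"] <= gap:
            sessions[-1]["rows"].append(row)
            sessions[-1]["score"] += s
            sessions[-1]["end"] = e.ts
        else:
            sessions.append({"start": e.ts, "end": e.ts, "score": s, "rows": [row]})
    return sorted(sessions, key=lambda sess: sess["score"], reverse=True)


if __name__ == "__main__":
    baseline = build_baseline(make_history())
    for sess in risk_sessions(make_new_events(), baseline, "alice"):
        print(f"session {sess['start']:%Y-%m-%d %H:%M} risk={sess['score']}")
        for ts, src, kind, s, why in sess["rows"]:
            print(f"  {ts} [{src}] {kind} +{s} {'; '.join(why)}")
```

Run stand-alone, it prints alice's 3 AM session first with a combined risk of 6 and the reasons from all three sources, then the next morning's ordinary login with a risk of 0. The design point is that none of the three individual alerts is conclusive on its own; the baseline supplies the "normal for this user" that the raw alert lacks, and the session view supplies the sequence, which is what an analyst otherwise has to reconstruct by hand from DLP, SIEM and endpoint data.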
In upcoming blog posts, we will be taking a deeper look at behavior analytics and how it works to detect cybercrime. Perhaps more importantly, we will be looking at the various generations and technologies used in UEBA, and the flaws in some of the approaches. We’ll also discuss how behavior analytics is being redefined, with powerful new solutions that help detect and prevent cybercrime.
Learn more: download our white paper, Redefining Behavioral Analytics.