Glass Class - Insider Threats: The Risks Within
Hi, guys. Welcome to another exciting episode of Glass Class. Today, we are talking about insider threats and UEBA. An insider threat, as the name suggests, is a threat arising from within the organization. So, these could be employees, contractors, or subcontractors. As security professionals, you might well be aware that insider threats are one of the leading causes of breaches. Let's start with the types of insider threats.
The first type is a malicious insider. As the name suggests, he's a rogue employee who's trying to do harm. This could be an employee who is trying to steal your intellectual property or it could be that an employee, like a sales guy, is downloading a bunch of sales information, which is sensitive customer information, from Salesforce a day before he leaves.
The second type is a careless insider. He's not a rogue employee, but he doesn't quite understand the ramifications of his own actions. This could be an admin who, all of a sudden, misconfigures your AWS instance and now all your S3 buckets are out there in public for people to access. Or, it can be an employee who has sensitive information in Google Drive, which is PCI or PII information, and now he's sharing this information with external collaborators.
In both of these cases, the commonality is a change in behavior. This is where UEBA comes into play. UEBA is user and entity behavior analytics. What it does is it looks at a user's behavior and it creates a baseline of their activity. At any time, if there is a deviation from the norm, it is going to generate an alert and it's going to let the admin know that there has been a change in behavior. For example, let's say an employee logs into Salesforce from the United States and, five minutes later, the same employee logs in to Google Drive halfway around the world, maybe through Asia. That is practically impossible, so it is going to generate a suspicious login activity alert and UEBA is going to alert the admin to enforce actions. At that point, an admin can step up authentication to make sure that the user is who he says he is; or, he might outright decide to block the user.
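The impossible-travel check described above, as an added example that is not from the Glass Class video: it correlates one user's logins across apps (Salesforce, then Google Drive) and flags any pair whose implied travel speed no airliner could reach. The user names, coordinates and the 1000 km/h threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    app: str
    ts: datetime
    lat: float   # geo-IP latitude of the login source
    lon: float   # geo-IP longitude of the login source


# Constructed sample events: alice logs into Salesforce from the US West Coast and,
# five minutes later, into Google Drive from Singapore; bob travels NYC -> Boston in 5 hours.
SAMPLE_LOGINS = [
    Login("alice", "Salesforce", datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc), 37.77, -122.42),
    Login("alice", "Google Drive", datetime(2024, 1, 10, 9, 5, tzinfo=timezone.utc), 1.35, 103.82),
    Login("bob", "Salesforce", datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc), 40.71, -74.01),
    Login("bob", "Google Drive", datetime(2024, 1, 10, 14, 0, tzinfo=timezone.utc), 42.36, -71.06),
]

MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling, roughly airliner speed; faster is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel_alerts(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Order each user's logins in time (across all apps) and return
    (user, app_from, app_to, implied_kmh) for consecutive pairs faster than max_kmh."""
    by_user = {}
    for ev in sorted(logins, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # two locations at the same instant are impossible too; same location is fine
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, prev.app, cur.app, round(speed)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel_alerts(SAMPLE_LOGINS):
        print("suspicious login activity:", alert)
```

In a real deployment the alert would feed the step-up authentication or block decision the video describes, rather than just being printed.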
Thanks for watching Glass Class.