User Behavior Analytics

Bringing UEBA & Zero Trust Together Making Remote Work Safer

By Dr. Christine Izuakor

2020 is likely to go down in history as the year of two pandemics, COVID-19 and cybercrime. Certain types of cybersecurity threats have massively intensified this year. For example, the malware NetWiredRC saw a 200% spike in detection rates in March 2020.

COVID-19 has caused a sudden shift to remote working. More employees are now working from their homes than ever before. Remote work en masse exposes organizations to increased levels of threats.

Although remote working may have raised its head above the parapet because of Covid-19, experts believe this new work culture is here to stay. Predictions say that there will be 33-million remote workers in the EU and USA by 2025, a 65% increase over the current numbers. In addition to ensuring employee safety during a pandemic, remote work also offers more flexibility to the workforce. A recent poll on attitudes towards remote working found that 99% of employees want to work remotely at least part-time.

Consequently, companies find themselves in a quandary. How can they offer flexible work options to employees while maintaining the levels of control afforded within an office environment?

Remote working is changing the face of cybersecurity and how we manage and control access to sensitive data. Out of this intense period comes hope in the form of a symbiotic duo – UEBA (User and Entity Behavior Analytics) and Zero Trust Security.

New headwinds expose new cybersecurity risks

Mass remote working has created a “perfect storm” of ‘out of sight, out of mind’, allowing cybercriminals to launch new exploits. A Cisco survey on cybersecurity threats since the pandemic found that of those surveyed, 71% of security professionals reported an increase in security threats or attacks since the start of the pandemic.

Before fixing a problem, you need to understand the mechanics of the issue. Cybercriminals increasingly rely on sensitive data. While data has intrinsic value it can also be used to perpetrate cyber-crimes like identity theft and fraud.

Risk-Based Security found 15.1 billion records were exposed in 2019. In 2020 Q1 alone, 8.4 billion records were exposed. Data exposure not only involves personally identifiable information (PII) but also company proprietary and sensitive data. Remote working has the potential to expose all kinds of data.

What Kinds of Risks Come with Remote Working?

Credential Theft

Credentials are the keys to the castle as the most common mechanism used to access data. Even if a cybercriminal steals credentials of a user who does not have privileged access, they can use them to escalate privileges to ultimately get access to more lucrative data.

Phishing and spear-phishing are common methods of stealing credentials. The ‘State of the Phish 2020’ report found:

  • 65% of U.S. organizations were victims of a successful phishing attack in 2019
  • 60% of U.S. organizations had credentials stolen

But how would you differentiate a legitimate credential use from a fraudster using stolen credentials or even an employee abusing access rights? Access control credentials are a way to prove you have the right to access something. This ‘proof’ is a goldmine in the wrong hands as it isn’t a foolproof mechanism to determine legitimate use.

Traditional methods of detecting intruders are plagued by false positives and false negatives. These methods use Data Loss Prevention tools and static rules to detect violations. This results in many false negatives that may cause security analysts to miss a threat and allow it to become a breach. New generation threat detection techniques use machine learning (ML) to actively monitor user and entity behavior. These next-gen tools proactively learn patterns of behavior to reliably spot threats early on while minimizing false positives.

Security hygiene (accidental insiders)

The threat from remote working is not all down to cybercriminals. Our employees, finding themselves in untested waters, can be a cause for security concern. A 2020 Apricorn Survey, found that 57% of companies believe remote workers expose their organization to the risk of a data breach.

When working remotely, workers often end up using personal devices (with or without company permission) to access company resources. Shadow IT, where individuals use devices outside the permission of the organization, is common. The Bring Your Own Device (BYOD) culture has been linked to many security breaches. Lost or misplaced devices are now the second biggest cause of a data breach. A recent report into mobile device theft and loss found that 69% of devices are simply misplaced, with 31% being stolen from homes or cars.

Employees may also find themselves accidentally exposing company data or sensitive information. Even digital assistants such as Amazon Alexa can prove a threat. Researchers from Ruhr University Bochum and the Max Planck Institute for Security and Privacy found that digital assistants such as Alexa and Siri have not one, but potentially 1000 wake-up words. One misspoken word on a Zoom call and your company secret sauce may be out of the bag.

Malicious (remote) insiders

A major fallout of remote working is the ‘remote insider’. Malicious insiders are nothing new. However, the controlled office environment coupled with onsite visibility helps to mitigate insider threats. Outside of this environment, those factors disappear. Remote access issues further add to the looming threat of remote insiders.

A report from Ponemon Institute on behalf of Proofpoint found that while malicious insider threats are lower than accidental ones, they are still significant at 23%. The Verizon Data Breach Investigations Report (DBIR) says the driver for malicious insiders is primarily financial. But other factors, such as grievances and retaliation also play a role in making a remote insider act maliciously.

Malicious remote insiders can be the most difficult to detect as they have legitimate credentials that they misuse. The use of machine learning for threat detection and employee monitoring is particularly useful to combat this looming threat.

Regardless of the threat vector, in most cyber-attacks, the human factor plays a major role. This human factor can be managed by employing special controls such as Zero Trust Security and UEBA.

Stretching Out the Long Arm of Identity

How can we have control over remote workers? Credential loss and malicious insiders are a serious threat to the effectiveness of traditional Identity and Access Management (IAM). These issues are compounded by a lack of control over remote workers. Remote working is the Achilles heel of traditional IAM and impacts its effectiveness as a gatekeeper.

Enterprises need to look at methods of taking the concept of identity management and access control and making it work in the new world of remote working. The combination of UEBA and a Zero Trust Security model offers a way of taking IAM into a new world of remote and home working.

How UEBA and Zero Trust Build Stronger IAM

The problems of remote working and cybersecurity can be solved. But it takes an intersection of a new approach and tools that are smart enough to recognize anomalous behavior and patterns. This comes in the form of the cybersecurity model, Zero Trust Security, and the application of UEBA.

What is UEBA?

As discussed, the human element of cybersecurity is a pivot upon which most cybersecurity attacks turn. A Proofpoint survey evidences this point, finding that 99% of cyberattacks are initiated by a human being (either accidentally or maliciously).

Employee monitoring and data analytics tools such as UEBA provide a way of seeing into network events to spot anomalous behaviors. UEBA uses intelligent methodologies to recognize patterns of behavior as humans, devices, and networks interact. The software forms a baseline pattern to use as a reference point. Using this baseline, the software can spot anomalies in these patterns and detect changes in behavior. Collectively, these could signal an imminent threat. UEBA tools are particularly suited to insidious and difficult to detect threats, such as those from insiders.

One of the downfalls of traditional Identity and Access Management (IAM) systems is that they are designed to implicitly trust users. A company sets up a directory of users, gives the user a set of credentials to log into company resources, and then leaves them to get on with it. Certain controls such as multi-factor credentials can be overlaid to add increased levels of security. Insider threats create a challenge for traditional IAM. If an insider has access privileges and decides to misuse them, they do so under the consent of the IAM system. Traditional IAM cannot differentiate between good actors and good-turned-bad actors.

UEBA offers a way to tease out the weeds of legitimate access control that has less than noble intentions.

What is Zero Trust Security?

The concept of Zero Trust Security is attributed to the analyst firm Forrester. The company has honed the model of Zero Trust in recent years and today it is known as The Zero Trust eXtended Ecosystem. The model is based on the principle of “Never Trust Always Verify”. This extends the model to data, people, devices, and networks.

In Zero Trust environments, data is ‘zoned’ into ‘micro-perimeters’, and access control is enacted within (and between) those zones. There are five basic steps to achieving a Zero Trust architecture, including categorizing data and mapping data flows. One of the fundamental steps is to “Monitor Your Zero Trust Ecosystem with Security Analytics”. Forrester suggests the use of logs and data analytics to look for malicious activity across the micro-perimeter ecosystem.

Zero Trust architectures are seeing success. One example is from a Google company ‘BeyondCorp’. They found that using this approach and including monitoring meant that remote workers could “work from untrusted networks without the use of a VPN”.

The NIST Special Publication 800-207 on how to implement a Zero Trust Architecture (ZTA) states:

“When balanced with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and best practices, a ZTA can protect against common threats and improve an organization’s security posture by using a managed risk approach.”

On the subject of remote employees NIST says:

“Remote enterprise subjects and assets cannot fully trust their local network connection. Remote subjects should assume that the local (i.e., non-enterprise-owned) network is hostile. Assets should assume that all traffic is being monitored and potentially modified.”

How Can UEBA and Zero Trust Together Prevent Remote Data Breaches?

UEBA provides the checks and balances needed to use a Zero Trust Security model effectively. The data analysis and alerts offered by applying machine learning-based UEBA tools augment the measures that a Zero Trust environment demands in a remote setting.

In terms of remote working and security threat detection and control, the whole is greater than the sum of the parts. The application of machine learning to complex modern IT architectures is a vital piece of this puzzle. IT infrastructures must change to accommodate this ‘new normal’ of remote working. However, complicating factors such as BYOD, shadow IT, and increasing cyber-threats add to the challenge. Traditional IAM tools and static Data Loss Prevention (DLP) techniques are no longer fit-for-purpose.

The mix of a Zero Trust approach augmented with proactive user and entity behavior monitoring and analysis is the dynamic duo needed to mitigate modern cyber-threats. The ability to dynamically assess an access event is a key capability in a complex and often obfuscated technology ecosystem.
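As an added illustration, not code from the article or from any UEBA product, of the baseline-and-deviation idea described under “What is UEBA?” and of the dynamic assessment of an access event just above: a toy per-user baseline is built from constructed access logs, each new access event is scored by how far it deviates (unseen device, unusual hour, abnormal data volume), and that score drives a Zero Trust-style allow / step-up / deny decision. All names, thresholds and sample data are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of historical access events: (user, device, hour, records_read).
HISTORY = [
    ("alice", "laptop-01", 9, 120), ("alice", "laptop-01", 10, 140),
    ("alice", "laptop-01", 14, 110), ("alice", "laptop-01", 16, 130),
    ("alice", "laptop-01", 11, 125),
]

def build_baseline(events):
    """Per-user profile: devices seen, hours seen, and data-volume statistics."""
    by_user = defaultdict(list)
    for user, device, hour, count in events:
        by_user[user].append((device, hour, count))
    baseline = {}
    for user, rows in by_user.items():
        counts = [c for _, _, c in rows]
        baseline[user] = {
            "devices": {d for d, _, _ in rows},
            "hours": {h for _, h, _ in rows},
            "mean": mean(counts),
            "std": pstdev(counts) or 1.0,  # constant history would give std 0
        }
    return baseline

def risk_score(baseline, user, device, hour, count):
    """Add up deviation signals; a user with no baseline scores the maximum."""
    profile = baseline.get(user)
    if profile is None:
        return 100
    score = 0
    if device not in profile["devices"]:
        score += 40  # never-before-seen device (BYOD / shadow IT signal)
    if hour not in profile["hours"]:
        score += 20  # outside this user's usual working hours
    z = (count - profile["mean"]) / profile["std"]
    if z > 3:
        score += 40  # volume far above the user's own norm (possible exfiltration)
    return score

def access_decision(score):
    """Zero Trust-style policy: every access event is re-evaluated, none trusted by default."""
    if score >= 60:
        return "deny"
    if score >= 20:
        return "step-up"  # e.g. require MFA before granting
    return "allow"
```

With this baseline, Alice reading 130 records from her usual laptop at 10:00 scores 0 (allow), the same read at 22:00 scores 20 (step-up), and 900 records from an unknown device at 03:00 scores 100 (deny).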

Remote working has created an environment that challenges the old way. A new vanguard of dynamic identity event monitoring is the way forward to detect even the most difficult of cybersecurity threats from malicious insiders before the data is exposed.

Conclusion

Remote working is demanding great things of the modern enterprise. One of these is the urgent need to control access by remote workers. To fix this, a multi-pronged approach is required where best-of-breed approaches and tools come together. The use of UEBA within a Zero Trust model is versatile and smart enough to handle the many different and complex environments that remote working presents. Credentials alone are not enough to control access to precious resources. There are just too many ways to pick the lock. The enterprise needs a more dynamic and on-the-fly approach to access control. The way to do this is through the application of UEBA as the mechanism to make Zero Trust effective.

About the author

Dr. Christine Izuakor
Dr. Izuakor is the Senior Manager of Global Security Strategy and Awareness at United Airlines where she plays a critical part in embedding cyber security in United’s culture. She is an adjunct professor of cyber security at Robert Morris University, and independently helps corporations solve a diverse range of strategic cybersecurity challenges.
