July 20, 2022
Most security technologies are ineffective against unauthorized users with stolen credentials.
Cybersecurity vendors spend a great deal of time and money warning against technical exploits and ransomware attacks. These are undoubtedly serious threats, but they are not nearly as complex or dangerous as compromised credential attacks.
In fact, although ransomware dominates headlines in the cybersecurity industry, Verizon’s 2022 Data Breach Investigations Report states that compromised credentials are behind half of all attacks. Stealing login credentials is quickly becoming the fastest, easiest way for hackers to gain access to victims’ networks.
Unlike technical exploits, credential compromise attacks often leave very few traces, if any. When hackers gain access to a legitimate user’s login credentials, they become invisible to most detection solutions. SIEM 1.0 platforms are designed to detect external threats, not internal ones. The same goes for many enterprise-level firewalls and endpoint solutions.
"Pay attention to those 'that’s odd' moments."
Tony Simone | Castra Co-Founder
Even among solutions that can detect insider threats, it is often a complex, time-consuming, and error-prone task. In a scenario where malicious insiders are rapidly gaining access to increasingly sensitive data sources in your organization, you can’t afford to waste time or resources this way.
User Entity and Behavioral Analytics (UEBA) Technology is Key
Modern SIEM platforms like Exabeam utilize UEBA technology to dive deeper into the actions of authenticated users. This provides a level of visibility that other detection technologies cannot match. Without this degree of visibility, tracing the activities of a compromised account requires running dozens of painstaking search queries manually – with no guarantee you’ll get accurate results.
Exabeam’s UEBA technology leverages machine learning to establish a baseline for each individual user in your network. Each user’s baseline accounts for the applications they access, the files they modify, the privileges they have, and more.
When an individual user starts to deviate from that established baseline, Exabeam takes notice and begins to rate their behavior against a pre-established threat threshold level. The more an individual user deviates from their established routine, the higher their score becomes. The SIEM assigns priority to each alert based on how severely the user is deviating from their established behavior.
This way, each alert represents a collection of suspicious behaviors instead of one single action. This dramatically decreases the number of false positives analysts encounter and streamlines incident investigation.
This capability is not limited strictly to users, either. As suggested in its name, UEBA technology also analyzes the behaviors of routers, servers, and endpoints throughout your network.
Preassembled User Activity Timelines Optimize Event Response
In a SIEM 1.0 environment, analysts conduct investigations by reviewing user activities using a complex sequence of search queries. This lets them assemble the data they need to understand the incident scenario they are facing. However, this process can take hours to complete and becomes more demanding as the environment grows in size and complexity.
One of the most practical benefits of the UEBA approach is that it enables the SIEM to automatically create a timeline of user activity. Analysts can drill down into the individual actions that contribute to a particular user’s risk score and make decisions based on that data. Instead of taking hours to build a narrative, the entire scenario is evident from the very beginning.
This means that incident response can happen in mere minutes. Analysts can immediately tell if malicious insiders are responsible for suspicious activities, or if benign organizational assignments – like job role or department changes – are at fault. There is no need for gathering evidence using the tedious point-click-and-pivot method, so analysts can respond quickly and decisively to security events.
Combine UEBA SIEM Technology with On-Demand Expertise
Highly automated UEBA technology provides accurate, curated data on security events, but it cannot mitigate those events on its own. Human expertise remains the cornerstone of effective information security. The experience and availability of analyst talent is a critical element of your overall security posture.
Castra provides managed detection and response services that cater to UEBA-enabled enterprises in need of scalable security expertise. By entrusting detection and response to our team of highly trained US-based security analysts, you gain both an in-depth visibility into the effectiveness of your security posture and a scalable solution for addressing security incidents even in high-volume environments.
These capabilities allow us to address credential compromise risks effectively and consistently.
Contact us to find out how your organization can leverage Castra MDR services to protect itself against these types of attacks.