One of the most common ways hackers penetrate networks is by stealing the credentials of users with legitimate access to those networks. Because the credentials are frequently used by authorized users for perfectly normal reasons, detecting security breaches caused by compromised logins can be difficult. But a new app from IBM will help businesses determine if the credentials or systems of their own employees have been compromised.
Called IBM QRadar User Behavior Analytics, the new feature is available as a free app via the IBM Security App Exchange. The app expands the capabilities of IBM’s QRadar platform by analyzing the usage patterns of insiders, including employees, contractors and partners, to determine if their credentials or systems have been compromised by cybercriminals, the company said.
Leveraging Existing Security Data
The biggest threat to enterprise security comes from businesses' own employees, with as many as 60 percent of data breaches stemming from insiders, according to IBM. But up to a quarter of insider data breaches happen because user credentials fall into the hands of hackers via employees, contractors or partners who are tricked by malware-laden phishing attacks or other techniques, IBM said.
“Organizations need a better way to protect themselves against insider threats -- whether they be from inadvertent actors or malicious cybercriminals with access to an organization’s inner workings and technology systems,” said Jason Corbin, vice president of strategy and offering management, IBM Security, in a statement.
The new app enables analysts to quickly pivot by using existing cybersecurity data to see the early warning signs often buried in suspicious user activities, ultimately helping them to more consistently address breaches before they occur, he said.
New Security Features
QRadar User Behavior Analytics leverages data from customers’ existing QRadar deployments, providing enterprises with a single platform to analyze and manage security events and data, according to IBM. The company said that the integration saves security analysts from having to reload and curate data from multiple platforms to identify and investigate user behavior side-by-side with other indicators of compromise that QRadar detects.
The new app provides three primary functions: risk analysis profiles; a prioritized behavioral analysis dashboard; and enhanced security data. The risk analysis profiles are created by analyzing risky user actions and applying a score to anomalous behaviors to help identify potential rogue insiders as well as suspected cybercriminals using compromised credentials.
The dashboards, meanwhile, give analysts better visibility into the actions that led a user to open a malicious document or into how a user gained escalated privileges. With a single mouse click, an analyst can add suspicious user activity (opening an attachment or link in a phishing email, for example) to a watch list, or attach a text-based annotation explaining the analyst's observations.
The app also provides enhanced security data by pulling user information from an enterprise’s entire IT environment, allowing a security team to tap into the existing data set and threat intelligence in QRadar to detect threats across users and assets.
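The three functions described above (scoring anomalous user actions, accumulating a per-user risk score, and placing high-scoring users on a watch list with a written reason) are illustrated by the following added example. It is not IBM's code and does not show how QRadar User Behavior Analytics actually scores behavior; the log format, the business-hours window, the point values and the watch-list threshold are all assumptions chosen for the illustration, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a simple "ts key=value ..." format (not real QRadar output).
# BASELINE_LOG is the "known good" history used to build per-user profiles;
# NEW_LOG is the activity to be scored against those profiles.
BASELINE_LOG = """\
2024-03-01T09:02:11 user=alice action=login src=10.0.1.20 host=ws-alice
2024-03-02T08:55:40 user=alice action=login src=10.0.1.20 host=ws-alice
2024-03-03T09:10:05 user=alice action=login src=10.0.1.21 host=ws-alice
2024-03-01T10:00:00 user=bob action=login src=10.0.2.5 host=ws-bob
2024-03-02T10:05:00 user=bob action=login src=10.0.2.5 host=ws-bob
2024-03-02T10:30:00 user=bob action=sudo src=10.0.2.5 host=build-01
"""

NEW_LOG = """\
2024-03-10T02:14:33 user=alice action=login src=198.51.100.7 host=ws-alice
2024-03-10T02:20:01 user=alice action=sudo src=198.51.100.7 host=db-01
2024-03-10T10:07:00 user=bob action=login src=10.0.2.5 host=ws-bob
2024-03-10T10:40:00 user=bob action=sudo src=10.0.2.5 host=build-01
"""

WORK_HOURS = range(7, 20)     # assumed business hours, 07:00-19:59
WATCHLIST_THRESHOLD = 5       # assumed score at which a user goes on the watch list
PRIVILEGED_ACTIONS = {"sudo"}  # assumed set of privilege-escalating actions


def parse_event(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime timestamp."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def build_profiles(events):
    """Per-user baseline: hosts, source addresses and actions seen in normal history."""
    profiles = defaultdict(lambda: {"hosts": set(), "srcs": set(), "actions": set()})
    for ev in events:
        profile = profiles[ev["user"]]
        profile["hosts"].add(ev["host"])
        profile["srcs"].add(ev["src"])
        profile["actions"].add(ev["action"])
    return profiles


def score_event(profile, ev):
    """Return (score, reasons) for one event compared with the user's baseline."""
    score, reasons = 0, []
    if ev["ts"].hour not in WORK_HOURS:
        score += 2
        reasons.append("off-hours activity")
    if ev["src"] not in profile["srcs"]:
        score += 2
        reasons.append(f"new source {ev['src']}")
    if ev["host"] not in profile["hosts"]:
        score += 2
        reasons.append(f"new host {ev['host']}")
    if ev["action"] in PRIVILEGED_ACTIONS and ev["action"] not in profile["actions"]:
        score += 3
        reasons.append(f"first-seen privileged action {ev['action']}")
    return score, reasons


def score_users(baseline_text, new_text, threshold=WATCHLIST_THRESHOLD):
    """Accumulate risk per user over the new events; users at or above the threshold are watch-listed.

    The baseline profile is deliberately not updated while scoring, so a burst of
    unusual activity keeps adding to the user's score instead of becoming "normal".
    """
    profiles = build_profiles(parse_log(baseline_text))
    risk = defaultdict(lambda: {"score": 0, "reasons": [], "watchlisted": False})
    for ev in parse_log(new_text):
        points, why = score_event(profiles[ev["user"]], ev)
        entry = risk[ev["user"]]
        entry["score"] += points
        entry["reasons"].extend(f"{ev['ts'].isoformat()}: {w}" for w in why)
        entry["watchlisted"] = entry["score"] >= threshold
    return dict(risk)


if __name__ == "__main__":
    for user, entry in sorted(score_users(BASELINE_LOG, NEW_LOG).items()):
        flag = "WATCH" if entry["watchlisted"] else "ok"
        print(f"{user:8} score={entry['score']:2} {flag}")
        for reason in entry["reasons"]:
            print("   ", reason)
```

With the constructed data, alice's 02:14 login from an unseen address and her first-ever sudo on an unseen host accumulate 13 points and put her on the watch list with six recorded reasons, while bob's routine daytime login and sudo on his usual build host score zero. The recorded reasons play the role of the analyst annotation described above: they say which observations drove the score.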