Detecting Insider Threats Using User and Entity Behavior Analytics
Hakonen, Petri (2022)
2022
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-2022120226009
https://urn.fi/URN:NBN:fi:amk-2022120226009
Tiivistelmä
Information technology advancements made during the past decade have made detecting adversaries extremely hard and almost impossible, so detection mechanisms have also evolved from old signature-based systems to look at the behavior of users, entities, and software.
The purpose of this master’s thesis is to research and gather the basic knowledge of insider threat taxonomy, what are the common indicators in human behavior, how those indicators could be potentially detected via technical logs (machine data) with user and entity behavior analytics tools and what are the prioritized use cases. In my master’s thesis process I utilized a mixed method approach of research. Background information was gathered through literature review, interview and familiarizing myself with the use cases of User and Entity Behavior analytics tool developed by Splunk Inc.
The findings of my research indicate that traditional security methods relying on rules and known patterns are not going to disappear, but they will remain as a key part of the layered defense. The effectiveness of these solutions will be multiplied by adapting AI driven user behavior analytics on top of them. User behavior analytics tools are providing a different approach to anomaly detection and relying on a range of analytical approaches. These are usually a combination of basic analytics methods and advanced analytics. Basic analytics means simple statistics, signatures, and pattern matching. Advanced analytics are relying in AI capabilities, and this allows the tool to learn and adapt faster to changes and does not require a similar level of human intervention. The changes are seen as anomalies from usual behavior, whether it is based on learning from individual behavior over times or from predefined role-based baselines.
The purpose of this master’s thesis is to research and gather the basic knowledge of insider threat taxonomy, what are the common indicators in human behavior, how those indicators could be potentially detected via technical logs (machine data) with user and entity behavior analytics tools and what are the prioritized use cases. In my master’s thesis process I utilized a mixed method approach of research. Background information was gathered through literature review, interview and familiarizing myself with the use cases of User and Entity Behavior analytics tool developed by Splunk Inc.
The findings of my research indicate that traditional security methods relying on rules and known patterns are not going to disappear, but they will remain as a key part of the layered defense. The effectiveness of these solutions will be multiplied by adapting AI driven user behavior analytics on top of them. User behavior analytics tools are providing a different approach to anomaly detection and relying on a range of analytical approaches. These are usually a combination of basic analytics methods and advanced analytics. Basic analytics means simple statistics, signatures, and pattern matching. Advanced analytics are relying in AI capabilities, and this allows the tool to learn and adapt faster to changes and does not require a similar level of human intervention. The changes are seen as anomalies from usual behavior, whether it is based on learning from individual behavior over times or from predefined role-based baselines.