Learning Library

AI-Powered User Behavior Analytics for Insider Threats

Key Points

  • AI and automation can cut the average data‑breach containment time by about 108 days, a key benefit highlighted in IBM’s 2023 Cost of a Data Breach report.
  • Insider threats remain the costliest attack vector, averaging a $4.9 million loss per organization, making rapid detection and response essential.
  • User‑Behavior Analytics (UBA) leverages machine‑learning to model normal user activities and flag anomalous, potentially malicious behavior, enhancing insider‑threat detection.
  • Integrated into IBM Security’s SIEM (QRadar), the UBA app provides dashboards that prioritize risky users, enable watch‑lists for privileged accounts, and display alerts, offenses, and risk trends.
  • After a minimum learning period of about seven days, UBA can reliably identify suspicious anomalies and help analysts quickly isolate compromised or high‑risk employees.
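To make concrete what "modeling normal user activity and flagging anomalies" means in practice, the following is an added example in Python; it is not QRadar UBA code and does not reproduce IBM's algorithm. It assumes constructed daily per-user activity counters (outbound data volume in MB and after-hours logins), a seven-day learning window per user mirroring the learning period described above, and a three-standard-deviation alert threshold. Each user's current day is scored against both their own baseline and their peer group's baseline, as the transcript describes, and users are then ranked by accumulated risk the way a UBA dashboard orders its risky-user list. A user with fewer than seven learned days is reported as still learning rather than scored.

```python
from collections import defaultdict
from statistics import mean, pstdev

LEARNING_DAYS = 7     # minimum baseline window (assumption mirroring the page's seven days)
Z_THRESHOLD = 3.0     # a deviation above this many standard deviations raises an alert
FEATURES = ("bytes_out_mb", "after_hours_logins")


def build_sample_events():
    """Constructed daily activity counters for three users; not real telemetry."""
    events = []
    for day in range(1, 9):
        events.append({"day": day, "user": "alice", "group": "finance",
                       "bytes_out_mb": 20 + day % 3, "after_hours_logins": 0})
        events.append({"day": day, "user": "bob", "group": "finance",
                       "bytes_out_mb": 18 + day % 2, "after_hours_logins": 0})
        events.append({"day": day, "user": "carol", "group": "engineering",
                       "bytes_out_mb": 60 + day % 4, "after_hours_logins": 1})
    # Day 8: alice moves far more data out, after hours, than she or her peers ever have.
    for ev in events:
        if ev["user"] == "alice" and ev["day"] == 8:
            ev["bytes_out_mb"], ev["after_hours_logins"] = 450, 4
    return events


def _stats(values):
    # Floor the standard deviation so a perfectly flat baseline never divides by zero
    return mean(values), max(pstdev(values), 1.0)


def learn_baselines(events, learning_days=LEARNING_DAYS):
    """Per-user and per-peer-group (mean, stdev) per feature over the learning window."""
    per_user = defaultdict(lambda: defaultdict(list))
    per_group = defaultdict(lambda: defaultdict(list))
    days_seen = defaultdict(set)
    for ev in events:
        if ev["day"] > learning_days:
            continue
        days_seen[ev["user"]].add(ev["day"])
        for f in FEATURES:
            per_user[ev["user"]][f].append(ev[f])
            per_group[ev["group"]][f].append(ev[f])
    # Only users with a full learning window get a baseline; others stay "learning"
    user_base = {u: {f: _stats(v) for f, v in feats.items()}
                 for u, feats in per_user.items() if len(days_seen[u]) >= learning_days}
    group_base = {g: {f: _stats(v) for f, v in feats.items()} for g, feats in per_group.items()}
    return user_base, group_base


def score_event(ev, user_base, group_base, z_threshold=Z_THRESHOLD):
    """Return (risk, reasons) for one day's counters, or None while the user is still learning."""
    if ev["user"] not in user_base:
        return None
    risk, reasons = 0.0, []
    for f in FEATURES:
        for label, base in (("self", user_base[ev["user"]]), ("peers", group_base[ev["group"]])):
            mu, sigma = base[f]
            z = (ev[f] - mu) / sigma
            risk += max(z, 0.0)   # only unusually high activity adds risk
            if z > z_threshold:
                reasons.append(f"{f} {z:.1f} sd above {label} baseline")
    return risk, reasons


def rank_users(events, learning_days=LEARNING_DAYS):
    """Score the days after the learning window and return users ordered by risk."""
    user_base, group_base = learn_baselines(events, learning_days)
    risk_by_user, reasons_by_user = defaultdict(float), defaultdict(list)
    for ev in events:
        if ev["day"] <= learning_days:
            continue
        scored = score_event(ev, user_base, group_base)
        if scored is None:
            continue
        risk_by_user[ev["user"]] += scored[0]
        reasons_by_user[ev["user"]].extend(scored[1])
    return sorted(((u, round(r, 2), reasons_by_user[u]) for u, r in risk_by_user.items()),
                  key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for user, risk, reasons in rank_users(build_sample_events()):
        print(f"{user:6} risk={risk:8.2f} {'; '.join(reasons) or 'normal'}")
```

Two design points matter for a real deployment. Scoring against the peer group as well as the user's own history catches a user whose baseline is itself abnormal for their role, while the flat-baseline floor in `_stats` keeps a user who has never logged in after hours from producing an infinite score on the first such login; tune that floor and the threshold per feature rather than accepting the constants used here.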

Full Transcript

Source: https://www.youtube.com/watch?v=aXMPqfZt1gk
Duration: 00:07:17
If you're like most security professionals, you're constantly looking for ways to stay ahead of emerging threats and improve your organization's security posture. This is where AI has the potential to make a big difference. Think what it would mean if it took 108 fewer days on average to identify and contain a data breach. This faster containment was a key finding for those that extensively used AI and automation versus those that didn't, according to IBM's Cost of a Data Breach Report 2023, which was based on a survey of over 500 organizations. Today we're going to explore how user behavior analytics, or UBA, with AI and machine learning can help you detect and respond to insider threats quickly and precisely.

But before we show you how it works, let's step into the shoes of those on a security team. As you know, insider threats are a major concern for organizations of all sizes. According to the Cost of a Data Breach Report, the average cost of an insider threat for an organization was $4.9 million US, the costliest of all reported initial attack vectors. So it's absolutely critical that you have a solution that will help you identify and contain these threats faster. That's where UBA comes in. UBA uses machine learning, which is a subset of AI, that focuses on analyzing user behavior to identify anomalies and potential threats. When integrated with a SIEM solution, UBA can assist security professionals and help them detect and respond to insider threats more effectively.

Now let's take a look at how UBA works in action as part of a leading SIEM solution. Here we're using QRadar, our SIEM from IBM Security, with its built-in UBA app to demonstrate how we can help you quickly and easily identify and contain insider threats. In this scenario I'll be playing the role of a security analyst tasked with locating insider threats or compromised employees. I'll use the UBA app to quickly review the numerous alerts I see every day on employee behavior to help effectively identify those employees who pose a real threat. UBA uses a combination of use cases, or rules, and machine learning to determine the normal daily behavior of a user on a network and their associated peer group. It takes a minimum of 7 days for UBA to learn user patterns and detect suspicious anomalies.

Okay, so let's get started. Here the User Behavior Analytics dashboard provides several ways for the analyst to understand current risks. On the left is a list of employees prioritized by risk. Analysts can also create watch lists to monitor select groups, such as highly privileged employees. In the middle, the UBA app provides a view of the alerts, or offenses as they're called in QRadar. Finally, on the right you can see the risks over time and the risk category breakdown by resource.

Now let's look at a risky employee. In this view the analyst can see the relevant information about an employee's behavior. For example, here's how many identities the person has. On the lower left are all the offenses related to this person. The upper right panel shows the timeline of user events. Finally, the lower right shows the events grouped by session and associated indicators of compromise, or IOCs, for each one.

Now let's go back to the dashboard and check out the recent offenses that were generated based on the information obtained from the UBA app. At the top of this offenses page we can see high-level information related to this potential security threat. This information includes key attributes such as the correlated events that triggered the anomalous activity alert, along with the source and destination IP addresses. Below this information we can see the MITRE ATT&CK mappings. These mappings show the tactics and techniques identified by QRadar during its automated investigation. We can see more results at the bottom, where we can quickly identify key information that's relevant to this particular insider threat.

By integrating AI to gain valuable insights from structured and unstructured data into security operations, QRadar helps security analysts significantly accelerate their investigations to take only minutes instead of hours or days. This means SOC teams can shift their focus to more proactive defense efforts instead of struggling to react to alerts all day.

So for this particular alert we can look at the key observables identified by QRadar during its investigation. We can see how many are critical, as well as the number of threat actors, malware families, high-value assets and high-value users that exist within the current environment. We can compare the investigation results to other investigations from a month ago. We can even see if these IOCs are found locally or if they just exist within the overall environment, and we can view the trend for these IOCs over time. We can quickly see an overview of the different MITRE ATT&CK tactics and techniques that we've identified in this particular investigation. We can see the confidence level associated with this tactic and technique, which was generated by QRadar. Security professionals can help QRadar improve its analysis and future responses by providing human feedback that specifies whether they agree, disagree or are uncertain about the findings of QRadar. QRadar also has natural language insights that allow security analysts to quickly view what IOCs or other observed events are identified in its investigation.

In addition, we can look at related investigations that QRadar identified, along with the offense summary. If we want to look at the visualized relationships within this alert, we can click on the offense relationship graph button. In this view we can quickly visualize the key IOC for this alert. On the left side we can toggle which relationships we want to see, including relationships found from the analysis of internal event and flow data as well as the relationships that QRadar uncovered using AI to conduct external research. Again, we can give some feedback to provide human reinforcement learning to QRadar.

Once we've completed our investigation, we can head back into the offenses summary to quickly start looking at other insider threats, IOCs or ingested correlated information that has been conducted by QRadar.

In conclusion, QRadar SIEM represents a significant step forward in harnessing AI and automation for security operations. By streamlining processes, enhancing skills and providing actionable insights, QRadar helps security analysts stay ahead of emerging threats by worrying less about tedious manual tasks and allowing them to focus on fortifying their organization's defenses. Thank you for watching. If you would like to learn more, visit the QRadar SIEM webpage to view the full demo video online or request a live demo.