Every CSO needs to vigilantly guard against the growth and sophistication of external cyber-threats, but the biggest cyber-risk may be what is lurking within their own network. Negligent employees, malicious insiders, and compromised users and hosts often hold legitimate credentials, and with them can exploit weaknesses in traditional security infrastructure.

Traditional perimeter defenses give free rein to those credentials. To determine whether those "users" are part of an attack, enterprises need to focus security on the behavior of whoever, or whatever, is using authorized credentials.

In a recent discussion of Verizon's 2017 Data Breach Investigations Report, the company's senior security specialist and RISK Team leader, John Grim, told Computer Business Review that "[in] 81% of the data breaches that we looked at this year in terms of data sets, the threat actors are leveraging those default passwords, those weak passwords, or those passwords that have been stolen."

One in five employees in a recent survey indicated they keep passwords in plain sight. Another survey found that 23% of workers would share sensitive, confidential, or regulated company information if they believed the risk was low and the potential benefit high.

Guest access

Other risks come from authorized guests. Guest networks are not necessarily well protected, which can let guests move into parts of the network they should not reach and access data that should be restricted.

Trusted partners represent yet another threat vector. As CSO pointed out recently, "The use of third-party providers is widespread, as are breaches associated with them."

The 2013 breach of Target's point-of-sale systems was traced to a heating and air conditioning vendor whose legitimate credentials had been stolen, according to KrebsOnSecurity.

A bad actor with legitimate credentials, whether an insider or an outsider, can probe for weaknesses once on the network. In that situation, the only way to defend the enterprise is to find the changes in the actor's behavior that indicate an attack is under way.

Detecting anomalies

With the help of machine learning, user and entity behavior analytics (UEBA) can detect anomalous actions that may indicate unauthorized activity and attacks. Niara, recently acquired by Aruba, an HPE company, for example, combines supervised and unsupervised machine learning models so that the system is self-learning and continually adapting, identifying anomalies and confirming malicious activity before attacks inflict damage.

Bad behaviors on the network can be detected if you know what to look for and have the means to do so. For example, when users access systems, how long do they stay on an application? How much data do they access? From where, and with what devices, are they doing so?

All those activities can be used to build baselines, or profiles, of normal behavior; anomalies can then be detected individually and correlated over time, alerting security professionals to take action when threshold conditions are met. A single new device or unfamiliar login location may mean little on its own, but several such signals from the same account within a short window deserve an analyst's attention. With UEBA, baselines can also be built around the activities of peer groups, so that a member of the finance group who behaves differently from his or her peers, for instance by pulling far more data than they do, can be detected quickly.

Knowing what is going on in your network is as important as knowing who is on it.

To learn more, visit Aruba.
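The baselining, peer-group comparison and time-window correlation described above, as an added example; this is illustrative code written for this page, not Niara's or Aruba's own analytics. The space-separated log format, the two constructed log sets, the feature weights, the 3-sigma limit, the 24-hour correlation window and the alert threshold are all assumptions made here. It learns each user's known devices and countries and each peer group's typical session length and bytes read, scores new events against them, and sums a user's scores over the window so that several weak signals can cross the threshold together.

```python
"""Toy UEBA: behavioural baselines from access logs, per-user anomaly scores
correlated over a time window.  Added example for this page, not Niara/Aruba
code; log format, weights, z limit and alert threshold are assumptions."""
import statistics
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed (invented) history used to learn what "normal" looks like.
# Fields: timestamp user peer_group app session_min bytes_read country device
BASELINE_LOG = """\
2017-06-01T09:02:00 alice finance erp 45 12000000 US laptop-a1
2017-06-02T09:05:00 alice finance erp 50 14000000 US laptop-a1
2017-06-03T09:00:00 alice finance erp 40 10000000 US laptop-a1
2017-06-01T10:10:00 bob finance erp 55 16000000 US laptop-b7
2017-06-02T10:15:00 bob finance erp 60 18000000 US laptop-b7
2017-06-03T10:00:00 bob finance erp 50 15000000 US laptop-b7
2017-06-01T09:30:00 dave engineering gitlab 120 50000000 US ws-d2
2017-06-02T09:45:00 erin engineering gitlab 110 55000000 DE ws-e9
"""
# Constructed (invented) events to score against that baseline.
NEW_LOG = """\
2017-06-05T09:00:00 alice finance erp 47 13000000 US laptop-a1
2017-06-05T22:30:00 alice finance erp 55 15000000 US laptop-x9
2017-06-06T02:00:00 alice finance erp 50 14000000 RO laptop-x9
2017-06-06T11:00:00 bob finance erp 50 950000000 US laptop-b7
2017-06-06T14:00:00 dave engineering gitlab 115 55000000 US ws-d2
2017-06-08T09:00:00 alice finance erp 46 12500000 US laptop-a1
"""
Z_LIMIT = 3.0                 # assumed: more than 3 sigma above peers is anomalous
WEIGHTS = {"peer_volume": 5, "peer_duration": 1, "new_device": 2, "new_country": 2}
ALERT_THRESHOLD = 5           # assumed: window score at which we raise an alert
WINDOW = timedelta(hours=24)  # assumed: per-user correlation window

Event = namedtuple("Event", "ts user group app minutes nbytes country device")
Finding = namedtuple("Finding", "ts user score window_score alert reasons")


def parse_log(text):
    """Parse the space-separated toy format into Event tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, group, app, minutes, nbytes, country, device = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, group, app,
                            int(minutes), int(nbytes), country, device))
    return events


def build_baseline(events):
    """Known devices/countries per user; (mean, stdev) of session length and
    bytes read per peer group."""
    devices, countries = defaultdict(set), defaultdict(set)
    samples = defaultdict(lambda: defaultdict(list))
    for e in events:
        devices[e.user].add(e.device)
        countries[e.user].add(e.country)
        samples[e.group]["minutes"].append(e.minutes)
        samples[e.group]["nbytes"].append(e.nbytes)
    # Floor the spread so a tiny, uniform peer group does not turn every
    # small deviation into a multi-sigma outlier.
    group_stats = {g: {n: (statistics.mean(v),
                           max(statistics.pstdev(v), 0.05 * statistics.mean(v), 1e-9))
                       for n, v in feats.items()} for g, feats in samples.items()}
    return devices, countries, group_stats


def score_event(e, baseline):
    """Weighted sum of the anomaly indicators that fire for one event."""
    devices, countries, group_stats = baseline
    reasons = []
    stats = group_stats.get(e.group)
    if stats:
        for name, value in (("nbytes", e.nbytes), ("minutes", e.minutes)):
            mean, sd = stats[name]
            if (value - mean) / sd > Z_LIMIT:
                reasons.append("peer_volume" if name == "nbytes" else "peer_duration")
    if e.device not in devices.get(e.user, set()):
        reasons.append("new_device")
    if e.country not in countries.get(e.user, set()):
        reasons.append("new_country")
    return sum(WEIGHTS[r] for r in reasons), reasons


def correlate(events, baseline):
    """Score events in time order and sum each user's scores over WINDOW, so
    several weak signals close together can cross the threshold together."""
    history = defaultdict(list)
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        score, reasons = score_event(e, baseline)
        recent = [(ts, s) for ts, s in history[e.user] if e.ts - ts <= WINDOW]
        recent.append((e.ts, score))
        history[e.user] = recent
        window_score = sum(s for _, s in recent)
        findings.append(Finding(e.ts, e.user, score, window_score,
                                window_score >= ALERT_THRESHOLD, reasons))
    return findings


def run_demo():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return correlate(parse_log(NEW_LOG), baseline)


if __name__ == "__main__":
    for f in run_demo():
        print("ALERT" if f.alert else "ok   ", f"{f.ts:%m-%d %H:%M}", f.user,
              f"event={f.score} window={f.window_score}", f.reasons)
```

Run it and the three outcomes the text describes appear in one pass: alice's new device on its own scores below the threshold, but the same device plus a login from a new country a few hours later pushes her 24-hour window over it; bob's 950 MB read fires the peer-volume rule alone because it sits hundreds of standard deviations above the finance group; dave's 55 MB read is ordinary for engineering and scores nothing, even though it would be a strong outlier against finance. Alice's routine login two days later scores zero again because her earlier events have aged out of the window.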