How User Behavior Analytics (UBA) can Improve Cloud Security

Jason Coggins | 7 min read| Updated On - June 22, 2020

How User Behavior Analytics (UBA) can Improve Cloud Security

The need for enterprises to manage and maintain their own IT infrastructure is slowly, but surely, fading. This is hardly surprising given that many cloud service providers offer unlimited bandwidth and storage space at affordable rates, which enterprises can utilize, as and when required.

Cloud services provide reliable disaster recovery, which can help to minimize website downtime, as the data they store is replicated across multiple data centers.

Cloud platforms are generally easy-to-use, provide automatic software updates, and allow users to access their data anywhere in the world.

Additionally, many service providers offer 24/7 support, something which would be practically infeasible for most organizations to provide to their own staff.

Of course, using a cloud-based solution is not without its problems.

The Issues with Cloud Services

The main problem with using a cloud service, is the loss of control. Whichever way you look at it, you are trusting a third-party to look after your data. You are trusting them to maintain their servers, even-though many outsource the maintenance of their servers to third parties, making it difficult for businesses to know exactly where their data is stored. You are trusting them to implement the necessary technical and physical safeguards and comply with the relevant data protection laws.

Many cloud service providers are not as secure as they claim to be, and it’s hard for businesses to assess the security of their infrastructure prior to adoption. Additionally, you are not involved in their on-boarding/off-boarding process, which cause for concern is given that the majority of data breaches are caused by regular employees.

The Cloud Security Conundrum

All being said, in some ways there is an even greater incentive for cloud service providers to keep their systems and data secure. After all, data security is a core component of their business model, and a serious data breach would result in a huge loss of revenue. However, this would not necessarily be the case for the businesses who use their service.

Naturally, businesses should avoid storing sensitive data in the cloud, and if they do, they should ensure that the data has been encrypted beforehand. They should back-up their data locally and keep their own devices free from malware – as to minimize the chance of credential theft. They will need to ensure that the cloud service is using robust authentication protocols (strong passwords, security questions, 2FA), and if possible, rigorously assess the security measures they claim to have in place.

The above measures will no doubt help, but they’re still not addressing the fundamental problem when it comes to keeping sensitive data secure. As mentioned, most data breaches are caused by regular employees, regardless of whether they are our own employees, or those employed by the service provider. In which case, a more data-eccentric approach is required. One of the newest and most effective IT security strategies for data-eccentric security is called User Behavior Analytics (UBA).

What is User Behavior Analytics (UBA)?

UBA, as you may have already guessed, is a strategy that is used to monitor user behavior. A UBA solution uses advanced machine learning techniques to learn typical patterns of behavior. Should a user act in a way that deviates from this pattern, a real-time alert will be sent to the administrator, or an automated response will be initiated. A UBA solution will aggregate and correlate event data from multiple sources, and store the events in an immutable, centralized database. All relevant events will be presented via an intuitive dashboard, where they can be searched and filtered in just a few clicks.

How can UBA help with cloud security?

These days, most advanced UBA solutions are able to aggregate data from a wide range of cloud platforms, through either REST API or Syslog from most well-known platforms such as Dropbox, Office 365, Azure, AWS, G-Suite, and many more. By analyzing this data, the UBA solution can:

Flag unusual login attempts

A UBA solution can detect and respond to multiple failed login attempts, as well as login attempts that occur outside of normal business hours. Likewise, it can identify login attempts from unusual IP addresses or physical locations. A sophisticated UBA solution will be able to calculate the time between login attempts and correlate this time with the distance between the login locations, to determine whether the login attempts were from a legitimate user.

Detect suspicious file and folder activity

A UBA solution can detect, alert and respond to change made to the files and folders stored in the cloud. It can detect when files are accessed, modified, moved or deleted. If, for example, there was an unexpected increase in the number files that are being downloaded, and alert can be raised and sent to the administrator. In addition to being able to detect behavioural patterns which deviate from typical usage patterns, most UBA solutions are able to detect and respond to events that match a pre-defined threshold condition. For example, if x number of files have been downloaded within a given time-frame, an alert can be raised, or custom script can be executed which may disable a user account, or launch some other process to stop the potential threat.

Detect configuration changes

In recent years, we’ve seen a number of data breaches caused by misconfigured Amazon S3 buckets, where the default security settings left them open to the public. It is clearly important that we keep a close eye on any security settings that could potentially leave our sensitive data exposed. In addition to carefully reviewing the security settings before uploading sensitive data to the cloud, we must also be able to detect and respond to configuration changes, as and when they occur. A UBA solution will provide this visibility, by keeping track of critical configuration changes, across all platforms.

What’s wrong with native cloud auditing?

Don’t get me wrong, the native auditing features on the most popular cloud platforms have improved a lot in recent years, however, there are still some serious limitations that need to be addressed. Firstly, the log retention period on most platforms is still far too short. For example, Office 365 will retain event logs for a maximum of 90 days, while Azure AD will only retain log data for 30 days. The short retention period will cause problems when it comes to complying with certain regulations, such as PCI DSS and HIPAA.

PCI-DSS requires a log retention period of one year, while HIPAA requires a log retention period of six years. Not only that, but the average time it takes to detect a breach is 206 days, according to the Ponemon Institute’s 2017 Cost of a Data Breach Study. As such, in order to comply with the most prominent data protection regulations, and to ensure that you have the visibility you need to identify the cause of all security incidents, a longer retention period is required.

Secondly, cloud platforms provide limited sorting, searching and reporting functionality, when compared to commercial auditing solutions. Finally, if you are using multiple platforms, you would need to login and monitor changes on each platform independently, which would be a cumbersome process.

Not only that, but you would also need to learn how to use their solution, which is likely to be less intuitive than a dedicated solution.

If you would like to see how Lepide can help keep your data secure in the cloud, check our Data Security Platform or schedule a demo today.

Jason Coggins
Jason Coggins

Jason Coggins came to Lepide directly from the UK government security services, and now leads the UK & EU sales team at Lepide. Based in Lepide’s UK office, Jason has a practical and ‘hands-on’ approach to introducing Lepide to customers and channel partners globally.

Popular Blog Posts