July 6, 2023
With UEBA-powered platforms like Exabeam, you can catch threat actors who already work within your network.
External threats aren’t the only kind of threat security leaders need to prepare for. Insider threats often pose an even greater risk.
Malicious insiders are harder to detect because they are already authorized to perform actions on the network. They may already have privileged permissions. They may even invent plausible reasons why they need to escalate their privileges and access even more sensitive material.
Traditional security technologies are not designed to detect this kind of malicious activity. Static, rules-based SIEM platforms can’t analyze users’ intentions.
This situation requires a different approach. It’s especially important now that internal threat actors are involved in more than one-third of all data breaches. But the threat landscape is changing faster for some industries than others.
Healthcare Organizations Are Struggling to Keep Up Against Insider Threats
Healthcare organizations are responsible for ensuring the confidentiality, integrity, and availability of patient data. But even small healthcare clinics regularly entrust patient information to a long list of data custodians.
This list includes healthcare providers like doctors and nurses, administrative employees responsible for back-office functions, and a wide range of third-party partners. In a hospital setting, the number of people who can access this data grows exponentially.
In just one example from June 2023, Yakima Valley Memorial Hospital paid a $240,000 settlement after two dozen security guards improperly accessed more than 400 patient records. The breached information included patient names, dates of birth, home addresses, medical records, and insurance data.
Similar events occurred at an Arizona medical facility when an employee accessed nearly 500 medical intake forms and used the data to steal patients’ identities. The operation involved three co-conspirators who accessed victims’ bank accounts and opened new lines of credit in their names.
Alarmingly, 82% of organizations that face an insider attack can’t determine the actual damage caused by the attack. It falls on the courts to calculate the combination of data loss, business disruption, brand damage, legal liabilities, remediation costs, and competitive losses – and to determine who pays.
All organizations must build trust with their security partners. For healthcare organizations, the potential for abuse is higher than it is for most. Trust must be verified before it is earned.
User and Entity Behavior Analytics (UEBA) Drives Insight into User Intention
UEBA-enhanced SIEM platforms like Exabeam enable organizations to detect authorized, validated users engaging in malicious activity. This allows information security teams to monitor user behaviors and gain valuable insight into their intentions.
Gauging user intention is one of the few ways to mitigate data breach risks from threat actors who already have privileged permissions. UEBA technology lets analysts tell the difference between users who access data as part of their day-to-day routine and users who may not have a job-related reason to access sensitive records.
Exabeam does this by establishing a baseline risk score for every user and asset on the network. It observes how users and assets interact over time, and triggers alerts when their activity deviates from that established routine. It assigns higher priority to actions that deviate strongly from the baseline, enabling analysts to investigate critical risks first.
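To make the baseline-and-deviation idea concrete, here is a simplified sketch added for illustration. It is not Exabeam's scoring model or code: it uses a plain z-score over daily patient-record access counts, and the user names, counts, and threshold are all constructed.

```python
from statistics import mean, pstdev

# Constructed sample: distinct patient records opened per day, per user.
HISTORY = {
    "nurse_a":   [22, 25, 19, 24, 21, 23, 20],
    "billing_b": [40, 38, 42, 41, 39, 40, 43],
    "guard_c":   [0, 1, 0, 0, 1, 0, 0],
}
# Constructed sample: records each user opened today.
TODAY = {"nurse_a": 26, "billing_b": 41, "guard_c": 18}


def build_baseline(history):
    """Per-user mean and standard deviation of daily record accesses."""
    baseline = {}
    for user, counts in history.items():
        # Floor sigma at 1.0 so a near-constant routine does not turn a
        # one-record change into an extreme score.
        baseline[user] = (mean(counts), max(pstdev(counts), 1.0))
    return baseline


def deviation_score(baseline, user, count):
    """Standard deviations above the user's own routine (0 if at or below it)."""
    if user not in baseline:
        return None  # no history yet; needs separate handling, not a score
    mu, sigma = baseline[user]
    return max(0.0, (count - mu) / sigma)


def triage(history, today, threshold=3.0):
    """Return (user, score) alerts above the threshold, largest deviation first."""
    baseline = build_baseline(history)
    alerts = []
    for user, count in today.items():
        score = deviation_score(baseline, user, count)
        if score is not None and score >= threshold:
            alerts.append((user, round(score, 1)))
    return sorted(alerts, key=lambda a: a[1], reverse=True)


if __name__ == "__main__":
    for user, score in triage(HISTORY, TODAY):
        print(f"{user}: {score} sigma above baseline")
```

The billing user opens more records than anyone else today and raises no alert, while the guard's 18 records stand far outside that user's own routine. A single static count threshold would get both cases wrong.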
Custom Rules Enhance Security Performance and Deepen Visibility
UEBA technology is one of the most powerful tools security teams can use against insider threats. However, it isn’t a plug-and-play solution. Sophisticated platforms like Exabeam use machine learning to continuously enhance threat modeling and risk-scoring activity. But that doesn’t automatically mean that Exabeam knows what type of risky behavior to look out for. It doesn’t guarantee visibility into every insider threat.
To achieve those goals, healthcare organizations need to optimize their Exabeam configuration to match their unique security risk profile. That means developing and updating custom rules that expand Exabeam’s reach while granting more comprehensive visibility into user and asset activities.
Castra has years of experience developing context-specific custom rules for Exabeam. We have created 1800+ custom rules for customers who rely on Exabeam to deliver fast, accurate insight into malicious insider behaviors. Learn more about how Castra’s product experts can help you secure your healthcare organization against insider threats that other security solutions overlook.