IBM Security QRadar

 View Only

Pandemics – When UBA is more important than AI in the health sector

By Salman Khan posted Sun April 26, 2020 04:47 AM



I have been working with cyber security for a few years now and have been a strong advocate of QRadar Advisor with Watson being one of the leading innovations in health sector and how it will shape the sector’s future. But I feel in the era of a pandemic, like coronavirus, when people are forced to work from home, and traffic is now routed from outside the corporate network choke-points (IPS, IDS, Firewalls, WAF etc), it is even more important to focus on QRadar's UBA (anomalies) than Watson (predictions). This is especially true when the rules are relaxed to help fight pandemics in public interest.

UBA Dashboard

Threat surface of the Health Sector:

The health sector is characterized by its extremely sensitive personal data, which patients can never decouple themselves from, as well as a wide variety of IoT devices, which in many cases are mobile and not designed with security by default. In addition to the personal data (the rules around which can be relaxed in the public interest to get situations under control), the health care industry also has intellectual properties (IP) like information about vaccines under development. One of the most attractive threat vectors here would be injecting a malware for data exfiltration or manipulation, etc.

Mobile Personal Computers and VPN:

When it comes to using VPN connections for personal computers, many organizations choose to use split-tunneling, which allows mobile users to access internet directly from the device’s interface, rather than going through corporate VPN. There are a few reasons why organizations would choose to do it this way, including:

  • Offloading VPN devices from handling process-intensive traffic that is not directed to corporate network
  • The traffic (like streaming videos etc) can consume high bandwidth, downgrading speed of connections for everyone using VPN.

In times like the present, everyone is working from home, including our employees, customers and third-party vendors. And connecting everyone to VPN and re-routing all their traffic through it, would put a lot of pressure on the VPN-device, because the number of users connecting to it have now grown from a few to “everyone.” Likewise, when everyone is connecting from outside the office network, it is a bit challenging to keep an eye on who actually is trying to connect to VPN.

In addition to this, when connections to VPN are allowed without zero-trust implementation, it realizes the possibility of pivoting to other devices inside the corporate network. Once inside the network, an attacker will try to pivot in most of the cases to find interesting information.

Exploiting the human factor:

Endpoint detection systems that are based on signatures look for malwares which they already know of. This is why they need continuous updates. But as the research shows, since January 2020 thousands of new domains were registered on a global note in the name of offering advice, services, information, and products related to coronavirus. Many of these domains are malicious.

So, the potential of landing on a website and getting infected has now increased multiple times, especially when people are buying most of their stuff online to follow the rules of social distancing and avoid crowded places. People are now also expecting an increased number of emails coming from online shops and their partners in a bid to up-sell and cross-sell.

The vulnerability I am pointing to, in this article, is the insider threat, exploiting the human factor. Both in terms of phishing emails, and endpoint infections.

So, UBA which checks for anomalies, can help detect and mitigate threats in pandemics like Coronavirus. UBA in QRadar does this by generating alarms when something unusual happens by:

  • Focusing on accounts and access, to check for account and access deviations
  • Highlighting abnormal user behaviors like transferring large file to a malicious IP-address (CnC)
  • Detecting users from deviating from self or from peer groups.


To summarize, in order to avoid employees coming back to office with infected machines after this pandemic is over, UBA should be a greater focus of cyber security personnel during such pandemics. This must be done in addition to making end users at least slightly more security-aware by encouraging them to use free available DNS security layer when surfing internet at home (like Cisco umbrella or Quad9, etc), and reminding them to be more cautious of potentially malicious emails they may find in their inboxes.




Tue April 28, 2020 04:56 PM

Great point "to avoid employees coming back to office with infected machines after this pandemic is over".  I think a lot of companies will be wound up in the logistics of bringing employees back safely, they could easily overlook the health of the devices that have been in a less controlled environment for a period of time. 

Mon April 27, 2020 10:58 AM

Thank you, Salman for sharing this great insight into QRadar Advisor with Watson. It is much appreciated having this kind of content coming from one of our community members. Stay safe.