I recently read an article in Infosecurity about a presentation at the Infosecurity North America conference related to combatting insider threats. The presenter mentioned that user behavior analytics (UBA) is key for mitigating insider threats.
While I cannot disagree (after all, my company plays in the UBA space), it’s important to highlight a critical distinction – UBA alone, as most organizations use it today, will not solve the insider threat problem.
UBA is most commonly used today as an anomaly detection tool. It detects unusual behavior and alerts investigators. A misconception exists in the marketplace that UBA, as a detection tool, is the be-all and end-all for combatting insider threats, which is far from the truth. It takes an army to win a war, not one soldier. Similarly, it takes technologies, data and people working in concert to detect and mitigate insider threats before it’s too late.
Two frequent types of insider threats are those that enable sensitive data to leave the organization and those that enable bad actors to break into valuable assets to steal sensitive data.
For the first one, UBA working in concert with data loss prevention (DLP) technologies significantly minimizes the risk of valuable data walking out the door. When integrated with DLP, UBA adds detailed contextual user data to DLP investigations to prioritize response. DLP analysts, who are working with limited resources, are flooded with alerts. The workload is so significant they may turn off policies to minimize the flow of alerts coming in, which elevates risk.
By integrating with UBA, DLP analysts only see the threat alerts that increase risk the most, and can automatically route those alerts through various remediation options. DLP and UBA together accelerate the process of detection and prevention so the threats that could cause the most damage to the organization don’t slip through the cracks.
For the second scenario, preventing bad actors from breaking into valuable assets to steal sensitive data, UBA must go beyond just anomaly detection. Security Operations Centers are flooded with false positives and noise. When UBA solely detects anomalies, it just adds more alerts to the mountain.
To find the “needle in the haystack” UBA must also factor in the value of the asset under attack, the impact to the organization if that asset were compromised, and associated vulnerabilities that would enable the threat to succeed.
For example, Jane, who works in marketing, logs into her company’s billing system multiple times within a week, something Jane does not normally do. A UBA tool should detect the behavior and prioritize it, because the billing system contains information that, if compromised, would cause measurable and significant impact to the company.
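The two ideas above, UBA context used to triage DLP alerts and anomalies weighted by asset value, impact and exposure, can be sketched as a small scoring routine. The following is an added example written for this page, not code from the original post or from any UBA or DLP product. The users, assets, anomaly scores, the 1 to 5 criticality and impact scales, and the routing threshold are all constructed assumptions; a real deployment would take the anomaly score from the UBA model and the asset data from a CMDB or asset inventory.

```python
"""Risk-weighted prioritization of UBA anomalies and UBA-enriched DLP triage.

Added example for illustration only. Every user, asset, score and scale
below is constructed; nothing here is taken from a real product or dataset.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    criticality: int            # assumed scale: 1 (low) .. 5 (crown jewel)
    impact_if_compromised: int  # assumed scale: 1 (minor) .. 5 (severe)
    open_vulns: int             # unpatched findings that expose the asset


@dataclass
class Anomaly:
    user: str
    department: str
    asset: str
    anomaly_score: float        # assumed 0..1 output of a behavioural baseline
    detail: str


@dataclass
class DlpAlert:
    alert_id: str
    user: str
    policy: str
    bytes_moved: int


# Constructed asset inventory: the billing system is the high-value target.
ASSETS: Dict[str, Asset] = {
    "billing": Asset("billing", criticality=5, impact_if_compromised=5, open_vulns=2),
    "hr_system": Asset("hr_system", criticality=4, impact_if_compromised=4, open_vulns=0),
    "wiki": Asset("wiki", criticality=1, impact_if_compromised=1, open_vulns=0),
}

# Constructed UBA output for one week.
SAMPLE_ANOMALIES: List[Anomaly] = [
    Anomaly("jane", "marketing", "billing", 0.8, "3 logins to billing, none in baseline"),
    Anomaly("bob", "finance", "billing", 0.1, "slightly above usual login count"),
    Anomaly("carol", "engineering", "wiki", 0.9, "bulk page views at 02:00"),
    Anomaly("dave", "it", "hr_system", 0.6, "first-ever access to HR exports"),
]

# Constructed DLP alerts from the same week.
SAMPLE_DLP: List[DlpAlert] = [
    DlpAlert("D1", "jane", "cloud_upload", 50_000_000),
    DlpAlert("D2", "carol", "email_attachment", 2_000_000),
    DlpAlert("D3", "eve", "usb_copy", 800_000),  # eve has no UBA anomalies
]


def priority(anomaly: Anomaly, assets: Dict[str, Asset]) -> float:
    """Anomaly score weighted by asset criticality, impact and exposure.

    The vulnerability factor scales from 1.0 (no open findings) to 2.0
    (five or more), so an exposed asset raises the priority of the same
    behaviour. The weighting itself is an assumption of this example.
    """
    asset = assets[anomaly.asset]
    vuln_factor = 1.0 + min(asset.open_vulns, 5) / 5.0
    return round(anomaly.anomaly_score * asset.criticality
                 * asset.impact_if_compromised * vuln_factor, 2)


def rank_anomalies(anomalies: List[Anomaly], assets: Dict[str, Asset],
                   top_n: int = 5) -> List[Tuple[float, str, str]]:
    """Return the top_n anomalies as (priority, user, asset), highest first."""
    scored = sorted(((priority(a, assets), a) for a in anomalies),
                    key=lambda t: t[0], reverse=True)
    return [(p, a.user, a.asset) for p, a in scored[:top_n]]


def user_risk(user: str, anomalies: List[Anomaly], assets: Dict[str, Asset]) -> float:
    """UBA context for a DLP alert: the user's highest current anomaly priority."""
    return max((priority(a, assets) for a in anomalies if a.user == user), default=0.0)


def triage_dlp(alerts: List[DlpAlert], anomalies: List[Anomaly],
               assets: Dict[str, Asset], threshold: float = 10.0) -> Dict[str, str]:
    """Route each DLP alert using UBA context.

    Alerts for users whose behaviour is already high-risk go to an analyst;
    the rest follow the automatic policy action, so analysts see only the
    alerts that raise risk the most instead of the whole alert flood.
    """
    routes: Dict[str, str] = {}
    for alert in alerts:
        risk = user_risk(alert.user, anomalies, assets)
        routes[alert.alert_id] = "analyst_queue" if risk >= threshold else "auto_policy_action"
    return routes


if __name__ == "__main__":
    for p, user, asset in rank_anomalies(SAMPLE_ANOMALIES, ASSETS):
        print(f"{p:6.2f}  {user:6s}  {asset}")
    print(triage_dlp(SAMPLE_DLP, SAMPLE_ANOMALIES, ASSETS))
```

Run as a script, the ranking puts Jane's modest anomaly on the billing system well above Carol's much stronger anomaly on the low-value wiki, which is the point of factoring in asset value and exposure rather than anomaly strength alone. The DLP triage then sends only Jane's upload to the analyst queue; Carol's and Eve's alerts follow the automatic policy action.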
To simplify, combatting insider threats using UBA boils down to two things: first, UBA should be integrated with additional security tools such as DLP; and second, UBA must incorporate much more than just detecting unusual behavior.
Insider threats come in so many flavors it takes integration and collaboration to prioritize what’s most important. Analysts and investigators are much more effective when they know which top five threats to mitigate each day vs. the top one thousand.