User and entity behavior analytics (UEBA) has quickly become a crowded space. CISOs are overwhelmed by vendors promising UEBA as the key to combatting insider threats when in reality it’s “a” key not “the” key.
UEBA software detects insiders or technologies behaving in a risky or unusual way that may indicate a breach in progress or lead to one. That is an important element of reducing cyber risk from insider threats, but it is only one element. UEBA is a means to an end, with the end being protecting a company’s most treasured assets.
UEBA only identifies potentially unusual behavior but requires greater context to establish whether the identified person is really a threat. For example, if a security operations center (SOC) investigator receives an alert about the human resources manager accessing an application that contains proprietary information, something they would not typically access, it would take investigators multiple steps to figure out if it’s an actual threat.
UEBA software would alert the SOC about the manager’s actions; however, the alert would lack context such as whether there is a business reason for the access, or whether the information actually being accessed is proprietary and would cause severe damage if compromised. If so, investigators would need to determine whether the manager has legitimate access privileges to that information and whether the laptop was compromised, which could indicate a compromised account. They would then need to make an educated guess about whether the manager was an actual threat, and the answer could still turn out to be a false positive.
An inside-out approach to security includes identifying unusual insider behavior but takes a more comprehensive approach that begins with three key questions: What are our most valuable assets, whose compromise would cause the greatest loss? What threats are targeting those assets? What vulnerabilities do those assets have to those threats? UEBA plays an important part in answering only one of those questions: whether valuable data is potentially threatened by malicious or careless insiders, or by outsiders coming in through a compromised account. Those are a few threats among many.
However, to truly manage enterprise cyber risk, everybody in the organization from the SOC to the board needs to be working from the same playbook that is prioritized based on real risks to assets that are most critical to the business. To be effective at investigating insider threats and compromised accounts, the SOC requires the greater context of the user, their activities, the environment and the assets at risk, which may come from the people closest to those assets such as the application owners who intuitively understand their environment and its users.
UEBA in theory enables incident responders to identify insider threats and compromised accounts but it is not enough by itself and provides just a sliver of value when it comes to inside-out security. The next chapter of cyber risk analytics must include UEBA and so much more. Companies must understand their information assets’ business value, vulnerabilities and threats to their most valued assets so that SOC investigators don’t waste their time on false positives and the real threats get actioned.