(Updated on 11/04/2020)
Some organisations have invested significant resources in user and entity behaviour analytics (UEBA) tools, which, as the name suggests, focus on user behaviour as a means of detecting and stopping insider threats. UEBA tools apply machine learning to a population of users, building a baseline of normal activity and flagging the outliers who may be potential insider threats. Unfortunately, UEBA tools on their own can be inconsistent, leaving significant gaps in coverage for the organisations that deploy them.
For many organisations, the solution to the insider threat problem isn’t as simple as ripping and replacing a UEBA solution. These deployments can take up to six months to implement and fine-tune. According to a recent study by CrowdFlower (now Figure Eight), 51% of a data scientist’s time is spent collecting, labelling, cleaning and organising data. Even with that level of effort, there is a high likelihood of false positives caused by poor training data, disparate data sets and knowledge workers’ shifting daily routines.
Instead, supplementing a UEBA with a user- and file-activity-based insider threat management solution such as Proofpoint ITM can fill some of the gaps where machine learning falls short today, and may be the best way to detect and stop insider threats. Here are three reasons why:
1. The Machine Learning Talent Crunch
Many organisations don’t have enough team members well-versed in machine learning to continuously fine-tune a UEBA tool and interpret its results, which can leave a wide margin for error when it comes to detecting and stopping insider threats.
The harsh reality is that employees with machine learning skills are in high demand and short supply. According to a recent survey from Indeed.com, job listings containing the terms “machine learning” or “AI” have increased by 119% since 2015, while the number of job seekers searching and applying for roles with those terms appears to have levelled off.
Unfortunately, security operations centre (SOC) analysts aren’t always equipped to build clean data input pipelines or wade through the analytics a UEBA generates, so they can quickly become overwhelmed. By integrating an insider threat management solution with an existing UEBA, security teams get a full picture of both user activity and data movement in their organisation, without heavy maintenance or a machine learning background.
2. Need to Correlate Data Movement to Risky User Activity
Insider threat incidents are often detected more effectively when user behaviour analytics, user activity monitoring and data monitoring (file, folder and system-level) are combined. A UEBA that tracks behaviour alone is often ineffective at detecting data exfiltration attempts, unauthorised activity or accidental actions, because it can see that a user deviated from their baseline but not what data moved, or where it went.
Given that two out of three insider threat incidents are caused by employee or contractor errors, a majority of incidents may be falling through the cracks undetected with a UEBA alone: a careless upload made during normal working hours produces no behavioural anomaly to flag. An insider threat management solution picks up these incidents by detecting the suspicious data movement itself, whether or not it resulted from a mistake.
In addition, the insider threat investigation process requires irrefutable context around who did what, where, when and why. The fast, searchable metadata and visual capture of user activity and data movement in a robust insider threat management solution supplement the analytics from a UEBA. With both in place, security teams have the context they need to investigate incidents quickly and take the proper steps toward remediation.
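To make the correlation argument concrete, here is an added toy detector (not Proofpoint’s or any UEBA vendor’s logic) that scores behaviour anomalies and data-movement anomalies separately and then correlates them per user. The event fields, the “risky” destinations, the z-score threshold and the correlation window are assumptions chosen for illustration, and the login and file events are constructed.

```python
"""Correlating behaviour anomalies with data-movement anomalies.

Added example (not Proofpoint's or any UEBA vendor's code): a toy detector
over constructed login and file-activity events. Event fields, destinations,
threshold and window are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

RISKY_DESTINATIONS = {"usb", "personal_cloud"}  # assumed exfiltration channels
Z_THRESHOLD = 3.0                               # assumed anomaly cut-off
CORRELATION_WINDOW = timedelta(hours=8)         # assumed working-session length


def constructed_history(user, login_hour, daily_bytes, days=30):
    """Constructed baseline history: one login and one file copy per day."""
    start = datetime(2020, 3, 1)
    events = []
    for d in range(days):
        day = start + timedelta(days=d)
        events.append({"user": user, "type": "login", "ts": day.replace(hour=login_hour)})
        events.append({"user": user, "type": "file", "bytes": daily_bytes,
                       "dest": "corp_share", "ts": day.replace(hour=login_hour + 2)})
    return events


def build_baseline(history):
    """Per-user mean and spread of login hour and of bytes moved per file event."""
    hours, sizes = defaultdict(list), defaultdict(list)
    for e in history:
        if e["type"] == "login":
            hours[e["user"]].append(e["ts"].hour)
        else:
            sizes[e["user"]].append(e["bytes"])
    baseline = {}
    for user in hours:
        s = sizes[user] or [0.0]
        # A perfectly regular history has zero spread; floor it so z-scores stay finite.
        baseline[user] = {
            "hour_mean": mean(hours[user]), "hour_sd": pstdev(hours[user]) or 1.0,
            "bytes_mean": mean(s), "bytes_sd": pstdev(s) or max(1.0, 0.1 * mean(s)),
        }
    return baseline


def z_score(value, mean_, sd):
    return (value - mean_) / sd


def detect(baseline, events):
    """Behaviour-only anomaly -> low (what a UEBA alone raises); data-only
    anomaly -> medium (file monitoring alone); both for the same user within
    CORRELATION_WINDOW -> high."""
    odd_logins, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        b = baseline.get(e["user"])
        if b is None:
            alerts.append({"user": e["user"], "kind": "unknown_user", "severity": "medium"})
            continue
        if e["type"] == "login":
            if abs(z_score(e["ts"].hour, b["hour_mean"], b["hour_sd"])) > Z_THRESHOLD:
                odd_logins[e["user"]].append(e["ts"])
                alerts.append({"user": e["user"], "kind": "odd_hours_login",
                               "severity": "low", "ts": e["ts"]})
        elif e["type"] == "file":
            volume_anomaly = z_score(e["bytes"], b["bytes_mean"], b["bytes_sd"]) > Z_THRESHOLD
            if not (volume_anomaly or e["dest"] in RISKY_DESTINATIONS):
                continue
            correlated = any(timedelta(0) <= e["ts"] - t <= CORRELATION_WINDOW
                             for t in odd_logins[e["user"]])
            alerts.append({"user": e["user"], "kind": "unusual_data_movement",
                           "severity": "high" if correlated else "medium",
                           "bytes": e["bytes"], "dest": e["dest"], "ts": e["ts"]})
    return alerts


def demo():
    """Constructed scenario: three users with the same regular 09:00 history."""
    history = []
    for user in ("alice", "bob", "carol"):
        history += constructed_history(user, login_hour=9, daily_bytes=50_000_000)
    baseline = build_baseline(history)
    day = datetime(2020, 4, 1)
    events = [
        # alice: 02:00 login, then 5 GB to a USB stick an hour later -> correlated, high
        {"user": "alice", "type": "login", "ts": day.replace(hour=2)},
        {"user": "alice", "type": "file", "bytes": 5_000_000_000, "dest": "usb", "ts": day.replace(hour=3)},
        # bob: normal 09:00 login, accidental 2 GB upload to a personal cloud drive ->
        # no behavioural anomaly at all; only file monitoring sees it (medium)
        {"user": "bob", "type": "login", "ts": day.replace(hour=9)},
        {"user": "bob", "type": "file", "bytes": 2_000_000_000, "dest": "personal_cloud", "ts": day.replace(hour=11)},
        # carol: 23:00 login but ordinary file activity -> behaviour-only, low
        {"user": "carol", "type": "login", "ts": day.replace(hour=23)},
        {"user": "carol", "type": "file", "bytes": 40_000_000, "dest": "corp_share", "ts": day.replace(hour=23, minute=30)},
    ]
    return detect(baseline, events)


if __name__ == "__main__":
    for a in demo():
        print(a["severity"].upper(), a["user"], a["kind"])
```

The point of the scenario is bob: his behaviour is entirely normal, so a behaviour-only baseline never fires, and the accidental upload is only visible because the file activity itself is monitored. Alice shows the opposite benefit, where the two weak signals (odd-hours login, large copy to removable media) reinforce each other into a high-severity alert.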
3. The Rising Tide Around Consumer Data Privacy
The increasing frequency and shock factor of headlines about consumer data privacy show that SOCs need to balance insider threat vigilance with maintaining user privacy. The need to comply with regulations such as GDPR and the California Consumer Privacy Act of 2018 also makes user privacy a business imperative.
An insider threat management solution can give security teams tight control over access to and usage of the collected data, through data anonymisation (analysts work with a pseudonym rather than a named employee until an investigation justifies revealing the identity) and “audit the auditor” capabilities (every analyst query and de-anonymisation is itself logged and reviewable). Realistically, security teams don’t have time to watch users constantly, so appropriate guardrails ensure that potential incidents are detected effectively while user privacy is respected.
Supplementing a UEBA with an insider threat management solution can help teams comply with data privacy regulations and do right by their employees at the same time.
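As an added illustration of the two controls named above (pseudonymised alerts and an audit trail of every de-anonymisation), here is a small keyed-pseudonym vault. It is not Proofpoint’s implementation; the key, the user identities, the alert shape and the audit record format are constructed for the example.

```python
"""Pseudonymised monitoring with an 'audit the auditor' trail.

Added example, not Proofpoint's implementation: analysts see keyed pseudonyms
instead of employee names, and every de-anonymisation (or refused attempt) is
itself recorded. Key, identities and record format are constructed.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Assumed: in production this key lives in a KMS/HSM, never in source control.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymise(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable keyed pseudonym: the same user always maps to the same token, so
    analysts can still group alerts per person, but without the key nobody can
    hash the staff directory and match tokens back to names (an unkeyed hash
    would be reversible over such a small input space)."""
    return "u-" + hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_alert(alert: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a copy of an alert with the user field replaced by its pseudonym."""
    out = dict(alert)
    out["user"] = pseudonymise(alert["user"], key)
    return out


class IdentityVault:
    """Holds the token -> identity mapping and logs every reveal attempt."""

    def __init__(self, user_ids, key: bytes = PSEUDONYM_KEY):
        self._mapping = {pseudonymise(u, key): u for u in user_ids}
        self.audit_log = []  # append-only; in practice shipped to a separate store

    def reveal(self, token: str, analyst: str, case_id: str, reason: str):
        record = {"ts": datetime.now(timezone.utc).isoformat(), "analyst": analyst,
                  "token": token, "case_id": case_id, "reason": reason}
        if not case_id or not reason:
            # Record the refused attempt too: an analyst browsing identities
            # without an open case is itself something the auditor should see.
            self.audit_log.append({**record, "outcome": "denied"})
            raise PermissionError("a case ID and a justification are required to de-anonymise")
        identity = self._mapping.get(token)
        self.audit_log.append({**record, "outcome": "revealed" if identity else "unknown_token"})
        return identity


if __name__ == "__main__":
    # Constructed alert as a detector would emit it before pseudonymisation.
    raw = {"user": "alice@example.com", "kind": "unusual_data_movement", "severity": "high"}
    safe = pseudonymise_alert(raw)
    vault = IdentityVault(["alice@example.com", "bob@example.com"])
    print("analyst sees:", safe)
    print("revealed for case IR-42:", vault.reveal(safe["user"], "analyst1", "IR-42", "5 GB to USB at 03:00"))
    print("audit trail:", vault.audit_log)
```

The alert pipeline only ever carries the token; the mapping lives behind a single method whose every call, including refusals, lands in the audit log that a privacy officer or works council can review.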
Tag-Teaming Data Protection Efforts
Security professionals know that ripping and replacing a UEBA solution isn’t always the answer to preventing insider threats; there is real value in knowing which user behaviours may be leading indicators of an insider threat incident. Combined with user and file activity monitoring from a dedicated insider threat management solution, UEBA technology delivers more value to the organisation and goes a long way toward reducing overall risk.