(Updated 01/29/2021)
There’s an entire alphabet soup of tools on the market today that claim to help organizations deal with the very real problem of insider threat management.
You have your DLPs and your PAMs, not to mention SIEMs and UAMs and, oh yeah, UBAs… But do all of these tools really work to combat insider threat incidents? And if not, which ones are the real deal?
Let’s break it down by technology and take a look at where the hype ends and reality begins.
Data Loss Prevention (DLP)
We’ve written quite a bit before about the limitations of DLPs when it comes to insider threat management. While these technologies are powerful in theory, they are difficult to set up and even more difficult to wield against insider threats.
What it Is: Data Loss Prevention solutions, or DLPs, are designed to catch data use policy violations and prevent leakage or loss of data from an organization. They require extensive data discovery and classification efforts to find, categorize, and understand sensitive data.
Where it Falls Short: Because of these extensive processes, DLPs are incredibly time-intensive and manual. Many (in fact, most) DLP implementations are never completed or configured correctly, because it is so difficult to resource the project and to keep the classification schemes up to date as data streams in and out of the organization. DLPs don’t hold up well for modern organizations, and they are ineffective at stopping insider threat incidents because they focus on static data classification rather than dynamic user behavior indicators.
However, when paired with an Insider Threat Management platform, there is a greater potential for success.
Privileged Access Management (PAM)
Users need varying amounts of privilege based on their roles and responsibilities within an organization. Controlling who has what type of permissions is a step toward preventing insider threats, but it can’t catch and stop insider threat incidents in progress.
What it Is: Privileged Access Management (PAM) software is purpose-built to control who has access to certain systems or applications. It does this via provisioning and deprovisioning of user identities—using passwords, sessions, and access rights as the limiting factors.
Where it Falls Short: It’s harder than you might think to define privileged users, especially since statuses can change rapidly within an organization.
Often users need an increasing amount of privileged access over time, but it can be difficult to accurately keep track of who needs what and when, which leads to increased risk. Least-privilege access is a good principle to put in place regardless of whether you are using a PAM, but this type of software isn’t behaviorally focused enough to catch insider threat incidents in progress.
User Activity Monitoring (UAM)
User Activity Monitoring tools, also known as UAMs, are a step in the right direction because they do—as you might guess from the name—focus more on user behavior.
However, they are not perfect at stopping insider threats.
What it Is: UAMs monitor what users are doing on endpoints, which helps security teams see how they are interacting with files and folders, what their privileges are, and whether they are granting inappropriate permissions to others. These tools provide more context than DLPs or PAMs.
Where it Falls Short: The biggest problem with UAMs is that they focus solely on endpoints and miss network-level data. This means they can’t catch certain types of insider threats, like DNS tunneling, which shows up in network traffic rather than in endpoint activity. UAMs are also overly reactive, which means that they don’t do much to help you catch insider threat incidents occurring in real time. In today’s fast-paced threat climate, this can mean slow response times and significant (and costly) damage done as a result.
User Behavior Analytics (UBA)
Similar to UAMs, UBAs are focused on user behavior as a means of detecting threats—and that’s the right idea. Unfortunately, they too have some serious limitations.
What It Is: User Behavior Analytics tools employ machine learning to group users and identify outliers who might be causing trouble. They focus on log data from not just endpoints but also networks, hosts, and cloud environments.
Where it Falls Short: As you probably know if you follow the tech industry closely, machine learning and artificial intelligence hold a lot of promise but have not yet delivered on it. Today, the machine learning that undergirds UBAs is not advanced enough to consistently detect and stop insider threats.
Furthermore, UBAs miss the mark because they don’t offer context when an incident occurs, meaning you’ll still have to do quite a bit of manual digging to find out what happened and stop it from happening again.
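To make the contrast between static classification (the DLP section above) and behavioral outlier detection (this section) concrete, here is an added example that is not from the original post or from any vendor’s product: it runs a DLP-style label rule and a UBA-style peer-group volume check over a constructed set of USB-copy events, showing a case the label rule misses and the behavior check catches. The event fields, user names and the 10x-median threshold are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample endpoint events (not real data):
# (user, peer_group, action, file_name, labelled_sensitive, bytes)
EVENTS = [
    ("alice", "eng", "copy_usb", "design.docx", False, 2_000_000),
    ("alice", "eng", "copy_usb", "notes.txt", False, 50_000),
    ("bob",   "eng", "copy_usb", "roadmap.pptx", True, 1_000_000),
    ("carol", "eng", "copy_usb", "todo.txt", False, 20_000),
    ("dave",  "eng", "copy_usb", "backup1.tar", False, 900_000_000),
    ("dave",  "eng", "copy_usb", "backup2.tar", False, 800_000_000),
    ("erin",  "eng", "copy_usb", "misc.zip", False, 30_000),
]

def dlp_alerts(events):
    """Static classification rule: alert on USB copies of files already
    labelled sensitive. Unlabelled data, however large, is invisible to it."""
    hits = {user for user, _, action, _, labelled, _ in events
            if action == "copy_usb" and labelled}
    return sorted(hits)

def uba_alerts(events, multiplier=10):
    """Behavioral peer-group baseline (assumed heuristic, not any product's
    algorithm): total each user's USB-copy volume, then flag users whose
    total exceeds `multiplier` times the median of their peer group."""
    volume = defaultdict(int)
    group_of = {}
    for user, group, action, _, _, size in events:
        if action == "copy_usb":
            volume[user] += size
            group_of[user] = group
    members = defaultdict(list)
    for user, group in group_of.items():
        members[group].append(user)
    flagged = []
    for group, users in members.items():
        baseline = median(volume[u] for u in users)
        flagged.extend(u for u in users if volume[u] > multiplier * baseline)
    return sorted(flagged)

if __name__ == "__main__":
    print("DLP (label-based):", dlp_alerts(EVENTS))    # ['bob']
    print("UBA (peer baseline):", uba_alerts(EVENTS))  # ['dave']
```

Note that the behavioral check reports only the user, not which files went where or why, which is exactly the missing context the paragraph above describes.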
Security Information and Event Management (SIEM)
SIEMs are a broad-brush security tool that can be used for a variety of purposes. They can be helpful for insider threat detection, but they aren’t perfect on their own.
What It Is: If your organization has a security operations center, or SOC, then odds are there is a SIEM at the heart of it. SIEMs are used to ingest and archive logs and can be employed for a wide range of security activities, including potentially insider threat detection.
Where it Falls Short: While SIEMs can detect similar information to UBAs, they require a whole lot more setup and tuning to do so. If there are resources available to set the SIEM up properly, these tools can be really valuable to the organization. However, they do tend to focus more on forensics and less on spotting insider threat incidents in the moment, which can leave teams on the back foot. SIEMs are very powerful security tools, but they aren’t the ideal way to catch and stop insider threat incidents.