The value of User Behavior Analytics (UBA) is without question — it gives you a whole new insight into user activity, which is critical when identifying anomalies and compromised credentials. But it’s very possible that you won’t get the value you should from your UBA project, even if its analytics are top notch. Why? Because you may be missing key pieces of data. If your data doesn’t contain the events that actually indicate an insider attack, that will drastically limit what you can find during your User Behavior Analytics initiative.
Most User Behavior Analytics solutions rely on log files for their data, which are surprisingly inadequate when it comes to capturing information that can actually detect sophisticated insider threats. Despite massive volumes, log files simply don’t capture the right information.
Let’s take a look at an example to show you what we mean. Take, for instance, one of the most common insider threat maneuvers that we see at Dtex: a user stealing a folder of sensitive information through web-based file sharing sites.
Step by step, here’s what our theoretical insider did:
1. The user copied a sensitive folder and pasted it to their desktop.
2. They then zipped it.
3. They encrypted the archive and added a password.
4. They changed the file name and file extension to something seemingly harmless, in this case My Mothers Recipes.pdf.
5. Then they dropped this file into a Dropbox folder — successfully getting it out of the organization.
This is one of the most basic, straightforward types of insider threat cases, and it’s a relatively common one. If your security system can’t even detect something this simple, then you’re in trouble. Unfortunately, log files don’t fare so well here. In the three minutes that it takes to pull off this data theft, the system generated thousands of logs. Even worse, these don’t contain this user’s most critical actions: they don’t show when the file was zipped or when it was encrypted, and they don’t even record when the user renamed the file.
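To make the visibility gap concrete, here is an added example (not Dtex code, and not from the original post) of the kind of detection that becomes possible once an endpoint agent records file-level events with content inspection. The event schema and the sample events are constructed for illustration: each event carries the file's leading bytes, so a password-protected zip renamed to .pdf is still recognisable as an archive, and its arrival in a cloud-sync folder shortly after the same user created an archive raises an alert.

```python
"""Detect the copy -> zip -> encrypt -> rename -> cloud-sync chain from endpoint file events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical agent schema, not real telemetry):
# (timestamp, user, action, path, leading bytes of the file or None).
EVENTS = [
    ("2024-01-10T09:00:05", "jdoe", "copy", "C:/Users/jdoe/Desktop/Q3_Financials", None),
    ("2024-01-10T09:00:40", "jdoe", "create", "C:/Users/jdoe/Desktop/Q3_Financials.zip", b"PK\x03\x04"),
    # Password-protecting a zip does not change its header, so the bytes still say "archive".
    ("2024-01-10T09:01:30", "jdoe", "rename", "C:/Users/jdoe/Desktop/My Mothers Recipes.pdf", b"PK\x03\x04"),
    ("2024-01-10T09:02:50", "jdoe", "create", "C:/Users/jdoe/Dropbox/My Mothers Recipes.pdf", b"PK\x03\x04"),
    ("2024-01-10T10:15:00", "asmith", "create", "C:/Users/asmith/Dropbox/report.pdf", b"%PDF-1.7"),
]

SYNC_DIRS = ("/Dropbox/", "/OneDrive/", "/Google Drive/")   # cloud-sync folders of interest
ZIP_MAGIC = b"PK\x03\x04"
EXPECTED_MAGIC = {".pdf": b"%PDF", ".zip": ZIP_MAGIC}       # what the extension claims


def content_mismatch(path, magic):
    """True when the extension claims one format but the leading bytes say another."""
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = EXPECTED_MAGIC.get(ext)
    return magic is not None and expected is not None and not magic.startswith(expected)


def detect_exfil_chains(events, window=timedelta(minutes=5)):
    """Return (user, path) for each disguised archive that lands in a sync folder
    within `window` of the same user creating a new archive outside a sync folder.
    Events are assumed to be in chronological order."""
    recent_archives = defaultdict(list)   # user -> timestamps of newly created archives
    alerts = []
    for ts, user, action, path, magic in events:
        t = datetime.fromisoformat(ts)
        in_sync = any(d in path for d in SYNC_DIRS)
        if action == "create" and magic == ZIP_MAGIC and not in_sync:
            recent_archives[user].append(t)          # stage: a new archive appeared
        if action == "create" and in_sync and content_mismatch(path, magic):
            if any(t - a <= window for a in recent_archives[user]):
                alerts.append((user, path))          # stage: disguised archive reached the cloud
    return alerts


if __name__ == "__main__":
    for user, path in detect_exfil_chains(EVENTS):
        print(f"ALERT: {user} moved a disguised archive to {path}")
```

A real deployment would key the window on the user's session and add the rename event itself as a signal; the point here is that none of these stages is visible from conventional log files.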
When you’re fighting the insider threat, it’s just not enough to have great analytics alone. You don’t have enough ingredients to get true visibility, or to be able to pull out critical context from all of the noise.
So, What Can You Do?
When evaluating UBA solutions, take a risk-based approach to your success criteria. Some UBA solutions offer best-in-class data analysis capabilities, but they’re only as good as the data they’re fed. If your goal is to improve your control over insider threat and data exfiltration, you will need an additional, dedicated visibility solution that puts the emphasis on seeing the most important events in your organization (like Dtex does). End-user visibility solutions catch what log files and network monitoring miss — which means that they would catch the scenario above, and many more. Then, you can feed this information into your User Behavior Analytics to get the best of both worlds: top-notch visibility with top-notch analytics.