Insider threats are, and have been, a growing issue — the Ponemon Institute has reported on this trend extensively. However, there’s still a great deal of misunderstanding and misinformation in the market about what actually constitutes an insider threat and how to navigate it.
There are many tools on the market today, including user and entity behavior analytics (UEBA) tools, that aim to “solve” insider threat problems in different ways. Yet UEBA tools can’t solve many problems related to accurate alerting on relevant, risky user behavior, especially in the context of insider threat management (ITM) solutions.
In this blog post, we’ll explain why UEBA security, while suited for some purposes, is not a panacea for ITM — and where its limitations arise.
Understanding UEBA vs. purpose-built ITM tools
At face value, it can be easy to confuse UEBA security tools with ITM platforms and tools because both focus on risky user behavior. But there are two primary differences between UEBA and ITM:
- UEBA tools aren’t developed to manage the lifecycle of insider threats from detection through investigation to user education and protection.
- Managing UEBA tools effectively requires significant resources—and it can be a full-time job.
What is UEBA and how does it work?
UEBA tools, also referred to as UBA tools, are security software that analyzes user behavior. These tools apply advanced analytics, including artificial intelligence (AI), algorithms and risk scoring, to detect anomalies in user behavior that may indicate security risks or incidents. UEBA tools can also monitor the behavior of devices within the network, such as routers, servers and Internet of Things (IoT) devices; the “E” in UEBA refers to these various “entities.”
UEBA is particularly useful in detecting unknown threats—or those that use new methods and creative approaches not seen before. However, the well-worn and well-known paths to data exfiltration, privilege abuse, and application and system misuse are still so common that companies must continue to concentrate on those areas.
The 80/20 rule applies here: At least 80% of threats use common exfiltration patterns (think USB sticks, print jobs, email and cloud storage) and well-understood attack lifecycles. Only the most advanced organizations have enough time and resources to focus on the 20% of “unknown” threats that may or may not come their way.
In fact, to make UEBA work for your organization, you’ll need:
- Data engineers to integrate data from endpoint, network, cloud and user-focused technologies
- Data scientists to train and optimize the data science models
- Security operations (SOC) analysts trained and often solely dedicated to triaging detected anomalies
- Incident response (IR) teams to analyze logs manually from various sources feeding the UEBA
- Significant time and resources to correlate evidence and build contextual cases in the event of an insider threat incident
Clearly, UEBA is most appropriate for organizations with sizable security teams and significant financial resources set aside to store and analyze the massive amounts of data it produces. If your organization has all the above, it may be possible to realize the value promised by UEBA.
But the reality is that very few organizations meet these criteria. And, on top of that, UEBA can’t provide critical context around an insider threat event. This is where ITM platforms and tools come into play to help organizations solve the challenges associated with insider threats.
ITM provides critical context
Context is critical in ITM. Often, the difference between “right” and “wrong” when it comes to data exfiltration is situational. In other words, insider threat analysts need to have complete and easily understandable context at their fingertips to respond quickly and appropriately to threats.
Traditionally, organizations have relied on source logs to gain insight into an event, but source logs rarely provide enough insight into what happened, where, when, why or how. These logs won’t tell you if the event was accidental or malicious—or help you build a case for response. And on top of that, source logs require time-intensive manual work to comb through and correlate.
In fact, organizations that use UEBA tools gain a constant stream of detected anomalies, requiring analysts to sift through logs and uncover the context around the alerts. That adds to alert fatigue and data overload for security teams.
But with an ITM platform, analysts only need to triage more granular alerts with easy-to-understand context that’s readily available.
The reality is this: The faster you can identify meaningful insider threat alerts, analyze what happened and respond (whether via policy reminders, investigations or notifications), the less risk your organization faces.
The longer an incident lingers, the costlier it gets. In fact, according to a recent Ponemon study, the average incident takes 77 days to contain, which is far too long. Ponemon found that incidents that took more than 90 days to contain cost organizations an average of $13.71 million on an annualized basis.
In addition to limited context, UEBA security tools don’t solve the time problem with insider threats. Proofpoint ITM, on the other hand, is better suited to help organizations respond more effectively and swiftly to insider threat scenarios because it’s literally built to mitigate the insider threat problem.
The limitations of AI and UEBA: real-world examples
AI has its place in a sophisticated, modern security organization and can prove particularly useful in specialized cases. But for ITM programs, AI falls short. AI platforms still require a lot of hands-on, human effort in algorithm training to sort signal from noise and understand what a UEBA is really saying. And, as noted earlier, gathering context quickly is critical to an effective ITM program.
Consider this real-world example: A midsize private equity firm and Proofpoint customer had two of its security analysts stand up the UEBA solution as the first step in building an ITM program. While the firm started out with high hopes for the tool, it only managed to integrate the underlying security logs and set up three models after the first year. This took a good deal of effort. Yet, afterward, a security audit found gaping holes in the firm’s ability to detect anomalous user behavior that could indicate threats.
The private equity firm’s security analysts found that they had to rely on other security tools to detect basic threats. Even when they identified real incidents, they needed to correlate information manually to build a case and respond. The chief information security officer (CISO) of this organization quickly realized that the UEBA was costing the firm a good deal of money, especially as more and more data was ingested and stored—but the solution was also providing insufficient value.
Other customers we’ve spoken with revealed that, for the first month of working from home during the COVID-19 pandemic, they were unable to rely on their UEBAs because people’s work patterns changed so dramatically in such a short period. Suddenly, working outside normal hours, using a mix of personal and work machines, relying on cloud storage and VDI, and other activities that might normally indicate potential threats, were just part of how work was getting done.
Too many false positives cropped up, and the models and training data for UEBA tools took too long to adapt, falling short as the world was changing so fast. Many of our customers echoed this sentiment when it became critical to secure remote workers. Proofpoint ITM was able to make sense of the data and provide them with clear and real-time context when red flags and incidents cropped up.
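The false-positive problem described above, as an added illustration that is not code from this post or from any product: a per-user hour-of-day baseline (a deliberately simple stand-in for a UEBA model) is trained on office-era activity and scored against a remote-work week, next to a rule for the known exfiltration channels the post lists. All events, thresholds and function names are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Exfiltration channels the post names as the common cases.
KNOWN_CHANNELS = {"usb", "print", "email", "cloud_storage"}

# Constructed sample events: (user, hour_of_day, channel or None, megabytes moved).
OFFICE_BASELINE = (
    [("alice", h, None, 0) for h in (9, 9, 10, 8, 9, 10, 9, 8)]
    + [("bob", h, None, 0) for h in (8, 9, 8, 9, 10, 9, 8, 9)]
)
REMOTE_WEEK = [
    ("alice", 21, None, 0),
    ("alice", 6, None, 0),
    ("alice", 22, "cloud_storage", 2),   # small routine sync
    ("bob", 23, None, 0),
    ("bob", 22, "usb", 900),             # bulk copy to removable media
    ("bob", 20, None, 0),
]


def train_hour_baseline(events):
    """Per-user mean and standard deviation of activity hour."""
    hours = defaultdict(list)
    for user, hour, _, _ in events:
        hours[user].append(hour)
    return {u: (mean(h), pstdev(h) or 1.0) for u, h in hours.items()}


def anomaly_alerts(events, baseline, z_threshold=3.0):
    """Flag any event whose hour deviates strongly from the user's baseline."""
    alerts = []
    for event in events:
        mu, sigma = baseline[event[0]]
        if abs(event[1] - mu) / sigma > z_threshold:
            alerts.append(event)
    return alerts


def channel_alerts(events, min_mb=100):
    """Flag bulk transfers over a known exfiltration channel, whatever the hour."""
    return [e for e in events if e[2] in KNOWN_CHANNELS and e[3] >= min_mb]


if __name__ == "__main__":
    baseline = train_hour_baseline(OFFICE_BASELINE)
    print("anomaly alerts:", len(anomaly_alerts(REMOTE_WEEK, baseline)))
    print("channel alerts:", channel_alerts(REMOTE_WEEK))
```

Every event in the remote week trips the stale baseline, while only the bulk USB copy matches the channel rule; the anomaly alerts carry no indication of which one involved data movement.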
Key pillars of effective ITM: visibility, clarity and efficiency
Successful ITM requires rapid detection of incidents, accelerated incident response and efficiency. A purpose-built ITM platform is the best path to insider risk management for most companies.
Unlike UEBA, an ITM platform is easy to set up and provides quick time to value (TTV). There’s no need to train models or build complex anomaly detection rules. Instead, the purpose-built ITM platform offers real-time detection of real threats with low false positive rates, alongside granular and trustworthy visibility into all user activity (anonymized to preserve privacy).
With Proofpoint ITM, you have the visibility, clarity and efficiency to detect, investigate and respond to insider threats before it’s too late—something you’ll be hard-pressed to do with a UEBA alone.
Implementing a dedicated ITM platform can reduce the risk of leaked and stolen data. Read the Proofpoint e-book, Anatomy of an Insider Threat Investigation, to learn more about the limits of ad-hoc insider threat investigations—and why context and response speed make all the difference in mitigating insider threats effectively.