

Why User Behavior Analytics is not a Silver Bullet for Insider Threat


User behavior analytics (UBA) has become ubiquitous in the field of insider threat and nearly synonymous with the practice of insider threat monitoring. In fact, UBA tools are widely perceived as the only answer to an effective insider threat program (ITP) and, by extension, your ITP cannot be complete without one. This perception, however, is incorrect.

Put simply, UBA tools employ data science to collate user activity from across an enterprise’s disparate datasets to assess and predict users’ relative risk to that enterprise. A UBA tool might tell you, for instance, that an employee logged into the company network on a Sunday and never had before, or that the employee’s usage of certain keywords in their email communications suggested they were likely disgruntled and therefore posed an increased risk.

But does this mean an insider attack from the employee is imminent? Not necessarily. Though moderately interesting, these types of details comprise a relatively small part of a user’s overall risk profile. In order to accurately estimate how risky a user actually is, there’s much more you still need to learn about them. Indeed, this is why estimating and detecting an insider threat requires far more than UBA. Just as a stool without three solid legs will likely topple over, an ITP without the following three components will likely fail:

ITP Tools include UBA and similar automated components designed to identify users’ noteworthy patterns and activities. The output of such tools helps shape the direction of the ITP’s investigative efforts, but, as mentioned previously, alone they can neither predict nor detect an insider threat.

An investigative function scrutinizes and synthesizes the output of ITP tools and other relevant findings to determine their significance and the extent to which they might indicate a potential insider threat. When the result of an investigative effort suggests that an insider attack could be imminent, this function works with the programmatic function—and in many cases also with relevant stakeholders from other departments—to verify and attribute the threat.

A programmatic function specifies the direction, resources, and priorities of an ITP and ensures that its tools and investigations are well documented, repeatable, consistent, and follow the appropriate processes and protocol. The program also addresses any compliance, legal, and privacy issues that arise during an ITP investigation.

One of the primary challenges posed by this ITP framework is that it warrants a different approach than the information security community’s traditional defense-in-depth methodology. Rather than layering multiple defensive measures on a specific issue, ITP practitioners need to think about defense in breadth—particularly when it comes to ITP tools such as UBA. In this case, are the tools capturing a broad enough range of indicators to provide the full picture of a user’s behavior? Is there a comprehensive understanding of whether a particular user may be trying to do harm? Such tools may extend your capabilities, but in many cases, they simply reveal information you already know. And when the data analyzed by an ITP tool is insufficient, the entire ITP becomes less accurate and less effective — similar to a three-legged stool with a wobbly leg.

However, regardless of how sophisticated your ITP is, if your company isn’t upholding the fundamentals of information security, your ITP doesn’t really matter. Many of the large-scale data breaches disclosed in recent years illustrate this, even though most of them were not related to insider activity: often the root cause was as simple as patches not being deployed or users not being properly trained in security awareness. Whether an insider was involved is beside the point. If a company’s security controls cannot detect a user exfiltrating sensitive data onto a flash drive, for example, it doesn’t matter that a UBA tool revealed that the user logged in to the company’s network at 2 a.m.
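To make the preceding argument concrete, here is an added example (not code from the original post or from any vendor's UBA product) of the two halves working together: a minimal UBA-style baseline that flags a novel login pattern, and a correlation step that only raises the finding when a separate control, here a hypothetical removable-media write log, actually sees sensitive data leaving. All log lines, user names, file names and the "sensitive" label are constructed for the example; the six-hour correlation window is an arbitrary assumption.

```python
"""Added example, not from the original post: a minimal UBA-style baseline
plus correlation with a second (hypothetical) control, the removable-media
write log. Shows that a 2 a.m. Sunday login alone rates 'low', and only the
exfiltration control can raise it to 'high'."""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_history():
    """Constructed history: four weeks of weekday, office-hours logins for
    two users, generated in code to keep the sample short."""
    lines = []
    start = datetime(2023, 3, 6)  # a Monday
    for i in range(28):
        d = start + timedelta(days=i)
        if d.weekday() < 5:  # Mon-Fri only
            lines.append(f"alice,{(d + timedelta(hours=9, minutes=5)).isoformat()}")
            lines.append(f"bob,{(d + timedelta(hours=8, minutes=40)).isoformat()}")
    return lines


# Constructed new events to evaluate: 2023-04-02 is a Sunday.
NEW_AUTH = [
    "alice,2023-04-02T02:10:00",  # novel weekday and novel hour
    "bob,2023-04-03T08:45:00",    # Monday, within baseline
]
# Constructed removable-media write log: user, time, file, data label.
USB_LOG = [
    "alice,2023-04-02T02:35:12,customer_export.xlsx,sensitive",
    "bob,2023-04-03T10:12:00,team_offsite.pptx,internal",
]


def parse_auth(lines):
    return [(u, datetime.fromisoformat(ts)) for u, ts in (l.split(",") for l in lines)]


def parse_usb(lines):
    out = []
    for line in lines:
        user, ts, path, label = line.split(",")
        out.append((user, datetime.fromisoformat(ts), path, label))
    return out


def build_baseline(history):
    """Per-user sets of weekdays and hours in which logins were observed."""
    baseline = defaultdict(lambda: {"weekdays": set(), "hours": set()})
    for user, ts in history:
        baseline[user]["weekdays"].add(ts.weekday())
        baseline[user]["hours"].add(ts.hour)
    return baseline


def login_indicators(baseline, user, ts):
    """The UBA half: name what is novel about this login for this user."""
    b = baseline.get(user)
    if b is None:
        return ["no_baseline"]
    ind = []
    if ts.weekday() not in b["weekdays"]:
        ind.append("novel_weekday")
    if ts.hour not in b["hours"]:
        ind.append("novel_hour")
    return ind


def assess(baseline, new_auth, usb_events, window=timedelta(hours=6)):
    """Correlate each new login with sensitive removable-media writes by the
    same user inside `window`. A novel login on its own is 'low'; the
    exfiltration control is what makes a finding 'high'."""
    findings = {}
    for user, ts in new_auth:
        ind = login_indicators(baseline, user, ts)
        for u, uts, path, label in usb_events:
            if u == user and label == "sensitive" and ts <= uts <= ts + window:
                ind.append(f"sensitive_usb_write:{path}")
        if any(i.startswith("sensitive_usb_write") for i in ind):
            level = "high"
        elif ind:
            level = "low"  # interesting pattern, not evidence of an attack
        else:
            level = "none"
        findings[user] = {"indicators": ind, "level": level}
    return findings


def run(usb_lines=USB_LOG):
    baseline = build_baseline(parse_auth(_constructed_history()))
    return assess(baseline, parse_auth(NEW_AUTH), parse_usb(usb_lines))


if __name__ == "__main__":
    for user, f in run().items():
        print(user, f["level"], f["indicators"])
    # Same 2 a.m. login with no removable-media control feeding the ITP:
    # the finding never rises above 'low', whatever the UBA tool says.
    print(run(usb_lines=[]))
```

Running it with the removable-media log present scores alice's Sunday 02:10 login "high" because a sensitive file was written to removable media 25 minutes later; running it with that log empty leaves the identical login at "low". The UBA indicators did not change between the two runs, only the breadth of controls feeding the correlation did.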

Above all else, it’s crucial to remember that predicting and detecting an insider threat requires far more than just one tool, technique, or dataset. As with most security-related issues, there is no silver bullet for insider threat.


About the author: Walter Cook


Walter Cook serves as a Senior Associate, Flashpoint Intelligence Academy. He spends his time creating and delivering training workshops and supporting content designed to help client companies get the most out of BRI and from their intelligence teams. Previously, Walter served as a Principal Advisor, Insider Threat, specializing in insider threat mitigation and primarily working with customers to initiate, develop, and enhance their insider threat programs. Prior to Flashpoint, he spent 16 years at American Express, where he was a founding member of the Amex Insider Threat Program and Data Breach Management teams. Walter brings a wide array of analytical and problem-solving tools to Flashpoint and holds a bachelor of science degree in chemistry from the University of Arizona.

About the author: Tim Condello


As the Business Operations Lead at Flashpoint, Tim Condello is responsible for analyzing, developing, and optimizing the integrative workflows and systems on which the company’s employees, customers, and partners rely. Prior to Flashpoint, Tim spent more than a decade honing his security analytics and leadership skills at various top-tier corporate and government organizations including RedOwl Analytics, where he worked with information security and regulatory surveillance teams to mitigate insider threats; BNY Mellon, where he was a Vice President of Cyber Threat Intelligence; and the United States Marine Corps, where he established the first Law Enforcement Battalion Intelligence section, worked with outside federal agencies to gather workflows and tie in databases to be shared across the law enforcement community, and spearheaded numerous other security- and intelligence-related initiatives in support of the Law Enforcement Battalion’s domestic and international missions. Tim holds a bachelor of arts degree in sociology from St. Bonaventure University, as well as a master of science degree in cybersecurity from the University of Maryland University College.