Why User Behavior Analytics is not a Silver Bullet for Insider Threat
User behavior analytics (UBA) has become ubiquitous in the field of insider threat and nearly synonymous with the practice of insider threat monitoring. In fact, UBA tools are widely perceived as the only answer to an effective insider threat program (ITP) and, by extension, an ITP is assumed to be incomplete without one. This perception, however, is incorrect.
Put simply, UBA tools employ data science to collate user activity from across an enterprise’s disparate datasets to assess and predict users’ relative risk to that enterprise. A UBA tool might tell you, for instance, that an employee logged into the company network on a Sunday and never had before, or that the employee’s usage of certain keywords in their email communications suggested they were likely disgruntled and therefore posed an increased risk.
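As an added illustration that is not part of the original post, this is the kind of per-user baseline check a UBA tool applies to produce the "first Sunday login" indicator described above, run over a constructed login log; the event format, user names and the business-hours window are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login events (timestamp,user,result); not taken from the post.
LOGIN_LOG = """\
2023-03-06T08:55:00,asmith,success
2023-03-07T09:02:00,asmith,success
2023-03-08T08:47:00,asmith,success
2023-03-09T09:10:00,asmith,success
2023-03-10T08:58:00,asmith,success
2023-03-13T09:01:00,asmith,success
2023-03-19T02:04:00,asmith,success
2023-03-05T14:20:00,bjones,success
2023-03-12T15:05:00,bjones,success
2023-03-19T13:40:00,bjones,success
"""

# Events before this point establish each user's baseline; later events are scored.
BASELINE_END = datetime(2023, 3, 15)


def facets(ts):
    """Coarse behavioural facets of one login: weekday and business/off hours (assumed 07:00-19:00)."""
    hours = "business" if 7 <= ts.hour < 19 else "off-hours"
    return {"weekday:" + ts.strftime("%A"), "hours:" + hours}


def parse(log):
    for line in log.splitlines():
        ts, user, result = line.split(",")
        if result == "success":
            yield datetime.fromisoformat(ts), user


def first_time_indicators(log):
    """One indicator per scored login whose facets that user never showed during the baseline window."""
    events = list(parse(log))
    baseline = defaultdict(set)
    for ts, user in events:
        if ts < BASELINE_END:
            baseline[user] |= facets(ts)
    indicators = []
    for ts, user in events:
        # Novelty is relative to the user's own history: a Sunday login is routine
        # for bjones (Sundays are in the baseline) but new for asmith.
        novel = sorted(facets(ts) - baseline[user])
        if ts >= BASELINE_END and novel:
            indicators.append({"user": user, "time": ts.isoformat(), "novel": novel})
    return indicators
```

The single hit for asmith is exactly the sort of detail the post describes: an anomaly against that user's own history, not evidence that an attack is under way.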
But does this mean an insider attack from the employee is imminent? Not necessarily. Though moderately interesting, these types of details comprise a relatively small part of a user’s overall risk profile. In order to accurately estimate how risky a user actually is, there’s much more you still need to learn about them. Indeed, this is why estimating and detecting an insider threat requires far more than UBA. Just as a stool without three solid legs will likely topple over, an ITP without the following three components will likely fail:
• ITP Tools include UBA and similar automated components designed to identify users’ noteworthy patterns and activities. The output of such tools helps shape the direction of the ITP’s investigative efforts, but, as mentioned previously, alone they can neither predict nor detect an insider threat.
• An investigative function scrutinizes and synthesizes the output of ITP tools and other relevant findings to determine their significance and the extent to which they might indicate a potential insider threat. When the result of an investigative effort suggests that an insider attack could be imminent, this function works with the programmatic function—and in many cases also with relevant stakeholders from other departments—to verify and attribute the threat.
• A programmatic function specifies the direction, resources, and priorities of an ITP and ensures that its tools and investigations are well documented, repeatable, consistent, and follow the appropriate processes and protocol. The program also addresses any compliance, legal, and privacy issues that arise during an ITP investigation.
One of the primary challenges posed by this ITP framework is that it warrants a different approach than the information security community’s traditional defense-in-depth methodology. Rather than layering multiple defensive measures on a specific issue, ITP practitioners need to think about defense in breadth—particularly when it comes to ITP tools such as UBA. In this case, are the tools capturing a broad enough range of indicators to provide the full picture of a user’s behavior? Is there a comprehensive understanding of whether a particular user may be trying to do harm? Such tools may extend your capabilities, but in many cases, they simply reveal information you already know. And when the data analyzed by an ITP tool is insufficient, the entire ITP becomes less accurate and less effective—similar to a three-legged stool with a wobbly leg.
However, regardless of how sophisticated your ITP is, if your company isn’t upholding the fundamentals of information security, your ITP doesn’t really matter. Many of the large-scale data breaches disclosed in recent years illustrate this, even though most of them were not related to insider activity. Often the root cause of these breaches was as simple as not having patches deployed or users properly educated on security awareness. But that distinction is beside the point. If a company’s security controls are unable to detect a user exfiltrating sensitive data onto a flash drive, for example, it doesn’t matter that a UBA tool revealed that a user logged in to the company’s network at 2 a.m.
Above all else, it’s crucial to remember that predicting and detecting an insider threat requires far more than just one tool, technique, or dataset. As with most security-related issues, there is no silver bullet for insider threat.
Flashpoint Analyst Team
The Flashpoint analyst team is composed of subject-matter experts with tradecraft skills honed through years of operating in the most austere online environments, training in elite government and corporate environments, and building and leading intelligence programs across all sectors. Our team covers more than 20 languages including Arabic, Mandarin, Farsi, Turkish, Kazakh, Spanish, French, German, Russian, Ukrainian, Italian, and Portuguese.