Posted in Insider Threat Management

User and Entity Behavior Analytics Tools: Why They Fall Short for Insider Threat Management

Reading Time: 5 minutes

TL;DR: While UEBA can be a powerful tool, it often falls short for insider threat management and decreasing insider threat risk. In this blog, we explain why this is the case.

Insider threats are a major issue today, as Ponemon has reported on in detail. However, there is still a lot of misunderstanding and misinformation in the market regarding what insider threats are comprised of (just subversive elements that need to be rooted out? Think again!) and how to deal with them.

There are many tools on the market today—including UEBA—that purport to “solve” insider threat problems in different ways. Without actually implementing a heavy and complicated tool like UEBA, it can be alluring to buy into the hype that AI and machine learning will solve all of your insider risks.

In this blog post, we’ll explain why UEBA security —while suited for some purposes—is not a panacea for ITM, and where its limitations arise. Critically, UEBAs cannot solve many of the problems related to accurate alerting on relevant, risky user behavior, especially in the context of insider threat management. Let’s take a deeper look at why this is true.

User and Entity Behavior Analytics vs. Purpose-Built Insider Threat Management Tools

User and Entity Behavior Analytics (UEBA), or sometimes just UBA, are security software tools that analyze user behavior. These tools apply advanced analytics (including machine learning and artificial intelligence algorithms) to detect anomalies in user behavior that may indicate security risks or incidents. The “E” in UEBA is often included to indicate these tools are intended to also monitor the behavior of devices like routers, servers, and IOT.

UEBA security tools are often seen as competitive with ITM platforms and tools. While the two categories can be confused with each other because both are concerned with risky user behavior, UEBA are not developed to manage the lifecycle of the insider threats from detection through investigation to user education and protection. Moreover, for most organizations, the management of UEBA security becomes a part time job, taking away from the original insider threat problem.

So when is UEBA useful? UEBA is most appropriate for organizations with sizable security teams and significant financial resources set aside to store and analyze the massive amounts of data it produces.

To make UEBA work for your organization, you’ll need:

  • Data engineers to integrate data from endpoint, network, cloud, and user-focused technologies together
  • Data scientists to train and optimize the data science models
  • Security operations (SOC) analysts trained and often solely dedicated to triaging detected anomalies
  • Incident response (IR) teams to manually analyze logs from various sources feeding the UEBA
  • Significant time and resources to correlate evidence and build contextual cases in the event of an insider threat incident

If your organization has all the above in spades, it may be possible to realize the value promised by UEBA. However, given the drastic security talent shortage, very few organizations meet these criteria.

That said, UEBA, to its credit, is particularly useful to detect “unknown” threats—those that use new methods and creative approaches not yet seen before. However, the reality is that, if you have limited resources (and almost every organization does), this isn’t the best place to focus risk management efforts.

The well-worn and well-known paths to data exfiltration, privilege abuse, and application/system misuse are still so common that companies must concentrate there. The 80/20 rule very much applies here: At least 80% of threats use common exfiltration patterns (think: USB sticks, print jobs, email, and cloud storage) and well-understood attack lifecycles. Only the most advanced organizations have enough resources and time to also focus on the 20% of “unknown” threats that may or may not come their way.

User and Entity Behavior Analytics Can’t Provide Critical Context

Context is critical in insider threat management. In other words, when something fishy takes place, source logs rarely provide enough insight into what happened, where, when, why, or how. They won’t tell you if it was accidental or malicious or help you build a case for response. And they are time-consuming and manual to comb through and correlate.

Often the difference between “right and wrong” when it comes to data exfiltration is situational. In other words, insider threat analysts need to have complete and easily understandable context at their fingertips to respond quickly and appropriately. The power of UEBA constant stream of detected anomalies is also a weakness here as analysts have to sift through logs and uncover the context around the alerts. If not, security teams are adding to their alert fatigue and data overload. They need an ITM platform so that analysts only triage more granular alerts with easy to understand context immediately at hand.

The faster you can identify meaningful insider threat alerts, analyze what happened, and respond (whether via policy reminders, investigations or notifications), the less risk your organization faces. The ​longer an incident lingers, the costlier it gets​, according to Ponemon’s 2020 Cost of Insider Threats Global Report. The average incident takes 77 days to contain, which is far too long. Incidents that took more than 90 days to contain cost organizations an average of $13.71 million on an annualized basis. UEBA security does not solve the time problem when it comes to insider threats.

The Limitations of Artificial Intelligence and UEBA: Real-World Examples

While the media often portrays it as such, the artificial intelligence that powers UEBA is not a silver bullet. At this point in time, there is still a lot of hands-on, human effort involved in algorithm training, sorting signal from noise, and understanding what a UEBA is really saying. Artificial intelligence has its place in a sophisticated, modern security organization. However, it is more useful in specialized cases than it has proven to be for insider threat management programs today.

One customer of ours, a mid-sized private equity firm, had two of their security analysts stand up the UEBA solution as the first step in building an ITM program. While they started out with high hopes for the tool, after one year, they’d only managed to integrate the underlying security logs and set up three models. This took a good deal of effort—yet, afterward, a security audit found gaping holes in the organization’s ability to detect anomalous user behavior that could indicate threats.

The security analysts found that they were forced to rely on other security tools to detect basic threats. Even when they found real incidents, they had to manually correlate information to build a case and respond. The CISO of this organization quickly realized that the UEBA was costing them a good deal of money, especially as more and more data was ingested and stored, yet providing insufficient value.

Other customers we have spoken with revealed that, for the first month of working from home during the COVID-19 pandemic, they were unable to rely on their UEBAs because people’s work patterns changed so dramatically in such a short period of time. Suddenly, working outside normal hours, using a mix of personal and work machines, relying on cloud storage and VDIs, and other activities that might normally indicate potential threats, were just part of how work was getting done.

Too many false positives cropped up, and the models and training data for UEBA took too long to adapt, falling short at a time when the real-world was changing so fast. Many of our customers echoed this sentiment during a time when it became critical to secure remote workers. ObserveIT ITM was able to make sense of the data and provide them with clear and real-time context when red flags and incidents cropped up. 

Key Pillars: Visibility, Clarity, and Efficiency

A purpose-built ITM platform is the best path to insider risk management for most companies. This is because, unlike UEBA, an ITM platform like ObserveIT is easy to set up and provides quick time to value. There is no need to train models or build complex anomaly detection rules. Instead, the purpose-built ITM platform offers real-time detection of real threats with low false positive rates, alongside granular and trustworthy visibility into all user activity (anonymized to preserve privacy).

Successful insider threat management requires rapid detection of incidents, accelerated incident response, and efficiency. With ObserveIT ITM, you have the visibility, clarity, and efficiency to detect, investigate, and respond to insider threats before it’s too late—something you’ll be hard pressed to do with a UEBA alone.

To learn more about the comparison between insider threat management and user entity behavior analytics read our latest solution brief.

Download a copy here.