By David Sanders
A common question among companies seeking to mitigate the risk of an insider attack is: “What tools should we buy for our mitigation program to be successful?”
Our view is that every effective insider threat program must have two tools. One is a user activity monitoring (UAM) system and the second is artificial intelligence-based analytics software.
It’s important to understand that these tools perform distinctly different functions, and that no single technology will meet the breadth of requirements that UAM and AI analytics do when combined.
UAM is a structured, consistent and continuous collection and reporting process across the whole of an organization at the device level. It helps users identify, assess, decide on responses to and act on specific analysis of employee behaviors.
The purpose of UAM is to gather detailed and substantive activity information (e.g., screen captures, text content, keystrokes, etc.) in the digital realm that may be indicative of an insider threat. UAM tools gather a level of detail not available from other tools, including data loss prevention (DLP), security information and event management (SIEM) and user and entity behavioral analytics (UEBA).
Some UAM tool vendors are adding dashboards and scoring to help focus analytical attention on users generating the most severe and frequent alerts. This is a helpful and positive development within the context of user activity on networks and devices, but it fails to include other data sources not generated by the UAM tool. It is important to remember that UAM systems provide only a limited digital view of the user, which precludes a broader understanding of the user’s full range of activities and behaviors.
Therefore, insider threat programs need to integrate data from across the organization into a separate tool that can perform advanced analytics, with the goal of creating a continuous, comprehensive and accurate assessment of insider behaviors to determine if a trusted individual has conducted or is likely to conduct acts of concern.
The analytical tool must be able to make sense of an abundance of data from technical (i.e., digital) and non-technical sources, and then transform the results into actionable risk intelligence for purposes of detection, risk prioritization and response.
Technical data includes voluminous raw feeds from DLP, web proxies, access management systems, UAM, printers, scanners, email and firewalls. Non-technical data includes information about the individual from multiple departments within the organization, including:
- Human Resources (e.g., role, location, performance, incidents, status, leave patterns, projects, objectives, training records);
- Finance and Accounting (credit card activity, travel and expense records); and
- Security (badging activity, incidents, special access).
Prior to the advent of structured insider risk/threat programs, this broader non-technical data set was rarely integrated and analyzed. That said, there are some tools that were built specifically to conduct this type of multi-source analysis.
Within the CIO or CISO departments, SIEM and UEBA (now known as SIEM 2.0) are used predominantly for this purpose. Without question, the strengths of these two classes of tools are their ability to connect to multiple data sources (i.e., ingest, format, correlate and process data); search and report; and apply advanced analytical processes (e.g., rules, machine learning and other artificial intelligence techniques) to generate alerts.
However, SIEM/UEBA tools are not good at generating actionable risk scores, which are vital to identifying insider threats in a proactive, even predictive, manner. There are several reasons for this:
- Scoring is simplistic – adding scores together, sometimes applying a multiplier or adding a very large value when a specific high-threat event occurs to move users to the top of the scoring list;
- The tools do not effectively score non-technical behaviors, but rather create watch lists with the information; and
- Scoring models are not built specifically for the insider threat domain, but rather relate to specific use cases such as data exfiltration and attempted unauthorized access, which can often be ‘explained away’ as a product of non-malicious and non-negligent activity.
With UAM and SIEM/UEBA tools, then, organizations have abundant alerts but lack an effective scoring capability to identify insiders whose behaviors indicate that they have conducted or are likely to conduct acts of concern.
So what is the best analytical tool to make sense of the volumes of alerts and behavioral indicators that can be found buried in all that technical and non-technical data? At Haystax, we believe in the power of a probabilistic model known as a Bayesian Inference Network, or BayesNet.
BayesNets are a place to capture the knowledge and insights of domain experts and then apply data as evidence to support this or that belief. They are ideally suited to situations where the problems are complex and don’t lend themselves to black-or-white binary answers, and where the data is sparse, noisy or even non-existent.
The Bayesian model at the core of our Insider Threat Mitigation Suite was purpose-built to assess the probability that a user’s behaviors indicate potential or actual insider risk. The model is the single environment where all of the technical and non-technical data and alerts generated from UAM and SIEM/UEBA systems can be applied and effectively evaluated, which is why we call it a ‘whole-person’ model. If a customer does not have a SIEM/UEBA system already in place, the Haystax Insider Threat Mitigation Suite can fulfill many of the data integration and analysis functions in its place.
The screen image above represents a portion of the Haystax whole-person insider threat model. Ingested and processed data can be applied to any model node. The impact of each new piece of evidence is determined by the strength and frequency of the event and probability attributes of how one node in the model affects another.
These nodes and their probabilities were developed with input from experts in the fields of behavioral psychology, security, counterintelligence, human resources, investigations and analytics. The result is a detailed yet understandable model that continuously assesses the probability that an insider has committed an adverse act or has exhibited concerning behaviors, and then produces a risk score on a dashboard in the Haystax user interface that allows decision-makers to proactively mitigate their highest-priority insider threats.
In Part 2 of this post we will compare and contrast how data-driven UAM and SIEM/UEBA solutions detect insider threats versus how the model-driven Haystax solution does it.
# # #
Note: The effectiveness of a whole-person approach to insider threat mitigation has been supported by extensive research and has gained wide acceptance in operational settings. Hear from two leading experts in the scientific and practical aspects of whole-person insider threat mitigation – Dr. Frank Greitzer and Dr. Eric Shaw – by tuning in to our Haystax Insider Threat Roundtable on October 29 from 2:00 PM – 3:30 PM EDT. Register here.