By David Sanders
In Part 1 of this post we explored the basic characteristics of user activity monitoring (UAM), security information and event management (SIEM), user and entity behavioral analytics (UEBA) and artificial intelligence-based analytics software systems.
In this post we will compare and contrast how data-driven UAM and SIEM/UEBA solutions detect insider threats versus how the model-driven Haystax solution does it.
For illustration purposes, let’s consider a company with 10,000 trusted insiders that has the following circumstances:
- 500,000 files per week are copied to removable media by 2,500 employees
- 50,000 files per week are being sent outside the company via email
- 100,000 DLP alerts per week for files being copied to removable media
- 10,000 DLP alerts for email
- 500,000 web page visits per week
- 100,000 files downloaded from websites
- 7,500 files uploaded to websites
The above assumptions are reasonable if there are few or no controls on the use of removable media and on sending files via email. The number of alerts generated would require a significant effort to review in a timely manner; therefore, there needs to be effective threat scoring to point the analysts to the insiders that pose the greatest threat to the organization.
To contrast the differences of how SIEM/UEBA solutions develop threat scores versus Haystax, and the effectiveness of each approach, we will evaluate three user behavior scenarios:
- User A has contextual, technical and non-technical behaviors;
- User B has contextual and technical behaviors; and
- User C has contextual and non-technical behaviors.
The scenarios and resulting scores are presented below.
User A has both cyber and non-cyber behaviors that should be considered in the overall threat analysis. The SIEM/UEBA score, on a relative scale of 0-100, is low. Scoring assumptions for the SIEM/UEBA are:
- Non-cyber behaviors and contextual data did not impact the score;
- The non-productive web browsing has low impact because it is not data exfiltration; and
- Sending files via email has low impact because the volume is low.
The Bayesian Inference Network (aka BayesNet) probabilities consider all of the activity, resulting in higher threat probabilities. The behaviors of User A could be indicative of many things – disengagement from the organization, unfamiliarity with company policy or attempts to test controls and monitoring. Identifying the increased threat level allows for further investigation (perhaps using the UAM tool) and proactive risk mitigation.
User B has contextual and technical behaviors and the SIEM/UEBA score is high, on a relative scale of 0-100. Scoring assumptions for the SIEM/UEBA are:
- The cyber behaviors are scored high due to the large volumes of data being sent outside the network; and
- The contextual data has no impact on the score.
The BayesNet probabilities consider all of the activity, resulting in higher threat probabilities. Specifically, the “Conducts Potential Insider Threat Activities” is high due to the data exfiltration. But the overall “Is Insider Threat Concern” is lower because it is impacted by the “Exhibits Concerning Characteristics,” which is lower due to the contextual data (e.g., position as recruiter, longevity with company, absence of other negative behaviors to increase the score). The behaviors of User B are likely that of an employee doing their job – sending company information to prospective employees.
User C has contextual and non-technical behaviors and the SIEM/UEBA score is zero, due to the absence of technical behaviors and the lack of scoring non-technical behaviors.
The BayesNet probability scoring indicates a low probability of “Conducts Potential Insider Threat Activities” due to the attempted access behaviors, and a medium probability of “Exhibits Concerning Characteristics” due to the access to critical data, attempted access, performance review and being a relatively new employee. User C does not appear to be a threat based on this information, but these behaviors should be retained and considered in the light of future behaviors.
These use cases demonstrate that insider threat programs should implement both UAM and advanced analytics. The UAM tools provide necessary details about users’ activities on computers and laptops, but do not contain all the data required to detect insider threat activity.
A broader set of data, usually at a higher level, needs to be integrated into and effectively analyzed by an advanced tool that can effectively consider both technical and non-technical indicators. The Haystax Insider Threat Mitigation Suite employs just such a tool: a BayesNet that effectively and consistently evaluates both of these behaviors, thus developing a picture of the whole person – and any early indications of insider risk.
# # #
Note: A former high-flying corporate executive suffers a series of personal and professional setbacks and gradually develops into an insider threat. Find out how Haystax would have used probabilistic analysis and technical/non-technical data to discover him prior to his massive theft of intellectual property, in To Catch an IP Thief.