“People who are trying to get away with something are going to fly below the radar,” said Stolte. “Just writing a rule to detect certain activities should catch it, but the problem is that people know where those lines are.”
Behavior analysis takes security beyond rule writing by looking at activities and behaviors rather than fixed thresholds: even if an attacker compromises a user’s identity, they still have to act like that user, and it is the deviation from that user’s established pattern that sets off the alarms.
“We need to use these analytics capabilities as an indicator to see the change in behavior not just did they cross a certain line or not,” Stolte said.
Saryu Nayyar, CEO at Gurucul, said that there is a difference between a user and an identity. UEBAs can determine “this user is risky,” Nayyar said, “but what matters more is: who is the identity, what is the access, and what is the activity being done?”
Once a user’s credentials are compromised, the criminal then has to behave in accordance with that identity’s normal daily activities. Failure to do so triggers anomalies in the system.
“Our role through UEBA is to model all good behaviors to surface unknown bad behavior. When we are called in, we look for the unknown unknown,” she continued.
The unknown unknown differs from enterprise to enterprise, which is what makes the element of human interpretation and interaction with UEBAs so critical. The rules and models are contingent upon the risks and threats of each organization, which demands that they remain private and confidential.
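To make the “act like the user” idea concrete, here is an added example of a per-identity baseline scorer, written for this page and not taken from Gurucul, Adallom or any other vendor’s product. It builds a profile of each user’s usual hours, source hosts, actions and transfer volumes from a constructed set of events, then scores new events by how far they depart from that profile. The event fields, the thresholds (5% of activity for an “unusual hour”, 3 sigma for volume) and the sample log data are all assumptions chosen for illustration.

```python
"""Toy UEBA-style baseline scorer (added example; thresholds and data are assumed)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Event:
    user: str
    hour: int        # 0-23, local hour when the action happened
    host: str        # source host the user acted from
    action: str      # e.g. "login", "download"
    bytes_out: int   # bytes transferred out by the action


@dataclass
class Profile:
    """What 'normal' looks like for one identity, learned from past events."""
    hours: Counter = field(default_factory=Counter)
    hosts: Counter = field(default_factory=Counter)
    actions: Counter = field(default_factory=Counter)
    bytes_samples: list = field(default_factory=list)


def build_profiles(events):
    """Model the good behaviour of every identity seen in the training window."""
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e.user]
        p.hours[e.hour] += 1
        p.hosts[e.host] += 1
        p.actions[e.action] += 1
        p.bytes_samples.append(e.bytes_out)
    return dict(profiles)


def score_event(e, profiles, hour_floor=0.05, sigma=3.0):
    """Return (score, reasons); 0 means the event looks like this identity.

    Each reason is one way the actor failed to behave like the real user.
    The thresholds are tunable, which is where the analyst's tuning comes in.
    """
    p = profiles.get(e.user)
    if p is None:
        return 3, ["no baseline for this identity"]
    score, reasons = 0, []
    total = sum(p.hours.values())
    if p.hours[e.hour] / total < hour_floor:          # hour rarely or never used
        score += 1
        reasons.append(f"unusual hour {e.hour:02d}:00")
    if e.host not in p.hosts:                          # never acted from here
        score += 1
        reasons.append(f"new host {e.host}")
    if e.action not in p.actions:                      # never did this before
        score += 1
        reasons.append(f"new action {e.action}")
    mu, sd = mean(p.bytes_samples), pstdev(p.bytes_samples)
    if sd > 0 and (e.bytes_out - mu) / sd > sigma:     # volume far above normal
        score += 2
        reasons.append(f"volume > {sigma:g} sigma above baseline")
    return score, reasons


def triage(events, profiles, threshold=2):
    """Return flagged (event, score, reasons) tuples, highest score first."""
    scored = [(e, *score_event(e, profiles)) for e in events]
    return sorted((t for t in scored if t[1] >= threshold),
                  key=lambda t: t[1], reverse=True)


# Constructed training data: alice works 08:00-16:00 from her laptop and moves
# 1-5 KB per action; bob logs in mornings from his desktop. Not real logs.
BASELINE = [Event("alice", 8 + i % 9, "alice-laptop",
                  "login" if i % 2 else "download", 1000 + 200 * i)
            for i in range(20)]
BASELINE += [Event("bob", 9 + i % 8, "bob-desktop", "login", 500 + 50 * i)
             for i in range(10)]
PROFILES = build_profiles(BASELINE)

# Constructed test events: a normal action, the same account used by an
# intruder at 03:00 from an unknown host pulling 50 MB, and an unknown user.
NORMAL = Event("alice", 10, "alice-laptop", "download", 3000)
COMPROMISED = Event("alice", 3, "vps-203", "download", 50_000_000)
UNKNOWN = Event("mallory", 10, "alice-laptop", "login", 100)

if __name__ == "__main__":
    for e, score, reasons in triage([NORMAL, COMPROMISED, UNKNOWN], PROFILES):
        print(f"{e.user:8} score={score} {', '.join(reasons)}")
```

The compromised event uses valid credentials and an action alice performs every day, so a simple rule on the action would pass it; it is flagged only because the hour, the host and the volume all break her baseline. The `hour_floor`, `sigma` and `threshold` parameters are the knobs an analyst turns when tuning the signal-to-noise ratio for a particular organization.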
Tomer Schwartz, director of security research, Adallom Labs, said the security team performs proactive research and builds intelligence back into the UEBA solution, thereby making the security tool a living, breathing, and evolving system that relies on the human element.
One of the benefits of a security team bringing human interpretation to the solution, said Schwartz, is that there is “a cycle of constantly improving and tuning the algorithms used for the UEBA engine, based on research and the results of their performance.”
When the problem is insider threats, where the enterprise is looking at an employee who already holds the credentials and access needed to reach everything, UEBAs can help determine which activities are legitimate and which are potential threats.
Having the flexibility to change specific data sources or provide more information allows enterprises to “tune the likelihood of a particular event to correlate with a suspicious activity, to develop completely new algorithms to solve specific use cases,” said Schwartz.
The result is a security system that will hopefully provide the right signal-to-noise ratio, addressing both the big data problem and the identification of internal threats, but will that ratio come at the cost of employee privacy?