User Behavior Analytics (UBA), which tracks how a system's users normally behave in order to detect threats and breaches, provides a strong alternative to signature-based threat detection, a method that compares observed files, traffic or activity against the signatures of already discovered threats. Organizations have become increasingly aware that simply detecting a threat is not enough: the origin and location of the threat can be just as important, if not more so.
Because signature-based detection checks systems and their components against a catalogue of recognized threats, the method is only as strong as its data. If a threat is not yet known, or is being used by an attacker for the first time, signature-based prevention and detection will be of little use: there is simply nothing to compare the current data against, so the threat can go undetected.
Organizations looking for a silver bullet for threat detection may not find what they are looking for, since UBA is only one piece of the puzzle. While UBA is strong at detecting threats both inside and outside a system and can be tuned to different categories of systems and data, on its own it does not provide contextual data, which is what helps identify and locate a threat.
Ryan Stolte, co-founder and CTO of cyber risk analytics firm Bay Dynamics, told Homeland Security Today that UBA is just one ingredient, not a complete and final recipe. He said organizations need more than UBA, rules, and signatures, since these methods on their own can leave permeable gaps in protection plans.
“User behavior analytics, defining something that doesn’t look normal” and “looking for those anomalies, is actually very important,” said Stolte.
UBA can still be an integral part of the solution. In fact, it can be vital to threat detection, isolation, and removal in both the public and private sectors when used in conjunction with signature-based and context-based methods, the latter of which carry location data that helps narrow down the areas at risk.
Adding contextual information can greatly enhance UBA output, since it supplies details on location and breach points. Without that context, threats are not prioritized and are often mislabeled in severity.
With contextual data, leaders and personnel working through an avalanche of information can base their decisions and plans on traceable data rather than on bare anomalies, reducing overall risk.
“Anomalies can be used as a starting point, but I think that the big mistake we have right now is that we’re taking those anomalies and putting them back into SIM, and then putting them in front of the people out in the security operations center, and they’re saying ‘I don’t know what to do with this stuff, there’s not nearly enough information to actually act on,’” said Stolte.
Stolte added, “You need to focus on vendors and technologies that will take these anomalies, and help put them into context and add value in the environment, focus on technologies that will help communicate this to people outside of the security operations center. I think that’s really one key thing.”
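As an added illustration of the three methods the article contrasts (not code from the article or from Bay Dynamics), the following Python script runs a signature check and a per-user behaviour baseline over a handful of constructed session records, then attaches asset and identity context before ranking what reaches an analyst. All hashes, baselines, hosts and log events in it are constructed for the demo; the scoring weights are arbitrary choices, not any vendor's formula.

```python
"""Signature check, behaviour baseline and context enrichment side by side.

Added illustrative example, not code from the article or from Bay Dynamics.
Every log event, hash, baseline and inventory entry below is constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed signature set: hashes of binaries already known to be malicious.
KNOWN_BAD_HASHES = {"bad0bad0", "feedface"}

# Constructed 30-day behaviour baseline per user: where and when they
# normally log in, and how much data they normally move per session.
BASELINES = {
    "alice": {"countries": {"US"}, "hours": set(range(8, 19)),
              "bytes_out": [120_000, 95_000, 140_000, 110_000, 130_000]},
    "bob":   {"countries": {"US", "DE"}, "hours": set(range(7, 22)),
              "bytes_out": [40_000, 60_000, 55_000, 45_000, 50_000]},
}

# Constructed context that a bare anomaly lacks: what the host is, where it
# sits, and whether the account is privileged.
HOST_CONTEXT = {
    "fin-db-01": {"criticality": 3, "site": "HQ datacenter"},
    "wks-17":    {"criticality": 1, "site": "branch office"},
}
USER_CONTEXT = {"alice": {"privileged": True}, "bob": {"privileged": False}}


@dataclass
class Event:
    user: str
    host: str
    country: str    # geolocated source of the session
    hour: int       # local hour the session started, 0-23
    bytes_out: int  # bytes sent out of the host during the session
    proc_hash: str  # hash of the process that moved the data


def signature_hit(ev: Event) -> bool:
    """Signature method: match only against threats already catalogued."""
    return ev.proc_hash in KNOWN_BAD_HASHES


def anomaly_score(ev: Event) -> float:
    """UBA method: count how far the event sits from the user's own baseline."""
    base = BASELINES.get(ev.user)
    if base is None:
        return 2.0  # no history at all for this account is itself unusual
    score = 0.0
    if ev.country not in base["countries"]:
        score += 1.0
    if ev.hour not in base["hours"]:
        score += 1.0
    mu, sigma = mean(base["bytes_out"]), pstdev(base["bytes_out"])
    z = (ev.bytes_out - mu) / sigma if sigma else 0.0
    if z > 3.0:  # more than three standard deviations above normal volume
        score += 1.0
    return score


def enrich(ev: Event) -> dict:
    """Attach location and asset context and derive a priority from it."""
    host = HOST_CONTEXT.get(ev.host, {"criticality": 1, "site": "unknown"})
    user = USER_CONTEXT.get(ev.user, {"privileged": False})
    hit, score = signature_hit(ev), anomaly_score(ev)
    weight = host["criticality"] * (2 if user["privileged"] else 1)
    return {
        "user": ev.user, "host": ev.host, "site": host["site"],
        "source_country": ev.country, "signature_hit": hit,
        "anomaly_score": score,
        # a known-bad signature adds a fixed 2.0 on top of the behaviour score
        "priority": (score + (2.0 if hit else 0.0)) * weight,
    }


def triage(events: list[Event]) -> list[dict]:
    """Return only events worth an analyst's time, highest priority first."""
    findings = [enrich(ev) for ev in events]
    return sorted((f for f in findings if f["priority"] > 0),
                  key=lambda f: f["priority"], reverse=True)


# Constructed sample sessions.
SAMPLE_EVENTS = [
    Event("alice", "wks-17", "US", 10, 125_000, "c0ffee01"),      # routine
    Event("alice", "fin-db-01", "RU", 3, 2_000_000, "deadbeef"),  # novel tool, no signature
    Event("bob", "fin-db-01", "DE", 9, 50_000, "bad0bad0"),       # known malware, normal behaviour
    Event("mallory", "wks-17", "US", 12, 1_000, "c0ffee01"),      # account with no history
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['priority']:5.1f}  {f['user']}@{f['host']} ({f['site']}) "
              f"from {f['source_country']}  sig={f['signature_hit']} "
              f"anomaly={f['anomaly_score']}")
```

The second event is the case the article warns about: its process hash matches no signature, so the signature check stays silent, while the behaviour baseline flags it on all three axes. The context step is what turns that bare anomaly into an actionable finding, placing it on a critical host under a privileged account and therefore ahead of the known-malware hit on bob's session, which a signature-only pipeline would have ranked first. The routine first event never reaches the analyst at all.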
Stolte stressed the importance of training personnel to be proactive instead of reactive. Through communication and education, workers can become well informed. Furthermore, improved training can lead to overall behavioral changes in the ways people handle and address data, whether using legacy technology or more advanced methods.
Overall, by having in place context rich data, organizations are better equipped to define anomalies, reduce risk, add value, and encourage personnel to ask the right questions at the right times to get the most helpful answers.