How Enterprises are Making Use of User & Entity Behavior Analytics (UEBA)

Aidan Simister by   10.25.2018   Auditing

One of the most important ways to address your cybersecurity in today’s threat landscape is to ensure you know how your users are interacting with your sensitive data.

By sensitive data, we’re referring not just to data containing company secrets or financials, but also to consumer and employee data. Personally identifiable information (data containing credit card numbers, addresses, names etc.) can fetch a large amount of money on the black market and the biggest threat to your data security comes from within your organization.

To address this, organizations are looking towards what is known as User & Entity Behavior Analytics (UEBA). To understand why UEBA is so popular, we need to first have a look at the state of the cybersecurity market.

The Cybersecurity Challenges Enterprises are Facing

The main problem that enterprises are facing is that the potential attack surface is ever increasing and becoming more complex. Vast amounts of data are being created every day and it can be very difficult to track where your sensitive data and which users have access it. This can be further complicated in larger enterprises that are dealing with multiple third-parties, contractors and have a wide variety of data sources.

Reports and research are suggesting that traditional cybersecurity techniques, such as perimeter defences and firewalls, are no longer as effective as they once were. This is because the biggest threat to the security of your data is from insiders.

Unfortunately, what we have seen is that the vast majority of organizations simply do not have a way to track what their most privileged employees are doing in relation to their data and the surrounding systems. They rely heavily on native audit techniques using raw event logs, which can be far too time consuming and generates far too much noise to be of any real value.

There also appears to still be a mindset of reactive cybersecurity over proactive monitoring. Many organizations don’t look for User & Entity Behavior Analytics solutions until they have experienced a breach that needs investigation. This mindset does appear to be changing, thanks in part to some stricter compliance regulations, but for now it seems as though more education needs take place.

Detecting Anomalous User Behavior

Those organizations in the right frame of mind tend to look for security solutions that feature UEBA. Such solutions run continuously in the background of an organizations and collect events over what’s usually known as a learning period. After this learning period, they are able to determine automatically whether user behavior deviates from the established norm.

This kind of reporting enables organizations to quickly spot and react to potentially suspicious user behavior in such a way that they would never be able to do using raw event logs.

For example, if a user suddenly decides to access folders that they have never looked at before, the anomaly spotting will detect this as being potentially harmful. Enterprises can make use of these solutions by paying close attention to users more likely to be a threat – such as privileged users and people on their notice period.

Is UEBA Changing?

Whilst UEBA solutions certainly have their place in the market, Gartner suggests that we will soon the UEBA market disappear. If you search for UEBA solutions you will find a plethora of vendors offering this functionality, so why does Gartner think this market is likely to diminish?

Simply put, the cybersecurity market is heading toward data-centric audit and protection (DCAP) – with UEBA being a feature instead of the main event. DCAP, as the name suggests, places data at the heart of security. All interactions with the data and surrounding systems (including UEBA), as well as environment states, are all elements of a DCAP strategy.

This is why, over the next five or so years, it’s likely that we will see fewer UEBA solutions and a larger number of more comprehensive Data-Centric Audit & Protection solutions. For more information on whether you need a DCAP solution, click here.