
Catch insider threats with User Behavior Analytics

Ajay Kumar | June 26, 2016
Tracking every movement of insider threats

UBA uses many technology components: data sources, data integration, data mining, correlation, enrichment, data presentation and visualization, and service delivery. Various vendors have been optimizing their capabilities around specific security use cases and domains. However, the success of these capabilities relies on the collection of structured and unstructured information.

The capability of the analytics engine depends greatly on feeding it the right sources of data and applying the right context to that information: knowing which data and variables need to be analyzed, and how much weight to give the key variables used in the risk rating functions.

Getting the right data feeds into the engine, with business context, is the key step to getting optimal value from the investment in UBA technology. The raw data sources could include VPN gateway logs of users connecting to the enterprise network remotely, Active Directory logs, Windows and Unix server logs, and security event logs from firewalls, DLP, etc. Together these connect the dots from the moment a user successfully connects to the VPN gateway and establishes a session, logs into an application server, accesses data from sensitive systems, the time spent processing and moving data around, and whether any data is transferred out of a server to external systems.

Lastly, IP theft and data exfiltration, fraud detection, malware detection and analyzing employees' social media activity are some of the use cases where UBA technology can help detect and flag early warnings to security teams. Once a vendor solution is selected and deployed in the enterprise, the next big step is to establish an initial baseline by watching user activities for a few weeks before getting actual results or value.

If the technology is not baselined and fine-tuned, it is just another tool generating thousands of noisy alerts. To get optimal results, one needs to spend quality time watching and understanding user behavior in the enterprise and distinguishing normal from anomalous behavior. Self-learning algorithms, machine learning and statistics can help highlight abnormal behavior and frequencies, and detect critical insider threats and targeted advanced attacks.
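To make the baselining and weighted risk rating concrete, here is an added example (not from the article or any vendor product) that builds a per-user baseline from constructed daily activity counts, as they might be correlated from VPN, Active Directory, server and DLP logs, and scores a new day against it. The feature names, weights, z-score cap and alert threshold are all assumed values, and the flat-baseline case (zero standard deviation) is handled explicitly so it cannot divide by zero or be silently ignored.

```python
from statistics import mean, pstdev

# Assumed weights: how much each variable contributes to the risk rating.
WEIGHTS = {"vpn_logins": 1.0, "sensitive_reads": 2.0, "mb_transferred_out": 3.0}
Z_CAP = 10.0  # assumed cap so one variable cannot swamp the whole score

# Constructed baseline (not real logs): 14 days of per-user daily counts.
BASELINE = {
    "alice": [{"vpn_logins": 1, "sensitive_reads": 5, "mb_transferred_out": 20}] * 7
             + [{"vpn_logins": 2, "sensitive_reads": 6, "mb_transferred_out": 30}] * 7,
    # bob's activity never varies, so every feature has a standard deviation of 0
    "bob": [{"vpn_logins": 1, "sensitive_reads": 2, "mb_transferred_out": 10}] * 14,
}


def build_profile(days):
    """Per-feature (mean, population std dev) over the baseline window."""
    profile = {}
    for feat in WEIGHTS:
        values = [day[feat] for day in days]
        profile[feat] = (mean(values), pstdev(values))
    return profile


def risk_score(profile, today):
    """Weighted sum of capped positive z-scores.

    Only increases above the baseline add risk; a drop in activity is not
    treated as suspicious here. A flat baseline counts any increase as Z_CAP.
    """
    score = 0.0
    for feat, weight in WEIGHTS.items():
        mu, sigma = profile[feat]
        if sigma == 0:
            z = Z_CAP if today[feat] > mu else 0.0
        else:
            z = min(Z_CAP, max(0.0, (today[feat] - mu) / sigma))
        score += weight * z
    return round(score, 2)


def is_anomalous(profile, today, threshold=6.0):
    """Assumed threshold: tune it while watching real users for a few weeks."""
    return risk_score(profile, today) >= threshold


if __name__ == "__main__":
    for user, days in BASELINE.items():
        profile = build_profile(days)
        spike = {"vpn_logins": 3, "sensitive_reads": 40, "mb_transferred_out": 500}
        print(user, risk_score(profile, spike), is_anomalous(profile, spike))
```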

Source: CSO 
