Most IT and security professionals will tend to be pretty comfortable with maybe four alerts in a day, said Beardsley. That's about an hour of work. "If they start getting more than 10, people are not paying attention. We try to solve that by weighting and building out a better profile," he continued.
So what's the general response to an alert? "You'll start with an account lockout, lock the account and then launch the investigation. Drill down to what the account has been doing for the last hour, the last day, the last few days," Beardsley said.
The investigation is intended to detect malicious behavior before it becomes a problem. Organizations that have already been breached know the pitfalls of not monitoring their networks: those that don't do this type of monitoring tend to have attackers lurking inside for more than 200 days.
Locking out an account for maybe an hour is not the end of the world, said Beardsley, but it can save anywhere from a couple of months to several months of an attacker lurking on the inside.
When a criminal gains access through a person's account, it usually means that the user has given up their account credentials. Remind users that passwords need to be complex and changed often. "Easy to remember is easy to extract. I strongly recommend machine-generated passwords that people don't know so that they can't give them up," said Beardsley.
It's also important to keep in mind that no product or platform is a panacea. Every network should have baseline protections, such as firewalls and intrusion prevention systems, and "get your pen tests; it's good hygiene," said Beardsley. As with other security tools, UBA products are a complementary approach that augments a baseline of cyber hygiene.