Looking for a Faster Way to Detect Insider Threats and Accelerate Incident Response?
by Suid Adeyanju
Today there is a range of User Behaviour Analytics (UBA) tools available to organisations; however, the most effective ones need to be able to detect and respond to three key threats: insider threats before the fraud is perpetrated, compromised accounts before more systems are taken over, and privileged account abuse before sensitive data is accessed or operations are affected.
When considering the most appropriate UBA tools for deployment, your security team should evaluate six key criteria.
- First, does the business still see breaches even after installing new security tools?
- Second, can the company easily prepare data that is associated with specific identities?
- Third, can your current security tools detect threats and provide feedback in real-time?
- Fourth, how quickly can your current security measures address critical threats?
- Fifth, do you have both AI and machine learning in place to enable threat hunting and user monitoring?
- Finally, do your current security tools have strong integration with the underlying data platform?
If you answered no to any of these, then you probably need UBA. Working alongside a SIEM solution, UBA can detect threats more accurately and make incident response more efficient.
RiverSafe
Here at RiverSafe, our expert team has tested our UBA solution against the 12 conditions that the most efficient UBA solutions should be able to tackle, to ensure we offer the best UBA tool available. These conditions fall into two distinct categories, detect and respond: the two most vital requirements of any UBA tool, and the ones we test tools against.
Starting with the former: the earlier you detect an attack, the less impact it will have. To ensure your UBA can detect as much as possible, you need to test it against the variety of unusual user behaviour that may appear within the network, including:
- Compromised user credentials;
- Compromised privileged-user accounts;
- Access to executive assets by those without clearance;
- Malicious activity by the company’s own personnel.
Four Conditions
These four conditions make up the detect category: UBA must be able to identify exactly where the issues are coming from and flag unusual behaviour before any attack can take place. In doing so, your security team can discern whether the malicious activity is coming from an internal or an external source and react appropriately.
Now onto the second category: respond. Many UBA vendors talk about the ability to detect threats, but fewer can support the conditions needed to respond effectively. Use cases that improve SOC and IT staff productivity are the priority, so our team has ensured that our UBA solutions meet all the criteria required. Ideal UBA solutions can:
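The four detect conditions come down to one mechanism: learn what each identity normally does, then score new activity against that baseline. As an added example that is not RiverSafe's code or product, the Python below builds a per-user baseline from a week of constructed login and file-access telemetry and raises one alert per condition on the events that follow. The log format, the `exec/` resource prefix marking executive assets, the `EXEC_CLEARED` clearance list and the thresholds are all assumptions made for the example.

```python
"""Per-user behavioural baseline detector (added example, not a vendor's code).

Learns each identity's normal hosts, login hours, privileged operations and
daily read/download volume from a baseline window, then scores later events
against the four detect conditions: compromised credentials, privileged
account abuse, executive asset access without clearance, insider activity.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

BASELINE_DAYS = 7               # learn behaviour from the first week of telemetry
EXEC_CLEARED = {"ceo", "cfo"}   # constructed clearance list for "exec/" resources
MIN_DAILY_VOLUME = 5            # floor so a quiet user is not alerted on 3 reads

# Constructed telemetry (not real data): "ISO timestamp,user,source host,action,resource".
# Week 1 is normal behaviour; the events from 11 March onward contain the anomalies.
SAMPLE_EVENTS = """\
2024-03-01T07:30:00,svc-backup,bk-srv01,privileged,backup-job
2024-03-01T08:55:00,alice,wks-alice,login,vpn
2024-03-01T09:10:00,alice,wks-alice,read,finance/q1-budget.xlsx
2024-03-01T10:00:00,ceo,wks-ceo,read,exec/board-minutes.docx
2024-03-02T07:30:00,svc-backup,bk-srv01,privileged,backup-job
2024-03-02T09:02:00,alice,wks-alice,login,vpn
2024-03-02T10:05:00,ceo,wks-ceo,read,exec/board-minutes.docx
2024-03-03T08:58:00,alice,wks-alice,login,vpn
2024-03-04T11:00:00,bob,wks-bob,read,eng/design.md
2024-03-05T11:20:00,bob,wks-bob,read,eng/roadmap.md
2024-03-11T03:14:00,alice,203.0.113.7,login,vpn
2024-03-11T03:20:00,alice,203.0.113.7,read,finance/q1-budget.xlsx
2024-03-12T14:00:00,svc-backup,bk-srv01,privileged,create-user
2024-03-12T15:00:00,bob,wks-bob,read,exec/board-minutes.docx
2024-03-13T16:00:00,bob,wks-bob,download,eng/design.md
2024-03-13T16:01:00,bob,wks-bob,download,eng/roadmap.md
2024-03-13T16:02:00,bob,wks-bob,download,eng/api-keys.md
2024-03-13T16:03:00,bob,wks-bob,download,eng/customers.csv
2024-03-13T16:04:00,bob,wks-bob,download,eng/pricing.xlsx
2024-03-13T16:05:00,bob,wks-bob,download,eng/contracts.zip
"""


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    action: str
    resource: str


def parse_events(text):
    """Parse the constructed CSV-style lines into Events, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, action, resource = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, host, action, resource))
    return sorted(events, key=lambda e: e.ts)


def build_baseline(events):
    """Summarise each user's behaviour during the first BASELINE_DAYS of telemetry."""
    cutoff = events[0].ts + timedelta(days=BASELINE_DAYS)
    base = defaultdict(lambda: {"hosts": set(), "login_hours": set(),
                                "priv": set(), "daily": defaultdict(int)})
    for e in (x for x in events if x.ts < cutoff):
        b = base[e.user]
        b["hosts"].add(e.host)
        if e.action == "login":
            b["login_hours"].add(e.ts.hour)
        elif e.action == "privileged":
            b["priv"].add(e.resource)
        elif e.action in ("read", "download"):
            b["daily"][e.ts.date()] += 1
    return base, cutoff


def detect(events):
    """Return (category, user, timestamp, detail) for each anomaly after the baseline window."""
    base, cutoff = build_baseline(events)
    alerts, flagged = [], set()
    daily = defaultdict(int)  # (user, date) -> read/download count in the scored window
    for e in (x for x in events if x.ts >= cutoff):
        b = base[e.user]  # an identity with no baseline gets empty sets, so all of its activity is "new"
        # 1. Compromised credentials: activity from a never-seen host, or a login more
        #    than one hour away from every baseline login hour. One alert per user/host.
        new_host = e.host not in b["hosts"]
        odd_hour = e.action == "login" and all(abs(e.ts.hour - h) > 1 for h in b["login_hours"])
        if (new_host or odd_hour) and (e.user, e.host, "cred") not in flagged:
            flagged.add((e.user, e.host, "cred"))
            alerts.append(("compromised credentials", e.user, e.ts.isoformat(),
                           f"host={e.host} new_host={new_host} odd_hour={odd_hour}"))
        # 2. Privileged account abuse: a privileged operation the account never performed before.
        if e.action == "privileged" and e.resource not in b["priv"]:
            alerts.append(("privileged account abuse", e.user, e.ts.isoformat(), e.resource))
        # 3. Executive assets touched by an identity outside the clearance list.
        if e.resource.startswith("exec/") and e.user not in EXEC_CLEARED:
            alerts.append(("executive asset access", e.user, e.ts.isoformat(), e.resource))
        # 4. Insider activity: daily read/download volume far above the user's own peak.
        if e.action in ("read", "download"):
            key = (e.user, e.ts.date())
            daily[key] += 1
            peak = max(b["daily"].values(), default=0)
            threshold = max(MIN_DAILY_VOLUME, 3 * peak)
            if daily[key] > threshold and (key, "volume") not in flagged:
                flagged.add((key, "volume"))
                alerts.append(("insider data exfiltration", e.user, e.ts.isoformat(),
                               f"{daily[key]} reads/downloads today vs baseline peak {peak}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(*alert, sep=" | ")
```

Run against the constructed sample, the detector raises exactly four alerts: alice's night-time login from an unfamiliar address, the backup service account creating a user, bob reading a board document he has no clearance for, and bob's bulk downloads the next day. The `flagged` set keeps each condition to one alert per user, host or day, which is the difference between an analyst reading four lines and reading forty; the volume threshold is relative to the user's own baseline with a fixed floor, so a quiet user is compared against a sensible minimum rather than against a peak of one.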
- Instantly lock out accounts that are compromised;
- Create new accounts;
- Share company accounts with relevant users for investigation;
- Delete or reinstate inactive accounts;
- Classify service accounts;
- Investigate user accounts;
- Investigate security alerts;
- Review the network before, during and after an attack.
A UBA solution that can correctly perform all of the aforementioned response tasks is an ideal tool for your security team. Combined with the ability to detect all four forms of abnormal user behaviour, it will let security teams respond to issues faster than ever before.