Beyond UEBA and DLP: New Visibility for Insider Threats

By Mary Roark, Director of Product Marketing, Cyberhaven

Many security teams lack the visibility tools to show the business where the risks are. Current tools including legacy Data Loss Prevention (DLP) products and even new User and Entity Behavior Analytics (UEBA) can address only certain scenarios.

Building policy around data movement is becoming even more challenging with new collaboration apps driving digital transformation. IT teams are blind to Shadow IT. New ever evolving business practices utilizing an increasing number of SaaS apps on which employees rely on are contributing to data dispersion.

With UEBA the focus turned to user behavior, yet none of the security statistics point to the situation in the SOC getting better. UEBA relies on detecting anomalies. But what is “normal?” Too many false positives continue to burden security teams.

A new promising approach is  Data Behavioral Analytics(DaBA) which “provides instant visibility by automatically recording and reporting on data movement within the organization without any policies, data classification or file manipulation,“ says the CEO and cofounder, Dr Volodymyr (Vova) Kuznet of Cyberhaven.  Five PhDs invented a new approach they define as DaBA.

“DaBAis a new approach which provides complete contextual visibilityinto the behavior and movement of all data, across on-premise and cloud environments.  It immediately detects the improper handling of sensitive data by insiders.”

DaBA promises to deliver data visibility which will spotlight the root causes of risk by highlighting the improper treatment of data.

UEBA

UEBA tries to find anomalies in a paticular’s users behavior. It seeks to establish a baseline and then identify anything outside the norm.  But with global travel, global enterprises and ever evolving roles and responsibilities it is difficult to establish what is normal. As a result, UEBA tends to be noisy. Even after a baseline is established, the business and users keep evolving. UEBA has no context for the data that a user is interacting with. To establish a complete picture of the user, it requires integration with other tools that define identity such as Microsoft’s Active Directory or HR systems. Another limitation is that most UEBA systems are monitoring endpoints which results in a gap in monitoring server and cloud layers.  While UEBA has brought additional context in someuse cases, organizations continue to struggle with increasing investigation times as they try to bring the pieces of the puzzle together.

Users and Patterns

UEBA promised to find the malicious employees who were exfiltrating valuable data outside normal business hours.  If there was an account takeover in the middle of the night by threat actors from a remote small country then UEBA would know that something was amiss and UEBA could trigger the DLP to block. It would be simple and the SOC analyst would only need to occasionally press a few buttons. Unfortunately,  it turns out that malicious actors are not only malicious but they are really crafty and deceptive.

Employees as a root cause

Even more depressing, as the 2019 Verizon reports pointed out again, that in over one third of breaches, we, the employees, were the ones to blame for careless activity that had led to significant breaches. While the impact of the damage that employees exacted was typically less than that of malicious outsiders, overall, the costs due to employees was actually higher.

Data Dispersion Challenge

Data dispersion is the spread of data to multiple locations. With the prolific use of collaboration apps including Slack, cloud storage like Box, and networking tools like Zoom, employees are constantly sharing and distributing information.  In the spirit of being helpful, we copy, share, zip and distribute information to our peers and contractors. And when we are in a really good mood, we resend, duplicate a report, and parse important information. The result is data dispersion across more locations than IT can name and that gives security teams nightmares.

DLP can’t stop them

DLP is good at preventing egress of data.  It can stop data from exiting the organization. But new ways of sharing data exasperate the teams who are trying to maintain DLP policies and rules. Keeping up with new regulation and compliance keeps DLP and security teams so busy that they don’t feel as though they have enough time to address the more serious security threats.

DaBA

What organizations require is contextual visibility. Insights are needed into not only who is sharing information but what information they are sharing and under what circumstances so that IT and security can drive the adoption of more secure apps or more secure business processes. The goal is to enable the business. No one is rewarded for blocking or preventing collaboration. Collaboration is seen as productivity.

Data Behavioral Analytics (DaBA)  is a new approach that focuses on the data. Data Behavior Analysis (DaBA) helps us see not only where the data originated from but every location that it is dispersed to.  Most importantly it helps organizations be vigilant to new locations that put information at risk of being leaked.  DaBA provides real-time instant visibility by automatically recording and reporting on data movement within the organization without requiring any traditional DLP policies or data classification or file manipulation. DaBA monitors both on-premise and cloud environments. DaBA reports on where all your data is going and living.

With DaBA, security teams can quickly identify and respond to data exposure and help enterprises reduce business risk from both careless or malicious insiders.

Summary

In summary, since DaBA focuses on the behavior of the data provides immediate insights into organizational risk.  The sequence of events and detailed metadata tells a complete story of what happened with context. DaBA provides visibility to an employee not only accessing documents for a new secret product but copying content from that file and renaming it something unrelated and sending it via their personal email account to non-company contacts.  DaBa tells the complete story with context.

DaBA is a tool which helps C-levels see an abstracted view of their security risk and understand what processes, teams or individuals are putting the company at risk.  It helps not only cyber teams speed their investigations but spotlights Shadow IT and new problem areas. DaBA also provides an easy way for representatives outside of security (including legal, HR and others) to understand and immediately act on risky behavior.

To learn more go to www.cyberhaven.com

About the Author

Dr. Mary Roark is the Director of Product Marketing of Cyberhaven. Mary’s passion for launching new products has led to a dynamic 20 year career in technology marketing with firms like AT&T and  Microsoft. She has led product marketing efforts in mobile, network and data security at RSA Security, Sophos, Veridium and now as the Director of Product Marketing at Cyberhaven in a completely new area of Data Behavior Analytics (DaBA). She has a Bachelor’s of Science in Electrical Engineering and an MBA from the Stern School of Business at New York University.

Mary can be reached online at https://www.linkedin.com/in/maryroark/ and at our company website https://cyberhaven.com/