How data loss prevention strategies benefit from UBA
Data loss prevention strategies require unique insight into user activity. Can user behavior analytics capabilities benefit threat management and breach detection?
The COVID-19 pandemic has forced employers -- many of which rarely, if ever, had remote workers -- to suddenly manage a workforce that is off-site and out of sight.
Among other management challenges, losing direct oversight means employers can't keep tabs on those employees who might do things on the job that could be harmful to the company and themselves. These behaviors might have been easier to detect in a traditional workplace. Remote work makes such scrutiny impossible.
To improve cybersecurity in this environment, companies are tapping into user behavior analytics (UBA) to exploit features built into commonly used data loss prevention (DLP) software.
Early DLP strategies were focused on identifying sensitive corporate data and then preventing that data from being exfiltrated. DLP works by monitoring data channels, and in the early 2000s, there were only a handful of data channels, such as USB external drives and networking drives. As networking became more distributed through the years, DLP vendors engineered their products to monitor almost every communication channel imaginable, ranging from email and Bluetooth to network shares and other common data repositories.
Most DLP products work by placing an agent on each client. As more monitoring channels are added, the ability to track user behavior also increases. If a user tries to send a file, the agent is aware; if the user accesses or even attempts to access a file, the DLP agent tracks that behavior. The same holds true if a user tries to read, update or delete a file. The result is a detailed log that can then be used to build a comprehensive UBA foundation.
At its essence, UBA involves establishing a baseline that reflects how employees typically perform their tasks and which resources they use to complete them, and then distinguishing normal from abnormal behavior against that baseline. If a user's activity deviates from the norm -- say, they suddenly copy a customer master file to an external drive -- the behavior is flagged, and security is notified. Analytical intelligence is an important component of UBA. Otherwise, security teams would be swamped with alerts, many of which could be false positives.
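The baseline-and-deviation idea described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor it names; the event tuple layout, the function names and the sample events are all constructed assumptions. It alerts only when at least two independent signals agree, which is one simple way to keep a single novelty from becoming a false positive.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed DLP agent events (assumed layout): (user, action, channel, resource, bytes)
HISTORY = [
    ("alice", "read", "network_share", "customer_master.csv", 4_000_000),
    ("alice", "send", "email", "weekly_report.pdf", 300_000),
    ("alice", "send", "email", "weekly_report.pdf", 320_000),
    ("alice", "send", "email", "invoice_0412.pdf", 280_000),
    ("bob", "copy", "usb", "build_tools.zip", 50_000_000),
]
NEW = [
    ("alice", "send", "email", "invoice_0413.pdf", 310_000),
    ("alice", "copy", "usb", "customer_master.csv", 4_000_000),
    ("bob", "copy", "usb", "build_tools.zip", 51_000_000),
]
EGRESS = {"send", "copy"}  # actions that move data off the client

def _empty():
    return {"pairs": set(), "files": set(), "sizes": []}

def build_baseline(events):
    """Per user: action/channel pairs seen, files sent out, egress sizes."""
    base = defaultdict(_empty)
    for user, action, channel, resource, size in events:
        base[user]["pairs"].add((action, channel))
        if action in EGRESS:
            base[user]["files"].add(resource)
            base[user]["sizes"].append(size)
    return base

def score(event, base):
    """Return the ways an egress event deviates from the user's norm."""
    user, action, channel, resource, size = event
    if action not in EGRESS:
        return []
    b, reasons = base.get(user, _empty()), []
    if (action, channel) not in b["pairs"]:
        reasons.append("new action/channel")
    if resource not in b["files"]:
        reasons.append("file never sent out before")
    if b["sizes"]:
        mu, sigma = mean(b["sizes"]), pstdev(b["sizes"])
        if size > mu + 3 * max(sigma, 0.1 * mu):  # floor avoids a near-zero sigma
            reasons.append("volume above norm")
    return reasons

def alerts(events, base, threshold=2):  # one novelty alone is treated as noise
    scored = [(e, score(e, base)) for e in events]
    return [(e, r) for e, r in scored if len(r) >= threshold]
```

With the constructed data, only the copy of customer_master.csv to USB is alerted; the new invoice sent over the user's usual email channel deviates on one signal and stays below the threshold.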
A caveat: It's important to consider the privacy ramifications of UBA. The right of employers to monitor employees' computer interactions must always comply with prevailing privacy regulations.
DLP vendors aren't the only suppliers incorporating UBA into their portfolios. Online security company Code42, for example, places agents in its software, giving it a detailed view of all user file activity. Exabeam, a SIEM vendor, uses a combination of logs and data sources to provide a holistic view of user activity and behavior. Packet capture vendors offer products that can illuminate user behavior by combing through packet-level data.
By tapping into the features provided by vendors like these, enterprises can get some of the help they need to ensure their remote employees are doing their jobs and doing them securely.