How do you get started with UBA?
Generally, you’ll start using UBA with four basic steps: ingest data, configure workflows, target use cases, and customize your models.
Getting data into your UBA solution is the first step toward understanding your user data. Your tool should provide a number of options for identifying, validating, then ingesting data from multiple sources across your infrastructure — from reading simple, well-known log file formats, to invoking programs to handle custom data formats.
Once you’ve successfully prepped your environment and onboarded relevant event data, the next step is to configure your workflows. Integrated workflows allow security teams to quickly respond to incidents by opening tickets or placing surveillance on high-risk users. By hammering out a streamlined investigation and feedback loop, security teams won’t have to scramble when trouble comes.
Next, you’ll need to determine what use cases you’d like to address with your UBA tool. This can be anything from data exfiltration to account compromise and misuse. You should also involve your organization’s security architects and engineers so they can provide feedback. Remember, while most UBA solutions ship rule sets covering use cases that apply to almost every customer, those use cases aren’t necessarily the priorities of your business. The needs and objectives for retail, e-commerce, financial services, the public sector, etc., vary immensely.
Last but not least, you’ll need to customize your anomaly scoring models. Providing input on key assets or users/departments lets the model raise the risk score accordingly (for example, data exfiltration involving staff in your organization’s research lab may be more of a threat than data theft on your marketing team). Your UBA tool should also increase the score when a user’s behavior deviates from their peer group profile. If a specific risk-scoring logic is not applicable to your environment, adjust it up front.
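To make the two scoring inputs above concrete, here is a small Python model added as an illustration (it is not code from any UBA product): it scores a user's latest daily outbound transfer volume against the peer group (department) baseline and then applies a department criticality weight. All users, departments, volumes and weights are constructed for the example.

```python
from statistics import mean, pstdev

# Constructed sample: department and daily outbound transfer volume (MB) per
# user; the last entry in each series is "today", the day being scored.
HISTORY = {
    "alice": ("research", [40, 60, 40, 60, 250]),
    "bob": ("research", [60, 40, 60, 40, 55]),
    "carol": ("marketing", [200, 300, 200, 300, 650]),
    "dave": ("marketing", [300, 200, 300, 200, 240]),
}

# Assumed criticality weights: the research lab is treated as a key asset, so
# the same deviation scores twice as high there as in marketing. This is the
# kind of up-front input the text describes; tune or drop it per environment.
DEPARTMENT_WEIGHT = {"research": 2.0, "marketing": 1.0}


def peer_baseline(dept, history):
    """Mean and population stdev of the department's historical volumes,
    excluding today's values so the day being scored cannot skew its baseline."""
    values = [v for d, series in history.values() if d == dept for v in series[:-1]]
    # Floor the spread at 1 MB so a perfectly flat baseline still gives a finite score.
    return mean(values), max(pstdev(values), 1.0)


def risk_score(user, history=HISTORY, weights=DEPARTMENT_WEIGHT):
    """Weighted z-score of the user's latest day against the peer group profile.
    Only excess volume counts as risk; a quiet day scores 0."""
    dept, series = history[user]
    mu, sigma = peer_baseline(dept, history)
    z = (series[-1] - mu) / sigma
    return round(max(z, 0.0) * weights.get(dept, 1.0), 1)


def rank_users(history=HISTORY, weights=DEPARTMENT_WEIGHT):
    """Users ordered from highest to lowest risk, the list an analyst would triage."""
    scored = [(u, risk_score(u, history, weights)) for u in history]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for user, score in rank_users():
        print(f"{user:6} {score:6.1f}")
```

Note that carol's raw deviation (8 standard deviations) is larger than bob's, yet alice's smaller absolute transfer in the research lab ranks highest because of the department weight; that is exactly the kind of business-specific adjustment the text asks you to make up front.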
As you decide how to implement UBA in your organization, consider:
- How much and what type of behavioral data you’ll have available.
- The level of internal expertise you have — and whether you have the ability to train security personnel to implement and manage UBA.
- How large and sprawling your network of users is (e.g., number of remote locations and the degree of user mobility).