Are you ready to invest in UEBA technology?

Assess your readiness across six key security components.


"Fifty-three percent [of 2018 survey participants] confirmed insider attacks against their organization in the previous 12 months (typically less than five attacks). Twenty-seven percent of organizations say insider attacks have become more frequent."

2018 Insider Threat Report by Cybersecurity Insiders


User and entity behavior analytics (UEBA) tools provide considerable value – but only if an organization is well-positioned to effectively leverage the tools’ capabilities. Through machine learning, UEBA tools provide security analytics that enable data-driven proactive strategies for a robust insider threat program. Before investing in such tools, organizations should ensure their house is in order. Technology, processes, and people should be evaluated and on a path to maturity so significant return on investment isn’t left on the table. Take this quick, six-question quiz to assess how prepared your organization is to implement a UEBA solution.

Choose the option that best aligns with your current structure:

1. What’s the state of your currently defined data sources?

  1. Technical data sources (e.g. web traffic logs, VPN, authentication logs) have been identified, but the application source owners are unknown. Or, minimal data sources beyond those being ingested into the SIEM have been identified. (1 point)
  2. Technical data sources and their source application owners have been identified. You have identified the desired non-technical data sources (confidential reporting, employee badge data, personnel records, etc.) that would be ingested into UEBA technology for further event correlation. However, the source application for these non-technical data sources has not been defined and you are unsure how to properly integrate the data sources. (2 points)
  3. You have identified technical and non-technical data sources and their corresponding source application owners, implemented an approval process for new data sources to be integrated, and have visibility into the network (decrypting data where necessary to get a complete picture) both internally and at the perimeter. Although risk ranking is being conducted, there is some uncertainty around setting threat thresholds for correlated events. (3 points)

2. Have you identified your insider threat use cases?

  1. You have minimal to no technical (lateral movement, data exfiltration, etc.) or non-technical (threats, violence, retaliation, etc.) insider threat use cases identified. (1 point)
  2. You have developed technical insider threat use cases, but non-technical use cases are yet to be identified. (2 points)
  3. You have identified technical and non-technical insider threat use cases. Trend analysis is conducted continually to identify new use cases, which are formally reviewed during tabletop exercises. (3 points)

3. Are you leveraging your SIEM and knowledge management platform to their fullest?

  1. You are collecting some security-relevant logs (e.g. DNS, VPN, Windows event logs, anti-virus logs). However, there are still application logs that are not being reviewed consistently, and there is no defined log retention period. (1 point)
  2. You are collecting most security-relevant logs and have a defined retention period for the varying log sources. The majority of detections are tailored to the company and are based on observed attack activity and externally-reported trends. (2 points)
  3. You are collecting and managing all security-relevant logs, and retaining them for a specific timeframe depending on classification or impact to the organization. All detections are tailored to the company and based on observed attack activity and externally-reported trends. Additionally, your SIEM allows for rapid dynamic searches and log correlation across dates and sources. Criticality levels are established for all detections to assign priority. A ticket creation process is defined and an analysis platform for investigations is being utilized. Finally, you are conducting continuous alert improvement based on false-positive and true-positive metrics. (3 points)

4. How comprehensive are your insider threat policies and procedures?

  1. Your organizational policies have been defined and communicated on a regular basis. Procedure development is being conducted and is still in the governance process. That said, you have not yet identified clear definitions of insider threat activity. (1 point)
  2. Your organizational policies are defined and effectively communicated. The corresponding procedures are defined and communicated to individuals with aligning job roles. Development of specific insider threat policies and procedures is underway. Communication paths and workflow diagrams are being identified and are going through the governance process. (2 points)
  3. You have defined policies and procedures that directly support the operations of an Insider Threat Program (e.g. user monitoring, acceptable use, enhanced monitoring, corrective actions, etc.). Communication paths and workflow diagrams are defined. However, the escalation chain may still be in the approval process. Additionally, you have some minor policies about contractor performance / management, though they may need further development. (3 points)

5. Have you identified, and are you engaging, the right stakeholders?

  1. The implementation of an Insider Threat Program is a corporate goal, but you have yet to identify the relevant stakeholders for essential roles and responsibilities. (1 point)
  2. The implementation of an Insider Threat Program is a corporate goal and the correct stakeholders have been identified with their corresponding roles and responsibilities. Identified stakeholders are representatives from the following organizational units: Ethics, Human Resources, Legal, Communications, Corporate Security, IT/Cybersecurity, Risk Management, and others as applicable. (2 points)
  3. Your organization has begun implementing an Insider Threat Program and the program architecture has been formally defined. Stakeholders are participating in monthly (or more frequent) program meetings, with established expectations for supporting ad-hoc meetings for significant incidents. Although the organization is making headway on the program’s implementation, program members still want further insight and guidance. (3 points)

6. Do you have the resources necessary to manage a UEBA tool?

  1. Your organization lacks the IT security budget or personnel to handle the current workload of insider threat cases. (1 point)
  2. Your organization does not have an extensive IT security budget, but the current staffing model is effectively managing the workload required to defend the enterprise. Or you have the budget, but your team is spread too thin and struggles to resolve cases within the SLA. (2 points)
  3. You have the IT security budget you need, and your team is adequately staffed and able to absorb additional workload when circumstances require it. However, the granular details regarding physical location and extra staffing required for the program have yet to be identified. (3 points)

Tally Your Results

The above questions provide a cursory review of your organization’s UEBA implementation preparedness across six domains. Tally the value of your responses and review the corresponding descriptions and next step considerations below. (Want to use our formatted worksheet for easy tabulation? You can download it here.)

You Scored 6 – 9 Points

Needs improvement. Some areas consistently rate under-prepared. For example, the creation of organization-specific use cases and/or securing buy-in from stakeholder departments can be a challenge. Next step: Choose two of the six domains outlined above that could be advanced most rapidly before pursuing a UEBA solution.

You Scored 10 – 14 Points

Solid standing. This rating may indicate your organization needs to further develop its Insider Threat Program. Next step: Pinpoint areas in need of increased maturity and ensure the proper security controls are implemented to prevent, detect, and respond to insider threats against critical services. Then, pursue a proof-of-concept for UEBA technologies.

You Scored 15 – 18 Points

Great start! Your answers indicate your security posture is maturing at an advanced rate, but you may be looking for additional guidance moving forward. Next step: Refine your findings with an advanced assessment and get ready for UEBA solution selection and roll-out!


Ready to dig deeper? Let’s discuss what an in-depth assessment of each category would look like for your organization.
