Data is important – Context even more so
To be able to understand the real threats, a good solution must be able to have the full contextual information:
Without all three, UBA solutions will continue to claim they have an understanding of what’s going on, and the false positive ratio will continue to remain high.
Want to know who is about to rob a bank? You must be looking at all people entering the bank, track those with a weapon or means, and to be fully able to prevent a robbery in real time, be able to reconcile what any person is asking from the cashier, with what they have available. Full contextual understanding of the course of events, as they take place.
Just the same with your assets and sensitive information – a proper UBA solution must be able to know which user accesses which data or application, and connect all dots to form the correct picture.
Lack of visibility into the actual data requests and transactions, which today exist only in some of the logs and only in a fragmented and obscure way, results in high number of false positives, which in turn mean that SOC teams are busy cleaning them up, rather than addressing actual vulnerabilities.
Monitoring vs. Prevention
Lack of prevention capabilities is one of the major drawbacks of most UBA solutions.
Being able to discover an incident post fact, is basically like having a monitor outside of a stable, letting you know that all horses are out, and you just lost your entire herd.
A proper UBA solution must have the ability to stop a breach as it happens, or better yet, preventing it from happening altogether. Having the means and the tools to do so is crucial!
Want to know what to look for? Here’s a list of things to consider when choosing your UBA.