But saying this and fully understanding what it means can be two different concepts. Once you understand that someone is mining your company in some creative fashion at any given moment, you stop thinking about being secure and start thinking about catching the SOB.
User Based Analysis or UBA
In most cases, the attacks are coming through legitimate credentials. Either an employee acting inappropriately, or someone using an employee's credentials, is executing the theft.
UBA works under the theory that an attacker typically hits when the employee isn't around or, if the employee is the thief, they are behaving unusually. They could be there after hours when they typically don't work late, they could be downloading and printing stuff that no one downloads and prints (like IDs and passwords) or they could be taking a sudden interest in things they never seemed to care about before.
UBA builds a profile of each employee and if it sees an employee acting strangely it sends out an alert. It doesn't know the why's of the strange behavior (it could be legitimate), but it recognizes it as suspicious. The IT organization and/or security team gets an immediate alert so they can either confront the employee or use a tool like SIEM (Security Information and Event Management) to determine what is going on and determine if there is a crime in progress. It could be as simple as checking the security cameras to make sure it is actually the employee and not a maintenance worker or someone else using the employee's ID getting access. However, typically, access should be cut off until the identity of the employee is confirmed to assure that if there is a leak it is minimized.
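As an added illustration (not code from the article or from any UBA product), here is a toy baseline-and-deviation check in Python over constructed access-log events. It flags the three signals described above: activity outside that user's own usual hours, a first-time access to a resource, and a download or print by a user who has never done one. The users, paths and timestamps are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

BASELINE = [  # constructed sample events (user, ISO timestamp, action, resource)
    ("alice", "2024-03-04T09:15", "view", "hr/handbook.pdf"),
    ("alice", "2024-03-04T11:40", "view", "hr/benefits.xlsx"),
    ("alice", "2024-03-06T16:30", "view", "hr/handbook.pdf"),
    ("bob", "2024-03-04T20:10", "view", "eng/roadmap.md"),
    ("bob", "2024-03-05T21:00", "download", "eng/roadmap.md"),
]
RECENT = [  # constructed events to score against the baseline
    ("alice", "2024-03-11T10:20", "view", "hr/handbook.pdf"),        # within baseline
    ("alice", "2024-03-11T23:45", "download", "it/passwords.kdbx"),  # three deviations
    ("bob", "2024-03-11T20:30", "view", "eng/roadmap.md"),           # bob normally works late
    ("mallory", "2024-03-11T12:00", "view", "hr/handbook.pdf"),      # no baseline at all
]

def build_profiles(events):
    """Per-user baseline: hours of day seen, resources touched, actions used."""
    profiles = defaultdict(lambda: {"hours": set(), "resources": set(), "actions": set()})
    for user, ts, action, resource in events:
        p = profiles[user]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["resources"].add(resource)
        p["actions"].add(action)
    return profiles

def deviations(profile, ts, action, resource, slack=1):
    """Reasons an event departs from this user's own baseline (empty list = normal)."""
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    lo, hi = min(profile["hours"]) - slack, max(profile["hours"]) + slack
    if not lo <= hour <= hi:                      # after hours for *this* user
        reasons.append(f"hour {hour:02d} outside usual window {lo:02d}-{hi:02d}")
    if resource not in profile["resources"]:      # sudden interest in new material
        reasons.append(f"first access to {resource}")
    if action in ("download", "print") and action not in profile["actions"]:
        reasons.append(f"user has never done a {action} before")
    return reasons

def alerts(baseline, recent):
    """Events with at least one deviation; users without a baseline are flagged too."""
    profiles = build_profiles(baseline)
    out = []
    for user, ts, action, resource in recent:
        reasons = (deviations(profiles[user], ts, action, resource)
                   if user in profiles else ["no baseline for this user"])
        if reasons:
            out.append((user, ts, reasons))
    return out
```

The alert carries only the reasons, not a verdict: as the article says, the analyst still has to establish whether the account holder is the one acting, and restricting access while that is checked is the safe default.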
Two types of companies ...
Years ago, security firm Kaspersky indicated there were two types of companies: those that have been attacked and those that don't know they have been attacked. I'm struck by the high number of reported attacks in firms using a UBA product, and that these firms are no different from the ones not deploying this tool. The difference is that the second group falls into the second half of Kaspersky's definition. If you want to be in the dark, don't look at tools like UBA. However, if you want to actually catch the folks who are stealing from the firm that puts food in your kid's mouth, maybe it is time to take action.