There's a lot of consolidation in SIEM. I don't think there is a SIEM vendor that doesn't have some kind of UBA-focused offering at the moment. And while traditionally SIEMs were looking purely at the network layer, more and more people are looking at the application layer with their SIEM. So there's even more crossover now.
I'll try and cover that to some extent in the slides.
So, as I was introduced, my name's Chris Burtenshaw. I've got over 15 years' experience deploying various security technologies with enterprises, usually financial services, defense, that kind of environment. And over the course of my career I've taken a keen interest in the security value of the technologies I've been deploying.
I've seen a lot of poorly scoped projects where people have tried to do too much, and I've seen projects that have been too focused on one particular area that doesn't offer particular value for the client. So I've come up with my own interpretation of what good value looks like, and I'll try to talk a little about that in the following slides.
I'm co-founder of Strata Security Solutions. We do consultancy around SIEM, IAM and cloud, and we also have a solution that brings together all of your security data so that you can understand what's going on in one place, and use that same data to understand risk and demonstrate compliance. Typically security teams are working with a number of different technologies, but they don't talk to each other, so it's a solution to fix that problem. Okay.
So, contents: I'm going to start off with a definition of UBA, or UEBA, but Martin did that quite succinctly for us, so I might go over that one quickly. Then I'm going to talk about some of my experiences from the coal face over the years with regards to UBA. I'm then going to segue into how you might get UBA, because, as I touched on with the question, it may well be that you already have some elements of UBA within your environment
if you have some best-of-breed security tools. Then I'm going to talk about the typical value proposition, some current enterprise trends and what impact they may have on UBA or UEBA. So, very similar to the slide that Martin put up, here is the definition of UEBA. This was the slide that I showed my wife and she said it looked a bit boring,
so I apologize. Gartner have their own definition of UEBA. Effectively, what they're saying is that these solutions use analytics to build standard profiles of behavior and then alert when anomalous behavior is detected. So it's similar to the other definition, not largely different. These fonts aren't quite right, I apologize, they look strange there. So, just to give you some of my own experiences over the years.
Going back to the early 2000s, there weren't any products that particularly marketed themselves as UBA, so I've called this "roll your own". Back then we were using the SIEM tools of the time to look for anomalous behavior. One of my earlier experiences was within a mobile phone company who had problems with their call centers. We were using the UBA-type processes mentioned by Martin, but without any tools to help us.
We were looking at refunds and that kind of thing to detect fraudulent behavior. From my personal perspective, it was the first time I realized that my job could lead to somebody getting a disciplinary, so that was a big learning point for me. Then moving forward to the 2010s, by this point some of the SIEM tools had started to add UBA-type functionality, maybe a set of rules, or a set of best practices and documentation.
Obviously that was a good step.
At that time a number of different technologies started to come onto the market that were specifically calling themselves user behavior analytics, and that segues into today, where there's what I call a myriad of options. As I said, there's a lot of consolidation.
So today, if you're looking to implement UBA and you already have a SIEM, you may well find that it has options to allow you to do some UBA. If you don't have anything, then there are tools out there, like Varonis and others, that allow you to quite quickly deploy something to start to detect and, more importantly, respond to anomalous behavior. And as Martin's slide towards the end of his presentation quite succinctly pointed out, there are a lot of vendors in this space at the moment.
So how do I get it?
Again, as Martin referred to, UBA really is sitting at an intersection of technologies at the moment, including but not limited to UBA, SIEM, DLP, maybe even database activity monitoring, et cetera. I just wanted to talk about how, if you already have some of these tools, you might expand them to start to follow some UEBA techniques. Obviously there are the pure players and, as Martin mentioned, there are relatively few of those at the moment. They may have specialized agents or integrations
that mean you can start to do some kind of blocking out of the box, so detecting activities and then blocking the account, that kind of thing. Other options, such as SIEM, may not have that.
So that's one thing to bear in mind.
And of course, typically, because they've been designed from the ground up with this use case in mind, they've got an interface that supports and helps the analyst to understand what's going on, understand the context and respond. So, SIEM tools.
Again, there's a lot of consolidation. A SIEM may have specific UBA modules, or it may have a complementary helper utility offered by the vendor. I won't mention any names, but some of the big players have their own pre-integrated UBA offering, so you just buy an extra box that slots in alongside your SIEM to start doing UBA-type monitoring. A key point is that it may already be integrated with your key log data.
So if you have a SIEM and you want to do some UBA, you may well find that your SIEM is already in a place to see what users are up to, for example if you've got good-quality application logs going into your platform. And then, just to keep it in there for the sake of mentioning it, DLP. There's a lot of convergence, but DLP is one of those areas that has merged most into the UBA proposition.
If you have a DLP tool, it may well be doing elements of UBA. Most of the use cases that these tools are focused on are obviously data exfiltration.
So it may well be that if you have a particular DLP tool, it has merged with another product or suite of products that could offer you UBA. And again, I've listed that they're likely to have blocking options, because if it's data loss prevention, it needs to be doing some kind of blocking, the prevention. And then finally, just to provide the wider context, emerging offerings within this area.
While not necessarily specifically UBA products, one thing Martin mentioned was that there's a lot of data analytics required to get that baseline and to understand the trend of your users' or your staff's behavior. Increasingly, organizations are deploying ELK stacks (Elasticsearch, Logstash and Kibana) for other purposes, such as DevOps. There's a lot of capability there to ingest, process and trend high-volume data that possibly five or even ten years ago was almost unthinkable for organizations. So it's worth bearing in mind, anyway.
So, onto the enterprise value proposition, which is the presentation title. What is the typical value proposition here? Based on analysis of user behavior, we're looking to identify malicious or compromised users. So, managing the well-known and well-documented insider threat; that's obviously a pretty big value proposition to the CSO or whoever else. Identifying APTs or targeted attacks.
If we can identify these earlier, we can potentially stop them earlier in the kill chain, save money, and reduce the impact or the number of affected systems or users. We can identify, or perhaps even prevent, data exfiltration. As I mentioned about DLP, if one of your users is pasting your customer database to the internet, DLP-type UBA tools are in a position to block that behavior when it's detected.
And then finally, this is something that I've been very keen to get into a number of initiatives, but it really depends on what the customer's looking to do: the data that you have about what your users are actually doing can provide useful input to other processes.
So if a collection of users have a certain set of access rights and, using the data that you've captured for UBA purposes, you can see that that access isn't being used, then maybe you can look at reducing the access rights of that user or collection of users. With this data you can do a lot of good security stuff; that's basically what I'm saying. Okay. So this sounds great, let's do it. What's the catch? Covering all of your assets, users and systems is a significant undertaking and it's costly, so you really need to think about what your scope is.
We'll talk about that in a minute.
It may also only be detective. If you are only detecting anomalous behavior, a real person needs to make a decision, understand what's going on and then respond accordingly. Quite often the response is not to do anything, but in some cases they need to deal with some quite serious incidents. So there's a lot of process that needs to be defined so that people can understand what's happened and why, and respond accordingly.
And then in brackets I've put "or deal with the exceptions", because if you do have a technology that can do some form of blocking, it's really important to have an exception management process. You mentioned earlier the end-of-year finance activities, things like that; if you block one of those activities, you need to make sure you've got a process ready to really quickly change the rules or change the setup so that they're not blocked anymore, because those reports and that data are needed now to finish a critical business process.
Okay.
What else? Communication. If you are dealing with what users are doing within the environment, it's a bit more personal if you need to approach them to understand what's going on than if, say, you're just looking at the network activity on their machine. It could be that somebody's accessing some files that perhaps they wouldn't want somebody asking them questions about. So it's really important that users understand that they're being monitored.
We touched on GDPR a few minutes ago; the law is one thing, but expectation is another. I've seen a couple of projects where teams have had something set up, they've been blocked, and then there's been some kind of escalation when people have realized that their activities are being impacted by a security process. So it's just worth bearing the communication in mind. And then finally, privacy.
In a similar area to communication, in some countries you may not be able to do this, but of course with EU GDPR we've got the legitimate interest exemption on the slide mentioned by Martin. Okay.
So, how am I going to optimize value? Or what's the secret formula for success?
What I will say is I think this slide probably applies to pretty much any security technology, not just UBA. I've put UBA at the top, but it probably applies in many other places. So, what's optimal value? Define your objectives, and try to be agile to an extent about this: set horizons at various points, make sure that what you are suggesting has a good end, and define what good looks like. And maybe you've got different stages of the project going forward: what are we doing in three months? What are we doing in six months?
What are we doing in 12 months? Define your scope. Critical digital assets, or your crown jewels: you want to make sure they're covered. One thing to bear in mind, and I'll perhaps touch on this on a subsequent slide, is that those assets may not be in your data center anymore. They may well be in an externally managed cloud service.
So you also need to think about who is accessing those crown jewels.
And maybe there are particular teams that are high risk. For example, I mentioned call centers earlier. It may well be that you have a more transient workforce, people coming in for temp jobs, that kind of thing. They may well not be malicious, but with that kind of high level of churn, it's quite likely that one of them won't have had a full background check or something like that.
So it's worth bearing in mind that different teams may have a different risk profile, and perhaps that would help influence your scoping. Business process: similar to Martin's point, the 70/30 rule as I call it, 70% process, 30% product. Make sure you've got a good business process to investigate and resolve alerts.
And as I mentioned earlier, don't forget exception management and false positive management.
If you are blocking especially, you need to have a good process for requesting an exception, because any blocking process that you set up will eventually create a false positive; it's just going to happen. So bear that in mind. And then finally, it's really important to communicate what you're doing and to communicate with stakeholders about how well your UBA activity is performing. Use metrics to communicate performance. For example, that could be coverage of user communities, like 98% of our call center.
It could be coverage of your applications or your critical applications, as in we cover 100% of our critical apps. Or it could be particular areas of the network, or device communities as I called it; perhaps for you mobile devices are higher risk, that kind of thing.
And then, critically, the business process performance. If you are dealing with a number of UBA alerts every day, you want to show the business that you're closing off X percent of them within X working hours, that kind of thing; the usual good security operations best practice.
It's important to make sure that you can get that data out of your UBA tool, because they're all slightly different in this respect. You mentioned SIEM earlier: if you're using your SIEM tool's UBA capability, maybe you can exploit the workflow management that you already have within your SIEM.
Okay. So, some enterprise trends. On the left here, cloud. It's quite likely these days that some of your critical digital assets are not in your data center.
Obviously you need to make sure that you're covering that with your UBA program. The exact nature of how you would do that depends on what your cloud model is. What's good now is that some of the leading software-as-a-service platforms are providing good audit trails and things like that, which you can get into your UBA or your SIEM tool, so there's a lot of good movement in that space. But bear in mind that it's quite likely you'll have something that isn't in your data center. Along the same trend with cloud, things are changing faster.
You have one tool this week; you might have a different tool next week. So it's worth bearing in mind that things are moving pretty quickly these days. And then finally, different controls.
As I mentioned, with external tools you may need to use a different set of controls than with your internal tools.
Now, what's this one about in the middle? This is one of those cases where you choose an icon before you've finalized your content, but I like the robot. Machine learning capabilities are emerging across the business; this is something that's being used in all kinds of different places.
I think this has been mentioned in a previous presentation, but what is the hype versus the value of the machine learning capabilities, which are very heavily marketed within all of these tools? Yes, there are built-in capabilities for trending and anomaly detection, but does that give you sufficient context for a yes/no decision to be made? In Martin's slide he had a pretty good analysis of activity over time.
It could well be that in order to understand whether something should be blocked or not, you also need to know the level of authentication they had at that point, for example; things like that, extra context.
And then finally, what I want to convey here is that with current trends within the enterprise, high-volume data processing, as in collection of data about user activity, is a lot easier and a lot cheaper than it used to be.
When I first started working with SIEM tools, they were based on traditional databases, Oracle, this kind of thing. Now, with some of the more modern tools, you can process a lot of data and you can keep it for a very long time, so you have the capability to do long-term analysis of what your users are doing. And finally, I've put this under the same vein because there's a lot of innovation going on at the moment: with a software refresh there's a chance to get things right from the start.
So maybe you can embed user behavior analytics, or good logging, or integration with your UBA tools from the very beginning of a software refresh project. It's worth bearing in mind. Okay, how are we doing for time?
So, just by way of a summary: the key value proposition here is detecting, and enabling you to respond to, compromise or the insider threat. That quicker response means that you can reduce the impact and the cost. Pretty straightforward, or it sounds it anyway. You may already have some elements of UBA,
so it may well be that you don't need to invest significantly in new technologies. But of course there are many products out there that you could deploy in addition to what you already have, if you wish to do so. It's really important to think about people, process and communication, especially when you're dealing with what people are doing personally within systems, because there'll always be someone doing something you didn't expect, and they may well not be expecting that level of monitoring and observation of their activities.
And finally, consider using metrics to demonstrate your progress and the value that you've brought back to the business. And that's it. Thank you very much. Thank you.
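The loop the talk describes (build a baseline per user, flag deviations, give the analyst the context such as authentication level needed for a block/alert decision, let a business exception register override blocking for things like the year-end finance run, and reuse the same captured data to find granted-but-unused access rights), as an added example that is not part of the talk or any vendor's product. The event format, the IAM export, the exception register, the 3-sigma volume threshold and the "block only without MFA" rule are all assumptions made for the illustration; the events themselves are constructed sample data.

```python
"""Added example, not from the talk or any product: a minimal 'roll your own' UBA
pass. It baselines each user's hours, resources and outbound volume from a
training window, scores later events with analyst context (MFA state), consults
an exception register so a pre-approved year-end job is not blocked, and reuses
the same data to list entitlements that were never exercised."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events: (user, ISO timestamp, resource, bytes_out, mfa_used)
EVENTS = [
    ("alice", "2024-03-04T09:12:00", "crm-db", 1_200, True),
    ("alice", "2024-03-05T10:40:00", "crm-db", 900, True),
    ("alice", "2024-03-06T11:05:00", "crm-db", 1_500, True),
    ("alice", "2024-03-07T09:50:00", "crm-db", 1_100, True),
    ("alice", "2024-03-08T02:10:00", "hr-share", 250_000, False),   # 2am, new share, no MFA
    ("bob", "2024-03-04T08:30:00", "build-srv", 5_000, True),
    ("bob", "2024-03-05T08:45:00", "build-srv", 4_800, True),
    ("bob", "2024-03-06T09:00:00", "build-srv", 5_200, True),
    ("bob", "2024-03-07T09:10:00", "build-srv", 5_100, True),
    ("bob", "2024-03-31T23:30:00", "finance-db", 40_000_000, True),  # year-end batch
]
# Assumed IAM export: resources each user is entitled to.
GRANTS = {"alice": {"crm-db", "hr-share", "billing-api"}, "bob": {"build-srv", "finance-db"}}
# Assumed exception register: pre-approved activity that must never be blocked.
EXCEPTIONS = [{"user": "bob", "resource": "finance-db", "months": {3, 12},
               "reason": "year-end reporting"}]
MIN_HISTORY = 3  # assumed: users with less history are not scored


def build_baselines(events):
    """Per-user profile: hours and resources seen, mean/stdev of bytes_out."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[0]].append(ev)
    baselines = {}
    for user, evs in by_user.items():
        if len(evs) < MIN_HISTORY:
            continue
        vols = [ev[3] for ev in evs]
        baselines[user] = {"hours": {datetime.fromisoformat(ev[1]).hour for ev in evs},
                           "resources": {ev[2] for ev in evs},
                           "mean": mean(vols), "sd": pstdev(vols)}
    return baselines


def find_exception(user, resource, ts):
    """Return the matching exception entry, or None."""
    month = datetime.fromisoformat(ts).month
    for ex in EXCEPTIONS:
        if ex["user"] == user and ex["resource"] == resource and month in ex["months"]:
            return ex
    return None


def score_event(event, baseline):
    """Score one event; returns a finding with decision 'allow', 'alert' or 'block'."""
    user, ts, resource, nbytes, mfa = event
    reasons = []
    if datetime.fromisoformat(ts).hour not in baseline["hours"]:
        reasons.append("off-hours")
    if resource not in baseline["resources"]:
        reasons.append("new-resource")
    # Floor the stdev so a very stable baseline does not flag trivial jitter.
    if nbytes > baseline["mean"] + 3 * max(baseline["sd"], 0.1 * baseline["mean"]):
        reasons.append("volume-spike")
    ex = find_exception(user, resource, ts)
    if ex or not reasons:
        decision = "allow"      # normal, or pre-approved business activity
    elif not mfa and ("new-resource" in reasons or "volume-spike" in reasons):
        decision = "block"      # strong anomaly without strong authentication
    else:
        decision = "alert"      # hand to an analyst with the context below
    return {"user": user, "ts": ts, "resource": resource, "reasons": reasons, "mfa": mfa,
            "exception": ex["reason"] if ex else None, "decision": decision}


def detect(events, cutoff):
    """Baseline on events before `cutoff` (ISO date), score those on or after it."""
    baselines = build_baselines([ev for ev in events if ev[1] < cutoff])
    return [score_event(ev, baselines[ev[0]])
            for ev in events if ev[1] >= cutoff and ev[0] in baselines]


def unused_grants(events, grants):
    """Entitlements never exercised in the observed window: candidates for removal."""
    used = defaultdict(set)
    for user, _, resource, _, _ in events:
        used[user].add(resource)
    return {u: g - used[u] for u, g in grants.items() if g - used[u]}


if __name__ == "__main__":
    for finding in detect(EVENTS, "2024-03-08"):
        print(finding)
    print("unused grants:", unused_grants(EVENTS, GRANTS))
```

Run as-is, alice's 2am pull from a share she has never touched, without MFA, comes back as a block with all three reasons attached, while bob's year-end finance-db batch trips the same anomaly checks but is allowed because it matches the exception register; the same events show alice holds a billing-api entitlement she never used. In a real deployment the baseline window would be weeks rather than four days, and the `block` decision would feed the exception and false-positive process the talk insists on rather than being final.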