4 Challenges of Using Anonymous User Data for UEBA
User behavior analytics can help cybersecurity teams determine when a specific person or the way they use a device goes outside of norms. Here's a helpful breakdown of why anonymous user data doesn’t give the necessary insights in such cases.
Join the DZone community and get the full member experience.Join For Free
User and entity behavior analytics (UEBA) tools support a cybersecurity strategy by looking for anomalies. These tools establish a baseline usage for users, devices, and networks, then flag cybersecurity teams about significant deviations from those norms. People are highly interested in how user behavior analytics could cut cyberattack risks. One market analysis showed that the UEBA sector was worth $1.2 billion in 2022. However, researchers believe it will get to $4.2 billion by 2026.
However, the push towards anonymizing user data for the sake of privacy could hinder that growth. User and entity behavior analytics work best when decision-makers at the companies using the technology can narrow down potential problems. Anonymous UEBA data would limit the trends it's possible to pinpoint. Here's a closer look at why anonymized information is not a good fit for UEBA platforms.
1. A Lack of the Necessary Specificity
The concept of monitoring user behaviors to spot unusual instances is not new. You can probably recall a few times when your credit or debit card declined after the provider flagged strange activity. Maybe you bought something while traveling without telling your bank about the trip. Perhaps you tried to buy a big-ticket item after habitually only using that payment method for small purchases.
Anonymized data does not allow making the necessary connections, such as identifying the card owner and contacting them to determine whether a purchase was a legitimate one.
Ryan Stolte is the chief technology officer at Bay Dynamics. He admitted that user behavior analytics could pose privacy concerns and that discussions should happen about that topic. He explained, "It is absolutely a conversation that everybody should have. The reason we are doing behavior analytics is on behalf of the person. On behalf of everyone, we are watching you and then telling you when you are not acting like yourself."
That does not mean a company keeps tabs on everything each person does. However, the UEBA system would likely flag any strange behaviors.
2. Increased Difficulties in Stopping Insider Threats
A 2022 study uncovered a 44% increase in insider threats in two years. The same research also showed that affected organizations spent an average of $15.4 million annually to fix the associated issues.
The increasing prominence of insider threats is also problematic since modern companies are increasingly connected. Industries ranging from energy to food and beverage use connectivity to improve operations. However, an employee with malicious intentions could severely hinder a company's workflow.
It's important to remember, though, that insider threats can also emerge when people have no ill intentions. They may make mistakes due to tiredness, carelessness, or a lack of proper training that could lead to or exacerbate cybersecurity issues.
However, if company leaders only have anonymous UEBA data, it'll be more difficult for them to get the kinds of details that will help them mitigate this problem. For example, are there instances where a certain person or team repeatedly makes a mistake that poses security threats? If anonymous data prevents linking data back to particular people, it's impossible to narrow down the results enough to reduce the risk.
3. Inability to Take Disciplinary Action When Needed
UEBA tools help cybersecurity teams detect when someone's behavior crosses a threshold into dangerous activity. Christian Wimpelmann is the identity and access manager at Code42. He discussed how user behavior analytics could help companies avoid dangerous outcomes.
Wimpelmann said, "Whether malicious or unintentional, unusual data access and unusual data traversing networks or apps is often a precursor to employees doing something they shouldn't or data ending up somewhere much more problematic – outside the victimized organization."
It's also likely that companies that permit remote work may deal with more data protection issues than those that only let employees work on-site. One study found that 52% of people polled believed they could get away with taking more data risks when handling it while working remotely.
There are even cases of cybercriminals recruiting employees to deploy ransomware inside their organizations. One cybersecurity leader got approached to participate in an attack where he'd get 40% of a $1 million ransom for bringing ransomware into his corporate network.
However, working with anonymous data only tells part of the story. It might reveal an employee carrying out harmful activity inside a network. However, it won't show the exact person involved. Then, the cybersecurity team at an organization only knows that a problem exists, but not how to target the person responsible.
4. Limitations for Using UEBA to Maintain Access Privileges
A company's cyber attack risk can also rise if employees have access to more information than they need to do their jobs. The ideal scenario is when an individual has an appropriate access level and does not encounter friction that makes it difficult to do their duties.
Some cybersecurity experts advocate for combining user behavior analytics with identity verification measures to keep organizations better protected. One product with UEBA tracks more than 250 attributes associated with each individual. It then assigns an associated risk score. Someone might get a high figure if they repeatedly attempt to perform uncharacteristic activities in the network.
Company leaders can tailor what happens to a person with a high-risk score. One possibility is to temporarily lock them out of their accounts until someone from the IT department can investigate the matter further.
However, if a company only has anonymous UEBA data, it cannot use that information to stop privilege misuse. It could use behavior data to spot other potential issues in a more generalized sense, such as if someone is trying to access workplace resources from an unusual location. Without linking identifying information to that behavior, though, cybersecurity teams can't get the information they need to determine who is misusing identity-based privileges.
Anonymous UEBA Data Cannot Give Meaningful Payoffs
This overview shows why cybersecurity teams should not have high expectations for user and entity behavior analytics if their data is solely or mostly anonymized. Learning about unusual network activity is a good starting point. But, if IT professionals can't link that information to particular individuals, it's virtually impossible to accurately gauge the scope of the problem.
Instead, company leaders should have frank discussions with employees about privacy implications. If they don't want to go into UEBA specifics, they should just clarify that workers should never consider anything they do on a workplace network as free from monitoring.
Opinions expressed by DZone contributors are their own.