User Behavior Analytics Best Practices
UBA Best Practices
- Identify the existing sources of data on user behavior, including logs, data warehouses, network flow data, etc. The more data you have, the better.
- Integrate data from other monitoring systems, such as advanced threat management and HR customer relationship management (CRM) systems.
- Enable Active Directory auditing to track who is doing what across your critical systems.
- Enable auditing for all systems that contain sensitive information, including your file servers, SharePoint, SQL servers, etc.
- If you are using SaaS applications, enable access and user activity logging.
- Track account creation and account logons, because such activity can reveal account takeovers and other attacks.
- Enable journaling on your email server and use e-discovery software for email flow analytics.
- Regularly review effective permissions and enforce a least-privilege model.
- Track and control your users’ internet traffic via web filtering software.
- Provide your UBA solution with all the data mentioned above. Fine-tune its rules, alerts, reports and thresholds to reduce noise and false-positive anomalies.
- Review UBA reports on anomalous activity regularly and investigate incidents promptly.
Challenges for securing the modern IT environment
- Companies lack visibility into employee activity and application usage across critical IT systems.
- Legacy defense strategies are typically focused on the perimeter, so they fail to identify insider threats or attacks in progress within the network.
- Security teams are often overwhelmed by the huge volume of audit logs generated every day, increasing the risk that important actions can be missed.
- Most legacy security applications, such as SIEM solutions, are time-consuming to use.