User Behavior Analytics Best Practices

UBA Best Practices

• Identify the existing sources of data on user behavior, including logs, data warehouses, network flow data, etc. The more data you have, the better.
• Integrate data from other monitoring systems, such as advanced threat management and HR customer relationship management (CRM) systems.
• Enable Active Directory auditing to track who is doing what across your critical systems.
• Enable auditing for all systems that contain sensitive information, including your file servers, SharePoint, SQL servers, etc.
• If you are using SaaS applications, enable access and user activity logging.
• Track account creation and account logons, because such activity can reveal account takeovers and other attacks.
• Enable journaling on your email server and use e-discovery software for email flow analytics.
• Regularly review effective permissions and enforce a least-privilege model.
• Track and control your users’ internet traffic via web filtering software.
• Provide your UBA solution with all the data mentioned above. Fine-tune its rules, alerts, reports and thresholds to reduce noise and false-positive anomalies.
• Review UBA reports on anomalous activity regularly and investigate incidents promptly.

Challenges for securing the modern IT environment

• Companies lack visibility into employee activity and application usage across critical IT systems.
• Legacy defense strategies are typically focused on the perimeter, so they fail to identify insider threats or attacks in progress within the network.
• Security teams are often overwhelmed by the huge volume of audit logs generated every day, increasing the risk that important actions can be missed.
• Most legacy security applications, such as SIEM solutions, are time-consuming to use.