[February 20, 2020]

Data Sprawl: Will DaBA save us from ourselves? (and Why UEBA can’t)

What happened with UEBA?

UEBA promised it would identify the guilty employees who were "misbehaving." It also promised to make life more sane for SOC analysts. But many UEBA solutions continue to have the reputation of being "noisy." Too many "false positive" alerts continue to plague SOCs. Now nearly every SIEM has a UEBA solution bundled into it but for many life in the SOC is getting worse with conditions such as increasing investigation times.

According to a September, 2019 Critical Start report:

  • 70% of respondents investigate 10+ alerts each day (up from 45% last year).
  • 78% state that it takes 10+ minutes to investigate each alert (up from 64% last year).
  • nearly 50% report a false-positive rate of 50% or higher.

What's missing? Despite tools like UEBA - investigation times are increasing. Are we monitoring the right factors in the right combination? Or are employees fundamentally unpredictable?

We the employees are a root cause

Why are the Insider Threats generated by our own employees creating over a third of the incidents as reported by Verizon in their 2019 report. The main challenge is that employees are just trying to get their work done. And sometimes they work at 3AM and set off an alarm when they do. So if we can’t control employees - what can we control?

Challenge #1 Data Sprawl

What security worries about is data leakage. A root cause of data leakage is the consequence of the data sprawl spurred on by the ever increasing number of SaaS apps we use to collaborate at work. Now, we read, send, copy, and zip information and disperse data not just via email, but Slack, WhatsApp, Zoom meetings and suites like Office 365. There are numerous copies of the same data in emails, zoom meeting chats, Slack and the dozens of collaboration and communications tools that people are using.

Root Cause #1 Too many places for data to hide

Unfortunately, the most common scenario that frequently does the most damage is the "careless employee" who sends information to their personal email or places information on a public share accidentally. Even worse, we all forget to delete the files after we finish our work. But, frequently they never actually remove the new design diagrams from the public location. In many cases the careless employee is making numerous copies of sensitive information in order to speed their work. These numerous and superfluous copies of valuable material end up living in locations like their smartphones and home personal computers where they are an easy target. Of course, each of us is guilty of recreating work because we can't remember what we called a file or where we put the file we were working on last week, resulting in yet another duplicate spreadsheet containing sensitive customer or business data. We all thought that cloud storage was going to be less expensive but the proliferation of sharing and storage apps has created a whole new set of filing problems.

Root cause #2 Too much collaboration

Surprisingly, another challenge in the era of collaboration is preventing certain groups within the same organization from sharing too much information. While you want sales and marketing to communicate frequently, you don't want the potential for new features to delay current sales. So you may not want Product Marketing briefing sales too early on future product features. Having insights into what policies to put in place is difficult without inhibiting the positive collaboration that is taking place.

Many in security and IT see the problem as being Shadow IT. Cautiously, many leaders realize they don't want to inhibit collaboration or creativity at work but they remain concerned with where their data is going. New forms of visibility are needed to see how data is being used by employees so that protection against data leakage can be put in place before data falls into the wrong hands.

Consequence #1 Loss of competitive advantage

Another challenge that many innovative organizations have is preventing the leaking of new product information. New product information can range from official Trade Secrets to any intellectual property that would be of value to the competitor or that diminishes revenues in any way. Whether it is Apple or Legos, the potential profit losses are not trivial. Most frustrating is that the threats are coming from the inside from helpful employees who are typically sharing information with peers so that malicious insider is much harder to identify.

Consequence #2 Exposure to Insider Threats

When everyone has access to similar information it becomes very difficult to identify who the insider that is sharing information with the outside may be. Insider threats are on the rise and they are becoming more difficult to detect as our communication and collaboration becomes more global and dispersed. Various tactics such as Data Loss Protection which are heavy on policies and rules have become cumbersome to maintain. Businesses are moving too fast to tag and classify all their data. They need tools that can immediately identify improper treatment of data and that links the actions to users.

DaBA to the rescue

What organizations require is contextual visibility. Not only who is sharing information but what information they are sharing and under what circumstances.

Data Behavioral Analytics (DaBA) is a new approach that focuses on exposing the data sprawl within enterprises. DaBA helps organizations see not only where certain data originated from but every location that it is dispersed to. Most importantly it helps organizations be vigilant about monitoring the locations that put information at risk of being leaked. DaBA provides real-time instant visibility by automatically recording and reporting on data movement within the organization without requiring any traditional DLP policies or data classification or file manipulation. DaBA reports on where all your data is going and living.

With DaBA's complete contextual visibility into the behavior and movement of all data, across on-premise and cloud environments, DaBA immediately detects the improper handling of sensitive data by employees. With DaBA, security teams can quickly identify and respond to data exposure and help enterprises reduce business risk from both careless or malicious insiders.

What matters to DaBA?

Context matters

An understanding of the source of specific pieces of information and being able to place them within a larger picture is crucial to speed investigations. A complete reconstruction of events provides not only the sequence but the relevant scope and scenarios in which data is being shared. When data is taken from a sensitive file and copied to a new file and that file is named something completely unrelated like Christmas List, DaBA links all this activity together so the events and context relate the true story.

Certain data matters more

As the business changes, the security teams can shift their focus to protecting the data that is most relevant to the growth of the business. All businesses have product or project lifecycles where information may need to be tightly guarded at early stages but eventually is common knowledge both internally and externally. With the ability to focus on the data that is of the most importance to the business, it is no longer necessary to block what at another stage could be productive collaboration. DaBA facilitates visibility to how data is shared across the organization and the establishment of productive norms for collaboration while at the same time keeping vigilant that careless improper treatment of data does not result in information being stored in risky locations. Alerts can be prioritized based on particular sources such as servers or files, so access and sharing of specific domains or shares can be monitored.

Destination matters

Certain locations such as public cloud shares, social media sites and private USBs put information at risk of falling into the wrong hands. DaBA provides a macro level view of how your users interact with business data. By abstracting how data flows through an organization we can see the process that occurs as data is exposed to risky locations. Not only does this help in establishing the level of risk exposure but it can help organizations adopt improved best practices on how to collaborate and share and store data.

Differences between UEBA and DaBA

UEBA tries to find anomalies in a particular's users behavior. It seeks to establish a baseline and then identify anything outside the norm. But with global travel, global enterprises and ever evolving roles and responsibilities it is difficult to establish what is normal.

Challenges with UEBA

  1. No correlation with data
  2. No correlation with Identity
  3. High False Positives - Real systems are Noisy
  4. Limited to specific endpoints it is monitoring leaving gaps in server and cloud layers
  5. Takes time to establish a baseline.

UEBA has significant value for certain Insider Threat scenarios but as insider threats continue to become more prevalent and more sophisticated, organizations need to have immediate, deeper and broader visibility. The costs of insider threats are rising and the frequency of occurrences is increasing so waiting to establish a baseline is not an option for many organizations.


In summary, since DaBA focuses on the behavior of the data, it provides immediate insights into organizational risk. The sequence of events and detailed metadata tells a complete story of what happened with context. DaBA provides visibility to an employee not only accessing documents for a new secret product but copying content from that file and renaming it something unrelated and sending it via their personal email account to non-company contacts. DaBa tells the complete story with context.

DaBA is a tool which helps C-levels see an abstracted view of their security risk and understand what processes, teams or individuals are putting the company at risk. It helps cyber teams speed their investigations. DaBA is instant. It does not require establishing a baseline of behavior patterns. DaBA provides a more holistic view of what is happening across the organization than UEBA because it looks at what is happening with sensitive data and what the root causes of data sprawl.

DaBA focuses on the data and not the user. It addresses the risks of dangerous collaboration without preventing the sharing of information. It facilitates conversations for improvements to team as well as individual behavior that is risky for organizations. DaBA also provides an easy way for representatives outside of security (including legal, HR and others) to understand and act on risky behavior. From the data perspective organizations can easily see the user trends and identify risky business practices so that potential data leaks can be stopped. So there is an opportunity to look at our work patterns from a more global view and if we cannot save ourselves from the invasion of the apps, then at least we can save the security teams from excessive alerts.


Topics: UEBA, Insider Threat, DaBA