DLP, UBA, or Both?

In this first entry in a series, I’m going to look at DLP and UBA (User Behavior Analytics)—how each one of them works and what role each can play in an overall data protection effort.

Every day, data protection companies are adding insider risk assessment capabilities to their portfolios, whether as a component of their integrated solutions or as a separate package. At the same time, other companies sell standalone solutions, but they call them UBA (or UEBA—User and Entity Behavior Analytics) instead of DLP. This makes choosing the right solution challenging. Obviously, companies want to protect themselves from insider threats, but how do they know which product to choose?

Traditional DLP

DLP solutions have been around for a long time now—by that name, since 2006 at least. DLP software looks for potential unauthorized transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage). They do serve a targeted purpose, which is to prevent exfiltration of specific data types.

As the name suggests, the focus is on the type of data. DLP solutions were and are primarily designed to meet compliance requirements around the handling of PII, PCI, and PHI. The threat types they address include:

• data exfiltration, or the theft of private, confidential and sensitive data, and
• accidental exposure sending sensitive data to the wrong recipient.

They work well for data that is easy to match with text-based regular expressions like social security numbers, bank account numbers, or the results of a medical test. However, traditional DLP solutions are not very reliable for any other data types, especially soft and hard IP such as legal documents, partnership agreements, software source code, and schematics. Such data does not lend itself to easy identification and classification the way more normalized data types would.

The Arrival of UBA

Those failings meant a new solution was needed to identify data loss and protect systems. To address those kinds of situations, UBA came out around 2015, designed to look at patterns of user behavior rather than types of data. After identifying normal behavior patterns, UBA then applies algorithms and statistical analysis to detect meaningful divergence from those patterns to identify evidence of intruder compromise, insider threats, and risky behavior on the network.

The focus for UBA is system protection as opposed to data protection. Although UBA can provide very basic DLP insights, the primary threat types it addresses are much different. They include:

• the inappropriate use of access permissions;
• privilege escalation—a change of access credentials;
• anomalous behavior such as accessing external domains, remotely accessing highly privileged assets, and unusual login duration, time, or location; and
• credential compromise, or the stealthy takeover of accounts for malicious purposes.

The ways in which UBA differs from DLP are highlighted by the different user types each is concerned with. There are two approaches that can be taken with DLP: targeting only users with high-value data access, or targeting all users because at some point everyone has access to sensitive data. Whether you monitor some or all users really comes down to your appetite for risk.

UBA, by contrast, is designed to focus on privileged-access users. The targets are IT admins, security architects, DBAs, and the like—users that have the keys to the kingdom and could cause a lot of damage. This is a very limited group, and UBA should be deployed with this in mind. It may be tempting to deploy UBA to all users, but these solutions monitor lots of events, so the results are typically noisy, with lots of alerts. Because of that, it’s a best practice to deploy only to the privileged user roles. Also, there’s a new culture of security with privacy in mind that companies are adopting, and the inherent invasiveness of UBA compromises end users’ privacy.

What it comes down to is that these solutions are completely different. One simply fills the gaps of the other, leaving clients with two solutions, both poorly equipped to ensure data protection in a modern enterprise.

A New Approach

To really address these gaps, you need a different approach to data leak protection, one not based on content inspection alone.

Using a proprietary technology called Dynamic Data Tracing (DDT), Cyberhaven monitors all your business-critical data across on-premise and cloud environments—endpoints, network shares, email, and SaaS applications. Rather than relying solely on content inspection, Cyberhaven provides a rich, automatically inferred context around each data flow, including how the data was created and where it was stored throughout its lifetime.

Cyberhaven extracts and records metadata from each user interaction so that you can inspect any data flow in real time or retrospectively with just a few clicks, enabling you to automatically detect improper handling, such as data stored in unsecured locations. But it does not capture or store any of the actual sensitive data in question, so the process does not jeopardize compliance or privacy.

The result is effective data protection without impeding employee productivity and dramatically reduced incident investigation time and cost.