Issue 2

1 Data Protection & the Insider Threat
4 Veriato Recon
6 Veriato 360
8 Research from Gartner: Market Guide for User and Entity Behavior Analytics
22 Contact Us

Data Protection & the Insider Threat

Veriato (formerly known as SpectorSoft) has been enabling greater insight into insider actions for over a decade. Thousands of companies, government agencies, educational institutions and non-profits have successfully used Veriato solutions to increase the security of critical systems and intellectual property, and to respond to incidents more quickly and effectively.

An established leader in employee monitoring and investigations, we recognized the need for greater intelligence about the behavior of insiders. Many solution providers have done the same, as evidenced by the Market Guide for User and Entity Behavior Analytics (“UEBA”) from Gartner Research contained within these pages.

Why Veriato?

As we set out to create a high-value, differentiated offering, we first focused on the need to secure data. Insider data exfiltration causes tremendous damage every year. Worse, the vast majority of insider data exfiltration goes undetected – simply because the organization is not looking for it.

Ask yourself how your organization detects things like insider data theft or leaks. Relying on technologies designed primarily to secure the perimeter leaves much to be desired. Relying on trust is only an option if the only employee is you.

With multiple studies and surveys showing that 50% of employees believe it is OK to take corporate data, the chances that your organization has experienced, is experiencing, or will experience insider-driven data exfiltration are unacceptably high. In addition, the constant stream of data breaches caused by imposters – external actors who leverage compromised credentials to “become” insiders – highlights the need to detect changes in insider behavior that suggest an attack.

If you do not have a plan in place to detect it, you will miss your chance to prevent the damage.

With our unique ability to collect data at the point of interaction between insiders and the IT resources they access, we saw an opportunity to help address this challenge. Veriato has a proven data collector, one that provides much greater visibility into insider activity than is available from logs.

By applying an analytics capability to the data, we are able to detect shifts in behavioral patterns that would otherwise go unnoticed. Our software does this by creating a baseline that reflects normal behaviors within your organization. Utilizing machine learning and statistical analysis, the software identifies deviations from the baseline – anomalies – that suggest a threat to data security.

One way Veriato Recon, our UEBA solution, differs from many others is that we look at both technical indicators and psycholinguistic indicators. The ability to look at these two very different sources of intelligence translates into early warnings and easier prioritization.

A simple example illustrates the point. One insider is triggering alerts from a technical indicator such as increased usage of USB drives, with no other indication of threat. Another insider is triggering the same alerts, but is doing so after showing a significant negative shift in the sentiment (tone and intensity) of their communications and other shifts in language usage suggesting they are engaged in insider threat behavior. The second insider’s activity has a greater likelihood of being attack related and should receive a prioritized response. And that response can take place before the data exfiltration occurs – in the form of closer inspection of activities and monitoring for unusual resource access.

Once Veriato Recon detects anomalies, it sends alerts. These alerts can be routed to a SIEM solution to operationalize them and integrate them with other sources of information. If you do not have a SIEM solution in place, Veriato Recon can send alerts directly to appropriate staff for review and action, or via syslog to any other solution you wish.

As a security analyst reviews the data and determines that additional steps must be taken to investigate and respond to a potential attack, Veriato offers a unique benefit. Veriato Recon stores up to 30 days of detailed user activity data – the data that underpins the alerts. Veriato Recon also operates from the same management console as Veriato 360, our monitoring solution that enables rapid exploration and review of user activity data.

With a few clicks, the data stored by Veriato Recon can be transferred into Veriato 360. Once transferred, deep, context-rich visibility into the actual actions taken by the insider is available. CIRT and CSIRT teams around the world use Veriato 360 for exactly this purpose: to identify and respond to security issues, to rule out false positives generated by other systems, and to conduct investigations. The combined power of Veriato Recon and Veriato 360 equates to a robust insider threat detection and response solution.

One of the keys for us when building our UEBA solution was to make it both usable and powerful – to deliver a solution that could be up and running in a short period of time, without lengthy and expensive professional services engagements and the need for heavy customization. We set out to build a product that would deliver value to organizations no matter where they were on their behavioral analytics journey – to those just starting out and to those with dedicated and sophisticated teams. We think we’ve done just that.

A Deeper Dive into the Veriato Approach

Let’s take a closer look at the data collected for analysis.

Veriato focuses on human activity. Our job is to eliminate blind spots and to catch things that might otherwise fall through the cracks.

Our data collector gathers a wide array of information about exactly what the insiders in an organization are doing, including applications used, web activity and network usage, as well as:

User Status – tracks things like logon and logoff, as well as the amount of time that a user is spending within applications.

Communications Activity – which fuels our ability to track common data exfiltration methods, as well as analyze psycholinguistic indicators for early warning of elevated insider risk.

Document tracking and file transfers – which provides insight into what information is being accessed and what is being done with it once accessed.

Keystrokes – which enables visibility into what insiders are doing within applications and documents, as well as monitoring of highly privileged users who have the potential to damage the organization’s security with a few keystrokes.

With this rich set of user activity data to analyze, we are able to detect meaningful anomalies across the range of methods insiders typically use to take critical intellectual property out of the control of the organization.

Psycholinguistics and the insider threat

While monitoring and alerting on technical indicators like the ones described above is widely understood and employed, there are less obvious methods that can and should be employed to improve your organization’s security against the possibility of a damaging insider attack. Additional indicators, or metrics, exist that provide early warning about an insider’s potential to carry out such an attack. The psychology of language, known as psycholinguistics, is one such area. Indicators can be found in the digital communications of insiders that, when present, are clear warnings that risk is elevated. These indicators can be gathered, without any human eyes on the content of the communications, by bulk analysis using machine reading and algorithms that identify changes in patterns of communication. Adding a psycholinguistic component to your insider threat detection program can be the difference between proactive interdiction and reactive incident response.

The Insider has options

An insider who decides to take information against company policy has an array of options available to them simply by being inside the technology moat. Everything from email, portable storage and personal cloud solutions to the tried-and-true low-tech printing of documents or screens is available to them.

Contrasted with an external actor, who must attempt to move the data to a remote server via a network connection, the scope of the task of detecting and preventing insider attacks becomes clearer. Dedicated insider threat detection programs require User and Entity Behavior Analytics as a key component. Locking information down tightly enough to make it truly secure isn’t an option – the productivity costs are too great. Rather, a comprehensive approach that includes device and data security, and that recognizes that the human factor requires analysis of human behaviors and activity, is needed to stop the insider attack before it makes it into the media.
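The prioritization logic described on the previous page (a USB-drive anomaly on its own versus the same anomaly coinciding with a negative sentiment shift), together with the syslog routing of the resulting alert, written out as a runnable Go program. This is an added example, not Veriato's code, and it does not claim to reproduce their analytics: the per-user baseline is a plain mean and standard deviation over a constructed 30-day window (no peer-group profiles), the thresholds (3 SD for the technical indicator, 2 SD for the sentiment indicator), the record fields, the host and application names in the syslog line and the structured-data element ueba@32473 are assumptions chosen for the example, and a real psycholinguistic model is far more than one sentiment number per day.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// DailyActivity is one user-day as a collector might summarize it.
// Field names are assumptions for this example, not Veriato's schema.
type DailyActivity struct {
	User      string
	Day       string  // YYYY-MM-DD
	USBFiles  int     // files copied to removable media (the technical indicator)
	Sentiment float64 // mean sentiment of that day's messages, -1..+1 (the psycholinguistic indicator)
}

// Baseline is what "normal" looks like for one user over the learning window.
type Baseline struct{ MeanUSB, SDUSB, MeanSentiment, SDSentiment float64 }

// Alert is the outcome of scoring one day against a baseline. The Z fields are standard
// deviations from the user's own mean; Priority is "high" when both indicators coincide.
type Alert struct {
	User, Day        string
	USBZ, SentimentZ float64
	Priority         string
}

func meanSD(xs []float64) (mean, sd float64) {
	for _, x := range xs {
		mean += x
	}
	mean /= float64(len(xs))
	for _, x := range xs {
		sd += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(sd / float64(len(xs)))
}

// BuildBaselines learns one Baseline per user from the history window.
func BuildBaselines(history []DailyActivity) map[string]Baseline {
	usb, sent := map[string][]float64{}, map[string][]float64{}
	for _, r := range history {
		usb[r.User] = append(usb[r.User], float64(r.USBFiles))
		sent[r.User] = append(sent[r.User], r.Sentiment)
	}
	out := map[string]Baseline{}
	for u := range usb {
		mu, su := meanSD(usb[u])
		ms, ss := meanSD(sent[u])
		out[u] = Baseline{mu, su, ms, ss}
	}
	return out
}

// Score alerts when USB use is more than 3 SD above the user's own mean. A sentiment
// drop of more than 2 SD never alerts by itself; it only raises the priority.
// The SD is floored so a perfectly flat history still yields a finite score.
func Score(today DailyActivity, b Baseline) (Alert, bool) {
	usbZ := (float64(today.USBFiles) - b.MeanUSB) / math.Max(b.SDUSB, 1.0)
	sentZ := (today.Sentiment - b.MeanSentiment) / math.Max(b.SDSentiment, 0.1)
	if usbZ <= 3 {
		return Alert{}, false
	}
	a := Alert{User: today.User, Day: today.Day, USBZ: usbZ, SentimentZ: sentZ, Priority: "medium"}
	if sentZ < -2 {
		a.Priority = "high"
	}
	return a, true
}

// Syslog renders an alert as an RFC 5424 line. PRI = facility*8 + severity, facility 10
// (security/authorization), severity 2 (critical) for high priority and 4 (warning) otherwise.
// Enterprise number 32473 is the documentation value reserved by RFC 5612, an assumption here.
func Syslog(a Alert, now time.Time) string {
	sev := 4
	if a.Priority == "high" {
		sev = 2
	}
	return fmt.Sprintf(`<%d>1 %s recon-host ueba - USB_ANOMALY [ueba@32473 user="%s" day="%s" usb_z="%.1f" sentiment_z="%.1f" priority="%s"] USB usage anomaly`,
		10*8+sev, now.UTC().Format(time.RFC3339), a.User, a.Day, a.USBZ, a.SentimentZ, a.Priority)
}

// SampleHistory is a constructed 30-day window: two users with identical quiet USB use
// (1 to 3 files a day) and stable, mildly positive communications.
func SampleHistory() []DailyActivity {
	var h []DailyActivity
	for i := 0; i < 30; i++ {
		for _, u := range []string{"alice", "bob"} {
			h = append(h, DailyActivity{u, fmt.Sprintf("2015-09-%02d", i+1), 1 + i%3, 0.1 + 0.1*float64(i%3)})
		}
	}
	return h
}

func main() {
	base := BuildBaselines(SampleHistory())
	// Constructed "today": both users copy 40 files to USB; only bob's sentiment has collapsed.
	for _, d := range []DailyActivity{{"alice", "2015-10-01", 40, 0.2}, {"bob", "2015-10-01", 40, -0.6}} {
		if a, ok := Score(d, base[d.User]); ok {
			fmt.Println(Syslog(a, time.Now()))
		}
	}
}
```

Run as-is, it prints two syslog lines: alice's at severity 4 (technical indicator only) and bob's at severity 2 (technical indicator plus sentiment shift), which is the ordering an analyst would want when both land in the same SIEM queue. The sentiment indicator is deliberately not allowed to fire on its own: a bad week in someone's email is a reason to look harder at their technical activity, not an incident.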

Source: Veriato

ADVANCED INSIDER THREAT SOLUTION

For companies that have sensitive intellectual property which, if stolen or exposed by insiders, poses risk to the company, and that want to protect critical information without restricting access or locking systems down so tightly that productivity is hindered, Veriato Recon is User Behavior Analysis software that provides early warning of suspicious behavior by passively monitoring user behavior and alerting when actions contradict policies or vary from well-defined patterns.

Rather than focusing on protecting assets, Veriato Recon monitors user behavior for indicators of risk, recording and alerting when insider risk is elevated, enabling rapid interdiction, reducing false positives, and ensuring actionable reporting.

PROBLEM

Insider threats are more prevalent than ever. Because the insider has been granted access (or is impersonating someone who has access), perimeter defenses and access controls are rendered ineffective. As insiders have authorized access, and are often trusted, insider attacks are more difficult to detect than external threats. The ability of insiders to damage their company is heightened because they know what information assets they need and exactly where to find them.

SOLUTION

Veriato Recon’s User Behavior Analytics detects insider risks and insider threats early and reliably. By learning your users’ normal behavior, Veriato Recon is able to detect behavior pattern shifts directly related to threats and alert you before the problem fully manifests. User Behavior Analysis (“UBA”) provides a critically needed and different perspective because it is laser focused on the actions of the insiders themselves. Veriato Recon’s approach to UBA combines an intuitive user interface with powerful analytic capabilities. This combination improves insider threat program effectiveness, augments your other security investments (like SIEM) and lowers your risk from insider attacks.

KEY BENEFITS

EARLY DETECTION AND WARNING
Veriato Recon’s behavioral analytics capability provides critical insight into shifts in established patterns that are directly related to insider threat behavior. Early detection is key to mitigating the risk, harm and threats insiders pose. By focusing directly on the behavior of insiders, Veriato Recon can isolate anomalies and alert on them immediately.

SYSTEM OF RECORD
Stop piecing together information from disparate sources in an effort to reconstruct what happened. Save time and money with a system of record that doesn’t require specialized expertise to decipher. Veriato Recon supports the best practice of reviewing departing employees’ online activity during the 30-day period prior to resignation or termination.

3RD PARTY INTEGRATIONS
Best practice dictates aggregating user activity data with other sources of intelligence to minimize the risk of an insider threat. Integrations with leading SIEM providers, along with the ability to export data via syslog, provide a powerful stream of user activity intelligence to the solutions you’ve already invested in – making them even more effective.

HIGHLY USABLE USER BEHAVIOR ANALYTICS
Veriato Recon stores underlying user activity data on local machines and transmits only alerts and transactional information across the network. It does not require dedicated hardware and, once deployed, requires very little IT interaction. Unlike many User Behavior Analytics solutions, it is easily tuned to your environment.

KEY FEATURES

BEHAVIORAL BASELINES
Recon is always on, monitoring the behavior patterns of users and scanning for signs of an insider threat. The software learns what normal looks like, and adapts to changes in routine seamlessly. The agent runs silently in the background, and Veriato Recon does not interfere with business processes or productivity.

ANOMALY DETECTION & ALERTING
Veriato Recon applies algorithms and statistical analysis to detect anomalies in user behavior that indicate elevated insider risk or insider threat. Once detected, alerts are sent via email and, at your discretion, to your SIEM solution. Veriato Recon also includes keywords and phrases that are proven indicators of insider threat activity.

USER ACTIVITY LOG
Employee activity logs are created and stored on the local machine where the activity is occurring for up to 30 days. To ensure the logs are safe and available, these employee activity logs are encrypted and obfuscated. The employee activity logs provide a comprehensive record of everything that an employee did before, during and after an alert.

EASY INTEGRATION WITH VERIATO 360
Built on the proven foundation of Veriato 360, Veriato Recon is deployed and managed from the same console. Organizations that wish to employ both User Behavior Analytics and User Activity Monitoring will find it exceptionally easy to implement and manage, enabling proper coverage of higher and lower risk insiders.

THE VISIBILITY YOU NEED – A SOLUTION THOUSANDS OF COMPANIES TRUST

Organizations worldwide use Veriato 360 to protect their assets; monitor highly privileged users; reduce litigation risk and expense; improve efficiency and productivity; and ensure compliance with company policies. Veriato 360 is a comprehensive user activity monitoring solution that enables companies to log, retain, review and report on employee activity when there is cause to do so. Veriato 360 creates a definitive record of an employee’s digital behavior, and in doing so provides organizations with the ability to see the context of user actions. This translates into the answers you need, without high false positive rates, in one easy-to-use package.

PROBLEM

Without accurate information, making good decisions is difficult at best. Not all of the information needed to make the right call is easy to see; organizations typically piece together clues from a multitude of disparate sources in an attempt to assemble a complete picture of what is happening within. Not having a definitive record of the digital activity occurring in your organization leaves you vulnerable to insider threats, increases your litigation risk, and prevents you from improving operational efficiency and maximizing productivity.

SOLUTION

Collecting data on employee digital activity addresses these problems head on. From early detection of fraud and other insider threats, through more efficient and effective investigations, termination protection, and reduction of HR-related risks, to baselining in support of establishing best practices and improving training programs, having visibility into the online and communications fabrics of your organization gives you the information you need to support your corporate goals and objectives.

KEY BENEFITS

PRIVILEGED USER MONITORING
Highly privileged users (or “super users”) have a disproportionate ability to harm an organization, because of the level of access they have been granted. By monitoring their activity, you can ensure that the access they’ve been granted is not used improperly. There is no greater risk than a highly privileged user gone rogue.

INTELLECTUAL PROPERTY AND CORPORATE DATA PROTECTION
Employees leaving the organization take IP with them when they leave. 1 out of 2 employees surveyed think it is OK to do so. If you are not actively monitoring the activity of employees during this high-risk exit period, you are letting your IP and sensitive data (like customer contacts) leave with them.

IMPROVING OPERATIONAL EFFICIENCY AND EFFECTIVENESS
Benchmark the activities of top-performing employees and departments to identify training opportunities and best practices. Make sure the tools and processes you’ve invested in are being used. Identify the top “time drains” in your organization and implement changes to maximize productivity.

KNOW WHAT YOU NEED TO, WHEN YOU NEED TO KNOW
Leverage powerful alerting and reporting capabilities to put the answers you need in easy-to-create, easy-to-understand forms. No digging through myriad sources of data; no cobbling together reports. More than 75 out-of-the-box reports, and the ability to create custom reports with just a few clicks.

KEY FEATURES

DETAILED RECORDING OF DIGITAL ACTIVITY
Veriato 360 collects data on human interactions with the IT resources people access and use. Uniquely able to see what people are doing within the online and communications fabric of the organization, Veriato 360 creates a definitive record of user activity, including file and document access and movement, web activity, application usage, network activity, and communications activity across email and IM platforms.

POWERFUL EMPLOYEE PRIVACY PROTECTIONS
Though it may seem counter-intuitive, Veriato 360 contains numerous options to maximize the privacy of your employees. From the simple (not recording activity on personal banking sites) to the more complex (masking passwords and user names), Veriato 360 enables you to balance employee privacy and the needs of the organization.

ACTIVE TIME, FOCUS TIME
Veriato 360 distinguishes between active time and focus time – so you can know whether an application or website was opened and left idle, or was being actively interacted with. This is critical to accurately assessing productivity, and eliminates any questions about what was done and when.

INTELLIGENT ACTIVITY DRILL-DOWN
Veriato 360 allows you to quickly find the action in question, so you can spend your time addressing risks impacting the business instead of looking through tens of thousands of actions in a single day.

SCREEN PLAYBACK
Veriato 360 can capture actual screen snapshots, enabling you to replay computer-based actions tied to activity data within context, before, during and after an event.

SECURE STORAGE
All data collected is written to an on-premises SQL database that uses a proprietary database schema. Object-level encryption using AES or 3DES ensures the data remains secure. Of the two, choose AES when configuring a deployment: NIST has deprecated 3DES (SP 800-131A Rev. 2), because its 64-bit block size limits how much data a single key can safely protect.
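Both storage claims in these datasheets (activity logs held encrypted on the endpoint for up to 30 days, and object-level AES encryption in the on-premises database) describe encryption at rest without saying how each encrypted object is tied to the row it belongs to. Below is an added Go example of object-level encryption done the way a reviewer would want to see it; it is not Veriato's code, the record and column names are assumptions, and the activity event is constructed. It goes beyond the page in one respect: it uses AES-GCM, an authenticated mode, and feeds the cleartext index columns (record id, user, timestamp, key id) in as associated data, so a stored row cannot be edited or re-attributed to a different user without decryption failing. Two caveats the datasheets leave implicit: the key here is generated in memory, whereas in a deployment it must come from a key manager or HSM and never sit beside the data it protects; and on the endpoint, whoever administers the machine can read whatever the agent itself can decrypt there, so local encryption protects the logs from a stolen disk, not from a rogue local administrator.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Record is one activity-log object. Field names are assumptions, not the proprietary schema.
type Record struct {
	ID        uint64 // stable object id
	User      string // who the activity is attributed to
	Timestamp int64  // unix seconds
	Payload   []byte // the event itself, e.g. JSON; this is what gets encrypted
}

// Sealed is the row as stored; ID, User, Timestamp and KeyID stay in the clear for indexing.
type Sealed struct {
	ID         uint64
	User       string
	Timestamp  int64
	KeyID      uint32 // identifies the key, so keys can be rotated without re-encrypting everything
	Nonce      []byte // 12 random bytes, never reused under the same key
	Ciphertext []byte // AES-GCM output; the last 16 bytes are the authentication tag
}

// aad serialises the cleartext columns; Open recomputes it, so any change to them fails the tag check.
func aad(id uint64, user string, ts int64, keyID uint32) []byte {
	b := make([]byte, 20, 20+len(user))
	binary.BigEndian.PutUint64(b[0:8], id)
	binary.BigEndian.PutUint64(b[8:16], uint64(ts))
	binary.BigEndian.PutUint32(b[16:20], keyID)
	return append(b, user...)
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record under the key identified by keyID. With random 96-bit nonces a key
// should not protect more than about 2^32 objects (NIST SP 800-38D): carry KeyID and rotate.
func Seal(key []byte, keyID uint32, r Record) (Sealed, error) {
	g, err := gcm(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	ct := g.Seal(nil, nonce, r.Payload, aad(r.ID, r.User, r.Timestamp, keyID))
	return Sealed{r.ID, r.User, r.Timestamp, keyID, nonce, ct}, nil
}

// Open decrypts and authenticates a stored row; a modified payload, nonce or cleartext column is rejected.
func Open(key []byte, s Sealed) (Record, error) {
	g, err := gcm(key)
	if err != nil {
		return Record{}, err
	}
	pt, err := g.Open(nil, s.Nonce, s.Ciphertext, aad(s.ID, s.User, s.Timestamp, s.KeyID))
	if err != nil {
		return Record{}, errors.New("activity record failed authentication")
	}
	return Record{s.ID, s.User, s.Timestamp, pt}, nil
}

// Demo round-trips a constructed record, then shows that re-attributing the stored row to
// another user is detected. It returns (roundTripOK, tamperDetected).
func Demo() (bool, bool) {
	key := make([]byte, 32) // AES-256; in a deployment this comes from a key manager or HSM
	if _, err := rand.Read(key); err != nil {
		return false, false
	}
	rec := Record{ID: 42, User: "alice", Timestamp: 1443657600, Payload: []byte(`{"event":"usb_copy","file":"q3-forecast.xlsx"}`)}
	s, err := Seal(key, 1, rec)
	if err != nil {
		return false, false
	}
	back, err := Open(key, s)
	ok := err == nil && string(back.Payload) == string(rec.Payload)
	s.User = "bob" // someone with write access to the table swaps the attribution
	_, err = Open(key, s)
	return ok, err != nil
}

func main() {
	ok, tamper := Demo()
	fmt.Printf("round trip ok: %v, re-attribution detected: %v\n", ok, tamper)
}
```

The point of binding the index columns is that a "system of record" used in HR or legal proceedings has to resist someone with database write access quietly moving an event from one employee to another; encrypting the payload alone does not give you that.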

Research From Gartner: Market Guide for User and Entity Behavior Analytics

UEBA successfully detects malicious and abusive activity that otherwise goes unnoticed, and effectively consolidates and prioritizes security alerts sent from other systems.

Key Findings

• The user and entity behavior analytics (UEBA) market grew substantially in 2015; UEBA vendors grew their customer base, market consolidation began, and Gartner client interest in UEBA and security analytics increased.

• Enterprises successfully use UEBA to detect malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP.

• Not all companies think they need UEBA. Advanced SIEM users say they maintain sufficient visibility as long as they keep SIEM rules tuned, while organizations with advanced data science skills say they build more-effective business-focused models than UEBA vendors do.

• UEBA vendors align their technology with one or more domains, including security management, insider threats, data exfiltration, access entitlement use monitoring, or securing use of SaaS applications.

• UEBA vendors need to mature their offerings for enterprise scalability by implementing UEBA access controls, user interfaces for rule management and richer reporting.

Recommendations

Chief information officers, chief information security officers and security managers should:

• Use UEBA to detect insider threats and external hackers, and choose vendors with solutions that align with your use cases, for example, security monitoring or data exfiltration.

• Integrate UEBA with existing security applications by feeding UEBA systems with logs and data the existing security applications already collect. Incorporate network and endpoint data for visibility into activity not available in logs.

• Do not discount the need to investigate individuals who have low risk scores in UEBA systems.

• Operationalize UEBA by sending alerts to security orchestration, ticketing and workflow systems.

• Favor UEBA vendors who profile multiple entities including users and their peer groups, and devices, and who use machine learning to detect anomalies. These features enable more accurate detection of malicious or abusive users.

Strategic Planning Assumptions

By 2017, at least four UEBA technology companies with revenue less than $50 million will be acquired by SIEM, DLP or other large technology vendors supporting security use cases.

By 2017, at least 60% of major cloud access security broker vendors and 25% of major SIEM and DLP vendors will incorporate advanced analytics and UEBA functionality into their products, either through acquisitions, partnerships or natively.

By 2017, deep learning will be incorporated into at least one UEBA product, and, by 2019, this number will rise to at least 20 UEBA products.

Market Definition

User and entity behavior analytics is bringing profiling and anomaly detection based on machine learning to security. UEBA vendors use packaged analytics to evaluate the activity of users and other entities to discover security infractions.

UEBA vendors:

• Profile and baseline the activity of users, peer groups and other entities such as endpoints, applications and networks.

• Form peer groups based upon common user activities, using directory groupings and human resources information only as a starting point.

• Correlate user and other entity activities and behaviors.

• Detect anomalies using statistical models, machine learning and/or rules that compare activity to profiles (see Note 1).

User activities are evaluated beyond an initial login, and include user movements, access to organizational assets and the context with which that access occurs.

This market definition is updated from last year’s Market Guide definition of the user behavior analytics (UBA) market that included vendors that support both security and fraud use cases (see Note 2). The UEBA market, as now defined, comprises only vendors that support security use cases with packaged analytics. This updated definition recognizes the distinct market that has developed around security and is separate from fraud. The letter “e” in the term UEBA recognizes the fact that other entities besides users are often profiled in order to more accurately pinpoint threats, in part by correlating the behavior of these other entities with user behavior (see Figure 1).

The UEBA market does not include vendors that do not profile users and do not detect anomalies in user behavior — for example, vendors that analyze endpoint and/or network behavior but not user behavior. The UEBA market also does not include vendors that support security use cases through data mining, user-driven data exploration and visualization, but that don’t provide packaged user behavior security analytics as part of this support. Near-real-time monitoring is a required capability.

Market Direction

Growth and Consolidation

The UEBA market grew faster and matured more quickly than Gartner anticipated a year ago. Gartner expects UEBA market revenue will climb to almost $200 million by the end of 2017, up from less than $50 million today. Market consolidation has begun and is expected to continue. In July

FIGURE 1. UEBA Defined
[Diagram; only its labels are recoverable here. The diagram connects the UEBA element with the following labeled elements: Security Orchestration; Application*; Security and other organizational systems; Data lakes and warehouses; User; Endpoint**; Network; External Threat & Identity Intelligence.]
* includes cloud, mobile and other on-premises applications
** includes managed and unmanaged endpoints
Source: Gartner (September 2015)

2015, Splunk acquired UEBA startup Caspida, which had just a handful of customers, for $190 million. In September 2015, Microsoft acquired Adallom, a cloud security broker with UEBA functionality and about 100 customers, for a reported $250 million.[1] In April 2015, HP announced that it had repackaged Securonix technology into its HP ArcSight User Behavior Analytics product.

Providers of security monitoring technologies and services need to develop or acquire statistical analysis and machine learning capabilities to incorporate into their security monitoring platforms or services. Rule-based detection technology alone is unable to keep pace with the increasingly complex demands of threat and breach detection.

By 2017, at least 20% of major security vendors with a focus on user controls or user monitoring will incorporate advanced analytics and UEBA into their products, either through acquisitions, partnerships or internal development (see Note 3).

Expect to see security information and event management (SIEM) vendors drive and lead UEBA market consolidation, with other large vendors that provide data loss prevention (DLP) or cloud security technology to follow. Some UEBA vendors will remain independent and grow into companies with more than $100 million in revenue by 2018.

UEBA Becomes a Preferred Security Operations System

Over the next three years, leading UEBA platforms will become preferred systems for security operations and investigations at some of the organizations they serve. It will be — and in some cases already is — much easier to discover some security events and analyze individual offenders in UEBA than it is in many legacy security monitoring systems.

Other UEBA Market Entrants

In the next two years, many (non-UEBA) vendors that offer platforms with advanced analytics, big data integration and data visualization used for security (and other use cases) will end up packaging analytics that focus in part on user behavior. These include vendors such as RedOwl Analytics, Prelert, Cloudera, Platfora and Sqrrl.

We also expect different segments of the security analytics market to start converging with the UEBA market. In particular, vendors offering advanced analytics that are network- or endpoint-centric will start adding user-centric behavior analytics into their products, either through acquisitions, partnerships or natively.

Convergence of UEBA for SaaS and On-Premises Applications

To remain successful, UEBA vendors will need to support user and entity behavior analytics for both on-premises and cloud-based workloads so that enterprise customers can have a single integrated view of all their users’ activities, independent of where they occur. These vendors will have to add techniques to capture and analyze data from environments and applications they currently do not support. This is likely to be much easier said than done because of the different technical competencies required to work with cloud-based or on-premises workloads.

For example, vendors that work on-premises and ingest SIEM log files will have to learn how to collect data from SaaS applications, either by evaluating network traffic routed between the enterprise and the SaaS application, or by connecting to APIs of widely used SaaS applications. Similarly, vendors that provide UEBA for SaaS should integrate with on-premises applications and data, although they are unlikely to do so within the next three years. At the same time, some cloud access security brokerage (CASB) vendors will develop more analytics and will focus strongly on profiling users of cloud applications.

User Endpoint Visibility

We are already seeing vendors (such as Dtex Systems and SpectorSoft) that have agent-based UEBA technology that monitors employee activities on their desktops, planning to ingest server logs into their analytics. This will give these vendors’ products greater visibility into network and system activity. The technical integration of agent-based and agentless data collection methods will continue across UEBA vendors, as users demand broader and deeper system, network and endpoint visibility. Organizations will demand that UEBA vendors give them options as to which data collection mechanisms they can implement, especially for full endpoint visibility. One UEBA vendor, Interset, already does this, for example, by enabling organizations to choose between its agentless and agent-based endpoint activity collection.

Some vendors claim to offer full endpoint visibility without having to deploy endpoint agents. Rapid7 says it already has full agentless visibility into

Windows endpoints by using proprietary software that remotely extracts information from the Windows system. LightCyber deploys a temporary endpoint agent only when an endpoint is deemed suspect by its network analytics in order to obtain full-system forensic information. (Continuous remote execution of code using protocols such as Windows Management Instrumentation [WMI] and remote procedure call [RPC] on all organizational endpoints, particularly in large organizations with thousands of endpoints, is not practical or scalable because of time and computing resource constraints.)

Other UEBA vendors plan to integrate with well-known endpoint agents already gaining traction in the market, such as Tanium or Bit9 + Carbon Black. Other UEBA vendors claim they get what they need from most endpoints using WMI and RPC protocols that periodically scan selected subsets of endpoints on an enterprise network.

Network Visibility

In the next three years, UEBA customers will pressure vendors that acquire data from system logs to also ingest network flow or packet data or other summarized network information, in order to give visibility into user and application activity not captured in logs. This will be especially important for vendors that do not have full visibility into a user’s endpoint.

Behavior Indicators and Information

Customers trying to address insider threat use cases will pressure UEBA vendors to add support for semistructured and contextual unstructured information that informs organizations on employee behavior and potential insider threats. For example, this behavioral information may be found in various user communication channels, such as email and messaging. For data privacy reasons, the data collection and analysis will normally be limited to metadata of such communications, but, in some cases, will also include content and sentiment analysis, which provides important contextual information about user activities and behavior. (RedOwl Analytics is known for analyzing email content and sentiments.)

Similarly, unstructured contextual information found in performance reviews or on social media is becoming increasingly desirable in understanding user behavior and threats against an enterprise, especially when trying to detect insider threats. UEBA vendors must be capable of making sense and use of social network information, for example, by analyzing an employee’s social media activities and network in order to assess employee risk.

However, the ability to automate the ingestion and analysis of such unstructured information will remain very difficult for the next few years.

External Threat and Identity Intelligence

External threat and other identity intelligence information will gain more importance, especially when companies have the tools to make this intelligence actionable. This is becoming more plausible as standards for threat information sharing such as STIX and TAXII take shape, and threat intelligence platforms from companies such as ThreatConnect, ThreatStream, and BrightPoint Security gain adoption.

Analytics

Advanced analytics and the type of machine learning used by vendors with UEBA functionality are key to their success and competitiveness. The main goals for UEBA vendors are to pinpoint threats and improve the signal-to-noise ratio across multiple monitoring systems or other information sources that feed into their platforms. These goals are only achievable and sustainable if advanced analytics are used, so that UEBA vendors (or other vendors that incorporate UEBA technology) can keep pace with the increasing volume and complexity of security events.

Expect to see rapid advancements in analytics used by systems that have UEBA functionality, especially since security is a fruitful use case for their applications. In the next few years, machine learning will start migrating into deep learning, where the models learn on their own “training data,” and select which attributes and variables to key their analytics off of. Deep learning promises to disrupt the UEBA market and other sectors that rely on machine learning and advanced analytics.

Market Analysis

Despite almost $80 billion spent globally on security,[2] attackers are still getting through organizational defenses. In almost every publicized case of a breach or system intrusion, alerts and alarms did go off in the various monitoring systems, but were ignored since they were buried among tens or hundreds of thousands of alerts.

At the same time, most enterprises spend a majority of their security budget on prevention measures, such as firewalls, strong user authentication, intrusion prevention, antivirus systems and the like. Successful hackers have figured out how to beat these prevention systems. In addition, the attackers are often not detected once they intrude on a network, since many monitoring systems generate so many false alarms that intrusion alerts often remain unnoticed.

Most recent breaches involved hackers taking over existing user accounts, activities that UEBA systems are designed to detect. Organizations need to balance their security investments across protection and detection. Detection can be more successfully accomplished using advanced behavioral analytics rather than just using rules.

What Is UEBA Used For?

UEBA is primarily used for one or more of three objectives:

• Analyze: Find bad actors via rapid detection and analysis of attacks and other infractions

• Prioritize: Prioritize alerts organizational users need to act on, and/or improve alert management by correlating and consolidating alerts from existing systems

• Respond: Streamline alert and incident investigations by reducing the time and number of staff required to investigate those alerts (since the underlying data for the correlated alerts is typically readily available, and investigators can easily look across organizational assets and entities linked to suspect behavior)

Who Buys UEBA?

Not all companies need or think they need UEBA. Most organizations don’t have the interest or resources for advanced detection and analytic systems, which currently appeal to mainly very large global organizations. Even among this group, interest is not ubiquitous. Advanced SIEM users say they maintain sufficient visibility and low alert volume as long as they keep SIEM rules tuned. Organizations with advanced data science skills and resources say they build more effective business-focused models than UEBA vendors can. But many large organizations aren’t satisfied with the results of their incumbent security systems, and some of those that have hired data scientists to work on security models discover that this employment arrangement is not sustainable. The reason for this is that they cannot afford to retain data scientists on the payroll while they try to keep pace with rapid advances in attack techniques and in machine learning techniques. So instead, some security organizations are looking for vendors that are capable in machine learning and have packaged analytics that can detect malicious or abusive behavior, security events and breaches.

Gartner client interest in UEBA and related security analytics rose substantially in the past 12 months, ending June 2015. Inquiries by end-user organizations on user behavior analytics rose nearly tenfold, and on security analytics by 25%. Volume of inquiries into security analytics is about five times higher than it is in user behavior analytics, but this is partly due to the familiarity of terms used by Gartner clients to lodge inquiries. Most client interest comes from North America and Europe, but we receive inquiries on these subjects from all over the globe.

UEBA Technology

UEBA has five main technology components — data analytics, data integration, data presentation/visualization, source systems analyzed and service delivery method, as defined below.

Data Analytics

Advanced Analytics: Rules Versus Machine Learning Versus Deep Learning

A UEBA vendor’s data analytics capabilities are optimized for specific security use cases and domains. The quality of the predefined analytics is more critical to success than current data source integration, since effective analytics are harder to achieve than integration with additional data sources.

The effectiveness of an analytics engine greatly depends on:

• Knowing which data and variables need to be analyzed

• Making sure it’s reading the “right” data sources that will give it the full picture

• Knowing how much weight to give to key variables that are analyzed via risk rating functions

Therefore, users should be highly selective about the entities and data they incorporate into analytics, in order to reduce unnecessary noise that the detection engine must filter out. Once the entities and variables are selected (which UEBA vendors help with), the more information extracted the better in order to help pinpoint “bad behaviors” and increase detection rates. The analysis of other entities (such as endpoints and networks), and correlating that analysis with user behavior informs the analytic engine so that malicious activities can be more easily detected.

As noted in the Market Definition section, UEBA brings machine learning and statistical analysis to security monitoring, generating risk scores for evaluated events and entities. These scores indicate the likelihood of data breach, compromise or other abusive behavior, and are in stark contrast to binary “yes” or “no” outputs generated by rules.

Rules are based on what a human knows about the data. When rules are not tuned properly, they generate too much noise and too many alerts that are not properly prioritized. This is a common scenario among many large Gartner clients that use rule-based security monitoring systems that end up generating hundreds of thousands of alerts or more per day.3 Most importantly, humans cannot predict what future attacks will look like. Statistical analysis and machine learning can find anomalies in data that humans wouldn’t otherwise know about.

Still, in most cases and with most analytic systems, humans must supervise the machine processes and tell the models which data to evaluate and how to weight the different variables — a process known as “feature selection.” Future models based on deep learning promise to reduce human involvement in machine learning processes, but those models have not reached the UEBA market yet and likely will not until 2017.

For the time being, machine learning for UEBA requires model supervision based on human feedback and confirmation of “bad” behavior identified by the machine learning models. Machine learning models are good at establishing baselines and detecting anomalies to those baselines, but they are not capable of knowing if those anomalies represent good or bad behavior unless humans tell them so. Similarly, machine learning models are incapable of knowing if the baselines they have established represent good or bad behavior.

Humans must also supplement machine learning models with rules that only the business knows about. Humans still know things machines don’t, for example, a specific threat indicator affecting their organization. Therefore, UEBA systems need to give their customers the ability to add their own rules that fire in coordination with the UEBA system’s rules and models. Customers should be able to keep these rules private and only accessible to designated users, as they may contain highly confidential and sensitive information.

Cautions About Profiling and Anomaly Detection

UEBA profiling and machine learning are still not sufficiently proven when it comes to detecting suspicious behavior among privileged users or developers. In these cases, organizations still have to rely partly on their own rules instead of solely on statistical analysis and machine learning. These rules can work well with vendor models, but users must take responsibility for writing and including them.

UEBA users should note that:

• The behavior of privileged users, IT developers and others can be highly irregular depending on their job functions, making baselining user behavior through profiling, and anomaly detection, much more problematic.

• A given user or peer group can be bad from the start of profiling, so that ongoing bad behavior will not be noted as anomalous to the baseline. This caution applies for both privileged and nonprivileged users.

Data Integration

UEBA solutions should be able to integrate any type of structured data and, optimally, also nonstructured information needed for its analysis. As already noted, a UEBA solution that only ingests logs may miss important activity, especially if it does not have full visibility into the user endpoint. For example, these systems may not see if an employee is moving sensitive files from his or her desktop to a cloud storage and sharing provider. As such, the ingestion of network data is advantageous, as are agent-based or agentless systems that collect user endpoint activity.
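As an added illustration (not code from Gartner or from any vendor in this guide) of how the pieces above fit together, the toy scoring engine below combines per-user statistical baselines, peer-group baselines and a customer-authored rule into one risk score, and shows the “bad from the start” caution in action: carol’s own baseline never flags her steady uploads, but her peer group does. The users, departments, daily counts, weights and the payroll-share rule are all constructed.

```python
"""Toy UEBA risk-scoring engine (constructed example, not any vendor's code).

Three mechanisms add points to the same per-user risk score:
  1. self baseline  - z-score of today's value against the user's own history
  2. peer baseline  - z-score against the user's department peers, which
                      catches a user whose own baseline was already "bad"
  3. customer rules - human-authored indicators that fire alongside the models
"""
from collections import defaultdict
from statistics import mean, pstdev

# Points per unit of z-score for each variable: a crude "risk rating function".
WEIGHTS = {"logins": 1.0, "upload_mb": 3.0, "after_hours": 2.0}
Z_MIN = 3.0    # deviations below three standard deviations are ignored
Z_CAP = 10.0   # cap so one enormous outlier cannot swamp every other signal
MIN_STD = 1.0  # floor for flat baselines (a user with zero variance)

def day(user, dept, d, logins, upload_mb, after_hours, shares=()):
    """One day of constructed endpoint activity for one user."""
    return {"user": user, "dept": dept, "day": d, "shares": tuple(shares),
            "metrics": {"logins": logins, "upload_mb": upload_mb,
                        "after_hours": after_hours}}

# Constructed five-day baseline window (days 1-5).
HISTORY = [
    # alice: quiet baseline
    *[day("alice", "finance", d, l, u, 0) for d, l, u in
      zip(range(1, 6), [8, 9, 7, 8, 9], [4, 6, 5, 5, 5])],
    # bob: quiet baseline
    *[day("bob", "finance", d, l, u, 0) for d, l, u in
      zip(range(1, 6), [10, 11, 9, 10, 10], [6, 4, 5, 5, 5])],
    # carol: ~300 MB of cloud uploads every day, so her own baseline is "bad"
    *[day("carol", "finance", d, l, u, 0) for d, l, u in
      zip(range(1, 6), [8, 8, 9, 8, 7], [300, 310, 290, 305, 295])],
    # dave: sole member of his department, so no peer baseline exists
    *[day("dave", "engineering", d, l, u, 0) for d, l, u in
      zip(range(1, 6), [5, 6, 5, 5, 4], [1, 2, 1, 1, 0])],
]
# Constructed day to score (day 6).
TODAY = [
    day("alice", "finance", 6, 8, 420, 4),   # large upload plus after-hours logins
    day("bob", "finance", 6, 10, 5, 0),
    day("carol", "finance", 6, 8, 300, 0),   # same as every other day for her
    day("dave", "engineering", 6, 5, 1, 0, shares=("payroll",)),
]

def payroll_share_rule(rec):
    """Customer-authored rule (constructed indicator): only HR may touch the
    payroll share. Returns (points, reason) or None."""
    if "payroll" in rec["shares"] and rec["dept"] != "hr":
        return 40.0, "rule: payroll share accessed outside HR"
    return None

def z_score(value, baseline):
    """Standard deviations of value above the baseline mean (used one-sided)."""
    return (value - mean(baseline)) / max(pstdev(baseline), MIN_STD)

def score_users(history, today, rules):
    """Return {user: {"score": float, "reasons": [...]}} for each record in today."""
    by_user = defaultdict(lambda: defaultdict(list))                      # user -> metric -> values
    by_dept = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))  # dept -> user -> metric
    for rec in history:
        for m, v in rec["metrics"].items():
            by_user[rec["user"]][m].append(v)
            by_dept[rec["dept"]][rec["user"]][m].append(v)
    results = {}
    for rec in today:
        score, reasons = 0.0, []
        for m, v in rec["metrics"].items():
            # 1. Is today unusual for this user?
            z = z_score(v, by_user[rec["user"]][m])
            if z >= Z_MIN:
                score += WEIGHTS[m] * min(z, Z_CAP)
                reasons.append(f"self:{m} z={z:.1f}")
            # 2. Is this user unusual for the department (excluding the user)?
            peers = [x for u, vals in by_dept[rec["dept"]].items()
                     if u != rec["user"] for x in vals[m]]
            if peers:
                z = z_score(v, peers)
                if z >= Z_MIN:
                    score += WEIGHTS[m] * min(z, Z_CAP)
                    reasons.append(f"peer:{m} z={z:.1f}")
        # 3. Human rules fire in coordination with the models, same score.
        for rule in rules:
            hit = rule(rec)
            if hit:
                score += hit[0]
                reasons.append(hit[1])
        results[rec["user"]] = {"score": score, "reasons": reasons}
    return results

def shortlist(results, n=3):
    """Top-n users by risk score: the ranked list an analyst would review."""
    return sorted(results, key=lambda u: results[u]["score"], reverse=True)[:n]

if __name__ == "__main__":
    res = score_users(HISTORY, TODAY, [payroll_share_rule])
    for u in shortlist(res, 4):
        print(f"{u:6} {res[u]['score']:6.1f}  {'; '.join(res[u]['reasons'])}")
```

Note that alice’s peer comparison on uploads does not fire because carol’s 300 MB days inflate the peer baseline, which is the same caution applied to a peer group rather than a single user.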

It is inherently more difficult to automate ingestion of unstructured contextual information than it is to automate the ingestion of structured or semistructured (such as unpredictable log) data; hence, the inclusion of unstructured contextual information will elongate project timelines considerably. However, unstructured contextual information (such as performance appraisals, travel logs and social media activity) can be extremely useful in helping discover and score risky user behavior. Gartner has also seen the ingestion of results from systems that help organizations secure application code (for example, with code reviews) into UEBA. The correlation of this data with IT developer behavior and activity has been successfully used to facilitate secure product development (see Note 4 for samples of structured and unstructured data sources).

Data Presentation and Visualization

This technology component represents the ability of the vendor to display UEBA analytics and results in a manner useful to the organization’s security operations team, IT and business users so that patterns and trends in security infractions are readily apparent and can be acted upon. This includes providing functionality for link analysis, time series and trend analysis, and queries and reports across users and other entities.

Source Systems and Applications Incorporated

This technology can be deployed on-premises or in the cloud. It is related to data integration capabilities, but the emphasis in this component is the vendor’s in-depth knowledge of the source systems. Some UEBA vendors, for example, are much more familiar with SIEM or DLP, while others are more familiar with identity and access management (IAM) or various SaaS applications, depending on the domains they are targeting. (See the Domain Expertise and Use Cases section.)

Service Delivery Methods

As used by the UEBA solution, these methods are either on-premises or offered as a cloud-based service. Often times, UEBA vendors require organizations to install appliances for network traffic capture.

Vendor Differentiation

Time to Implement

The ease and time of a UEBA implementation, and its future effectiveness, largely depend on:

• The sophistication of the vendor’s analytics, that is, whether it incorporates statistical models and machine learning as opposed to just rules

• How much of the analytics comes prepackaged, that is, the vendor knows which data to collect for the various use cases, and which variables and attributes are important to the analytics

• How easy it is for the vendor to automatically integrate the required data

• How focused the organization’s use case is, how many datasets the use case requires and how well the organization’s use case aligns with the vendor’s domain expertise

• How much organizational involvement is required, for example, to write rules, clean up data such as dormant accounts and account privileges, and to assign weights to variables selected for evaluation

• How scalable the vendor’s solution and architecture is relative to the organization’s current and future requirements

Domain Expertise and Use Cases

Not all UEBA vendors approach the security market in the same way. Gartner has seen five primary domains and use cases that the vendors and their users align with, and some vendors align with multiple domains:

• Broad-scope security management: The use case here is to rapidly detect and analyze bad activities (many of which were heretofore unknown), improve signal-to-noise ratio, consolidate and reduce alert volume, prioritize alerts that remain, and facilitate efficient response and investigation. UEBA vendors that target this use case typically have tight two-way integrations with organizational SIEM systems.

• Data exfiltration: The use case in this domain is to detect the exfiltration of organizational data. Vendors focused on this use case typically enhance existing DLP systems with anomaly detection and advanced analytics, thereby improving their signal-to-noise ratio; consolidate DLP alert volume; and prioritize alerts that remain. For additional context, they tend to integrate with, and rely more on,

network traffic (for example, Web proxy) and endpoint data, as the analysis of these data sources can help shed light on data exfiltration activities. Data exfiltration detection is used to catch both insiders and external hackers threatening an organization.

• Identity access management: UEBA vendors in this domain monitor and analyze user behavior against already-established access rights. This holds true for all types of users and accounts, including privileged users and service accounts. Organizations have also used UEBA to help clean up dormant accounts and user privileges that are set higher than they need to be.

• Insider threats: UEBA vendors targeting this use case monitor staff only for unusual, bad or abusive behavior. Vendors in this domain don’t monitor or analyze service accounts or other nonhuman entities in order to inform their analysis. Largely because of this, they are not oriented toward detecting advanced threats where hackers take over existing user accounts, but are oriented instead toward finding insiders engaged in malicious activities.

Essentially, insider threats emanate from trusted users with malicious intent who seek to impose damage on their employer. Since malicious intent is difficult to assess, best-in-class vendors in this category analyze contextual behavioral information not readily available in log files. Some vendors depend on downloadable user endpoint agents to capture and analyze a rich set of user activities. Vendors in this domain also optimally ingest and analyze unstructured information, such as email content, performance reviews or social media information, for employee behavior context.

• SaaS security: Some vendors, especially in the CASB space, use UEBA functionality to ensure security and visibility into enterprise use of SaaS applications. This is true of Adallom, the CASB vendor that Microsoft acquired.

Enterprise Readiness and Product Maturity

To be enterprise-ready, UEBA vendors should provide these features, which are missing from many of the UEBA platforms in the market (note that these are additional to the core features noted in the UEBA Market Definition section, such as predefined analytics):

• Access controls in the UEBA system so that administrators can properly grant and partition access across UEBA users. In addition, UEBA system users themselves should be audited and tracked by the system.

• Reporting and query systems so that events can be viewed from various angles and across multiple entities, and so that users can pivot queries off of entities of special interest.

• An easy-to-use rule engine so that users can write their own rules to work with vendor analytics.

• Ability for users to export their alerts, signals and other outputs to existing enterprise systems.

• Ability for users to incorporate their own analytic models, if they are so inclined.

Market Phases

In last year’s Market Guide for User Behavior Analytics, we outlined three market phases: Phase 1, tools; Phase 2, advanced data integration and early canned (or packaged) analytics; and Phase 3, more advanced canned and predictive analytics for cybersecurity and fraud (see Note 4 for the definitions of these phases).

In 2015, most UEBA vendors are in Phase 3, and packaged analytics are being used to determine the likelihood of security infractions. Some, however, are still in Phase 2, where they profile users and provide tools for data integration and analytics. They still rely heavily on human involvement and intelligence, and on professional services to build rules and data filters, and to select variables and data for different entity views. Some Phase 2 vendors incorporate statistical analysis into some functions, like noting standard deviations of selected events (such as user logins) across time.

Gartner expects Phase 2 vendors to start moving into Phase 3 and packaging more analytics for repeatable use cases and scenarios. Most organizations want the vendors to do the “heavy lifting” on the analytics and data science, since those skills are difficult to come by and take considerable time to put to use for security

analytics. Further, the rate of change in data science and machine learning is accelerating rapidly, and few organizations have the resources to keep up.

Representative Vendors

The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Most vendors in this list are Phase 3 UEBA vendors; however, a few are still in Phase 2, meaning that end users of the products have to play a very active role in setting up rules and user profiles. Primary domains and use cases that the vendors target are listed in the vendor descriptions. The five primary domains are outlined in the Market Analysis section above. Some UEBA vendors support additional domains, including compliance and fraud management, as noted below by vendor.

Bay Dynamics profiles and analyzes users, endpoints, applications and other entities independently and then correlates their alerts. Its Risk Fabric application presents users with a shortlist of their top risk users, endpoints, applications and IP addresses. Bay Dynamics successfully ingests multiple types of data feeds (it started with DLP information, since it was integrated with Symantec’s DLP package), and supports multiple use cases beyond data exfiltration. For example, it highlights anomalies in privileged user access, vendor behavior and IT developer security practices. It also has a module that analyzes an organization’s “attack surface.”

Primary Domains: Security management, data exfiltration, identity and access management, insider threat

Bottomline Technologies provides UEBA functionality since it acquired Intellinx, a fraud detection and security company, in January 2015. The firm’s Cyber Fraud and Risk Management platform parses network data of multiple protocols, and reconstructs user sessions providing visual replay for investigations of internal and external threats, data leakage and anomalous events. It uses a rule-based analytic engine and statistical profiling of users and their peer groups. It correlates alerts and generates predictive risk scores for compliance (anti-money-laundering, privacy regulations, PCI), security and fraud use cases.

Primary Domains: Insider threats, data exfiltration

Cynet is a startup UEBA vendor that reports it has about 30 customers, mainly in EMEA, but also in the U.S. and Australia. It offers agentless endpoint probing by remotely executing code on the endpoints. Cynet profiles users, endpoints, network activity and files, and correlates anomalous behavior alerts across them. It uses machine learning and says it continuously analyzes all entities, including endpoints (via remote code execution), and not just when suspect activity is detected. Included in the Cynet offering is a managed UEBA service, where Cynet’s security operations center (SOC) investigates the most advanced threats and assists customers with the remediation of these threats.

Primary Domains: Security management, data exfiltration

Dtex Systems is focused on insider threats, and provides human analytics and a behavioral risk engine built on top of an endpoint agent. The agent can be pushed to endpoints by software distribution or logon scripts. Dtex says its agent is lightweight in terms of the amount of data it collects and the impact to the endpoint, and Dtex anonymizes identities it profiles. Its roadmap includes integrating data from logs and SIEM to provide greater visibility into security events.

Primary Domain: Insider threats

E8 Security profiles behavior of users and devices using automated machine learning algorithms to detect anomalies and discover advanced attacks in the enterprise. E8 Security integrates user, endpoint and network behaviors into its Entity Behavioral Analytics solution, providing visibility into multiple stages of attacker activity inside the enterprise perimeter. E8 Security’s Entity Behavior Analytics solution is built on top of big data technologies, such as Hadoop, Spark and HBase.

Primary Domains: Security management, data exfiltration, insider threats

Exabeam has about 50 active deployments of its UEBA platform that integrates directly with SIEM systems such as Splunk and QRadar. Exabeam is installed very quickly at most customers (in hours or days), as its solution is tightly focused on security management and analytics, and the data it requires, but some implementations have taken

longer. It does not rely on agents or network taps. The system profiles users, peer groups and other entities, and adds points to a user’s risk score based on anomalies it detects with its statistical models, machine learning and rules. It builds timelines of sessions and attack sequences.

Primary Domains: Security management, data exfiltration, insider threat

Fortscale provides user, peer group, and other entity profiling and machine learning incorporating multiple data sources using unsupervised machine learning algorithms. It is deployed at some major companies, and consolidates high-risk events into security alerts. It comes with a rich reporting module that enables incident-based investigations. Canned analytics are designed to detect rogue insiders and hackers with compromised credentials.

Primary Domains: Security management, data exfiltration, insider threat

Gurucul has over 35 active deployments and says it innovated dynamic peer group analytics based on users’ activities and access patterns. Peer group analysis has proven useful in monitoring privileged accounts, detecting insider threats and reducing false positives. Gurucul supports on-premises or cloud-based implementations, and integrates with several SaaS applications such as Salesforce, Office365 and Box. Clients can put their own rules on top of Gurucul’s packaged analytics, which are based on machine learning algorithms. Gurucul provides a big data back end in Hadoop, plus it also uses information staged in big data technology.

Primary Domains: Identity access management, security management, data exfiltration, insider threat, SaaS security, compliance and fraud

Interset uses advanced analytics and machine learning, and can ingest data from multiple sources, including security applications, authentication sources, network traffic, cloud-based application connectors/APIs, and from an optional endpoint sensor that customers can install. Its software does not require rules or thresholds, and surfaces timelines of an attack chain by correlating multiple suspect events. It can be deployed on-premises or as a cloud-based service. Interset has aligned with multiple use cases, such as insider threat, advanced attack detection and IP protection.

Primary Domains: Security management, data exfiltration, insider threats, SaaS security

LightCyber began its solution by primarily profiling network and other machine assets (for example, applications, endpoints), and using machine learning to detect anomalous activities related to these entities. More recently, the firm began profiling users and correlating user behavior alerts with other entity alerts. The firm gathers its information from a network-based appliance, and is primarily focused on detecting advanced attacks and breaches. LightCyber deploys a lightweight endpoint (“dissolving”) agent on suspect devices upon detection of suspect activity, which then proceeds to interrogate the host to automatically gather data for both detection and investigative purposes.

Primary Domains: Security management, data exfiltration, insider threat

Lockheed Martin’s LM Wisdom product is focused on identifying insider threats. LM Wisdom Insider Threat Identification (ITI) integrates structured and unstructured contextual information, such as performance reviews or employee information access, where it performs key word searches and uses other analytics to look for signs of employee risks. Lockheed Martin’s projects are highly consultative in nature and take several months to launch. The LM Wisdom ITI software largely uses rules and filters developed by the product’s power users, as well as statistical algorithms. The tool ingests data from CSV file formats. The firm developed the product for internal use and is also selling to the commercial and public sector.

Primary Domain: Insider threats

Microsoft’s Advanced Threat Analytics (ATA) platform is based on the Aorato software it acquired in November 2014. It provides deep packet inspection of Active Directory traffic, which is captured through port mirroring and data from SIEM tools. The system uses machine learning, and user, peer group and other profiling to detect anomalous behavior. Analytics are entirely automated and don’t use rules. In September 2015, Microsoft acquired Adallom, a CASB vendor that uses UEBA techniques to secure SaaS applications.

Primary Domains: Insider threats, identity and access management, SaaS security

Mobile System 7’s Interlock product provides detection and access controls for both on-premises and cloud-based systems. Interlock collects event and log information from enterprise applications, as well as from SaaS platforms such as from its partner Okta, an identity and access management as a service (IDaaS) vendor. Interlock analyzes data in near real time using statistical and machine learning algorithms to detect anomalies and assess the risk of users, peer groups, devices and other entities. Interlock includes a policy enforcement capability that manages access controls based on detected risks.

Primary Domains: Identity and access management, SaaS security

Niara is a well-funded startup vendor that came out of stealth mode in June 2015. The firm profiles users, peer groups and devices, and discovers anomalous behavior using supervised and unsupervised machine learning algorithms and, optionally, rules. It also analyzes discrete data entities (for example, files, URLs, domain names) using supervised machine learning, and correlates the results of this analysis with the UEBA analysis in order to reduce false positives and determine malicious intent and activities. Niara’s product sits on top of Hadoop and ingests data from native logs, network flows and packet data for integrated analytics and forensics. The firm has also integrated its software, which can be run on-premises or in the cloud, with Splunk and HP’s SIEM systems.

Primary Domains: Security management, data exfiltration, insider threats

ObserveIT uses an agent-based desktop collection method to monitor desktop and user activity, and it aligns its solutions to the domains of employee monitoring (including privileged users), audit and compliance, insider threat, vendor risk management, and gateway and Windows monitoring. The firm profiles user activity and behavior, and uses rules to look for anomalies. It plans to incorporate cluster analysis and machine learning in the future.

Primary Domain: Insider threats

Rapid7’s UEBA solution, called Rapid7 UserInsight, leverages attacker knowledge from Rapid7’s well-known Metasploit penetration testing product and the firm’s Global Services team. Rapid7 UserInsight profiles users, peer groups and other entities, and collects and analyzes Windows, Mac and Linux endpoint logs without an endpoint agent. The solution integrates with cloud platforms such as 365 and Salesforce. UserInsight is quick to install and can discover traditional blind spots (for example, compromised local admin accounts) without user intervention. UserInsight also offers investigation workflows for incident response.

Primary Domains: Security management, SaaS security, identity and access management

Raytheon Websense’s SureView Insider Threat focuses on insider threats, and its rule-based product monitors employees by collecting endpoint data with an agent. It uses risk-scoring algorithms to identify a shortlist of users who have performed the most potentially risky activities. SureView Insider Threat provides analysts a workflow for reviewing a risky user’s activities in context, and the tools to remediate those behaviors. In addition to offering its own analytics, SureView integrates with other analytic engines such as RedOwl Analytics. Its implementations extend to over 100,000 endpoints.

Primary Domain: Insider threats

Securonix, founded in 2008 and one of the first UEBA vendors, supports behavioral analytics for multiple use cases, such as detecting insider or external threats, for more than 50 enterprises. Its platform profiles users, peer groups, devices and other entities, and performs near-real-time behavioral analytics using rules and statistical analysis to detect anomalies. Securonix ingests identity, security events, activity and access information from existing data lakes or directly from the source while providing a Hadoop big data storage option. Securonix supports on-premises and cloud-based implementations.

Primary Domains: Security management, insider threat, data exfiltration, SaaS security, identity access management

SpectorSoft focuses on employee monitoring and insider threats, and collects data using an agent. The firm is developing an analytics application for Splunk, and eventually other SIEM deployments, which will give its customers broader visibility into activities beyond what is seen at endpoints. The firm uses profiling and behavioral analytics.

Primary Domain: Insider threats

Splunk moved into the UEBA market with its July 2015 acquisition of Caspida, which profiles users, peer groups, endpoints, IP addresses and other entities, and detects anomalies using machine learning and by correlating entity behavior. Most UEBA vendors in this Market Guide have relatively tight integrations with Splunk, but now Splunk has its own UEBA engine that supplements its existing Enterprise security module. Splunk’s UEBA system focuses on advanced attacks and data exfiltration, and is moving to also support fraud use cases.

Primary Domains: Security management, data exfiltration, fraud

Varonis uses a rule-based engine and some statistical analysis functions that focus on insider threats and data exfiltration by analyzing users’ access to files and their use of email. It discovers and prioritizes the file assets that need to be protected through its user monitoring and analytics. The system profiles users and helps analysts write their own rules through discovery of unusual events. Varonis also has built-in rules to alert on statistically significant deviations from normal data usage behavior, and built-in analytics to signal where employees have more access than they require.

Primary Domains: Insider threats, data exfiltration

Market Recommendations

• Evaluate UEBA vendors with domain expertise that aligns with your primary use case, for example, monitoring use of privileges established in identity and access management systems, pinpointing data exfiltration and leakage, or security management via prioritization of alerts, anomaly detection and enabling more efficient response and investigations.

• When implementing UEBA, start with a narrow well-defined use case and a limited set of data, and grow the use cases and dataset inclusion over time.

• Integrate UEBA applications with existing security applications by ingesting logs and data they already collect and filter.

• Incorporate network and endpoint data to gain additional visibility into user and application activity beyond what is present in log files.

• Consider the need to investigate individuals who have low risk scores in UEBA systems, since the system may be missing important data sources in its risk-scoring calculation. Also, user profiles may be built on existing bad behavior, so anomaly detection will be misleading.

• Write your own rules and policies for monitoring developer and privileged-user behavior that work in conjunction with UEBA models, since UEBA anomaly detection is less reliable for these unpredictable users.

• Consider the inclusion of nonstructured behavioral information, such as performance information, travel logs, or social media activity to provide fuller context for user behavior analysis. But be prepared for longer project timetables and the inability to fully automate their inclusion.

• Operationalize UEBA results by sending alerts to security orchestration, ticketing workflow and investigation systems, which over time may be an integral extension to the UEBA system itself.

• Favor UEBA vendors who profile multiple entities including users and their peer groups, and devices, and who use machine learning to detect anomalies. These features enable more accurate detection of malicious or abusive users.

• Look for UEBA solutions that give your organization integrated visibility into on-premises, cloud-based and BYOD platforms and endpoints.

• Promote cultural change and executive-level interest in security and risk at your organization by using UEBA dashboards to present security and risk postures and indicators in a meaningful way to senior risk and security managers. This type of information presentation can and has been used to promote secure IT product development.

• Augment UEBA with other layered security solutions, such as network, endpoint, data, and application protection and deception platforms, because UEBA is not a be-all and end-all security system.

Evidence

1 On 8 September 2015, major media outlet Bloomberg reported that Microsoft paid $250 million to acquire Adallom. The same was reported on 8 September by technology media company TechCrunch. See “Best Practices and Success Stories for User Behavior Analytics” for more information on Adallom’s UEBA functionality.

2 Gartner projected worldwide spending on information security at $71.1 billion in 2014, an increase of 7.9% over 2013, with the data loss prevention segment recording the fastest growth at 18.9%. Total information security spending will grow a further 8.2% in 2015 to reach $76.9 billion.

3 Some large Gartner clients receive from 500,000 to one million alerts a day across multiple security monitoring systems, such as SIEM and DLP.

Note 1
UEBA Market Definition: Machine Learning, Statistical Models and Rules

UEBA vendors must profile users and look for anomalous user behavior relative to their profiles using machine learning, statistical models and/or rules. UEBA vendors that are considered advanced use machine learning and statistical models to detect anomalous behavior. UEBA vendors that only use rules are still, however, included in this market as long as they profile user behavior.

Optimally, vendors should use all types of tools that aid in anomaly detection. Also, they should combine a rule engine with machine learning and statistical models built into the platform, so that users can write their own policies and rules based on information they know that the machine learning models have not yet (or cannot) learn on their own. For example, this could include a policy that restricts all communications with a certain geographical area based on political considerations that originate from state doctrines unknown to machine models.

Note 2
UEBA Market and Fraud

Security technology is focused on stopping the theft of information or data, whereas fraud detection technology is focused on stopping the use of stolen information or fraud.

Note 3
Market Phases

Here are summarized definitions of the three market phases as outlined in the 2014 Market Guide for User Behavior Analytics. For more complete information, please refer to the Market Guide itself.

Phase 1: Tools

The first vendors to emerge in this space over 10 years ago were those that enabled entity link analysis or social network analysis across structured data. Analytics were driven by users or were customized by the vendors using data that first had to be transformed through relatively lengthy extraction, transformation and loading (ETL) and data cleansing processes so that identities and entities could be resolved and linked. Network visualization techniques were introduced as part of the user interface.

Phase 2: Advanced Data Integration and Canned Analytics

Most Phase 2 UBA vendors resolve identities and entities automatically using their own fuzzy and data-matching techniques. With these more sophisticated data integration tools, customers can avoid lengthy data cleansing, resolution and ETL processes that characterized past projects. Users are still responsible for defining underlying data models, and discovery and linkage of source data.

In Phase 2, UBA vendors started packaging more canned intelligence for repeatable use cases, mainly to solve fraud in many of the areas tackled in Phase 1 (for example, credit card bust out, account takeover, new account fraud, loan origination, insurance claims, healthcare fraud, tax refund fraud, government benefit programs and more).

Still, UBA products of Phases 1 and 2 are primarily used for forensics and investigation and for forensics of fraud or theft that has already occurred, which is usually ongoing and spreading. Moreover, a hefty amount of professional services is almost always required to successfully implement and maintain these projects.
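As an added example (not Gartner's or any vendor's code) of what the Note 1 definition describes: per-user and per-peer-group statistical profiles of daily outbound volume, scored together with a hand-written policy rule of the kind the note mentions, over constructed activity records. The users, volumes, the restricted destination "XX" and the 3-sigma threshold are all assumptions; dave's record illustrates the Market Recommendations caveat that a profile learned from already-bad behavior will not flag it, and erin shows a new entity with no profile falling back to the peer baseline.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real telemetry): (user, peer_group, bytes_out, dest_country).
# HISTORY is the window profiles are learned from; NEW_EVENTS is the day being scored.
HISTORY = [("alice", "eng", v, "US") for v in (100, 120, 80, 110, 90)]
HISTORY += [("bob", "eng", v, "US") for v in (200, 220, 180, 210, 190)]
HISTORY += [("carol", "eng", v, "US") for v in (150, 170, 130, 160, 140)]
# dave's history already contains bulk transfers, so his profile learns them as "normal".
HISTORY += [("dave", "ops", v, "US") for v in (5000, 5200, 4800, 5100, 4900)]
NEW_EVENTS = [
    ("alice", "eng", 2000, "US"),  # far above her own and her peers' baseline
    ("bob", "eng", 205, "XX"),     # normal volume, but destination hits a policy rule
    ("carol", "eng", 160, "US"),   # nothing unusual
    ("dave", "ops", 5100, "US"),   # bad behaviour baked into the baseline: not flagged
    ("erin", "eng", 400, "US"),    # new user with no profile: judged against peers only
]
RESTRICTED_DESTS = {"XX"}  # hypothetical policy value: a region communications may not go to
Z_THRESHOLD = 3.0          # standard deviations above baseline that count as anomalous


def _baseline(values):
    """(mean, stdev) of a history; stdev is floored so flat histories still score."""
    return mean(values), max(pstdev(values), 1.0)


def build_profiles(history):
    """Learn a (mean, stdev) profile per user and per peer group from the history window."""
    per_user, per_group = defaultdict(list), defaultdict(list)
    for user, group, volume, _dest in history:
        per_user[user].append(volume)
        per_group[group].append(volume)
    return {"user": {u: _baseline(v) for u, v in per_user.items()},
            "group": {g: _baseline(v) for g, v in per_group.items()}}


def score_events(events, profiles, restricted=RESTRICTED_DESTS, z=Z_THRESHOLD):
    """Combine statistical anomaly detection with a hand-written policy rule."""
    findings = []
    for user, group, volume, dest in events:
        reasons = []
        for kind, key in (("user", user), ("peer", group)):   # own baseline, then peer baseline
            if key in profiles["user" if kind == "user" else "group"]:
                mu, sigma = profiles["user" if kind == "user" else "group"][key]
                if (volume - mu) / sigma > z:
                    reasons.append(f"{kind}_z={(volume - mu) / sigma:.1f}")
        if dest in restricted:   # rule engine: knowledge the statistical model cannot learn
            reasons.append(f"policy:restricted_dest={dest}")
        if reasons:
            findings.append({"user": user, "reasons": reasons})
    return findings
```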

Phase 3: More Advanced Canned and Predictive Analytics for Cybersecurity and Fraud

Several innovative UBA startups have gained traction in solving insider and advanced threats with predictive canned analytics. They have managed to gain some large corporate customers who have achieved notable results that were difficult, if not impossible, to achieve using incumbent methods such as established SIEM or DLP user monitoring applications.

At the same time, larger security and UBA vendors are developing predictive analytic modules for detecting insider and advanced threats, so that their applications don’t have to rely on customer-driven analytics and inquiries of the data.

Note 4
Semistructured and Unstructured Contextual information

Sample semistructured data sources include:

1 Logs from existing agentless or agent-based logging applications

2 Native log collection from event sources or operating systems

3 Connectors into various applications, such as SaaS applications

4 Network flow or packet data

5 Data exports into standard formats like CSV

6 Structured threat intelligence using standards such as STIX and TAXII

7 Metadata from electronic communications such as email

Unstructured contextual data sources include:

1 Social media network connections and postings

2 The content of electronic communications such as email and chat

3 Images

4 News feeds

5 Unstructured threat intelligence

6 Other documents that help inform user behavior analysis, such as performance appraisals where vendors parse for key words like “disgruntled” or travel records that can be used to reconcile remote access activities

Source: Gartner Research, G00276088, Avivah Litan, 22 September 2015

Contact Us

Veriato is an innovator in actionable User Behavior Analytics and the global leader in User Activity Monitoring. More than 36,000 companies, schools, and government entities worldwide have relied on Veriato solutions to gain insight into the user activity on their network, and enjoy the security and productivity increases that come with it.

The Veriato mission is to provide world-class software and support that enables our customers to protect their most valuable assets, reduce their risk, and gain unparalleled visibility into their operations.

Veriato’s award-winning solutions include Veriato Recon (behavioral analytics based insider threat detection), Veriato 360 (enterprise-grade User Activity Monitoring), Veriato Investigator (employee investigation tool), Veriato Log Manager (event and security log management) and Veriato Server Manager (server management solution).

WHY VERIATO

• A track record proven since 1998
• Strong customer base in over 110 countries around the world
• Deployments ranging from 10 seats to 10 thousand plus seats
• Dedicated support closely integrated with Product Development to insure maximum responsiveness
• Backing from leading Private Equity firms

PRODUCT PORTFOLIO

Veriato Recon is a user behavior analytics solution designed to provide data protection against insider attacks. The software detects and alerts on anomalies related to insider threat behaviors. Veriato Recon also enables best practices like the review of online activity of employees during the high-risk exit period.

Veriato 360 is a user activity monitoring solution that enables retention, review, reporting and alerting on employee activity. Used for monitoring higher risk employees, and for incident response, Veriato 360 provides exceptional visibility and contextual information.

Veriato Investigator is an employee investigation solution perfect for temporary, focused investigations. Veriato Investigator installs quickly, records detailed information on employee activity, and enables fast, accurate, and efficient exploration and playback of the recorded data.

Veriato Log Manager provides event and security log management. Centrally monitor Windows, Unix, Linux, switches, routers, hubs and more; consolidating all of your event and security logs in one place and offering powerful reporting options.

Veriato Server Manager adds application, resource, and disk monitoring to the event and log management features found in Veriato Log Manager. No other single solution equals this comprehensive offering for your server monitoring needs.

Veriato, Inc.
4440 PGA Boulevard, Suite 500, Palm Beach Gardens, FL 33410
1.888.598.2788
1.772.770.5670

Data Protection & the Insider Threat is published by Veriato. Editorial content supplied by Veriato is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2016 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Veriato’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website.