By David Sanders

Part 1

A common question among companies seeking to mitigate the risk of an insider attack is: “What tools should we buy for our mitigation program to be successful?”

Our view is that every effective insider threat program must have two tools. One is a user activity monitoring (UAM) system and the second is artificial intelligence-based analytics software.

It’s important to understand that these tools perform distinctly different functions, and that no single technology will meet the breadth of requirements that UAM and AI analytics do when combined.

UAM is a structured, consistent and continuous collection and reporting process across the whole of an organization at the device level. It helps users identify, assess, decide on responses to and act on specific analysis of employee behaviors.

The purpose of UAM is to gather detailed and substantive activity information (e.g., screen captures, text content, keystrokes, etc.) in the digital realm that may be indicative of an insider threat. UAM tools gather a level of detail not available from other tools, including data loss prevention (DLP), security information and event management (SIEM) and user and entity behavioral analytics (UEBA).

Some UAM tool vendors are adding dashboards and scoring to help focus analytical attention on users generating the most severe and frequent alerts. This is a helpful and positive development within the context of user activity on networks and devices, but it fails to include other data sources not generated by the UAM tool. It is important to remember that UAM systems provide only a limited digital view of the user, which precludes a broader understanding of the user’s full range of activities and behaviors.

Therefore, insider threat programs need to integrate data from across the organization into a separate tool that can perform advanced analytics, with the goal of creating a continuous, comprehensive and accurate assessment of insider behaviors to determine if a trusted individual has conducted or is likely to conduct acts of concern.

The analytical tool must be able to make sense of an abundance of data from technical (i.e., digital) and non-technical sources, and then transform the results into actionable risk intelligence for purposes of detection, risk prioritization and response.

Technical data includes voluminous raw feeds from DLP, web proxies, access management systems, UAM, printers, scanners, email and firewalls.  Non-technical data includes information about the individual from multiple departments within the organization, including:

  1. Human Resources (e.g., role, location, performance, incidents, status, leave patterns, projects, objectives, training records);
  2. Finance and Accounting (credit card activity, travel and expense records); and
  3. Security (badging activity, incidents, special access).

Prior to the advent of structured insider risk/threat programs, this broader non-technical data set was rarely integrated and analyzed. That said, there are some tools that were built specifically to conduct this type of multi-source analysis.

Within the CIO or CISO departments, SIEM and UEBA (now known as SIEM 2.0) are used predominantly for this purpose. Without question, the strengths of these two classes of tools are their ability to connect to multiple data sources (i.e., ingest, format, correlate and process data); search and report; and apply advanced analytical processes (e.g., rules, machine learning and other artificial intelligence techniques) to generate alerts.

However, SIEM/UEBA tools are not good at generating actionable risk scores, which are vital to identifying insider threats in a proactive, even predictive, manner. There are several reasons for this:

  1. Scoring is simplistic – adding scores together, sometimes applying a multiplier or adding a very large value when a specific high-threat event occurs to move users to the top of the scoring list;
  2. The tools do not effectively score non-technical behaviors, but rather create watch lists with the information; and
  3. Scoring models are not built specifically for the insider threat domain, but rather relate to specific use cases such as data exfiltration and attempted unauthorized access, which can often be ‘explained away’ as a product of non-malicious and non-negligent activity.

With UAM and SIEM/UEBA tools, then, organizations have abundant alerts but lack an effective scoring capability to identify insiders whose behaviors indicate that they have conducted or are likely to conduct acts of concern.

So what is the best analytical tool to make sense of the volumes of alerts and behavioral indicators that can be found buried in all that technical and non-technical data? At Haystax, we believe in the power of a probabilistic model known as a Bayesian Inference Network, or BayesNet.

BayesNets are a place to capture the knowledge and insights of domain experts and then apply data as evidence to support this or that belief. They are ideally suited to situations where the problems are complex and don’t lend themselves to black-or-white binary answers, and where the data is sparse, noisy or even non-existent.

The Bayesian model at the core of our Insider Threat Mitigation Suite was purpose-built to assess the probability that a user’s behaviors indicate potential or actual insider risk. The model is the single environment where all of the technical and non-technical data and alerts generated from UAM and SIEM/UEBA systems can be applied and effectively evaluated, which is why we call it a ‘whole-person’ model. If a customer does not have a SIEM/UEBA system already in place, the Haystax Insider Threat Mitigation Suite can fulfill many of the data integration and analysis functions in its place.


The screen image above represents a portion of the Haystax whole-person insider threat model. Ingested and processed data can be applied to any model node. The impact of each new piece of evidence is determined by the strength and frequency of the event and probability attributes of how one node in the model affects another.

These nodes and their probabilities were developed with input from experts in the fields of behavioral psychology, security, counterintelligence, human resources, investigations and analytics. The result is a detailed yet understandable model that continuously assesses the probability that an insider has committed an adverse act or has exhibited concerning behaviors, and then produces a risk score on a dashboard in the Haystax user interface that allows decision-makers to proactively mitigate their highest-priority insider threats.

In Part 2 of this post we will compare and contrast how data-driven UAM and SIEM/UEBA solutions detect insider threats versus how the model-driven Haystax solution does it.

Part 2

In Part 1 of this post we explored the basic characteristics of user activity monitoring (UAM), security information and event management (SIEM), user and entity behavioral analytics (UEBA) and artificial intelligence-based analytics software systems.

In this part we will compare and contrast how data-driven UAM and SIEM/UEBA solutions detect insider threats versus how the model-driven Haystax solution does it.

For illustration purposes, let’s consider a company with 10,000 trusted insiders that has the following circumstances:

  • 500,000 files per week are copied to removable media by 2,500 employees
  • 50,000 files per week are being sent outside the company via email
  • 100,000 DLP alerts per week for files being copied to removable media
  • 10,000 DLP alerts for email
  • 500,000 web page visits per week
  • 100,000 files downloaded from websites
  • 7,500 files uploaded to websites

The above assumptions are reasonable if there are few or no controls on the use of removable media and on sending files via email. The number of alerts generated would require a significant effort to review in a timely manner; therefore, there needs to be effective threat scoring to point the analysts to the insiders that pose the greatest threat to the organization.

To contrast the differences of how SIEM/UEBA solutions develop threat scores versus Haystax, and the effectiveness of each approach, we will evaluate three user behavior scenarios:

  1. User A has contextual, technical and non-technical behaviors;
  2. User B has contextual and technical behaviors; and
  3. User C has contextual and non-technical behaviors.

The scenarios and resulting scores are presented below.

User A has both cyber and non-cyber behaviors that should be considered in the overall threat analysis. The SIEM/UEBA score, on a relative scale of 0-100, is low. Scoring assumptions for the SIEM/UEBA are:

  1. Non-cyber behaviors and contextual data did not impact the score;
  2. The non-productive web browsing has low impact because it is not data exfiltration; and
  3. Sending files via email has low impact because the volume is low.

The Bayesian Inference Network (aka BayesNet) probabilities consider all of the activity, resulting in higher threat probabilities. The behaviors of User A could be indicative of many things – disengagement from the organization, unfamiliarity with company policy or attempts to test controls and monitoring. Identifying the increased threat level allows for further investigation (perhaps using the UAM tool) and proactive risk mitigation.

User B has contextual and technical behaviors and the SIEM/UEBA score is high, on a relative scale of 0-100. Scoring assumptions for the SIEM/UEBA are:

  1. The cyber behaviors are scored high due to the large volumes of data being sent outside the network; and
  2. The contextual data has no impact on the score.

The BayesNet probabilities consider all of the activity, resulting in higher threat probabilities. Specifically, the “Conducts Potential Insider Threat Activities” is high due to the data exfiltration. But the overall “Is Insider Threat Concern” is lower because it is impacted by the “Exhibits Concerning Characteristics,” which is lower due to the contextual data (e.g., position as recruiter, longevity with company, absence of other negative behaviors to increase the score). The behaviors of User B are likely that of an employee doing their job – sending company information to prospective employees.

User C has contextual and non-technical behaviors and the SIEM/UEBA score is zero, due to the absence of technical behaviors and the lack of scoring non-technical behaviors.

The BayesNet probability scoring indicates a low probability of “Conducts Potential Insider Threat Activities” due to the attempted access behaviors, and a medium probability of “Exhibits Concerning Characteristics” due to the access to critical data, attempted access, performance review and being a relatively new employee. User C does not appear to be a threat based on this information, but these behaviors should be retained and considered in the light of future behaviors.

These use cases demonstrate that insider threat programs should implement both UAM and advanced analytics. The UAM tools provide necessary details about users’ activities on computers and laptops, but do not contain all the data required to detect insider threat activity.

A broader set of data, usually at a higher level, needs to be integrated into and effectively analyzed by an advanced tool that can effectively consider both technical and non-technical indicators. The Haystax Insider Threat Mitigation Suite employs just such a tool: a BayesNet that effectively and consistently evaluates both of these behaviors, thus developing a picture of the whole person – and any early indications of insider risk.

#    #    #

Note: A former high-flying corporate executive suffers a series of personal and professional setbacks and gradually develops into an insider threat. Find out how Haystax would have used probabilistic analysis and technical/non-technical data to discover him prior to his massive theft of intellectual property, in To Catch an IP Thief.