An Anatomy of UEBA for Practical Insider Threat Detection


Derek Lin (Chief Data Scientist, Exabeam)

Location: Grand Ballroom C

Date: Thursday, May 3

Time: 3:00pm - 3:50pm

Pass Type: All Access, Conference

Format: Conference Session

Track: Data & Analytics

Audience: Intermediate

Vault Recording: TBD

Audience Level: Intermediate

Detecting insider threats with data science methods has many benefits. In fact, a data-centric approach is the only way when there are no prior signatures for rule-based detection and no known ground-truth labels for supervised machine learning. But how does it work, and what should one consider to make it a successful operation?

The talk starts by surveying use cases that support insider threat detection. It compares and contrasts the uses of simpler statistical analysis vs. more sophisticated machine learning. The bulk of this talk centers on detailed example use cases to ground the discussion. Learning algorithms are explained in layman's terms. One should come away understanding the recipe behind the science. Example use cases for discussion may include the following:

  • The use of histograms for profiling user or asset behaviors, with tricks and tips to avoid false positives.
  • Detection of a user’s abnormal AD event sequence, where you’ll see a statistical procedure (principal component analysis) in action.
  • Detection of anomalous behavior in Windows command line usage, where a simple inference method (Bayes-based) applies.
  • Peer group analysis by representing users as vectors in space to allow user-to-group comparison.
  • Determination of user-to-asset "distance" via the kind of recommender system used in retail, as a way to reduce false positives in the popular application of user-to-asset access-based rules.

While data science is useful for insider threat detection, there are pitfalls to avoid when it comes to operationalization. Difficulties can reduce a buzzy data science project to merely a science project – prototyped but soon forgotten. This talk will candidly address the challenges and share lessons learned in deploying data science-based applications. I'll talk about considerations for user-facing elements and operational constraints.

This talk is geared toward those who are interested in applying data science to insider threat detection or user and entity behavior analytics, but don't have the requisite training to fully understand the intricacy and complexity involved in data science. By examining some use cases in detail, you will develop a sense of what is possible in finding insider threats, and why, and understand what makes a successful field deployment.
