APT, Insider Threat, and UEBA – Where’s the Overlap?

June 2, 2020

For those who work in security, it may seem that threats to your data, endpoints, and infrastructure can come from every angle. Unfortunately, many of these threats either originate from or implant themselves within the walls of the organization itself. The terms “insider threat” and “UEBA” have evolved to describe this laundry list of potential threats, which can make it difficult to understand how they differ and how to select security tools to prevent them.

What is APT?

APT, or Advanced Persistent Threat, refers to an attack that is almost certainly malicious in nature and typically initiated by a skilled attacker or group with the goal of gaining access to data or resources. APTs enter an organization’s network from the outside in the form of phishing, malware, or viruses and use long-term expert methods to move through the network via communications and endpoints before removing targeted items. In this sense, “insider” and “UEBA” refer to behavioral indicators of the attack moving inside the organization. Detection is accomplished by analyzing activity from firewalls, network communications, unknown endpoint processes, or components that could indicate malware or trojans, or signs of threats like SQL injection.

How is User Activity Monitoring or User Risk Different?

innerActiv’s system is specifically built to identify and analyze threats created by the internal users themselves rather than APT threats from third parties or malware. While equally dangerous, risks caused by the end user or employee require a vastly different detection system. This requires gathering data directly about the endpoint user’s activity rather than from network resources or logs. Insider threats, whether malicious or accidental, cause billions of dollars of damage per year and can consist of incidents as simple as accidentally emailing sensitive information to an unapproved party, broken workflows causing insecure data storage, or even malicious incidents such as users removing bulk data to provide to a third party. innerActiv’s behavioral analysis (UEBA) refers directly to the behavior of the employees handling your sensitive data and your files on a daily basis, and to the analysis of where the risk to that data exists.
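As an added illustration (not innerActiv’s code or a description of its product), the two endpoint-side checks the paragraph names, a sensitive file emailed to an unapproved party and a bulk removal of files judged against the user’s own baseline, run over a constructed activity log; the approved-domain list, the removal action names and the z-score threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

APPROVED_DOMAINS = {"corp.example"}                 # assumption: recipients allowed to get sensitive data
REMOVAL_ACTIONS = {"copy_removable", "upload"}      # assumption: actions that move files off the endpoint


def build_sample():
    """Constructed endpoint activity log: (user, day, action, target, sensitive). Not real data."""
    events = []
    # bob copies a handful of files per day, then 120 in one day (bulk removal)
    for day, n in enumerate([3, 4, 3, 2, 5, 120], start=1):
        events += [("bob", day, "copy_removable", "E:/", False)] * n
    events.append(("alice", 1, "email", "bob@corp.example", True))    # approved party: no alert
    events.append(("alice", 2, "email", "vendor@mail.example", True))  # sensitive file to unapproved party
    events.append(("carol", 1, "email", "carol@mail.example", False))  # not sensitive: no alert
    return events


def unapproved_sensitive_emails(events):
    """Policy check: a sensitive file emailed to a domain outside the approved list."""
    alerts = []
    for user, day, action, target, sensitive in events:
        if action == "email" and sensitive:
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in APPROVED_DOMAINS:
                alerts.append((user, day, target))
    return alerts


def bulk_removal_outliers(events, min_days=3, z=3.0):
    """Behavioral check: a day's removal count far above the user's own prior-day baseline."""
    per_day = defaultdict(lambda: defaultdict(int))
    for user, day, action, _, _ in events:
        if action in REMOVAL_ACTIONS:
            per_day[user][day] += 1
    alerts = []
    for user, days in per_day.items():
        for day in sorted(days):
            history = [c for d, c in days.items() if d < day]   # only earlier days form the baseline
            if len(history) < min_days:                          # too little history to judge
                continue
            threshold = mean(history) + z * max(pstdev(history), 1.0)  # floor sigma: flat baselines get slack
            if days[day] > threshold:
                alerts.append((user, day, days[day], round(threshold, 1)))
    return alerts


if __name__ == "__main__":
    log = build_sample()
    print(unapproved_sensitive_emails(log))   # [('alice', 2, 'vendor@mail.example')]
    print(bulk_removal_outliers(log))         # [('bob', 6, 120, 6.5)]
```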

In today’s threat landscape, each of these types of threats and, therefore, types of monitoring is equally critical to protecting data and information. It’s vital to understand the capabilities of the software in your arsenal and the potential threats that could be hiding within your own network.