Gartner, Inc. recently released its “2015: Market Guide for User and Entity Behavior Analytics”. Gartner provides an interesting take on a very hot topic in the security space across all industries today. Overall, the analysis of the justification, use and value of User and Entity Behavior Analytics (UEBA) appears strong.
Gartner covers several industries in their report, showing the breadth and depth of how this new approach is penetrating security across all industries. Here are some highlights from their analysis and a couple outside observations specific to the healthcare provider ecosystem.
What is UEBA?
User and entity behavior analytics applies profiling and anomaly detection to data security. UEBA vendors use analytics to evaluate user activity to discover security infractions.
How does UEBA work?
- Profiles and baselines the activity of users, peer groups and other entities such as endpoints, applications and networks.
- Correlates user and other entity activities and behaviors.
- Forms peer groups based upon common user activities, using directory groupings and human resources information only as a starting point.
- Detects anomalies using statistical models, machine learning and/or rules that compare activity to profiles.
Healthcare providers should use UEBA systems to
- Detect insider threats and external hackers, and choose vendors with solutions that align with use cases, for example, security monitoring or data exfiltration.
- Integrate UEBA with existing security applications by feeding UEBA systems with logs and other already collected data sources.
- Incorporate network and endpoint data for visibility into activity that is not available in logs.
- Send alerts to security, ticketing and workflow systems.
When implementing UEBA, start with a narrow well-defined use case and a limited set of data, and grow the use cases and dataset inclusion over time. Look for UEBA solutions that give your organization integrated visibility into on-premises, cloud-based and BYOD platforms and endpoints.
How I believe healthcare providers can get the most value from UEBA
- EHR audit logs record all user activity, but lack context describing why activities occur. To understand user activity and identify inappropriate use, UEBA systems should analyze additional data sources (e.g. HR, medications, orders, labs, appointments, and ICD9/10 codes) to understand the context of an access.
- The EMR is not the only source of sensitive data. Accesses to other devices and applications that contain sensitive data should be logged and incorporated into UEBA initiatives.
- Manually creating rules to identify malicious use can be tedious and miss threat vectors (e.g., if you don’t check for ex-girlfriend access, how can you detect it?). UEBA systems should be able to automatically learn and differentiate appropriate and inappropriate use.
- Statistical anomaly detection alone is often not enough. While outlier detection can help catch large-scale abuse, single inappropriate accesses can slip through the gaps, and those are gaps a UEBA system should close.
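To make the two points above concrete (peer-group baselining from the "How does UEBA work?" list, and the gap between volume outliers and a single contextless access), here is a small added example. It is not code from the Gartner report or from any vendor product; the access log, the role assignments and the appointment/order relationships are all constructed inline and labelled as such. It baselines per-user access volume within a peer group seeded from a role attribute, flags statistical outliers, and separately checks every access against clinical context so that one inappropriate look-up is caught even when the user's overall volume looks normal.

```python
"""Minimal UEBA-style pass over constructed EHR access-log records.

Added example; not code from Gartner or any product. All data below is
constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Access:
    user: str      # account name as it appears in the EHR audit log
    role: str      # peer-group seed, e.g. a directory/HR job title
    patient: str   # patient record that was opened


# Constructed peer group: six nurses. nurse_f is excluded from the "normal"
# workload below so that she can play the bulk-browsing outlier.
NURSES = ["nurse_a", "nurse_b", "nurse_c", "nurse_d", "nurse_e", "nurse_f"]


def constructed_context():
    """(user, patient) pairs with a clinical relationship (assignment,
    appointment or order). A real deployment would derive these from the
    scheduling, orders and HR feeds the post recommends ingesting."""
    ctx = set()
    for i, nurse in enumerate(NURSES):
        for k in range(4):
            ctx.add((nurse, f"p{i * 4 + k + 1:02d}"))
    return ctx


def constructed_access_log():
    """Constructed audit log: five nurses open their four assigned patients
    once each; nurse_c also opens one record she has no relationship with;
    nurse_f opens twenty records outside her assignments."""
    log = []
    for i, nurse in enumerate(NURSES[:5]):
        for k in range(4):
            log.append(Access(nurse, "nurse", f"p{i * 4 + k + 1:02d}"))
    # Single inappropriate access with an otherwise normal workload
    log.append(Access("nurse_c", "nurse", "p17"))   # p17 is assigned to nurse_e
    # Bulk browsing: large-scale abuse that volume statistics do catch
    for n in range(25, 45):
        log.append(Access("nurse_f", "nurse", f"p{n:02d}"))
    return log


def volume_outliers(log, z_threshold=2.0):
    """Baseline per-user access counts against the user's peer group (role)
    and return {user: z_score} for users at or above the threshold."""
    counts = Counter((a.user, a.role) for a in log)
    by_role = defaultdict(dict)
    for (user, role), n in counts.items():
        by_role[role][user] = n
    flagged = {}
    for role, users in by_role.items():
        values = list(users.values())
        mu, sigma = mean(values), pstdev(values)
        if sigma == 0:          # every peer identical: no spread to compare against
            continue
        for user, n in users.items():
            z = (n - mu) / sigma
            if z >= z_threshold:
                flagged[user] = round(z, 2)
    return flagged


def context_violations(log, context):
    """Per-access check: every record opened without a clinical relationship.
    This is what catches a single inappropriate access that is invisible
    to the volume baseline."""
    return [(a.user, a.patient) for a in log if (a.user, a.patient) not in context]


def analyze(log, context):
    return {
        "volume_outliers": volume_outliers(log),
        "context_violations": context_violations(log, context),
    }


if __name__ == "__main__":
    result = analyze(constructed_access_log(), constructed_context())
    print("volume outliers:", result["volume_outliers"])
    print("context violations:", result["context_violations"])
```

On the constructed data, nurse_f is the only volume outlier, while nurse_c's single access to p17 is not a statistical anomaly at all (five accesses against a peer mean near seven) and surfaces only through the context check. The z-score threshold and the use of a plain role attribute as the peer group are simplifications; the post's point that directory groupings are only a starting point applies here, and a production system would refine peer groups from observed activity.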
We are interested to know how others in healthcare are using UEBA to their advantage.