Omer Singer’s Post

The riskiest project for most security teams is insider risk management. In my experience, most of these initiatives will drag on as a science project for a few years before being scrapped by new leadership. That’s reflected in industry stats like 88% of insider threats taking over a month to detect. The problem? We’ve mixed up insider threat detection, user behavior analytics, and machine learning. By now, we should recognize that catching malicious insiders is hard and that anyone counting on an AI/ML magic solution is dangerously optimistic. That’s why this week’s post channels one of the 20th century’s most famous pessimists. It presents an approach to insider risk detection that is much more likely to succeed and has applications beyond insider risk. Introducing “Mencken’s Law of Threat Detection”: Never rely on machine learning to detect a threat you haven’t modeled. Read on at the link below.

The Inside Scoop on Insider Risk

omeronsecurity.com

Scott Robinson CISSP, CCSP

Principal Security Architect @ IBM | CISSP, AWS, Python

1mo

I've done hundreds of SOC Maturity Reviews and I've helped modernize some of the largest SOCs in the US. I wouldn't say that UBA is a complete miss. I would counsel SOC teams to investigate whether their UBA is a modeling engine, or if it's a correlation engine masquerading as a modeling engine. If it's the former, then it will be somewhat successful as a compromised credential detection platform. However, what I've seen quite often is that SOC teams (large and small) expect a compromised credential attack to look the same as an insider threat incident. Understanding that the approach and analytics are different is key.

Amen. I have lived this exact life before.
