ABCs of UEBA: W is for Watchlist

Cybersecurity can be a complicated beast, with a lot of moving parts and different ways to prioritize the different parts in flight. A watchlist is a tool to narrow your focus on known potential risks. While risk assessments like the ones Gurucul provides with the Gurucul Risk Analytics platform can help make it a lot more manageable, it can still be a challenge to focus on what is most important to an organization’s security.

A User and Entity Behavior Analytics (UEBA) software product can take in a mass of telemetry data and draw useful meaning from it to reveal the riskiest users in the environment. There can be times when you need to adjust thresholds for specific users without changing parameters across the board.  Whether it’s an individual, a certain user group, or even an entire department, there can be cases where you need additional focus.  That’s where the concept of Watchlists comes into play.

Special Scrutiny as Needed

UEBA does a great job of highlighting the risky outliers in the environment, whether they are a user or any other entity, like a host.  But it can’t know, without help, what user and entity groups are of special interest to the organization.

For example, your organization’s field engineers, and sales teams, tend to have wildly variable behaviors because they spend a lot of time travelling to different locations and working at all hours of the day and night to meet customer demands.  For them, abnormal is normal and the behavior analytics engine will come to recognize it.  Even then, it can still identify aberrant behavior and percolate risky users to the top of the stack.  But your organization also has users whose behaviors should be a lot more predictable.  Which means any aberrations there are cause for concern.  These are users who should be put on a watchlist, so you can keep tabs on them.

But You Guys Don’t HAVE Outliers

Take, for example, the accounting or document management teams.  They’re trusted with the business’s finances and maintaining the organization’s crown jewels of intellectual property.  They are professionals with a relatively narrow scope and a lot of responsibility.  From a daily activities’ standpoint, they should be quite predictable.  That means deviations that are barely a blip for someone on the Engineering or Logistics teams are much more unusual here.

This is a case where putting everyone in those departments on a watchlist helps the Security Operations team see when something is amiss.  Here, the watchlist serves to break out a group that’s highly trusted so smaller deviations from the norm become apparent.  You trust them.  But because of the sensitivity of their duties due diligence means keeping a bit more focus on the teams.

The Thermostat Is Talking to What?

The same thing can apply to hosts too.  Most devices in the environment have relatively predictable behaviors.  They do certain things at certain times, moving with the ebb and flow of the Humans in their environment.  But there are always some systems that justify paying extra attention.  Ones that may seem ubiquitous, but any variation from normal behavior is notable.  By putting them on a watchlist, it’s easier for the SecOps team to keep tabs on them.

From a different angle, there are users who may justify putting onto a watchlist for more obvious reasons.  For example, someone who’s just had a poor review from HR may start looking for a way to lash out or to simply leave.  While Gurucul’s platform can already take HR information into account when analyzing user risk, it’s also a simple matter to add that user to a watchlist so the SecOps team can use a lower threshold when reviewing user risk scores.

People Are People

There’s nothing saying for sure that a user who’s at odds with management is a risk, as a lot of people can maintain a perfectly professional relationship even when they’re disgruntled.  But the watchlist makes it easier to keep an eye out because these are known risks.

There are a number of similar situations where adding a user to a watchlist may make sense.  Home life crisis, for example, may justify a little extra scrutiny.  Or, along a similar line, if one user has come under investigation for any of a wide range of reasons, it’s not unreasonable to add their associates to a watchlist to help focus in on any related activities.

Watchlist Does Not Equal Bad Actor

Putting a user or entity on a watchlist doesn’t automatically mean something bad is going on.  It just means the Security Operations team wants to be aware of activities that may be below the usual risk threshold that would normally get their attention.  For example, while a Sales Engineer’s risk score might bounce around between 20 and 80 on a weekly basis, that check printer down in accounting should never swing above about 15.  If it does, it’s worth taking a look.

Watchlists are there to make it easier for SecOps to watch specific individual entities, users, or groups, without needing to adjust models or other assumptions about the rest of the environment. And that can be really useful.

Prev: ABCs of UEBA: V is for Vulnerability Next: ABCs of UEBA: X is for eXfiltration