There are multiple types of tools for monitoring user activity to detect risky behavior. Start by evaluating the tools your organization already has and placing them into a matrix that identifies gaps in your ability to monitor the use cases you create.
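The following is an added example of the gap matrix described above, written for this page and not taken from the article. The tool names, the capability labels and the use cases are constructed placeholders; the point is the computation: each use case lists the data sources it needs, each tool lists what it actually provides, and the script reports which use cases are fully, partially or not covered and which missing capabilities hurt the most use cases.

```python
"""Insider-threat monitoring gap matrix (added example, constructed inventory)."""
from collections import defaultdict

# Constructed inventory: each tool -> the data sources / capabilities it actually provides.
TOOLS = {
    "siem": {"auth_logs", "vpn_logs", "proxy_logs"},
    "dlp_gateway": {"email_content", "web_upload_content"},
    "edr": {"process_exec", "file_access"},
}

# Constructed use cases: each -> the capabilities required to monitor it end to end.
USE_CASES = {
    "bulk_download_before_resignation": {"file_access", "auth_logs", "hr_status"},
    "exfil_via_personal_cloud": {"web_upload_content", "proxy_logs", "user_attribution"},
    "privileged_after_hours_access": {"auth_logs", "process_exec"},
    "screenshot_of_sensitive_data": {"screen_capture", "user_attribution"},
}


def gap_matrix(tools, use_cases):
    """Return {use_case: {"covered": set, "missing": set, "covered_by": {cap: [tools]}}}."""
    capability_to_tools = defaultdict(list)
    for tool, caps in tools.items():
        for cap in caps:
            capability_to_tools[cap].append(tool)
    result = {}
    for uc, required in use_cases.items():
        covered = {c for c in required if c in capability_to_tools}
        result[uc] = {
            "covered": covered,
            "missing": required - covered,
            "covered_by": {c: sorted(capability_to_tools[c]) for c in covered},
        }
    return result


def uncovered_capabilities(matrix):
    """Capabilities no tool provides, ranked by how many use cases need them (then by name)."""
    counts = defaultdict(int)
    for row in matrix.values():
        for cap in row["missing"]:
            counts[cap] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def print_matrix(matrix):
    """One line per use case: FULL / PARTIAL / NONE plus the missing capabilities."""
    for uc, row in matrix.items():
        status = "FULL" if not row["missing"] else ("PARTIAL" if row["covered"] else "NONE")
        print(f"{uc:36s} {status:8s} missing={sorted(row['missing'])}")


if __name__ == "__main__":
    m = gap_matrix(TOOLS, USE_CASES)
    print_matrix(m)
    print("capability gaps by impact:", uncovered_capabilities(m))
```

In this constructed inventory the ranked gap list puts user attribution first, because two use cases need it and none of the host- or network-centric tools provides it; that is the gap an endpoint agent closes.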
If you have a budget for a tool, start with a user activity monitoring tool that has its own agent on the endpoint (very important) and place the administrative control of this tool with your insider threat program, supporting “least privilege” for the network administrators and other IT security roles, to ensure the integrity of the investigation. Privileged users control the audit, security, and data loss prevention tools in your organization and can therefore interfere with these tools’ ability to monitor and/or log insider risks. Placing all security tools in the hands of your systems administrators creates a single point of failure in your insider threat monitoring program. It also puts your organization at unnecessarily high risk if an administrator decides to go wild.
Why an agent makes the difference
User behavior analytics without a dedicated host-based agent rely on a variety of system logs. These logs are cumbersome to manage when correlating multiple insider threat data sources, difficult to collect and analyze at scale, lack the granular context needed to determine an insider’s intent, and can be manipulated if your administrator becomes an insider threat. The visibility such analytics provide varies with the quality of the logs and the skill of the people who built the log ingestion: low-quality logs mean no visibility.
Monitoring network traffic can be used with varying success. Because traffic cannot easily be assigned to a single user, visibility into who has done what is lost. At best, these tools can determine the traffic of a single host or endpoint; they can neither separate the users of a shared system (a single host with multiple sessions for many users) nor attribute traffic to a specific user. An agent can attribute both network traffic and endpoint events to a single user.
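The attribution problem described above, as an added example written for this page (not code from the article or any vendor). All records are constructed sample data and the field names are assumptions, not a real product's schema. A network sensor records flows with a source IP and port but no user; logon sessions from a SIEM can only say who was logged on to that host, which on a shared terminal server is several people; an endpoint agent records which user and process opened which local port, so joining on host and source port within a short time window yields one user.

```python
"""Attributing network flows to a user: host-only logs versus an endpoint agent (added example)."""
from datetime import datetime, timedelta

# Constructed asset inventory: source IP -> hostname.
IP_TO_HOST = {"10.0.0.5": "term-srv-01", "10.0.0.9": "laptop-22"}

# Constructed netflow-style records from a network sensor: note there is no user field at all.
FLOWS = [
    {"ts": "2024-03-01T13:02:10", "src_ip": "10.0.0.5", "src_port": 51812,
     "dst": "203.0.113.7:443", "bytes": 4_200_000},
    {"ts": "2024-03-01T13:05:42", "src_ip": "10.0.0.9", "src_port": 60120,
     "dst": "198.51.100.3:443", "bytes": 15_000},
]

# Constructed logon sessions as a SIEM would derive them from auth logs: host -> who was logged on.
SESSIONS = [
    {"host": "term-srv-01", "user": "alice", "start": "2024-03-01T08:00:00", "end": "2024-03-01T17:00:00"},
    {"host": "term-srv-01", "user": "bob",   "start": "2024-03-01T12:30:00", "end": "2024-03-01T14:00:00"},
    {"host": "laptop-22",   "user": "carol", "start": "2024-03-01T09:00:00", "end": "2024-03-01T18:00:00"},
]

# Constructed endpoint-agent socket events: the agent sees which user and process opened which local port.
AGENT_EVENTS = [
    {"ts": "2024-03-01T13:02:09", "host": "term-srv-01", "user": "bob",
     "pid": 4411, "image": "cloudsync.exe", "local_port": 51812},
    {"ts": "2024-03-01T13:05:41", "host": "laptop-22", "user": "carol",
     "pid": 902, "image": "outlook.exe", "local_port": 60120},
]


def _t(s):
    return datetime.fromisoformat(s)


def attribute_by_host(flow, sessions=SESSIONS):
    """Host-only attribution: everyone logged on to the source host at flow time.
    On a shared system this returns several candidates, i.e. no real attribution."""
    host = IP_TO_HOST.get(flow["src_ip"])
    ts = _t(flow["ts"])
    return sorted(s["user"] for s in sessions
                  if s["host"] == host and _t(s["start"]) <= ts <= _t(s["end"]))


def attribute_by_agent(flow, events=AGENT_EVENTS, window=timedelta(seconds=5)):
    """Agent attribution: join the flow's (host, source port) to the socket event the agent
    recorded on that host within `window`. Returns the single user/process, or None if no match."""
    host = IP_TO_HOST.get(flow["src_ip"])
    ts = _t(flow["ts"])
    for e in events:
        if (e["host"] == host and e["local_port"] == flow["src_port"]
                and abs(_t(e["ts"]) - ts) <= window):
            return {"user": e["user"], "pid": e["pid"], "image": e["image"]}
    return None


def attribution_report(flows=FLOWS):
    """For each flow, what each data source can say about who generated it."""
    return [{"flow": f["dst"], "bytes": f["bytes"],
             "by_host": attribute_by_host(f), "by_agent": attribute_by_agent(f)} for f in flows]


if __name__ == "__main__":
    for row in attribution_report():
        print(row)
```

For the 4.2 MB upload from the shared terminal server, the session data can only say "alice or bob", while the agent event names bob and the process that opened the socket. The time window matters: flows are timestamped by the sensor and socket events by the endpoint, so clock skew between the two must be bounded (by NTP on both) for the join to be reliable.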
Consider insider threat monitoring tools that combine an endpoint agent, case management, machine learning, screenshot capture, file content inspection, multi-factor authentication, and real-time actions, consolidating your insider threat monitoring into a single platform and significantly increasing return on investment.