Breaking down barriers to effective security with user and entity behavior analytics

by Orion Cassetto, senior director of Product Marketing at Exabeam

The global cyber threat landscape is growing and evolving all the time – but fortunately, so are the technology solutions available to combat it. Several new advancements can be combined to give organizations an edge over the threats they face.

These new security technologies can streamline overall security operations and alleviate some of the pressures associated with longstanding security issues, such as the global shortage of skilled personnel.

One technology seeing significant growth is user and entity behavior analytics (UEBA).

What is UEBA?

UEBA is a cybersecurity technology that uses a combination of machine learning, behavioral modeling, and statistical analyses to identify when a user or machine patterns deviate from established behavior, indicating a real security threat. This article will look at three major barriers to effective security for modern businesses and explain how UEBA technology can be used to help remove them.

1) A lack of contextual information from conventional security tools

One of the biggest issues with many conventional security tools such as firewalls and anti-malware is that they operate in silos. As a result, when alerts are raised, they lack the context, visibility and data from other tools within a security program that would help an analyst understand the incident in more detail.

For example, if an anti-malware alert is raised from a source IP address or malware name/URL, without answers to key questions–such as “Who was using the asset at the time of infection?”, “What host had the IP address at the time of infection?” and “What other systems are affected?”– containing the incident can be extremely difficult.

UEBA can help to provide this missing context by supplementing the alert with both environmental and situational information:

• • Environmental: This may include information such as whether the user at the time was an IT admin or high privileged user, or if they are the actual owner of the asset in question.
  • Situational: By creating user session timelines, UEBA can not only provide answers to the critics who, what and when questions, but also to questions such as “Has this happened before?” and “Is it normal?,” which can be incredibly useful when investigating a specific incident.

2) Too much data to analyze effectively

In a modern data environment, security information and event management (SIEM) deployments regularly gather more than 1TB of data a day, or more than 100,000 events per second (EPS). Most of this data is high volume, but low value. Nevertheless, analyst teams often have no way to manually review this amount of data or the alerts which result from it, meaning that key information is regularly missed.

Being machine-based, UEBA thrives on this level of data. The higher the volume, the more data points can be analyzed, resulting in a more granular picture of what’s really going on. To make use of high data volumes, nearly all UEBA vendors use big data architecture such as Hadoop and Mongo, which are horizontally scalable, so that processing and storage can be added as needed.

3) A lack of skilled IT security personnel available

The global shortage of skilled security personnel is a well-documented and troubling issue. Nine out of 10 respondents to CyberEdge’s recent research indicated a shortage of IT security talent at their organizations at the time of asking. Furthermore, a recent State of the SOC study among IT professionals found that just under half (45 percent) believe their security operations center (SOC) is understaffed, and of those, nearly two-thirds (63 percent) think they could use an additional two to 10 employees.

While UEBA can’t replace skilled IT security professionals, it can greatly amplify the output of existing team members. The ability to analyze incoming data more efficiently reduces false positives, while the provision of environmental and situational context to alerts can significantly speed up investigations. Queries that previously took hours can be answered in seconds. Not only that, but alerts can be prioritized more accurately, based on the perceived threat posed, meaning the team is spending its time on the right things.

In short, UEBA is a security technology made for today’s organizations, cutting through the sea of data that all companies grapple with to identify the information that matters most and pick out events that are out of the ordinary, and therefore, require attention. It allows organizations to significantly improve security without adding personnel, allowing them to stay one step ahead of cyber threats.

About the Author

Orion Cassetto, senior director of product marketing at Exabeam, has nearly a decade of experience marketing cybersecurity and web application security products. Prior to Exabeam, Orion worked for other notable security vendors including Imperva, Incapsula, Distil Networks, and Armorize Technologies. He is a security enthusiast and frequent speaker at conferences and tradeshows, with recent speaking engagements including SXSW interactive and Joomla World Conference.