krishnacreations - Fotolia
As an information security professional, you've probably invested quite a bit of time and money trying to understand what's going on in your environment. You've deployed tools ranging from log management to security information and event management (SIEM) to security operational intelligence. And you're still struggling with the key question: How can I tell when something's happening in my environment that shouldn't?
Enter the new world of security user behavioral analytics (UBA). A host of emerging vendors, such as Bay Dynamics, ClickSecurity, GuruCul, Fortscale and Securonix, are deploying big data techniques to quickly baseline the performance of an environment and detect anomalies that indicate attacks. And existing vendors like Lancope, Solera and Splunk are extending their suites to deliver such capabilities, too.
This guide tackles reasonable expectations and deployment strategies for user behavioral analytics tools. You'll learn what you can expect when deploying such tools and how they integrate into your existing environment.
User Behavioral Analytics Explained
If you attended the recent RSA security conference, you probably heard the new buzz phrase user behavioral analytics. The use of analytics is at the forefront now in security architectures, as InfoSec professionals are increasingly encountering the needle-in-a-haystack problem: Security systems provide so much information that it's tough to uncover information that truly indicates a potential for real attack. Analytics tools help make sense of the vast amount of data that SIEM, IDS/IPS, system logs, and other tools gather.
UBA tools use a specialized type of security analytics that focuses on the behavior of systems and the people using them. UBA technology first evolved in the field of marketing, to help companies understand and predict consumer-buying patterns. But as it turns out, UBA can be extraordinarily useful in the security context too.
How User Behavioral Analytics Works
UBA tools perform two main functions. First, they determine a baseline of "normal" activities specific to the organization and its users. Second, UBA tools quickly discern deviations from that norm that require further exploration. That is, they spotlight cases in which abnormal behavior is underway. That behavior may or may not signal a problem: InfoSec pros must investigate it and make that determination.
The big distinction between UBA and other forms of security analytics is that UBA tools focus on users (rather than events or alerts). In other words, UBA answers the question, "Is this user behaving anomalously?" rather than "Is this an anomalous event?"
The distinction is subtle, but important. An event may be benign in one context and prove nefarious in another. For example, an accountant accessing a tax system at midnight on April 14 may be behaving in a perfectly reasonable manner but not when he accesses that system on, say, August 14.
User Behavioral Analytics Features
Although many companies are beginning to claim UBA capabilities for their products, there are a small but growing number of pure-play UBA providers. These vendors' products all function roughly the same way: There's a core engine, running proprietary analytics algorithms, that takes in data feeds from existing sources and analyzes the data. The tools then display their findings in a user dashboard. The goal is to provide InfoSec pros with actionable information.
At present, these tools don't take defensive action themselves but merely provide security operators with the insight to determine whether action is needed. However, it's reasonable to anticipate the availability of tools integrated with firewalls and other defensive systems to enable automated response within the next 6 to 24 months.
The analytics algorithms are the "special sauce" that powers these tools. When assessing UBA products, InfoSec professionals should be sure to ask for the details of how these algorithms work. Other important differentiators between UBA products include the following:
- Data sources, which refers to the types of data the tool integrates with, including the supported formats (CSV, Excel, others) and types of log files (from routers, firewalls, VPNs, file systems, others). Ask about whether it comes preconfigured to integrate with other tools and its integration mechanisms.
- Partnerships, which provide a measure of the tool's plug-and-play ability with existing infrastructure.
- Timeframe and degree of automation of baseline establishment, which relates to whether the tool establishes the baseline in an entirely automated and dynamic fashion, or requires the user to tune and tweak it. Note that some tools make determinations based on just a few days of historical record; others can review weeks to months. Longer records tend to provide for more accurate baselines, because they can take into consideration seasonal variations such as the end-of-quarter close, tax season and Christmas sales.
- Time to results (TTR) refers to how quickly after initial integration the solution begins to produce actionable results. Note that this is not an obvious metric: A clear definition of "results" is required; a good one is "delivering previously unknown insights" following the initial configuration and establishment of a baseline.
- Dashboard flexibility concerns whether or not the UBA tool was designed with the assumption that the dashboard operator will be an InfoSec professional. Other UBA tools can be customized to provide business-level reporting.
- Delivery mechanism refers to how the tool is delivered. That is, providers typically offer an on-premises version of the product (either software-only or an appliance). Most vendors also offer, or are planning to offer, a cloud-based version as well. One major challenge with cloud products is that UBA tools require close integration with many data sources that companies consider proprietary or sensitive (e.g., HR feeds) and don't wish to expose this data to the cloud. However, in the next 3 to 5 years, even this sensitive data will increasingly move to the cloud, and so cloud-based delivery of UBA tools is likely to become more palatable to enterprises.
The Bottom Line
Gathering data isn't enough: You need to invest in tools that make sense of that data and that can find those critical indicators of a potential security breach—"needles in a haystack." UBA tools can effectively provide early indications of questionable behavior by users, systems and devices, and give InfoSec professionals valuable direction in determining whether there is a security problem that requires attention.
About the author
Johna Till Johnson is CEO and founder of Nemertes Research, where she sets research direction and works with strategic clients.
Learn more about the growth of big data security analytics
Put big data security analytics to work