Security analytics is increasingly dependent on big data technologies. Platforms such as Hadoop and Spark not only continue to demonstrate their capabilities in web-scale applications and big data analytics, they are now building blocks for cybersecurity platforms. One such example is Fortscale's User and Entity Behavior Analytics (UEBA) platform, a big data security analytics product built upon the Cloudera distribution of Hadoop to provide a scalable user behavior analytics platform.
Understanding common user behaviors is an important element of cybersecurity monitoring. Many business processes are repeated at regular intervals, and people often perform similar types of behaviors time and again in their jobs. Service accounts, for example, run batch jobs to post updates to financial systems or perform extraction, transformation and load processes for data warehouses, while interactive users check email, use collaboration tools and work with analytic tools. System administrators, meanwhile, patch operating systems, run backups and review logs.
Having a baseline understanding of typical user behavior is essential because of an often underappreciated fact: malicious insiders and compromised credentials of legitimate users are significant threats. Fortscale's big data security analytics help build that baseline through the creation of profiles that can be compared to real-time events for security purposes.
The Fortscale platform incorporates machine learning, big data analytics capabilities and context-sensitive alerting to identify anomalous events while mitigating the adverse effects of high false positive rates. As with other big data security analytics platforms, Fortscale also incorporates data ingestion services that scale to accommodate large volumes of security incident and event management (SIEM) data. Fortscale includes a connector for Splunk to capture data from that scalable log collection tool.
Machine learning techniques are applied to the data collected from SIEM systems and logs to build profiles of typical user behaviors. These profiles are baselines built at a per-employee level. Individualized baselines are essential for avoiding false positives. While it might be unusual for a sales representative to export a large number of customer records from a CRM, it could well be a common activity for a CRM application manager or service account.
Baselines are used to assess real-time events on the network. Statistical techniques can detect variations from baseline activities which are then used to generate alerts. Infosec professionals can use Fortscale's data visualization and workflow support tools to conduct investigations into the anomalous activities.
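To make the per-employee baseline argument concrete, here is an added illustration (not Fortscale code) that builds a mean/standard-deviation baseline of daily CRM export counts per user from constructed sample events, scores a new event by its z-score, and contrasts that with a single organisation-wide threshold. The user names, counts, the 3-sigma threshold and the standard-deviation floor are all assumptions made for the example.

```python
"""Per-user behavioral baselines with deviation alerts (added illustration)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (user, day, records exported from the CRM).
HISTORY = [
    ("sales_rep_01", 1, 12), ("sales_rep_01", 2, 9), ("sales_rep_01", 3, 15),
    ("sales_rep_01", 4, 11), ("sales_rep_01", 5, 13),
    ("crm_svc", 1, 48000), ("crm_svc", 2, 51000), ("crm_svc", 3, 49500),
    ("crm_svc", 4, 50200), ("crm_svc", 5, 48800),
]


def build_baselines(events):
    """Return {user: (mean, population std dev)} of daily export counts."""
    per_user = defaultdict(list)
    for user, _day, count in events:
        per_user[user].append(count)
    return {u: (mean(c), pstdev(c)) for u, c in per_user.items()}


def score_event(baselines, user, count, threshold=3.0, min_std=1.0):
    """Return (z_score, is_anomalous) for a new event against the user's baseline.

    A user with no baseline is flagged for review rather than silently passed.
    The std dev is floored at min_std so a perfectly regular history does not
    divide by zero or alert on a one-record change.
    """
    if user not in baselines:
        return float("inf"), True
    mu, sigma = baselines[user]
    sigma = max(sigma, min_std)
    z = (count - mu) / sigma
    return z, abs(z) > threshold


def fixed_threshold_alert(count, limit=10000):
    """The simple org-wide threshold the text argues against, for comparison."""
    return count > limit


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for user, count in [("sales_rep_01", 5000), ("crm_svc", 50000)]:
        z, hit = score_event(baselines, user, count)
        print(f"{user}: {count} records, z={z:.1f}, per-user alert={hit}, "
              f"fixed-threshold alert={fixed_threshold_alert(count)}")
```

The sales representative's 5,000-record export is flagged by the per-user baseline but missed by the fixed threshold, while the service account's routine 50,000-record job trips the fixed threshold and is correctly ignored by its own baseline.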
A methodical approach
The combination of data collection, analysis and investigative tools enables a more methodical approach to tracking intruder behavior than is possible with unintegrated silos of security data and tools. This is, in essence, one of the major benefits of user behavior analytics platforms such as Fortscale.
For example, many attacks follow a common pattern. Attackers first breach a network and conduct reconnaissance on the network infrastructure, devices, and the operating systems and applications deployed on the network. With an understanding of the structure of the victim's network, the attackers can proceed to exploit vulnerabilities -- human as well as technical -- to establish access to accounts and devices, including gathering credentials to privileged accounts. Attackers then move laterally within the network using various accounts to extract data and compromise applications and servers. This pattern of activity can occur over extended periods of time. Events may be spread out over time to minimize the chance of triggering alerts based on simple thresholds.
Complex behavior analysis, such as that used in Fortscale, is required to collect, analyze and report on malicious activity that is intentionally designed to avoid detection, as in the example above. This is particularly important when protecting against advanced persistent threats that occur over extended periods of time and use techniques specifically designed to minimize the risk of detection by commonly used countermeasures.
The Fortscale UEBA platform is built on Hadoop and can be deployed onto clusters suitable for the Hadoop ecosystem. The company partners with Cloudera, a leading Hadoop provider, to integrate the Fortscale platform with Cloudera Enterprise. Pricing, meanwhile, is available from the vendor.
Fortscale leverages the big data capabilities of the Hadoop platform to collect and analyze large volumes of event data in order to build user behavior profiles. These are particularly useful in situations in which the risk of insider abuse or the exploitation of compromised credentials is substantial. Companies deploying Fortscale can leverage in-house resources with knowledge of Hadoop to manage and maintain the platform.