Security analytics may hold promise. The reality is a ways off. One area ahead of the curve, however, is tracking inside-user behavior.
User behavior analytics (UBA) relies on statistical modeling, machine learning and data science to identify patterns of behavior and compare them against other human or machine activities.
These technologies develop normal versus abnormal behavior profiles by collecting information on users' activities across IP addresses, accounts and devices. Unlike signature-based threat technologies, user behavior analytics creates a baseline for each individual user and then uses categorical, numerical and contextual information to identify anomalies and flag risky behavior. User and entity behavior analytics, or UEBA, also looks at machine activities -- individuals, devices, assets and applications.
User behavior analytics is not new. The failure to thwart insider threats (compromised credentials and data), innovations from startups and a growing need to store and sift through massive amounts of enterprise and security-related data have drawn attention to this segment of the security analytics market. Part of the promise of these technologies is speed for security teams: halting a problem before it happens. Do these behavior technologies connect the dots and help security analysts find serious threats? Many tools likely help. Securonix, Gurucul, Bay Dynamics, Fortscale, Exabeam, Microsoft and Splunk are just some of the players in a crowded space.
Not playing by the rules
Bay Dynamics offers proprietary UEBA as a component of its Risk Fabric analytics platform. The company revealed a technology partnership in July 2017 to integrate its user behavior analytics software with Symantec Corp.'s Data Loss Prevention and other products.
In a Security Current podcast with IBM's global CISO David Cass, published in August, Bay Dynamics CEO Feris Rifai described the company's UEBA technology as unsupervised machine learning that could help companies with the security skills shortage.
"The threats that are identified by UBA are there whether you have UBA in place or not. In other words, [in] the absence of UBA, analysts are left to manually pore through the data to try to figure out what is going on," Rifai said. "That is not only inefficient and highly error prone. It is also not scalable."
Security platforms like data loss prevention, identity and access management, endpoint security and more will increasingly layer or incorporate UBA features to help analyze alerts and make underlying technology more useful, according to analysts.
In January, Avivah Litan, a Gartner research vice president and analyst, blogged: "By 2022 -- there will be no more UEBA market." Like many standalone products in security, Gartner forecasts that UEBA will become a feature of different security platforms, mainly SIEM -- even though the user and entity behavior analytics market is on track to reach $200 million in 2017, doubling from $100 million in 2016.
Some UEBA vendors will move in the direction of next-gen SIEM, maintained Litan: "SIEM plus smarter advanced analytics, plus user and entity behavior analysis, plus cognitive computing-based (i.e., smarter) orchestration and response."
SIEM in many environments is notoriously hard to manage. The centralized log management technology, which has to be implemented correctly and then repeatedly tuned to remain effective, is the basis for most security operations centers. In a May 2017 SANS survey, 77% of respondents indicated that their security operations centers (SOCs) were using SIEM tools to correlate and analyze event-, security- and threat-related data.
Legacy SIEM aggregates system and application logs and other contextual data, and sends a stream of alerts to security analysts, who then have to sift through the noise -- false positives and duplicates -- to prioritize security incidents and attempt to connect the dots. With massive amounts of enterprise data, correlating events with indicators of compromise and threat intelligence takes time and effort -- especially historical data analysis, information that some companies may not store. Lack of end-to-end visibility can impede investigations and remains a top concern for security decision-makers.
"SIEM is a data lake; it is where you collect all of your data," said Barry Shteiman, head of research and innovation at Exabeam. "Modern SIEM of today needs to support volumes. The data lake is a commodity. The whole point of the SIEM today is to collect as much as possible and to retain as much as possible."
Can UBA succeed without a million-dollar SIEM deployment? Companies like Exabeam argue that user and entity behavior analytics is beginning to offer a replacement for SIEM tools. The technology offers some of the same functionality without the alert exhaustion and tediousness of manually retrieving data to piece together history and timelines. In January 2017, the UBA startup released its Security Intelligence Platform, which adds two major SOC components: SIEM and incident response. The new log management system is built on the open source data management architecture Hadoop and parts of Elastic Stack (Elasticsearch). The automated incident response platform helps analysts take appropriate actions after something has been detected -- for example, credentials or files stolen -- and documents the issue in accordance with compliance regulations or cyberinsurance requirements.
With a variety of UEBA products to choose from, CISOs are encouraged to focus on use cases. Does the user behavior analytics tool support the required data sources?
"First, look at why you want it. What is the motivation and use cases you want to cover?" said Anton Chuvakin, research vice president and analyst at Gartner. Time to value varies between tools and scenarios, he added. "For a simpler use case -- finding the use of compromised credentials on a VPN -- and a decent product, you will have a working setup in a few weeks or less. For hard use cases, such as finding malicious IT-savvy insiders, time to value would be in months, provided you actually succeed."
Some vendors are providing prepackaged user behavior analytics tailored for specific uses. Security analytics provider Securonix offers a signature-less, behavior-based threat detection technology. The Securonix UEBA, already in version 6.0, correlates and analyzes events from multiple sources: user, device, asset, application. It then uses unsupervised and supervised machine learning and statistical modeling to build profiles of normal behavior and detect anomalies. The analytics involves clustering, fuzzy correlation, predictive and sequential learning, detection of robotic patterns and domain generation (DGA), among other techniques. The technology also includes data masking and encryption capabilities to help companies meet data privacy requirements. In addition, Securonix offers the UEBA as a service as well as pre-packaged products for specific use cases -- such as fraud security, privileged accounts and patient data.
The UEBA technology is also available as part of Securonix SNYPR, which uses the Hadoop open data platform and machine learning to provide a big data security analytics platform, described by the company as a next-gen SIEM security analytics framework.
"Check with your existing SIEM vendor. If they are building a UEBA, and it is almost ready, you are very likely to get a decent deal out of them, provided it has the required functions," Chuvakin said. "It is very possible that it will not. Then look at the UEBA vendors -- but when talking to them, ask what they think of SIEM 'eating their lunch.' Beware of 'fake UEBA' -- traditional rule-based technology, essentially legacy SIEM or legacy [intrusion detection systems], rebranded as UEBA."
What's coming next in security analytics and user behavior analytics? Gartner expects 10% of UEBA products to introduce predictive analytics by 2018. In the next few years, 60% of "major" cloud access security brokers and 25% of SIEM and data loss prevention products will offer security analytics and UEBA, many through partnerships and acquisitions.
Advanced analytics in consumer marketing -- to explain why beer is placed next to diapers in the supermarket, for example -- may offer some clues.
"We find a lot of algorithms that are not applied to security, and we do a lot of work to see how they can be," Shteiman said.
Analyst's take: How to evaluate UBA tools
Building an enterprise business case for UBA
Learn more about deployment strategies for UBA