User entity behavior analytics, next step in security visibility

Advanced analytics that focus on identity are predicted to offer more visibility than logs.

Using advanced analytics that provide context to behavioral analysis makes it easier to identify internal security threats and find individual offenders, said Gartner in a recent report on User Entity Behavior Analytics (UEBA).

As traditional network defenses become increasingly obsolete, security professionals are scrambling to find the right tools to help them recognize potential threats before they happen, all while suffering from data fatigue.

“Statistical analysis and machine learning can find anomalies in data that humans wouldn't otherwise know about,” the Gartner report stated.


When end users have been compromised, malware can lie dormant and go undetected for months. Rather than trying to find where the outsider entered, UEBAs allow for quicker detection by using algorithms to detect insider threats.

Gartner projected that, “Over the next three years, leading UEBA platforms will become preferred systems for security operations and investigations at some of the organizations they serve.”

Behavior analytics have been around for a long time. Historically, they have been used to identify threats and determine “how people are trying to access your network from the outside,” said Ryan Stolte, CTO, Bay Dynamics.

User behavior analytics tools differ in that they shift the focus from alerting on potential threats from outside the network to identifying more concentrated, individualized insider threats based on user behavior.

In the older model of user analytics, data collection has resulted in an overload of alerts that is nearly impossible to analyze.

“Rules are based on what a human knows about the data. When rules are not tuned properly, they generate too much noise and too many alerts that are not properly prioritized,” the Gartner report explained.

“In the security space there is a lot of investment lately to collect all of this data and send it into a centralized form, but we need to do more than throwing out alerts,” Stolte said.

Combining behavior analysis with machine learning enhances the ability to determine which particular users are behaving oddly. The success, according to the Gartner report, is largely because it is “much easier to discover some security events and analyze individual offenders than it is in many legacy security monitoring systems.”

These days, attackers are getting past traditional protections by compromising legitimate users, Stolte explained.

“The way the bad guys are getting in is that they look like the good guys. Somebody has stolen my keys, but even if someone can pretend to be me, they don’t know how to walk in my shoes.”

Criminals have found ways to stay one step ahead of the security teams using signature-based behavior analysis by changing their behaviors once a signature has been identified. Does this mean attackers will be able to find a work-around for the latest improvements in the behavior analysis space?

People that are trying to get away with something are going to fly below the radar, said Stolte. “Just writing a rule to detect certain activities should catch it, but the problem is that people know where those lines are.”

Behavior analysis takes security beyond rule writing by examining activities and behaviors, so that even if someone is able to compromise a user’s identity, they still have to act like that user; failing to do so is when the alarms start to go off.


“We need to use these analytics capabilities as an indicator to see the change in behavior, not just did they cross a certain line or not,” Stolte said.

Saryu Nayyar, CEO at Gurucul, said that there is a difference between a user and an identity. UEBAs can determine, “This user is risky,” Nayyar said, “but what matters more is, who is the identity, what is the access, and what is the activity being done?”

Once a user is compromised, the criminal then has to be able to behave in accordance with the normal daily activities of that identity. Failure to do so will trigger anomalies in the system.

“Our role through UEBA is to model all good behaviors to surface unknown bad behavior. When we are called in, we look for the unknown unknown,” she continued.

The unknown unknown differs from enterprise to enterprise, which is what makes the element of human interpretation and interaction with UEBAs so critical. The rules and models are contingent upon the risks and threats of each organization, which demands that they remain private and confidential.

Tomer Schwartz, director of security research, Adallom Labs, said the security team performs proactive research and builds intelligence back into the UEBA solution, thereby making the security tool a living, breathing, and evolving system that relies on the human element.

One of the benefits to a security team bringing a human interpretation to the solution, said Schwartz, is that there is, “A cycle of constantly improving and tuning the algorithms used for the UEBA engine, based on research and the results of their performance.”

When the problem is insider threats, meaning the enterprise is looking at an employee who already has all the credentials and technology needed to access everything, UEBAs can be useful in determining which activities are legitimate and which are potential threats.

Having the flexibility to change specific data sources or provide more information allows enterprises to “tune the likelihood of a particular event to correlate with a suspicious activity, to develop completely new algorithms to solve specific use cases,” said Schwartz.

The result is a security system that will hopefully provide the right signal-to-noise ratio, which addresses both the problem of big data and identifying internal threats, but will that ratio come at the cost of employee privacy concerns?


“It is absolutely a conversation that everybody should have. The reason we are doing behavior analytics is on behalf of the person. On behalf of everyone, we are watching you and then telling you when you are not acting like yourself,” Stolte said.

In many ways UEBAs work like a credit monitoring service: no one sits watching each purchase an individual makes, but when an oddity shows up that doesn’t fit a user’s normal activity, it sets off an alert.
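The distinction drawn above, between a rule that fires when a global line is crossed and an analytic that notices when an identity stops acting like itself, is easy to see in code. The following example is added here and is not from the article or from any vendor quoted in it; the activity records, the two features (hour of day and files accessed per session), and the thresholds are all constructed for illustration. Each identity gets its own baseline from a week of records, and new events are scored by how far they sit from that identity's own normal, so an account that stays under the global threshold can still be flagged, while a heavy but consistent user is not.

```python
"""Added example (not from the CSO article or any vendor quoted in it): a
minimal per-identity behavioral baseline compared with a static rule."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: identity,hour_of_day,files_accessed per session.
BASELINE_LOGS = """\
alice,09,12
alice,10,15
alice,09,11
alice,11,14
alice,10,13
alice,09,12
alice,10,15
bob,08,45
bob,14,52
bob,20,48
bob,22,58
bob,09,41
bob,17,55
bob,21,60
"""

# Events observed after the baseline window (also constructed):
# alice at 03:00 touching 30 files, bob at a normal evening load,
# and carol, an identity with no history at all.
NEW_LOGS = """\
alice,03,30
bob,21,55
carol,10,5
"""

STATIC_FILE_THRESHOLD = 50   # the "line" a rule-based alert fires on (arbitrary)
ANOMALY_THRESHOLD = 3.0      # z-score beyond which behavior is flagged (arbitrary)
MIN_STDDEV = 0.5             # floor so a very regular user never divides by zero


def parse_logs(text):
    """Turn 'user,hour,files' lines into (user, hour, files) tuples."""
    events = []
    for line in text.strip().splitlines():
        user, hour, files = line.split(",")
        events.append((user, int(hour), int(files)))
    return events


def build_baselines(events):
    """Per-identity (mean, stddev) of each feature. Hour of day is treated
    linearly here (no wrap at midnight) to keep the example short."""
    per_user = defaultdict(lambda: {"hour": [], "files": []})
    for user, hour, files in events:
        per_user[user]["hour"].append(hour)
        per_user[user]["files"].append(files)
    baselines = {}
    for user, feats in per_user.items():
        baselines[user] = {
            name: (mean(vals), max(pstdev(vals), MIN_STDDEV))
            for name, vals in feats.items()
        }
    return baselines


def behavior_score(baselines, user, hour, files):
    """Largest absolute z-score across features, or None when the identity
    has no baseline yet (a brand-new account is itself worth a look)."""
    if user not in baselines:
        return None
    zs = []
    for name, value in (("hour", hour), ("files", files)):
        mu, sd = baselines[user][name]
        zs.append(abs(value - mu) / sd)
    return max(zs)


def static_rule(files):
    """The legacy approach: one global line for everybody."""
    return files > STATIC_FILE_THRESHOLD


def evaluate(baseline_text=BASELINE_LOGS, new_text=NEW_LOGS):
    """Score each new event both ways and return one verdict per event."""
    baselines = build_baselines(parse_logs(baseline_text))
    verdicts = []
    for user, hour, files in parse_logs(new_text):
        score = behavior_score(baselines, user, hour, files)
        verdicts.append({
            "user": user,
            "rule_alert": static_rule(files),
            "behavior_alert": score is not None and score > ANOMALY_THRESHOLD,
            "no_baseline": score is None,
            "score": score,
        })
    return verdicts


if __name__ == "__main__":
    for verdict in evaluate():
        print(verdict)
```

On the constructed data the static rule stays silent for alice (30 files is under the line) and fires on bob (55 is over it), which is exactly backwards: alice's session is far outside her own pattern, while bob's is ordinary for him. The behavioral score flags alice, clears bob, and reports carol as having no baseline rather than silently scoring her against nothing. A real deployment would use many more features, handle the midnight wrap in hour-of-day, and tune thresholds per organization, as the article's sources describe.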

The success of these capabilities relies on the collection of a lot of information. Right now, the companies that can afford the innovation teams and have the financial structures to adopt UEBAs are seeing the benefits, said Nayyar.

Gartner predicted, “By 2017, at least 20 percent of major security vendors with a focus on user controls or user monitoring will incorporate advanced analytics and UEBA into their products, either through acquisitions, partnerships or internal development.”

Over the next few years, enterprises of all sizes and across all industries should expect to see these service packages expand and evolve into more affordable and available products.

Stories by Kacy Zurkus