Surescripts opts for easier, faster UBA deployment

User behavior analytics platforms can require expert consultants and take a long time to deploy, but health information company Surescripts opted for a quicker, plug-and-play solution that focused on their particular use case

Surescripts is not a data science company. But as the largest health information network in the country, they've gotten good at handling Big Data.

And their Big Data is pretty big -- the system tracks 270 million patients covering 71 percent of the US population, 3,300 hospitals, 900,000 health care professionals, 764 million medication histories, and 6.5 billion transactions a year.

The company decided to go with Hadoop and Splunk for their Big Data infrastructure, looking for evidence of fraud.

Then, a year ago, Surescripts CISO Paul Calatayud began looking at using the technology for security.

Since all the data the company processes is mighty tempting to cybercriminals, he began looking at user behavior analytics to spot attackers who may have gotten past perimeter defenses -- or suspicious behaviors by company insiders.

In particular, he looked for vendors who already had solutions in place so that he didn't have to build the technology from scratch. That would have required hiring expensive experts who wouldn't be generating revenues for the company.


"I don't want to get too aggressive when lots of smart organizations with lots of resources are solving these problems," he said.

The company first ran a three-month pilot project with Los Angeles-based Gurucul about a year ago, but decided against using the platform.

"What I've learned about the UBA market is that there are two camps of products out there," Calatayud said. "One is algorithm focused and the second is a model that is adaptive in nature with targeted use cases to provide you with a turnkey solution."

With the first type, a deployment can take a couple of months and requires a team of consultants to come in and set up the technology, he said.

"They have more revenues from professional services than they do from their products," he added.

Gurucul fell in that first camp, he said.

"Gurucul is more of a platform with very high-level usage and you would have to customize it," he said.


Meanwhile, Surescripts was already familiar with another vendor, Interset, formerly FileTrek. Surescripts has been using the vendor's products to protect against data loss for almost three years, Calatayud said.

"They approach the market with targeted use cases for account analytics, credential analytics, and user behavior analytics," he said. "It's very targeted, very specific. So you get a product, not just an algorithm that requires engineering to work."

For the past six months, Surescripts has been using Interset's Advanced Threat Detection Platform to track user activity, such as what systems they log into, where they are authenticated from, and what they are authenticated to.

"Most people don't turn on those logs because they're very difficult to manage," he said.

Surescripts is also looking for new credentials it hasn't seen before, and credentials showing up where they're not expected.

The product is currently tracking about 3,000 credentials, he said.
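The credential analytics described above, as an added example that is not Surescripts' or Interset's code: a baseline of which credential normally authenticates from where and to what is learned from constructed sample events, then a review period is checked for never-seen credentials and known credentials appearing from an unexpected source or against an unexpected target. Credential names, addresses and system names are all constructed.

```python
"""Added example (not the vendor's or Surescripts' code): minimal credential
analytics over constructed authentication events. The first batch is the learned
baseline, the second is the period under review."""
from collections import defaultdict

# Constructed sample events: (credential, source_ip, target_system).
BASELINE_EVENTS = [
    ("alice", "10.1.1.5", "ehr-portal"),
    ("alice", "10.1.1.5", "ehr-portal"),
    ("bob", "10.1.2.9", "hadoop-edge"),
    ("svc_etl", "10.1.3.1", "hadoop-edge"),
]
REVIEW_EVENTS = [
    ("alice", "10.1.1.5", "ehr-portal"),      # matches baseline, no finding
    ("alice", "203.0.113.7", "ehr-portal"),    # known credential, new source
    ("bob", "10.1.2.9", "payroll-db"),         # known credential, new target
    ("mallory", "10.1.2.9", "hadoop-edge"),    # credential never seen before
]

def build_baseline(events):
    """Map each credential to the sources and targets it has been seen with."""
    sources, targets = defaultdict(set), defaultdict(set)
    for cred, src, tgt in events:
        sources[cred].add(src)
        targets[cred].add(tgt)
    return sources, targets

def flag_events(events, baseline):
    """Return (credential, reason) for every event that deviates from the baseline."""
    sources, targets = baseline
    findings = []
    for cred, src, tgt in events:
        if cred not in sources:
            # A credential with no history at all is the highest-signal case.
            findings.append((cred, "new-credential"))
            continue
        if src not in sources[cred]:
            findings.append((cred, "unexpected-source:" + src))
        if tgt not in targets[cred]:
            findings.append((cred, "unexpected-target:" + tgt))
    return findings

def run():
    """Learn from the baseline batch and review the second batch."""
    return flag_events(REVIEW_EVENTS, build_baseline(BASELINE_EVENTS))
```

In a real deployment the baseline would be rebuilt over a rolling window so that a legitimately changed workstation stops alerting after it has been seen a few times.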

According to the latest Verizon Data Breach Investigations Report, stolen, weak or default credentials were involved in 63 percent of confirmed data breaches.

Installation of the Interset product took less than two weeks, and Surescripts uses it on premises. It is also available as a cloud version.


The Interset cloud deployment is actually a hybrid approach, with an on-premises gateway appliance that collects the data. It then goes into the cloud for analysis.

"It takes about 15 minutes to deploy the software, connect the data source connectors to the data that will be ingested into our system and provision the AWS cloud," said Dale Quayle, CEO at Interset Software. "Data starts flowing within 15 minutes, so you can be up and running in 30 minutes. No other UBA vendor has that capability."

It is also easy to use the product, he said.

"This is what Paul's team really appreciates," he said. "We ingest massive amounts of data, then through machine learning and analytics, boil all that data down to the top risky things and display that very plainly in our user interface. Investigators know where to focus. With a single click, that risk incident can be opened up."

The platform provides the necessary context for the incident so that investigators can decide what to do next. That includes what accounts, machines, applications, and files were involved.

"Finally with another click, an incident response workflow can be activated that includes email and text alerts, the creation and distribution of incident reports, the collection of data for evidence and the activation of risk mitigation controls across other security systems," he said. "We take incident response from a process that takes days and even weeks and enable a security team to react to incidents in minutes and hours."

The company claims 30 of the Fortune 500 as customers, as well as the U.S. intelligence community and various other government agencies.

Other vendors that offer ready-to-go solutions are Fortscale, which has on-premises canned analytics designed to detect rogue insiders and hackers with compromised credentials, and Niara, which has a plug-and-play solution that can be deployed either on-premises or in the cloud.

In general the market is growing quickly, according to Gartner. User and entity behavior analytics market revenues totaled about $50 million in 2015, and are expected to climb to almost $200 million by the end of 2017, the research firm predicts.

According to Gartner analyst Aviva Litan, vendors will need to offer both on-premises and cloud-based options to succeed.

She also recommended that companies start with narrow, well-defined use cases and a limited set of data, then expand from there.

Another option for companies is to wait a couple of years. According to Gartner, at least 50 percent of major SIEM vendors will incorporate UEBA functionality into their products by 2018.


Stories by Maria Korolov
