User Behavior Analytics (UBA): Next step in proactive security operations

Nipun Gupta
5 min read · May 20, 2016


For effective security operations it is essential to understand what is happening in your environment. This means deploying tools ranging from log management to Security Information and Event Management (SIEM) to security operations automation. The challenge that remains is how to identify unusual activity in your environment. User Behavior Analytics (UBA) is a potent tool for detecting such anomalous activity. UBA combines big data, machine learning, and security analytics to model the behavior of systems and of the people using them, and to flag events that deviate from that model. Traditionally, behavioral analytics was deployed in marketing, to help companies understand and predict purchasing patterns. It turns out to be extraordinarily useful in security too.

UBA tools perform two main functions. First, they establish a baseline of "normal" activity specific to the organization and to each of its users. Second, they quickly highlight deviations from that baseline that warrant further investigation. That is, they spotlight cases in which anomalous behavior is under way. Such behavior may or may not signal a security issue: security analysts must investigate it and make that determination. The result is an analytics platform that surfaces insider and account-compromise threats in near real time.

Cutting-edge security vendors, such as Exabeam, Varonis, Forcepoint, LightCyber, Bay Dynamics, Gurucul, Fortscale, Niara, Sqrrl, and Securonix, are deploying big data techniques to baseline the activities in an environment and detect anomalies that warrant further investigation. Traditional SIEM vendors like IBM (QRadar), LogRhythm, RSA, Solera, and Splunk are expanding their suites to deliver such capabilities too.

Why UBA?

The 2016 Verizon Data Breach Investigations Report (DBIR) indicates that insider threats and privilege abuse continue to be a top security concern. When employees go rogue, UBA has proven to be one of the most effective technologies for detecting the insider threat.

[Figure: End-user activities contributing most to data breaches]

A user's behavior and privileges are strong indicators of the nature of a threat, letting the security analyst quickly determine whether a user is a malicious insider or a compromised account. With UBA tools, organizations can quickly detect and respond to high-risk data exfiltration, misuse of privileged and service accounts, and advanced persistent threats.

If you currently use a SIEM to monitor user activity for threat management and regulatory compliance, awesome! You are on the right path. SIEM is an excellent starting point for security analytics, as it correlates events captured from firewalls, Intrusion Prevention Systems (IPS), system logs, Data Loss Prevention (DLP), and more.

If you already have a SIEM, you might wonder why you need UBA; at first glance they look like very similar products, both promising actionable intelligence. The difference is focus. A SIEM is organized around events; UBA is organized around users. It builds a profile of each employee from their usage patterns and raises an alert when it sees behavior that departs from that profile. UBA alerts are typically sent by e-mail or SMS, or piped straight into your SIEM. So the big distinction between UBA and SIEM, beyond the fact that they are complementary, is that UBA answers the question "Is this user behaving anomalously?" rather than "Is this an anomalous event?" That shift cuts investigation and response time at the SOC, because an event that is unremarkable in isolation can be highly suspicious for the particular user who generated it.
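The baseline-then-deviate loop described above, and the per-user versus per-event distinction, are easiest to see in code. The following is an added example written for this page, not code from the original post or from any vendor it names. It builds a per-user baseline (typical hour of day, typical bytes transferred, hosts used) from a constructed authentication log, scores new events against the owner's own baseline, and also computes the naive event-level z-score a SIEM threshold rule would use, so that the same event can be seen as normal globally but anomalous for its user. The log format, feature choice, clipping and threshold are all assumptions made for the illustration.

```python
"""Per-user behavioural baseline and anomaly scoring (added illustration).

Constructed sample data; not output from any real UBA product.
Log line format assumed here: <ISO timestamp> <user> <source host> <bytes>
"""
from collections import defaultdict
from datetime import datetime
import math
import re

# Constructed baseline window: alice works office hours from her workstation
# and moves ~100 KB per session; bob is a night-shift build engineer on build-01
# moving ~4 MB per session.
BASELINE_LOG = """\
2016-05-02T09:05:11 alice ws-alice 120000
2016-05-02T10:12:40 alice ws-alice 80000
2016-05-03T09:15:02 alice ws-alice 95000
2016-05-04T08:58:33 alice ws-alice 110000
2016-05-05T09:30:17 alice ws-alice 70000
2016-05-02T22:10:05 bob build-01 4000000
2016-05-03T23:05:44 bob build-01 3800000
2016-05-04T22:40:19 bob build-01 4200000
2016-05-05T21:55:09 bob build-01 3900000
2016-05-06T23:20:31 bob build-01 4100000
"""

# Constructed new events to score. Line 1 is ordinary for bob but not for alice;
# line 2 is bob at an unusual hour; line 3 is alice behaving normally.
NEW_LOG = """\
2016-05-09T23:04:51 alice build-01 3900000
2016-05-10T09:10:00 bob build-01 4000000
2016-05-10T09:20:33 alice ws-alice 100000
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, user, host, nbytes = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "bytes": int(nbytes)})
    return events


def _mean_std(values):
    n = len(values)
    mean = sum(values) / n
    return mean, math.sqrt(sum((v - mean) ** 2 for v in values) / n)


def _z(value, stats, floor):
    """Absolute z-score with a floor on the std so tight baselines cannot divide by ~0."""
    mean, std = stats
    return abs(value - mean) / max(std, floor)


def build_baselines(events):
    """One profile per user: hour-of-day stats, byte-volume stats, hosts seen."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    return {
        user: {
            "hour": _mean_std([e["ts"].hour for e in evs]),
            "bytes": _mean_std([e["bytes"] for e in evs]),
            "hosts": {e["host"] for e in evs},
        }
        for user, evs in by_user.items()
    }


def score_event(event, baselines, clip=10.0, new_host_weight=5.0, new_user_score=5.0):
    """Risk score of one event against its own user's baseline, plus reasons."""
    b = baselines.get(event["user"])
    if b is None:  # never-seen user: no baseline, so surface it for review
        return new_user_score, ["no baseline for user"]
    reasons, score = [], 0.0
    z_hour = min(_z(event["ts"].hour, b["hour"], floor=1.0), clip)
    z_bytes = min(_z(event["bytes"], b["bytes"], floor=1000.0), clip)
    score += z_hour + z_bytes
    if z_hour > 3:
        reasons.append(f"hour-of-day z={z_hour:.1f}")
    if z_bytes > 3:
        reasons.append(f"byte-volume z={z_bytes:.1f}")
    if event["host"] not in b["hosts"]:
        score += new_host_weight
        reasons.append(f"new host {event['host']}")
    return score, reasons


def global_bytes_z(event, events):
    """Event-centric view: z-score of the byte volume against ALL users' traffic."""
    return _z(event["bytes"], _mean_std([e["bytes"] for e in events]), floor=1.0)


def detect(baseline_log=BASELINE_LOG, new_log=NEW_LOG, threshold=6.0):
    """Return (user, timestamp, score, reasons) for every new event over threshold."""
    baselines = build_baselines(parse(baseline_log))
    alerts = []
    for e in parse(new_log):
        score, reasons = score_event(e, baselines)
        if score >= threshold:
            alerts.append((e["user"], e["ts"].isoformat(), round(score, 1), reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(alert)
    first = parse(NEW_LOG)[0]
    print("global byte-volume z for alice's 3.9 MB event:",
          round(global_bytes_z(first, parse(BASELINE_LOG)), 2))
```

Alice's 3.9 MB transfer from build-01 at 23:04 sits comfortably inside the fleet-wide distribution (its global byte-volume z-score is below 1, because bob moves that much every night), so an event threshold on volume alone would never fire; against alice's own profile it trips all three features. Two caveats for anyone building on this: the baseline window must be trusted, since a user who is already compromised during training teaches the model that the attacker's behavior is normal, and the floors, clipping and weights here are arbitrary and need tuning on real data before the alert rate is usable by a SOC.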

"The issue SIEM customers have always had is that while they got a lot of great information, the user context was lacking, and the customer had to piece it all together." — Ted Plumis, Vice President of Channels, Business and Corporate Development at Exabeam

Trends in the UBA market

[Figure: Breach discovery timeline for insider threats (2016 Verizon DBIR)]

According to the 2016 Verizon DBIR, attackers' time to compromise is rapidly decreasing, but time to detect is not decreasing by the same factor. Moreover, discovery of compromised accounts or malicious insiders is shifting from days to months and years (see the figure above). In other words, if this were a war, the attackers would be winning by a huge margin!

Newer technologies have emerged that promise to solve adjacent challenges in simplifying investigation or response, all around the single buyer problem of how to detect and respond quickly to a breach. To add to the confusion, most vendors across these different markets message around the same themes, such as "analytics," "machine learning," and "automation," even though what those features actually do differs vastly from one product role to another. In short, it is a noisy, chaotic and crowded marketplace for breach detection and adversary hunting technology.

Buyers in the UBA market have distinct needs and must be catered to differently. Broadly, on the basis of their in-house capabilities, buyers fall into three types:

  • with a dedicated Security Operations Center (SOC)
  • without a dedicated SOC
  • Managed Security Services Providers (MSSPs)

Personally a BIG fan of predictive analytics of user behavior to rapidly detect and mitigate risks by leveraging context-enriched activity data to generate behavioral baselines from corporate users along with broader network event intelligence to triangulate to the most complex threats. — Devon Bryan, Executive Vice President and Chief Information Security Officer, The Federal Reserve System

Security buyers’ desire not only to detect breaches, but also to respond quickly and efficiently, will drive market synergies between behavior-based detection systems and SIEM systems.

Future outlook

While UBA enables SOC and incident response teams to identify insider threats and compromised accounts quickly, it needs to be augmented by defense in depth. The next steps in cyber risk intelligence must include UBA, but they cannot stop there. Organizations must understand the business value of their information assets, and the vulnerabilities and threats to their most valued assets, so that SOC teams do not waste their time on false positives and the real threats get addressed.

Nevertheless, security is the art of balancing risk acceptance and mitigation. So why is UBA the next step toward proactive security operations? Until recently, a lack of internal visibility limited an organization's ability to detect data breaches. Thanks to their automated, adaptive, and contextual nature, UBA systems provide an efficient means of detecting not only perimeter breaches but also lateral movement and insider threats. If an organization relies heavily on a SIEM that functions primarily as a log collection device, a UBA system is a great way to improve time to detect, time to contain, time to remediate, and overall security posture, without adding heavy operational and analytical overhead to the SOC.

Nipun Gupta

Cybersecurity Venture, Product, & Innovation @Devo | @CarnegieMellon grad | Investor | Traveled 25 countries