How UEBA Overcomes 5 Hurdles to Achieving Effective Security and Incident Response

Most cybersecurity pros know that the threat volume has increased and its severity is getting worse. A recent annual report by CyberEdge echoes this trend. While it was holding fairly steady from 2015 – 2016 at roughly 23%, the percentage of 2017 respondents who’ve been hit by six or more cyberattacks has jumped 10 points—to 32.9%.

Fortunately, organizations are showing the will to fight such threats with more security funding. Gartner has predicted global security spending will increase by 8% through 2018, to reach $96 billion by year’s end. Gartner attributes this to regulatory changes, a collective business mind-set, and growing cyber threat awareness.

How will organizations spend their increased cybersecurity budgets? Most need to invest in new technology to achieve effective network security and incident response (IR). Yet they face five major challenges:

User and entity behavior analytics UEBA) addresses all of these hurdles. A cybersecurity technology that’s seeing significant growth, UEBA streamlines overall security operations while alleviating the ever-increasing pressures on teams that stem from chronic security issues.

What is UEBA?

UEBA uses machine learning, behavioral modelling, and statistical analyses. It combines data from multiple tools, then automatically identifies in real-time when user and machine patterns deviate from established behaviors. These notifications can indicate credible security threats—as opposed to security teams manually chasing down the overwhelming and growing number of false positives.

What can UEBA do for your organization?

Let’s look at five of the most common roadblocks to effective security, and how UEBA can help remove them.

1) Lack of contextual information from conventional security tools

A big issue with conventional security tools, such as firewalls and anti-malware, is that they operate in silos. When analysts receive alerts, these lack the context, visibility, and data from the other tools that make up their organization’s security program. This data is critical for  security teams to understand the true nature of the security threat.

For example, consider an anti-malware alert from a source IP address or malware name/URL. Not having answers to the contextual questions makes both responding and containing the incident extremely difficult.

Important questions include:

• Who was using the asset at the time of infection?
• Which host had the IP address at that time?
• Which other systems are affected?

UEBA supplements every alert with important environmental and situational information:

• Environmental – Such information can include whether the user at the time of the incident was an IT admin or highly privileged user, or if they’re the owner of the asset in question.

• Situational – By creating user session timelines, UEBA answers the critical Who?, What?, and When? questions, in addition to answering Has this happened before? and Is this normal? Answers to these questions is incredibly useful when investigating a security incident.

2) Too much data

More than 1TB of data per day typically flows into a security information and event management (SIEM) system—that’s over 100,000 events per second (EPS). Most of the collected data is of little value, but analysts often struggle in a futile attempt to make it useful. Given the impracticality of manually reviewing such huge volumes and alerts, critical threats are regularly missed.

Because UEBA is machine and big data-based, it can handle large volumes of data and the velocity of its collection. The more volume, the more data points it can analyze. This results in a more granular picture of what’s really going on across an attack surface, and whether a given alert is credible.

3) Lack of effective solutions

Multiple security tools operating in silos is problematic. It’s like the parable about the blind men and the elephant—each tool only relates data to its specific function or a single piece of a larger attack. But today’s cyber threats aren’t one dimensional—they’re typically complex and often involve lateral movement.

UEBA breaks down the barriers of mitigating complex attacks. It can ingest data from all the disparate sources like Juniper, Imperva SecureSphere, and Ironport. It then associates all the log data with the system users, analyzing their behavior in context. While comparing each user’s behavior to their baseline, it can continuously look for anomalous and risky activity. UEBA bolsters your security tools, turning them into data points that weave together the big picture and the complete story. It reveals the entire elephant.

4) Too many false positives

This all-too-common problem also results from numerous tools working independently, without visibility into what’s going on in other parts of the organization. Huge volumes of low-priority data—like firewall logs, proxy logs, DNS logs—are dumped into a SEIM.

By themselves legacy SIEMs tend to add many false positives, resulting in a mountain of information and alerts—but not much value. The reason is that conventional, legacy SIEMs rely on correlation rules. They have no understanding of users and groups, nor the difference between normal vs. abnormal behavior.

UEBA overcomes this weakness—in part by using behavioral analytics to discern users and their roles to help eliminate or minimize false positives. For example, Bill is in accounts payable; UEBA has evaluated his normal behavior, as well as that of the AP group. In this situation, UEBA knows it’s not uncommon for Bill to upload n MBs of data within a set duration.

This is very different from a correlation rules approach, which typically establishes generic rules. For example, Bill performs another similar upload. But since correlation rules can’t ID who’s performing this activity and whether it’s normal, a false positive most likely will be generated.

Using a holistic approach, UEBA looks at data sources from across your organization and its entire security infrastructure. It performs behavioral analysis based on baseline user and group behavior, eliminating false positives in the process. It ensures your security teams have a highly prioritized workflow—such that they invest their time on highest risk incidents first. And because they aren’t chasing ghosts all day and can instead focus on real work, UEBA can make your incident response (IR) teams more effective.

5) Global shortage of skilled security experts

Problems from having too much data and too many false positives also correlate with the chronic shortage of skilled analysts to effectively respond to incidents in a timely manner.

In the same CyberEdge survey, nine out of ten respondents indicated the IT security talent shortage is a challenge. Even when organizations have the budget, talent often isn’t available. Many SOCs and CIRT teams remain chronically understaffed.

While UEBA can’t replace skilled IT security pros, it can optimize existing team output. Reduced false positives, coupled with environmental and situational context for alerts, can significantly speed up investigations. Queries that previously took hours can be answered in seconds. Even more, alerts can be more accurately prioritized based on each perceived threat. This means your security team can invest its limited time and energy on the most critical threats.