Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to UserEntityandBehaviorAnalyticsFriedman
Similar to UserEntityandBehaviorAnalyticsFriedman (20)
UserEntityandBehaviorAnalyticsFriedman
- 1. Running head: USER ENTITY AND BEHAVIOR ANALYTICS 1 Even the most well-developed business continuity/disaster recovery (BC/DR) plan contains hidden and/or unknown threats that can compromise an organization’s IT systems. When threats strike, they can have a high-profile and sustained impact on an organization and organizations are adopting IT security products to get on the offensive to detect and containing the threats. According to Gartner research director Eric Ahlm, many IT security teams have used security information management (SIM) or security information and event management (SIEM) technologies, which are able to collect and analyze data. (Paredes, 2015). Using rule-based technology, SIEMs can provide real-time alerts whenever an abnormal event is detected. While SIEM sounds like it would be the only threat detection tool needed, this is simply not the case. According to Bussa, Kavanagh, and Rochford (2016), having SIEM by itself will not improve threat detection rate or reduce the window of discovery. 1 Moreover, SIEMs, are just one piece of the burgeoning security analytics (SA) market. In their SA vendor analysis, Forrester describes a security analytics ecosystem (depicted in the graphic to the right) depicting a market of a variety of technologies, some that of which can be used independently as a platform, while others are complementary products (Blankenship, et. al, November 15, 2016). The term security analytics is often misused and it is important to note that not all products in this market qualify as an SA platform. (Blankenship, et. al, May 9, 2016). SAs use that use data science and machine learning instead of rule-based technology that many SIMs or SIEMs use. Some vendors in the market focus exclusively on the SA techniques, such as network analysis and visibility (NAV) and security and user behavior analytics (SUBA) rather than the standalone SA platform. According to Blankenship et. al (November 15, 2016). NAV provides capabilities to study network forensics, malicious behavior detection, packet capture, and other network-based situational awareness capabilities. SUBA collects user data from a variety of data logs to set a user activity baseline, then using the baseline to detect threats, assess risk scores and allow behavior anomalies to be studied in real time in real time. By using these advanced analytic capabilities, SUBA make profiles of users and traffic patterns, creating a picture of their behaviors and activities over time, and shaping the behaviors as new data sources are provided. (Bussa, Kavanagh, and Rochford, 2016). Expanding on SUBAs, IT security professionals are increasingly turning to User and Entity Behavior Analytics (UEBA) as an analytical technique to discover some of these threats. 1 Illustration provided by Forrester in Blankenship, et al., November, 15, 2016
- 2. USER ENTITY AND BEHAVIOR ANALYTICS 2 In addition to user behavior, UEBA vendors, such as Fortscale, study entity behavior, studying behavior at the application, device, and server levels. Aside from security management, Litan (2015) identified several other use cases for UEBA. Data exfiltration detection allows companies to monitor anomalies in data transfer; identity access management can be used to monitor user and account behavior against access rights; analyzing contextual behavior information in to assess malicious intent from an insider; as a specialized security tool to manage Software as a Service (SaaS) usage (Litan, 2015). So why are IT executives looking at UEBA? Both Gartner and Forrester describe in detail of the difficulty to detect insider threats. Insider threats are often unexpected, and can emanate from a variety of motivations and intentions. The National Counterintelligence and Security Center states that the most damage U.S. counterintelligence failures over the last century were a result of trusted insider with ulterior motives. At the government level, all federal agencies are being required to institute a insider threat program in place by November 30, 2016 (Blankenship, August 17 2016). On a global level, insider threats were responsible for 39% of all data breaches in 2015 (Blankenship, August 17, 2016) The UEBA market is expected to grown dramatically over the next few years, going from $50 million in market revenue in September 2015 to about $200 million by the end of 2017 (Litan, 2015). Litan notes that may of the UEBA vendors have varying capabilities, and vendors may offer different combinations of Litan’s UEBA functions. Some vendors in this space focus exclusively on insider threats, like Lockheed Martin’s Insider Threat Identification (ITI) tool, which combines unstructured and structured data, performing word searches and other analytics to identify employee risk levels. (Litan, 2015). Other vendors, like Bay Dynamics are more varied in their offerings. Bay Dynamics’ Risk Fabric product inputs from multiple data feeds and then provides alerts of anomalies in privileged user access, vendor behavior, and security policies among others (Litan, 2015). E8 Security also studies anomalies in behavior through the use of multidimensional modeling, and correlating behaviors and relationships (Cser & Blankenship, 2016). Some vendors, like Fortscale and Niara even use unsupervised machine learning algorithms (Litan, 2015). Niara is also somewhat unique in that they offer network forensic techniques like deep packet inspection. Another key differentiator are employee monitoring capabilities. Dtex Systems and SpectorSoft are both able to monitor employee desktop activity providing their client organization with visibility into system activity (Litan, 2015) UEBA vendors even have cloud capabilities. Rapid7’s agentless, SaaS-only, Insight IDR allows companies to investigate security incidents and provide visibility into intruder activities. Insight IDR is compatible with some of the cloud market leaders such as Office 365, Salesforce, and Box (Cser & Blankenship, 2016). Gurucul, which has both cloud and on-premise solutions, uses a cloud analytics engine and is also able to integrate to Office 365, Salesforce, and Box (Cser & Blankenship, 2016). Speaking of Microsoft, they have their own UEBA product: Advanced Threat Analytics, which provides deep packet inspection of Active Directory traffic As an aside, this author is participating in a Business Continuity/Disaster Recovery (BC/DR) course where he is creating a BC/DR plan for convenience food company Acme, Ltd.
- 3. USER ENTITY AND BEHAVIOR ANALYTICS 3 As part of the plan, UEBA functions would be a great resource for Acme to have. Since Acme is a global company, user access is a concern, especially when it comes to deprovisioning users, so UEBA can be used to check for rogue system or user access. Additionally, the data exfiltration tools would be valuable to ensure that data is not leaving Acme unless authorized by the Office of the CIO and the Security Committee. As with any company, Acme is susceptible to insider threats, which can have devastating consequences for a corporation. According to Blankenship (2016), insiders can use their access for financial gain, to steal intellectual property, or to cause sabotage and destruction. As powerful as the aforementioned capabilities are, UEBA has its limitations. According to Litan (2015), the anomaly detection is not advanced enough to detect filter out suspicious behavior from a user with privileged access. Insider threat detection has to go beyond the technology. Blankenship (2016) states that treating the insider threat issue as a technology problem ignores the human elements of motivation and behavior. . Most importantly, UEBA is not a cure-all product, it needs to be part of a security analytics platform. For IT security professionals exploring UEBA, make sure it can integrate with your existing SA platform. References Blankenship, J. (August 17, 2016) . Hunting insider threats. Forrester. Retrieved from Northwestern University Library access to Forrester on November 18, 2016.
- 4. USER ENTITY AND BEHAVIOR ANALYTICS 4 Blankenship, J., Balaouras, S., Pollard, J., Kindervag, J., Blackborow, J. & Dostie, P. (May 9, 2016) . Counter cyberattacks with security analytics. Forrester. Retrieved from Northwestern University Library access to Forrester on November 18, 2016. Blankenship J., Balaouras, S., Cser, A., Kindervag, J., O’Malley, C., Barringham, B. & Dostie, P. (November 15, 2016). Vendor analysis: Security analytics (SA). Forrester. Retrieved from Northwestern University Library access to Forrester on November 18, 2016. Bussa, T., Kavanagh, K.M., and Rochford, O. (June 30, 2016). Use SIEM for targeted attack detection. Gartner, G00308086. Retrieved from Northwestern University Library access to Gartner. Cser, A. & Blankenship, J. (September 2, 2016). Vendor landscape: Security user behavior analytics (SUBA). Forrester. Retrieved from Northwestern University Library access to Forrester on November 18, 2016. Litan, A. (September 22, 2015). Market guide for user and entity behavior analytics. Gartner, (G00276088). Retrieved from Northwestern University Library access to Gartner. Paredes, D. (2015) Gartner: Are security analytics key to breach detection - or just hype? CIO (13284045). Retrieved from Northwestern University Library access to EBSCO Academic Search Premier on November 4, 2016.(2015). http://www.cio.co.nz/article/574166/gartner-security-analytics-key-breach- detection-just-hype/ Sqrrl. User + entity behavior analytics (UEBA): The heart of next-generation threat-hunting [eBook]. Retrieved from https://sqrrl.com/media/UEBA- eBook.pdf?submissionGuid=3318e663-e39a-4a33-ba5b-64c7f3800dce on November 4, 2016. Sqrrl. User and entity behavior analytics. Retrieved from Sqrrl’s website on October 25, 2016. URL: https://sqrrl.com/product/user-and-entity-behavior-analytics-ueba/