By Tim Scargill
Fri | Jul 21, 2017 | 4:29 AM PDT

With cyber attacks now an almost daily news story, their impact can no longer be ignored or simply accepted. Downtime and data breaches are hitting businesses across every sector, costing the healthcare industry alone an estimated $5.6 billion a year. And as public awareness of these attacks grows, so does the demand for an answer from the cybersecurity community. Why are we losing the battle against attackers? What can we do to limit the damage once an attack succeeds? User and Entity Behavior Analytics (UEBA) offers part of the answer.

The need for detection

We have to face the uncomfortable fact that cyber criminals are, at least for the foreseeable future, one step ahead. Those responsible for protecting our systems are doing excellent work developing new technologies and protocols to stop them, but the rewards are such that attackers keep inventing creative new methods of attack. Breaches appear to be getting more common, not less; prevention alone is clearly not an effective strategy.

While we should of course continue to pursue better protection, we also have to assume that attackers will sometimes get into our systems. That means enterprises have to invest in techniques that limit the damage an intruder can do once inside, and we can only do that if we detect their presence as quickly as possible: the longer an attacker goes unnoticed, the more they can steal or break.

Behavior analytics

To detect attacks, we need to detect abnormal activity: anomalies that indicate the presence of malware or a user (or account) doing something suspicious. To recognize what is abnormal, we first need an accurate baseline of what is normal, and that is where behavior analytics comes in. These tools build a detailed profile of how each user and system usually behaves (which hosts it talks to, at what times, how much data it moves), so that deviations stand out and can be detected more easily.

One feature of UEBA products is that they discover those baselines automatically and keep updating the profiles over time to maintain their accuracy; using machine learning, they can absorb deviations that turn out to be consistent and permitted rather than alerting on them forever. This automation is one of the key differences between UEBA and Security Information and Event Management (SIEM), which should be considered a complementary technology. SIEM aggregates events from across the network and matches them against rules and correlation logic written in advance, which makes it very useful for a high-level overview; UEBA is better suited to surfacing the deviations that no predefined rule anticipated, and to ranking them so responders can act faster. The obvious caveat is that a baseline learned from already-compromised activity will treat the attacker as normal, so both the initial learning window and what is allowed to update a profile afterwards need care.
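To make the baselining idea concrete, here is a small Python sketch of the mechanism described above. It is an added example, not code from the article or from any vendor mentioned in it, and every detail in it is an assumption: the event fields (day, user, host, login hour, bytes out), the 3-sigma volume threshold, the one-hour slack on active hours, the "promote after three sightings" rule, and the sample events themselves, which are constructed for the demonstration. It builds a per-entity profile from a training window, scores new events against it, and then adapts the profile, with the one rule a practitioner cares about most: an event that already looks like an attack is never allowed to update the statistics.

```python
"""Minimal UEBA-style baselining: per-entity profile, anomaly scoring, adaptive update.

Added example, not code from the article or any vendor it mentions.
All events below are constructed; fields are (day, user, host, login_hour, bytes_out).
"""
import statistics
from collections import Counter

Z_THRESHOLD = 3.0  # assumed: outbound volume beyond 3 sigma of the baseline is anomalous

# Constructed learning window: eight quiet working days for one user.
TRAINING = [
    ("d01", "alice", "fs01", 9, 50_000), ("d02", "alice", "fs01", 10, 54_000),
    ("d03", "alice", "fs01", 9, 47_000), ("d04", "alice", "mail", 11, 52_000),
    ("d05", "alice", "fs01", 8, 49_000), ("d06", "alice", "mail", 9, 51_000),
    ("d07", "alice", "fs01", 10, 53_000), ("d08", "alice", "fs01", 9, 48_000),
]

# Constructed events to score once the baseline is established.
NEW_EVENTS = [
    ("d09", "alice", "fs01", 9, 52_000),      # ordinary day
    ("d10", "alice", "fs01", 3, 2_400_000),   # 03:00 and ~48x usual volume: exfiltration-like
    ("d11", "alice", "wiki", 10, 50_000),     # first contact with an unknown host
    ("d12", "alice", "wiki", 9, 51_000),      # second day on that host
    ("d13", "alice", "wiki", 10, 49_000),     # third day: still flagged, then absorbed
    ("d14", "alice", "wiki", 9, 50_000),      # host is now part of the profile
]


class Profile:
    """Behavioral baseline for one entity (a user here; a host or app works the same way)."""

    def __init__(self, promote_after=3):
        self.volumes = []             # bytes_out samples accepted into the baseline
        self.hosts = set()            # hosts the entity normally talks to
        self.hours = set()            # hours of day the entity is normally active
        self.candidates = Counter()   # unknown host -> days seen since first sighting
        self.promote_after = promote_after

    def fit(self, host, hour, bytes_out):
        """Learn unconditionally from the initial window (assumed to be clean)."""
        self.volumes.append(bytes_out)
        self.hosts.add(host)
        self.hours.add(hour)

    def zscore(self, bytes_out):
        if len(self.volumes) < 2:
            return 0.0                # not enough history to judge volume
        mean = statistics.fmean(self.volumes)
        sd = statistics.stdev(self.volumes) or 1.0
        return (bytes_out - mean) / sd

    def score(self, host, hour, bytes_out):
        """Return the set of ways this event deviates from the baseline (empty = normal)."""
        reasons = set()
        if self.zscore(bytes_out) > Z_THRESHOLD:
            reasons.add("volume")
        if host not in self.hosts:
            reasons.add("new_host")
        # one hour of slack either side of the hours seen so far
        if not any(abs(hour - h) <= 1 for h in self.hours):
            reasons.add("off_hours")
        return reasons

    def learn(self, host, hour, bytes_out, reasons):
        """Adapt the baseline, but never from an event that looks like an attack."""
        if "volume" in reasons:
            return                    # keep a possible exfiltration out of the statistics
        self.volumes.append(bytes_out)
        self.hours.add(hour)
        if host in self.hosts:
            return
        self.candidates[host] += 1    # a deviation that keeps recurring is a change of habit
        if self.candidates[host] >= self.promote_after:
            self.hosts.add(host)
            del self.candidates[host]


def run(training, events):
    """Build profiles from the training window, then score and learn from new events."""
    profiles = {}
    alerts = []
    for _day, user, host, hour, bytes_out in training:
        profiles.setdefault(user, Profile()).fit(host, hour, bytes_out)
    for day, user, host, hour, bytes_out in events:
        profile = profiles.setdefault(user, Profile())   # unseen entity: everything is new
        reasons = profile.score(host, hour, bytes_out)
        if reasons:
            alerts.append((day, user, sorted(reasons)))
        profile.learn(host, hour, bytes_out, reasons)
    return alerts, profiles


if __name__ == "__main__":
    found, _ = run(TRAINING, NEW_EVENTS)
    for day, user, reasons in found:
        print(f"{day} {user}: {', '.join(reasons)}")
```

Running it alerts on d10 (off-hours plus volume), then on d11 to d13 for the unknown host; by d14 the host has been promoted into the profile and the day is quiet. Two design points carry over to real deployments: the 2.4 MB burst is deliberately kept out of the volume statistics, otherwise a single exfiltration would widen the standard deviation enough to hide the next one, and in practice the promotion of a recurring deviation into the baseline would be gated on an analyst not having escalated the earlier alerts, rather than on a bare count.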

Beyond users to entities

This field was initially focused on monitoring network users, hence the term User Behavior Analytics (UBA). That is fine for detecting insider threats such as fraud, but many external threats arrive not through users but through entities: managed and unmanaged endpoints, and cloud and mobile applications. So in 2015 Gartner updated its definition to include entities (UEBA), reflecting that the technology had developed to profile and correlate user activity together with the other entities an attack may use.

A further benefit of monitoring entities is that it feeds back into prevention. UEBA tools can also be used to analyze your environment and identify weak points, so that infrastructure and security controls can be upgraded where needed, and to evaluate the potential impact of an attack depending on its entry point, so resources can be prioritized accordingly.

Implementation

The UEBA market is predicted to grow to over $900 million by 2021, and an increasing number of vendors offer solutions. The main differentiators to look for are the data sources a product connects to and the type of data it collects, how long and how automated the baseline establishment process is, the flexibility of the interface it provides (how technical an operator needs to be), and the delivery model (on-premises or cloud). Whether a tool uses machine learning should also be a factor, as that appears to be the direction the field is moving in.

The next generation of products even offers automated responses (through integration with firewalls, network access control and so on) to further reduce manual effort and response time. Hewlett Packard Enterprise recently acquired Niara Inc., a California-based UEBA provider, and Niara will work with HPE's Aruba ClearPass network access control product to that end: if Niara's platform detects an incident, ClearPass can automatically disconnect the user or device from the network.

Before choosing a solution, IT professionals should know which assets in their organization need the most protection, define a few key use cases that capture their objectives, and identify which data sources those use cases require. This narrows the vendor list significantly and helps find the product best suited to the business.

An evolving technology

Gartner’s Top 10 Strategic Technology Trends for 2017 noted that “use of user and entity behavior analytics will become a requirement for virtually every enterprise”, and adoption of the technology is set to increase rapidly over the next few years. More broadly, as criminals continue to move from traditional crime to cybercrime, crime analysts will increasingly work with data from online systems as well as "real-world" data. Crime analyst job opportunities are predicted to grow 19% by 2020, and a significant proportion of those roles are likely to involve using UEBA tools to detect attacks on government agencies.

Some argue that the standalone UEBA market will eventually disappear as the capability is folded into other technologies, and UEBA features are certainly being integrated into existing SIEM products (IBM QRadar, for example). Whatever the state of the market, that does not diminish the importance of the underlying technology. The good news from a security standpoint is that UEBA tools are still evolving and becoming more capable: advances in machine learning will improve analytics performance and find their way into more and more products, while tighter integration with infrastructure will enable faster, more automated responses. So if you haven’t yet acquainted yourself with UEBA, now is the time; it should be an essential part of your security strategy going forward.
