Defining a New Product Space

Every year the security market expects to see the arrival of new product categories that promise to dramatically improve existing security postures. Security Information and Event Management (SIEM), Full Packet Capture, Sandboxing, Firewalls, Next Gen Endpoints, Cloud Access Security, and Threat Intelligence have all had their time in the sun. So what’s going to freshen up 2016?

The emergence of cheaper compute platforms has enabled us to consume, normalize, and store large amounts of data for specific use cases. Behavior Anomaly Detection (BAD), or User Behavior Analytics (UBA) as Gartner calls it, has recently come to the forefront of “next-generation” security discussions by leveraging these newly cost-effective compute capabilities.

Using data taken from logs and, usually, network information collected via a TAP/SPAN, UBA systems apply machine learning and statistical models to create baselines for traffic, users, and computers. By adding contextual information from HR systems and Active Directory, these products provide unique visibility into anomalies or deviations from those baselines, with the goal of detecting potential breaches missed by other technologies.
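To make the baseline-plus-context idea concrete, here is a small added example (not code from the original post or from any UBA vendor) that builds a per-user baseline of destination hosts and active hours from constructed logon events, scores a new day's events against it, and raises the score when HR context flags the user. The event format, the HR fields and the scoring weights are all assumptions made up for the illustration.

```python
from collections import defaultdict

# Constructed sample logon events (not from the original post) forming the
# baseline window. Format: (timestamp, user, destination host).
BASELINE = [
    ("2016-01-04 09:02", "alice", "fs01"), ("2016-01-04 09:15", "alice", "crm01"),
    ("2016-01-05 08:55", "alice", "fs01"), ("2016-01-06 09:10", "alice", "crm01"),
    ("2016-01-07 09:05", "alice", "fs01"), ("2016-01-08 09:20", "alice", "crm01"),
    ("2016-01-04 13:00", "bob", "build01"), ("2016-01-05 14:30", "bob", "build01"),
    ("2016-01-06 12:45", "bob", "git01"), ("2016-01-07 13:15", "bob", "build01"),
]
# Constructed HR/directory context (hypothetical field) that weights anomalies.
HR = {"alice": {"leaving": False}, "bob": {"leaving": True}}
# Constructed events for the day being scored.
NEW = [
    ("2016-01-11 09:05", "alice", "fs01"),      # within baseline
    ("2016-01-11 02:40", "alice", "dc01"),      # new host at an unusual hour
    ("2016-01-11 13:05", "bob", "hr-share01"),  # new host, user flagged by HR
    ("2016-01-11 13:30", "bob", "build01"),     # within baseline
]

def build_baseline(events):
    """Per user: hosts normally reached and hours of day normally active."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host in events:
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(int(ts[11:13]))  # hour from "YYYY-MM-DD HH:MM"
    return profile

def score_event(profile, hr, event):
    """Score one event against its user's baseline; HR context raises the score."""
    ts, user, host = event
    if user not in profile:
        return 3, ["no baseline for user"]
    base, hour, score, reasons = profile[user], int(ts[11:13]), 0, []
    if host not in base["hosts"]:
        score, reasons = score + 2, reasons + [f"new host {host}"]
    if all(abs(hour - h) > 1 for h in base["hours"]):  # more than an hour off
        score, reasons = score + 1, reasons + [f"unusual hour {hour:02d}"]
    if score and hr.get(user, {}).get("leaving"):
        score, reasons = score + 2, reasons + ["flagged as leaving in HR"]
    return score, reasons

def detect(baseline_events, hr, new_events, threshold=3):
    """Return (user, host, score, reasons) for events reaching the threshold."""
    profile = build_baseline(baseline_events)
    scored = ((ev, *score_event(profile, hr, ev)) for ev in new_events)
    return [(ev[1], ev[2], s, r) for ev, s, r in scored if s >= threshold]
```

Expressing the same logic as SIEM correlation rules would mean hand-writing and maintaining the per-user host lists and hour ranges, which is the configuration burden the post describes.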

“Sounds like a SIEM.”

While SIEMs can be customized and built out to perform some similar use cases, manually creating correlation rules to mimic the machine-learning algorithms employed by UBA requires a large amount of configuration and customization. The amount of out-of-the-box automation in creating the baselines and detecting the anomalies makes UBA a much more turnkey approach to breach detection. In addition, not all UBA systems rely solely on logs. Network-based UBA systems perform their baselining and detection with information collected from a SPAN or TAP, bringing a different level of context to alerts.

“So replace my SIEM?”

Not so fast. Though some of the log-based UBA systems are poised to move into the SIEM space as raw log retention time increases, a SIEM may still be necessary for log retention to meet compliance requirements. SIEM systems are focused on tracking host activity rather than user activity and are usually optimized to provide compliance reports rather than breach detection.

“Sounds like an IDS.”

Though working off much of the same traffic, an IDS is inherently signature based, so accomplishing similar use cases requires a level of customization comparable to a SIEM. While some IDSs come pre-loaded with signatures meant to identify malicious traffic, they are often extremely noisy and require large amounts of tuning to reach any real level of efficacy and avoid alert fatigue. Also lacking in IDS are the attributes of a user or computer that can be gained from HR systems and Active Directory.

“So replace my IDS?”

Maybe. Since any compliance requirements around IDS are loosely defined, a UBA system will likely serve to get that compliance checkbox. The automated tuning and added context may also provide value above and beyond what IDS is currently bringing to an organization. If a current IDS is in place, it makes sense to feed both systems with the same information and compare the results. If an organization is considering a new IDS deployment, I would strongly recommend looking towards UBA systems as a much more effective alternative.

“Do I need it?”

Security is the art of balancing risk acceptance against risk mitigation. So what is mitigated with UBA systems? Until recently, a lack of internal visibility limited an organization's ability to detect an attack that had successfully breached perimeter defenses until after the attacker’s goal was already accomplished. Thanks to their automated, turnkey, and contextual nature, UBA systems provide a low-overhead means of east-west visibility that can detect not only perimeter breaches but also lateral movement and insider threats. If an organization lacks network visibility into the perimeter or into critical system/application traffic, or is relying heavily on a SIEM that is primarily functioning as a log collection device, a UBA system is a great way to improve time to detection, time to containment, time to remediation, and overall security posture without adding heavy administration and analytical overhead.