Understanding a new security market: User behavior analytics
We know that tracking enterprise log data to discover suspicious activity from hackers or malicious insider threats is not a new idea. Five to 10 years ago, we saw the SIEM (security information and event management) industry spike in popularity. The idea that large enterprises could systematically analyze countless security alerts in real time meant that security operations center (SOC) teams could do their jobs better.
While SIEM served (and still serves) a valid purpose in the market, our teams were still missing alerts that led to significant data breaches. Enterprises were creating more data than ever before, hackers were getting smarter and making strategic hires in the security market was getting tougher.
Enter: user behavior analytics (UBA). By 2017, Gartner expects that at least 20 percent of major security vendors that already focus on user monitoring will incorporate advanced analytics and UBA into their products.
UBA solutions, sometimes looked at as next-gen SIEM, are defined by their ability to focus more on user-specific activities and behaviors, rather than systematical events and alerts. At first glance, focusing only on user behaviors seems too limited for catching hackers in action. Over the years, however, attack strategies have changed, and hackers are stealing credentials to pose as valid users in 76 percent of all attacks. Instead of looking for alerts pointing to a hacker or malware, our SOC teams are now using UBA to identify the suspicious behaviors that denote a hacker.
While UBA is a security tool at its core, it requires that the teams using it pull from three areas of expertise: data science, platform engineering and security analysis. The understanding of these components allows SOC teams to support and succeed with their UBA solution.
Security analysts aren’t data scientists, and with support from UBA, that’s OK. UBA requires that the analysts monitoring its outputs understand the behavioral modeling and machine learning techniques. The longer UBA tools are in our networks, the smarter they get. They will compare users’ behaviors to their own behaviors in the past, to coworkers in their department and to coworkers in their office location.
While UBA tools point out the anomalies, security analysts should also start recognizing these patterns and prioritizing investigations of users that appear riskiest. By understanding the data science behind UBA, our SOC teams can focus on the most severe risks, not necessarily those that FireEye pulls up first.
Modeling for possible breaches, connecting identity switches by hackers and identifying infected machines all require extremely efficient platform support. An in-memory stream-based platform like Apache Spark will allow security analysts to work in real time to discover these breaches.
Instead of waiting for a FireEye alert of an infected system, real-time platform analytics will help analysts detect account takeover by a hacker long before they are able to steal any information. All advancements in platform engineering will work side-by-side with advancements in the UBA space, making the security analysts’ jobs as seamless as possible.
Our security teams are often a combination of data scientists, experienced security professionals and analysts who are still very new to the industry. The data scientists are new to security industry’s common threats, while experienced security professionals are not terribly familiar with the math behind threat detection. Analysts completely new to the industry are being exposed to both challenges for the first time.
The possibility of hiring additional staff is often limited (currently more than 209,000 cybersecurity jobs in the U.S. are unfilled due to a staffing, not budgeting, gap). We need to aid our staff in doing its best work by encouraging team member to work together closely. By promoting collaboration between cybersecurity professionals and data scientists, each group will better learn how to identify trends that lead to a threat. Instead of having new analysts blindly look for signs of a breach, teach them to use UBA tools to better identify the warning signs of an attack.
User behavior analytics may seem daunting at first, but by bringing together the insight used in data science, a real-time backend platform and a diverse security team, UBA can become a crucial threat detection method for your organization.