Most large organizations have made a significant investment in trying to prevent cyberattacks from taking place. They have installed numerous detection, monitoring and collection solutions to prevent malicious insiders and external hackers from being able to steal sensitive customer data and valuable corporate IP. What they are now beginning to realize, is that their existing big data repositories are concealing valuable information on potential sophisticated attacks and other security threats.
Most large organizations have made a significant investment in trying to prevent cyberattacks from taking place. They have installed numerous detection, monitoring and collection solutions to prevent malicious insiders and external hackers from being able to steal sensitive customer data and valuable corporate IP. What they are now beginning to realize, is that their existing big data repositories are concealing valuable information on potential sophisticated attacks and other security threats. More specifically, as companies turn their attention from prevention to “detection and response,” they realize that if they can unlock the information stored in their user-related data repositories, they can offer security analysts the much needed context to better understand the alerts and threats they face on a daily basis.
User Behavior Analytics (UBA) is rocking this year’s security conferences. Rather than trying to build an ever stronger perimeter, the discussion has changed substantially. Security professionals are investing more resources than ever before into collecting and analyzing vast amounts of user-specific event and access logs which holds the promise of major security benefits including the opportunity to:
- Quickly identify anomalous user behaviors.
- Investigate a prioritized list of potential threats.
- Leverage machine learning techniques to isolate evolving threats.
- Minimize reliance on pre-defined rules or heuristics.
- Detect and respond to Insider Threats much faster.
The future of UBA is promising, however, with significant interest and hype surrounding the benefits of UBA for both enterprises and large organizations, how can someone begin to incorporate UBA into their existing security infrastructure? Here are three simple steps to get you started:
DEFINING THE PROBLEM
The first step is to define the problem.While every organization suffers from the ongoing threat of an external attack or rogue insider usage, few organizations take the time to identify their unique organizational security characteristics. For example, an organization that has created a “crown jewel” proprietary application that is a critical resource required for their business operations must be sure to capture the behavior of employees who use this application. Determining what are the most important company assets up front, helps ensure that their UBA solution will safeguard the company’s most important resources.
Many UBA prospectors are hoping that after deploying a UBA platform, all of their unanswered questions will miraculously appear as high-rated security alerts. The truth is that UBA works as well as we plan it to work. Planning and defining the problem means that by forming an exact array of questions we plan our UBA to answer, we create a more powerful and precise threat mitigation machine.
The second step is to identifythe groups of users and the types of information you want monitored. That’s why organizations with well-deployed and defined SIEM appliances are finding UBA a natural fit. Combining a SIEM’s ability to gather all data in one place, and then leveraging UBA to correlate, cross-reference and enrich that data, improves chances of gaining swifter results.
The third and final step is implementation. There are numerous ways to utilize the collected data into valuable security insights:
- Visualization – You will need a range of graphic tools to gain quick insight into the anomalies the numbers are hiding. A simple bar chart might be the best way to visualize employee access attempts and see which accounts are the victim of brute force login attempts. For more complex challenges, link graphs are often used to identify abnormal relations between users and machines. In most cases, a picture is worth a 1000 words.
- Drill-Down – Create a linear investigation process, enabling analysts to ‘grab’ a lead and search pre-defined locations for more relevant data. Defining several investigation processes that yield useful security insights can then develop into a routine monitoring practice.
- Aggregate – Achieve even better results by forming summarized data schemes. For example, group security events by different user identities, different time frames and different usage patterns to learn how, when and where users are accessing their data.
- Profile – Though requiring more meaningful development and computational resources, profiling is the first step at automating detection and investigation. A functioning profiling engine could save hours in manual investigation and dramatically reduce the number of leads requiring manual inspection.
UBA is not simply something that you set and forget like an appliance, it’s an entirely different way to view and analyze security data. Think of your problem, collect the appropriate data, and establish the relevant tools to gain visibility to the unseen threats lurking inside your network.