As you begin mapping out your security defense strategy for 2017, you’ve undoubtedly seen a relatively new acronym on your radar—UEBA, or User and Entity Behavior Analytics. This game-changing innovation promises to connect the dots of an attack to provide advanced levels of detection and to unify security. UEBA solutions accomplish this by taking into account users who are involved, the assets that are at risk, and how the attack is unfolding.
The first products in this market were called User Behavioral Analytics (UBA). Then in August of 2015 (1), Avivah Litan at Gartner introduced the term “entity” into the title creating “user and entity behavioral analytics” (UEBA). This change came as vendors began to support machine learning and analytic models that tracked and risk scored more than just user accounts. To understand and give context to risks and threats, vendors added the ability to visualize not just user accounts, but also machines and servers, files and other data assets, IP addresses, and even applications. These capabilities are critical to detecting and giving context to sophisticated threats and build on the capability to ingest and correlate multiple data classes. More importantly, the ability to calculate risk to critical files and assets creates a “data centric” threat detection capability answering questions like; what files or digital assets are under attack? What critical files or digital assets are located on highly risky machines? An analytics based data centric view of risk compliments DLP deployments and offers a new kind of threat visibility.
As with any emerging technology, it’s risky to assume that all UEBA vendors offer the same level and range of capabilities. To help clear up any confusion you might have, we interviewed Stephan Jou, Chief Technology Officer, with Interset, an Intel Security Innovation Alliance partner. As a starting point, Stephan suggests that you consider some key criteria as you investigate potential vendors.
Q. You stress the importance of scalability and having a true “Big Data” architecture in a UEBA solution. What should buyers look for?
A. Just about every UEBA vendor today claims that they support Big Data and Hadoop, but we’ve seen scalability issues at some customer deployments. The open source, Java-based framework Hadoop does indeed support the storage and processing of large data sets in a distributed environment, but, on its own, it’s not a Big Data platform. Supporting only a few components of a Big Data platform, but not a complete set, will result in scalability issues and bottlenecks. You need to ask UEBA vendors to clearly explain their architecture and all its components. If you have access to a Big Data expert, have them review the vendor’s architecture. Finally, contact customer and analyst references and ask them about any scalability issues they might know of.
Q. Why is it critical for UEBA solutions to support multiple data classes?
A. Today’s UEBA solutions should support ingestion and correlation of multiple classes of data. Why? Because this will provide you with visibility and contextual understanding of threats across a broader threat surface—strengthening your detection capabilities. If the UEBA product can provide this capability, security analysts can quickly identify the attack, its target, and its methods. When you’re evaluating a UEBA solution, ask your vendor about what data classes are supported from what data sources and whether they are available out of the box. And, to avoid expensive customizations, make sure the products; analytic models work with your required data classes.
Q. Why is it important for a true UEBA solution to include analytics for both users and “other entities”?
A. Early products in this market tracked only user behavior. Today, true UEBA solutions that incorporate machine learning and analytic models track both user accounts and computing resources, such as desktops, laptops, servers, files and other data assets, IP addresses, and even applications. This is critical to detecting and providing context around complex threats. By including entities, a UEBA solution can calculate risk to critical files and assets. This helps answer important questions, like “What files or digital assets are under attack?” and “What critical files or digital assets are located on highly risky machines?” When you’re looking at UEBA solutions, make sure that they support multiple entities and ask the vendor to demonstrate a risk score for each entity type.
Q. Why is mathematics so important in differentiating UEBA solutions?
A. You’ll often see vendors tossing out sophisticated math terminology—like the Monte Carlo method, Gaussian profile estimation, and Recursive Bayesian Estimation—mostly to impress you. But really, what’s most important is how well their mathematical methods help you detect threats. The math used is important in three critical ways: it completely eliminates the need for rules and policies, it determines the accuracy and speed of detection, and it determines the breadth of entity visibility and threat detection coverage. When you’re reviewing UEBA products, be sure that the product does not require rules or thresholds—ever—and that it uses more than one type of math for machine learning and analytic detection. Also, the vendor should be able to explain the mathematical models and how they are applied to each type of threat or use case. Above all, ask vendors to prove their claims of use case coverage and detection accuracy. They should be able to run tests with your own data sets.
Q. When it comes to UEBA, why is having an extensible engine so important?
A. Investing in a UEBA solution can significantly improve threat detection and response over the long term. The UEBA engine can literally become the automated threat detection brain of your security architecture if the analytics engine is extensible. This means it needs to cover multiple use cases and can be easily expanded to cover even more in the future—including unknown threats. How can you determine whether the solution is capable of this before you make a purchase commitment? Follow these four steps:
- Share your threat detection and use case coverage roadmap with the vendor and find out if their roadmap matches yours.
- Ask the vendor what it takes to add new use cases and whether they have ever done that previously.
- Find out if the vendor has a repeatable process for threat coverage expansion.
- Inquire as to whether customized projects around new data classes, new analytics, and new threats coverage are planned for future releases.
- Finally, when selecting a UEBA product, ensure that the product supports multiple entities including user/account, machine/servers, files/digital assets, and application. Require that the vendor demonstrate a representation of each entity with associated risk scores – “most risky” report for each entity type.
Market Guide for User and Entity Behavior Analytics, Avivah Litan ID: G00276088
Stay up to date on the latest news and developments regarding the Intel Security Innovation Alliance. Subscribe to D.J. Long’s blog