Niara/Carbon Black Integration Opens Up Endpoint for User Behavior Analytics

24 Mar

in Blog, Corporate, Technology

by Suhas Shetty

If nothing else, the recent RSA Conference confirmed that user behavior analytics (UBA) is one of the hottest security markets in tech. In fact, we watched with humor as new UBA vendors magically appeared from other parts of the ecosystem to claim a piece of the pie.

There’s also a trend where existing UBA vendors have suddenly realized that collecting and analyzing a single data source (pick from this list: AD logs, VPN logs, alerts, threat feeds, network flow records, etc.) makes them more of a feature than a solution. And a fragile feature at that.

UBA on a single log source tends to produce a deluge of alerts and events because nothing is cross-correlated with other data sources, and that causes analyst fatigue. Niara fuses logs and activity from multiple data sources, ensuring that the fidelity of the analytics is something one can hang one's hat on and making the alerts and events actionable. Combining these alerts with the ability to triage, investigate and remediate, all in a single platform, is priceless, and that is what the Niara platform does.

Today we announced an integration with Carbon Black, the leader in next-generation endpoint security. This is significant for several reasons:

  1. We now incorporate the entire range of relevant IT security data by adding endpoint intelligence to network, log, alert, identity and external threat information. By adding endpoint visibility and combining it with Niara's complete network visibility, we help answer the most important questions that keep security analysts up at night.
    • Where did the attack come from?
    • Did the attack succeed on the endpoint?
    • What was the traffic post-infection?
    • Who else in my enterprise was attacked in a similar fashion?

    All these are questions that can be better answered as a result of this integration.

  2. This partnership enables us to have full access to Carbon Black intelligence across our value chain of attack detection, incident investigation and threat hunting.
  3. Our attack detection analytics just got a boost in precision by virtue of now being able to see security-relevant activity inside an endpoint. For example, in addition to knowing a suspicious file has been downloaded, we now know if it was opened and what executed as a result.
  4. In addition, endpoint status and context will now add to our Entity360 risk profiles. Entity360s deliver integrated, highly graphical summaries of both the risk score and associated security behavior at any point in time. And, just as we use Entity360 as a portal into deeper levels of forensic data such as network flows and packets, we now make endpoint details such as registry changes, file opens, and network connections available for analyst investigations and threat hunting.

Unless UBA is architected with the goal of fully integrating any source of security-relevant data to drive analytics, investigation, and response, single-source UBA products will always be on a re-implementation treadmill to track the inevitable changes in the IT ecosystem. The speed and ease with which Carbon Black became a fully functional partner with Niara ensures that enterprise customers are never left behind.
