28 Oct

Avoiding the UBA Two Step

by Larry Lunetta

First-generation User Behavioral Analytics (UBA) (which I touched on in a previous blog) took a new look at the problem of identifying the specific users associated with a threat (an early pioneer was “ArcSight IdentityView”). It introduced the idea of using those identities and log data to build and track behavior baselines, looking for unusual activity. These tools found and alerted on events such as uncharacteristic network access at 2 a.m. or a change in role or job function. More events were added to the white noise, and it didn’t help in understanding, verifying or acting on the data. This hidden but expensive opportunity cost caused analysts to miss real attacks by chasing false positives. One step forward, two steps back.

This week, Niara turned the UBA two step into two full sprints forward, delivering a completely integrated attack detection and incident investigation platform that now includes user and entity behavior analytics on data from the network (i.e., packets and flows) and security infrastructure (i.e., logs and alerts). This follows a recent Gartner Market Guide for User and Entity Behavioral Analytics (UEBA), where Avivah Litan recommends adding network activity for visibility not available in logs.

The first benefit is the reduction in false positives. By including packet and flow data in UEBA attack calculations, the underlying behavioral models are better able to separate the merely anomalous from the truly malicious. So, the first giant step forward means fewer blind alleys and more confidence in addressing real alerts.

The second leap forward comes from making material improvements to the incident investigation and response process. Log-based UBA sends raw alerts into a high-overhead process that is already overloaded with white noise, data silos, manual aggregation and limited visualization tools, which stretch triage, decision making and action to days and weeks—if it happens at all. With Niara’s Entity360 profiles, the alert is automatically associated with an entity, i.e., a user or a host. In one click, it delivers all the status and history an analyst needs to instantly decide if something is worth additional attention, while also providing relevant investigation and remediation context down to the packet level.
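The two steps described above, corroborating a log-based anomaly with network flow data before alerting and keying the result to an entity so the analyst sees both signals together, as an added Python example that is not Niara's code; the users, baselines, thresholds and the verdict labels are constructed for illustration.

```python
"""Added example (not Niara's code): a toy UEBA scorer that corroborates a
log-based anomaly (unusual login hour) with flow data (outbound volume) and
returns an entity-keyed verdict instead of a raw log alert."""
from statistics import mean, pstdev

# Constructed sample baselines: historical login hours per user (from auth
# logs) and historical outbound bytes per user per day (from flow records).
LOGIN_HISTORY = {
    "alice": [9, 9, 10, 8, 9, 10, 9, 8, 9, 10],
    "bob":   [22, 1, 2, 23, 0, 2, 1, 22, 0, 1],   # night-shift operator
}
FLOW_HISTORY = {
    "alice": [120_000, 130_000, 110_000, 125_000, 135_000, 115_000],
    "bob":   [900_000, 850_000, 950_000, 880_000, 920_000, 910_000],
}

def hour_is_unusual(user, hour):
    """Log-only UBA check: login hour never seen in this user's baseline."""
    seen = LOGIN_HISTORY.get(user, [])
    return bool(seen) and hour not in seen

def bytes_zscore(user, out_bytes):
    """Flow check: standard deviations of today's outbound volume above baseline."""
    hist = FLOW_HISTORY.get(user, [])
    if len(hist) < 2 or pstdev(hist) == 0:
        return 0.0
    return (out_bytes - mean(hist)) / pstdev(hist)

def score_event(user, hour, out_bytes, z_threshold=3.0):
    """Combine both signals into one entity-keyed record.

    Only a log anomaly that is corroborated by a flow anomaly becomes an
    'alert'; a single signal is downgraded to 'watch', which is where a
    log-only UBA would already have paged the analyst."""
    log_anom = hour_is_unusual(user, hour)
    z = bytes_zscore(user, out_bytes)
    flow_anom = z >= z_threshold
    if log_anom and flow_anom:
        verdict = "alert"
    elif log_anom or flow_anom:
        verdict = "watch"
    else:
        verdict = "normal"
    return {"entity": user, "login_hour": hour, "unusual_hour": log_anom,
            "outbound_bytes": out_bytes, "bytes_z": round(z, 2),
            "verdict": verdict}

if __name__ == "__main__":
    print(score_event("alice", 2, 125_000))    # 2 a.m. login, normal volume
    print(score_event("alice", 2, 2_000_000))  # 2 a.m. login plus bulk egress
```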

Savvy business people know that not all costs show up in the profit and loss statement (P&L). Because the security team is still the most valuable asset in protecting an organization, the ability to focus them on the right problems and reduce the effort needed to find and remediate attacks is a huge win. Avoid the opportunity cost of UBA 1.0 by incorporating a UEBA solution that provides complete coverage, more precise attack detection and integrated forensics.

