Earlier this month, Niara was named a 2016 cool vendor by Gartner. Getting recognition from the “gold standard” of technology analysts allows you to cut through the marketing hype. But that’s just the first step in choosing a User Behavior Analytics (UBA) solution that’s right for you. You could try the incredibly cumbersome feature-by-feature comparison across vendors but most vendors use similar words to describe vastly different capabilities. A far simpler and more meaningful selection mechanism is to consider these questions:
- Is the UBA solution multidimensional?
- Is the UBA solution scalable?
- Does the UBA solution integrate human and machine intelligence?
A UBA solution should be multidimensional, i.e., it should apply a set of multivariate models to multiple data sources. Why? Because this is the most effective way to bridge the gap between "anomalous" behavior and "malicious" intent. As the Russian Foreign Minister succinctly stated when asked by CNN to define a terrorist: “if it looks like a terrorist, if it acts like a terrorist, if it walks like a terrorist, if it fights like a terrorist, it's a terrorist”.
In the same way, a multidimensional UBA solution can provide various lines of evidence that together paint a more compelling picture of malicious intent than any single indicator could. For example, if behavioral analytics modules are applied against:
- badge logs that reveal that user “Bob” is entering the office 1) at abnormal times, and 2) more frequently than usual;
- network packets that show that Bob is 1) accessing a large number of internal servers that he has never accessed before, and 2) downloading more data than is normal for him; and
- endpoint logs that reveal that Bob is 1) downloading the files containing sensitive confidential information that is not permitted to be downloaded to local endpoints, and 2) transferring an unusual volume of data to removable USB storage,
then an analyst can posit that these anomalies, all tied to Bob, are likely leading indicators of malicious intent. An analyst who had to decide on the basis of only one of the above anomalies could not have the same level of confidence: a late badge-in on its own is just a late night. Only UBA solutions that are multidimensional can give analysts confidence that they aren't chasing ghosts.
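The correlation described above, as an added example that is not Niara's code or part of the original post: each (source, feature) pair gets its own baseline and z-score, and the verdict depends on how many independent data sources corroborate each other rather than on any single score. The 14-day baselines, today's observations for "bob", the three-sigma cutoff and the "two or more sources" rule are all constructed assumptions for illustration.

```python
"""Correlating per-source anomalies for one user (added example).

The baselines and observations below are constructed, hypothetical values
for user "bob"; nothing here is a real badge, network or endpoint log.
"""
from statistics import mean, pstdev

# 14-day history per (source, feature): what each behavioral model learns from.
BASELINE = {
    ("badge", "entry_hour"):          [8, 9, 8, 9, 8, 8, 9, 8, 9, 8, 8, 9, 8, 9],
    ("badge", "entries_per_day"):     [1, 1, 2, 1, 1, 1, 1, 2, 1, 1, 1, 1, 1, 1],
    ("network", "new_servers"):       [0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0],
    ("network", "bytes_down_mb"):     [120, 95, 140, 110, 100, 130, 90, 115,
                                       125, 105, 98, 135, 112, 108],
    ("endpoint", "restricted_files"): [0] * 14,
    ("endpoint", "usb_bytes_mb"):     [0, 0, 5, 0, 0, 0, 0, 0, 10, 0, 0, 0, 0, 0],
}

# Today's observation: every source is off at once (the "Bob" scenario above).
TODAY = {
    ("badge", "entry_hour"): 23,
    ("badge", "entries_per_day"): 5,
    ("network", "new_servers"): 17,
    ("network", "bytes_down_mb"): 2400,
    ("endpoint", "restricted_files"): 6,
    ("endpoint", "usb_bytes_mb"): 1800,
}

# Same badge anomalies, everything else normal: a single line of evidence.
BADGE_ONLY = {
    **TODAY,
    ("network", "new_servers"): 0,
    ("network", "bytes_down_mb"): 110,
    ("endpoint", "restricted_files"): 0,
    ("endpoint", "usb_bytes_mb"): 0,
}


def zscore(history, value, sigma_floor=1.0):
    """Distance of `value` from the history mean, in standard deviations.

    The floor on sigma stops a near-constant history (e.g. all zeros) from
    turning any small change into an enormous score.
    """
    sigma = max(pstdev(history), sigma_floor)
    return (value - mean(history)) / sigma


def score_user(baseline, observed, z_threshold=3.0):
    """Flag per-feature anomalies, then judge by how many independent
    data sources corroborate each other rather than by any single score."""
    anomalies = []
    for (source, feature), history in baseline.items():
        z = zscore(history, observed[(source, feature)])
        if abs(z) >= z_threshold:
            anomalies.append((source, feature, round(z, 1)))
    sources = {source for source, _, _ in anomalies}
    if len(sources) >= 2:
        verdict = "investigate"   # corroborated across data sources
    elif anomalies:
        verdict = "monitor"       # one source only: could just be a late night
    else:
        verdict = "normal"
    return {"anomalies": anomalies, "sources": sources, "verdict": verdict}


if __name__ == "__main__":
    for label, obs in (("all sources", TODAY), ("badge only", BADGE_ONLY)):
        result = score_user(BASELINE, obs)
        print(f"{label}: {result['verdict']} from {sorted(result['sources'])}")
        for source, feature, z in result["anomalies"]:
            print(f"  {source}/{feature}: z={z}")
```

With all three sources anomalous the verdict is "investigate"; with only the two badge anomalies it drops to "monitor", which is the difference in confidence the paragraph describes. A real deployment would weight sources differently (a restricted-file download is worth more than an odd badge time) and use per-user, per-weekday baselines, but the corroboration rule is the part that turns anomalies into evidence.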
A UBA solution must be scalable. Today, most large enterprises collect and store terabytes of data every day, coming in from tens of different data sources. Buried within that data are many interesting behavior patterns which, once extracted as feature vectors, machine learning models use to detect the abnormal behaviors that traditional rule-based and signature-based systems can't find.
Modeling many behavior patterns simultaneously improves detection accuracy and also the visibility into different data sets that every security analyst needs for incident investigation. So an effective UBA solution needs to monitor hundreds or even thousands of behavior patterns from this giant data pool in order to automatically detect and correlate anomalies and find real threats.
Obviously, this requires a lot of computing power. Only a UBA solution that is architected for scalability – i.e., built on a modern big data platform and carefully designed with performance and elasticity in mind – can satisfy the needs for increased compute and storage that come as an organization grows.
Human Driven, Machine Assisted
A UBA solution must also integrate human and machine intelligence. Although more and more machine learning-based smarts are being utilized to solve challenging security problems (e.g., detecting multi-stage APT attacks), human intelligence – including knowledge of both enterprise local context and security heuristics – is still a very crucial component that determines the overall effectiveness of a UBA solution.
Enterprise security is a hunting game between security analysts and attackers or malicious insiders. The role of machine learning is like the weapon in the hunter’s hands: it can shoot down anything, but what the hunter gets at the end – a hippo or a squirrel – totally depends on where the hunter points the weapon.
It's the same case for UBA-based detection. UBA can detect any anomalous behavior, but whether an anomaly it flags is meaningful depends heavily on which behaviors it monitors. Take the case of using UBA to detect abnormal internal server access (e.g., by time, volume, etc.). Applied across all internal servers together, it may add random noise to the feature space; scoped to a focused, limited set of high-value servers, it normally yields more valuable findings. Defining meaningful behavior use cases requires good knowledge of enterprise local context.
In addition, most UBA solutions use unsupervised or semi-supervised machine learning models because labeled training data is scarce. Both techniques are naturally prone to generating more noise in detection than supervised techniques, so human judgment has to close the gap. Mating these models with analyst knowledge of genuine malicious behavior patterns not only accelerates their convergence but also improves their accuracy in detecting the anomalous behaviors that warrant analyst investigation.
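One concrete form of that feedback loop, as an added example that is not Niara's code or part of the original post: analyst verdicts on past findings move each feature's z-score threshold. A confirmed-malicious finding pulls the threshold down so that pattern is not missed again; a feature whose findings have only ever been marked benign gets its threshold raised above the noise. The feedback records, the default three-sigma threshold, the margin and the floor are constructed assumptions for illustration.

```python
"""Feeding analyst verdicts back into per-feature anomaly thresholds.

Added example. Each feedback record is constructed: (feature, z-score of
the finding the analyst reviewed, analyst label).
"""
from collections import defaultdict

ANALYST_FEEDBACK = [
    ("usb_bytes_mb", 4.1, "benign"),          # backup to an approved drive
    ("usb_bytes_mb", 5.2, "benign"),
    ("usb_bytes_mb", 9.0, "malicious"),       # confirmed exfiltration
    ("new_servers", 3.2, "benign"),           # new project, legitimate access
    ("new_servers", 3.8, "benign"),
    ("restricted_files", 2.0, "malicious"),   # real, but under the default cutoff
]


def tune_thresholds(feedback, base=3.0, margin=0.25, floor=1.0):
    """Derive a per-feature z threshold from analyst labels.

    - A confirmed-malicious finding must stay above the threshold, so the
      threshold drops to just under the lowest malicious z seen.
    - If analysts have only ever marked a feature's findings benign, the
      threshold rises to just above the noisiest benign one.
    - Features with no feedback keep `base`; nothing goes below `floor`.
    """
    seen = defaultdict(lambda: {"benign": [], "malicious": []})
    for feature, z, label in feedback:
        seen[feature][label].append(abs(z))
    thresholds = {}
    for feature, zs in seen.items():
        if zs["malicious"]:
            t = min(zs["malicious"]) - margin
        else:
            t = max(zs["benign"]) + margin
        thresholds[feature] = max(floor, t)
    return thresholds


def is_alert(feature, z, thresholds, base=3.0):
    """Apply the tuned threshold, falling back to the unsupervised default."""
    return abs(z) >= thresholds.get(feature, base)


if __name__ == "__main__":
    tuned = tune_thresholds(ANALYST_FEEDBACK)
    for feature, t in sorted(tuned.items()):
        print(f"{feature}: threshold z >= {t:.2f}")
```

After tuning, the two benign USB findings (z 4.1 and 5.2) no longer alert while the z 9.0 case still does, and the z 2.0 restricted-file access now fires even though it sits below the default. Two caveats a practitioner would add: when a benign finding scores higher than a malicious one on the same feature, no single threshold separates them and the feature needs a better model rather than a new cutoff; and a handful of labels per feature can swing the threshold a long way, so production systems damp each update and keep the raw scores visible for investigation.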
It’s as simple as that. Multidimensionality, scalability and the ability to integrate human and machine intelligence. If your UBA solution can do that, you are well positioned to thwart risky behaviors and advanced attacks.