Gartner’s latest Market Guide on User Behavioral Analytics was published recently and SURPRISE! It’s not about user behavior analytics (UBA) anymore, but user and entity behavior analytics (UEBA). Avivah Litan outlines the reason for the change:
“The letter "e" in the term UEBA recognizes the fact that other entities besides users are often profiled in order to more accurately pinpoint threats, in part by correlating the behavior of these other entities with user behavior.”
Said differently, profiling user behavior is necessary but, on its own, not sufficient to satisfy the rapidly growing market. As customers encounter products that only deal with users, that myopia leaves them looking for more.
For example, there are many types of networked devices (e.g., servers, dropcams, etc.) within an organization that are not associated with a user. During a multi-stage attack these “headless” devices could become compromised. By profiling only users and not devices, organizations are leaving themselves exposed.
At the center of Niara’s security analytics platform is the Entity360™. Think of it as the place where anyone on the security team – from L1 analysts to threat hunters to investigators – can go to see a consolidated summary of all the security-relevant information about users, hosts, IP addresses and more – i.e., entities. From day one, Niara’s architecture generalized the idea of profiling the behavior of key entities to find not only anomalous behavior, but malicious behavior as well. As Avivah accurately points out, there are plenty of important signals that come from network traffic, endpoint information, logs, etc., and not all of them map directly to a user.
For example, Niara profiles multiple server features and uses machine-learning models to find anomalous behavior. This is then integrated with other analytics (e.g., protocol analytics, remote access analytics, etc.) and correlated to an entity. Hence the concept of a “360°” view of an attack. A single action may not be enough to validate a threat, but combined with the aggregated view of a user’s interaction with a server along with the server’s own behavior, anomalous behavior becomes malicious behavior and the attack becomes clear.
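To make the user-plus-server correlation concrete, here is a small added example (not Niara’s code; the event records, entity names and thresholds are constructed for illustration). It builds per-entity baselines from a week of sample events, then on a new day treats a user-side signal or a host-side signal alone as merely anomalous, and the two together on the same server as malicious.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): seven baseline days, then day 8,
# when alice logs in to a server she never used and that server pushes 100x its
# usual volume to an address it has never talked to.
EVENTS = (
    [{"day": d, "type": "auth", "user": "alice", "host": "ws-01"} for d in range(1, 8)]
    + [{"day": d, "type": "flow", "host": "db-01", "dst": "10.0.9.2", "bytes": 4_000_000} for d in range(1, 8)]
    + [{"day": 8, "type": "auth", "user": "alice", "host": "db-01"},
       {"day": 8, "type": "flow", "host": "db-01", "dst": "198.51.100.7", "bytes": 400_000_000}]
)

def build_profiles(events, baseline_days):
    """Entity profiles from the baseline window: hosts each user touched,
    destinations and byte volumes each host produced."""
    users = defaultdict(set)
    hosts = defaultdict(lambda: {"dsts": set(), "bytes": []})
    for e in events:
        if e["day"] > baseline_days:
            continue
        if e["type"] == "auth":
            users[e["user"]].add(e["host"])
        else:
            hosts[e["host"]]["dsts"].add(e["dst"])
            hosts[e["host"]]["bytes"].append(e["bytes"])
    return users, hosts

def score_day(events, day, users, hosts):
    """Collect user-side and host-side signals per host for one day, then
    correlate them: one side alone is 'anomalous', both together 'malicious'."""
    signals = defaultdict(list)
    for e in events:
        if e["day"] != day:
            continue
        if e["type"] == "auth" and e["host"] not in users[e["user"]]:
            signals[e["host"]].append(f"user:{e['user']} first login to host")
        elif e["type"] == "flow":
            prof = hosts[e["host"]]
            avg = sum(prof["bytes"]) / len(prof["bytes"]) if prof["bytes"] else 0
            if e["dst"] not in prof["dsts"]:
                signals[e["host"]].append(f"host:new destination {e['dst']}")
            if avg and e["bytes"] > 10 * avg:
                signals[e["host"]].append(f"host:volume {e['bytes'] / avg:.0f}x baseline")
    verdicts = {}
    for host, sig in signals.items():
        both = any(s.startswith("user:") for s in sig) and any(s.startswith("host:") for s in sig)
        verdicts[host] = ("malicious" if both else "anomalous", sig)
    return verdicts
```

Running `score_day(EVENTS, 8, *build_profiles(EVENTS, 7))` returns a verdict for `db-01` built from all three signals, whereas day 7 produces none.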
Moreover, there are various levels of user visibility. Niara’s Entity360 profiles natively deliver what an analyst needs to quickly verify the seriousness of the attack and start the response. Out of the box Entity360s provide for each entity a complete timeline of:
- Devices used and the associated MAC addresses
- IP address history
- Authentication history
- Port and protocol history
- Web activity
- Attack score by threat indicator by kill chain stage over time
- Network conversation history and trends
One click, and what normally takes hours or even days to assemble is available instantaneously.
The technology to natively do the “e” part of UEBA cannot be added after the fact. Moving from a user-only view of the threat environment to the n-dimensional world of entities requires a fundamental overhaul of everything from data formats and data storage to compute scale and analytics modules. Think of UBA alone as the equivalent of listening to a song with only the bass turned on. You’re hearing lots of volume, but it’s not until all the notes are enabled that the true nature of the piece becomes clear.
Now that UEBA is validated, the “we do that too” marketing will kick into overdrive. There are two choices when considering Big Data Security Analytics solutions designed to find attacks that have eluded real-time defenses: start with last year’s UBA, or invest in a long-term architecture and solution designed for UEBA.