Time to Consider User Behavior Analytics (UBA)

POSTED on January 25, 2016

In 2012, I did an extension research project on big data security analytics. My thesis was that big data tools like Hadoop, Mahout, MapReduce, and Pig would greatly enhance in-depth historical cybersecurity investigations beyond anything provided by SIEM tools. In retrospect, I believe my assumptions were correct, but the market remains in an early stage of development even today.

While general use of big data security analytics is still in its genesis phase, there appears to be an increasingly popular use case in cybersecurity: User Behavior Analytics (UBA). UBA is roughly defined as the analysis of all activities related to individual users, covering devices, processes, applications, network sessions, and data consumed and utilized. UBA builds a data analytics model where all log files, endpoint and network forensics, authentication requests, and data access actions are aligned with individual users themselves.

While few organizations have implemented UBA tools (i.e. from vendors like Caspida (Splunk), Exabeam, Fortscale, Gurucul, Rapid7, Securonix, etc.), nearly all enterprises regularly monitor user activities. According to soon-to-be-published research from ESG, 41% of large organizations always monitor user behavior (i.e. access patterns, user patterns, locations, devices used, etc.) while another 40% do so most of the time (note: I am an ESG employee). Typically this is done by aggregating logs and event within a SIEM and then building custom rules and dashboards for user monitoring.

Now, I am a big supporter of UBA technology and believe it is an essential component of the Incident Response “Fab 5,” which I recently blogged about. Nevertheless, I’m still seeing lots of market confusion. As I speak with enterprise organizations about their requirements and needs for 2016, security professionals often raise objections about UBA, like:

• “I already monitor user behavior using my SIEM.” As previously mentioned, this is probably true. I often see enterprises using correlation rules or dashboards on SIEM tools like ArcSight (HP), LogRhythm, QRadar, and Splunk. Yes, these custom rules can be used to monitor user behavior, but you have to create them, maintain them, and know what you are looking for. UBA goes a lot further to help organizations detect and respond to malicious user behavior that flies way under SIEM radar. It also helps detect the “unknown unknowns.”
• “I already collect and analyze the same data using other tools today.” Also true but misses the point. UBA takes Active Directory, device and network forensic data, and application logs and analyzes it through a different lens. Beside, UBA doesn’t need to collect the data itself. Rather, it can pull data through APIs or directly from a SIEM.
• “Isn’t UBA a feature of Cloud Access Security Brokers (CASB)?” Yes, some CASB gateways or SaaS offerings (i.e. Azure Active Directory, Elastica, Okta, Ping Identity) can track and report on user activities, but only as they related to cloud access. Pure-play UBA tools looks at the whole enchilada and are only limited by the data you feed it.
• “UBA will only introduce additional security alerts making it even more difficult to prioritize IR actions.” I get this objection as just about EVERY incident detection tool introduced over the last decade added noise to the signal. Actually, UBA is designed to reduce false positives with new types of algorithms that amass rather than report on anomalies. In other words, an anomaly in itself may not be interesting, but an aggregation of multiple anomalies rolling up to one user probably indicates a threat. The UBA tools I’ve seen do a good job at this.
• “UBA can’t really detect ‘low-and-slow’ attacks.” This is where I’m most skeptical too, but UBA can certainly be effective at detecting persistent threats as long as the security team can feed it the appropriate historical data. Analysts can then look at the data across different angles – by user, by anomalies, etc. to identify patterns more easily than through an army of individual tools and reports. Let’s face it, ‘low-and-slow’ attacks from a sophisticated adversary will always be tough to detect, but by consolidating all data through the lens of an individual user, UBA may help accelerate investigations compared to the status quo.
• “I’m already using identity analytics.” OK, this one is legitimate and really speaks to the weakness of the name user behavior analytics itself. From an IT perspective, part of user analysis is for things like identity governance rather than incident detection and response alone. Identity analytics from vendors like CA, Oracle, IBM, RSA, and SailPoint are IAM tools, and not UBA tools. There’s no reason why UBA vendors can’t add reporting capabilities for identity analytics in the future.

In my opinion, UBA can accelerate the detection of APTs that emanate from a compromised user’s system. Furthermore, UBA will become essential to weed out insider attacks a la Bradley Manning and Edward Snowden. It’s also important to note that UBA is designed to do the heavy analytical lifting – an important point given the global cybersecurity skills shortage.

Given all of its potential benefits, it’s time for vendors to cut through the hype and confusion and for users to explore proof-of-concept projects and production deployment.