Securing the Digital World

Behavior Analytics: The Key to Rapid Detection and Response?

Jan 21, 2016 | by Amy Blackshaw |

The use of detective analytics is now a central piece of security architectures, as security professionals are increasingly encountering a needle-in-a-haystack problem. Security tools - especially rule based ones - as well as systems, applications, and infrastructure, create so much data that it's tough to uncover the signal of a real attack. Analytic tools help make sense of the vast amount of data that these systems generate.

User and Entity Behavior Analytics (UEBA) technology is one type of these analytic tools. UEBA-based analytics systems search for patterns of activity that indicate unusual or anomalous behavior of identities or systems - regardless of whether the activities are coming from an external threat actor, malicious insider, or even malware or other processes. According to Gartner, "UEBA brings machine learning and statistical analysis to security monitoring, generating risk scores for evaluated events and entities. These scores indicate the likelihood of data breach, compromise or other abusive behavior, and are in stark contrast to binary "yes" or "no" outputs generated by rules". The promise of UEBA goes well beyond that of preventive analytics - it may not prevent threat actors from getting into your systems, but it can quickly detect their activities and minimize damage by enabling a rapid response.

The reality is that real threats don't openly advertise themselves, just the opposite they tend to hide their activities among all the other things that are happening in today's typically complex IT environments. However, an attacker is going to do something outside of the normal eventually - so if you can understand what normal is, high risk activities can quickly rise to the surface. Evaluating the activity of users, entities and threat actors through profiling their TTPs (Tactics, Techniques and Procedures) and machine based analysis identifies known and unknown threats by focusing on their behavior, rather than just evaluating static rules. This type of analytics transforms security operations practices by making it much easier for organizations to gain visibility into behavior patterns, detecting high risk anomalies and ultimately finding bad actors.

The key to this "new" market is going to be applying machine learning and other advanced analytics capabilities on top of a broad and deep data set (hint - it requires access to the right data - much more than just logs!). When organizations can combine log, network, endpoint, identity, and other data with the the right analytics, they can not only speed detection to known and unknown attacks, but also prioritize actions based on risk to help speed investigation and response.

Rapid detection of high risk actions using behavior based analytics and threat actor TTP profiles that strongly indicate an active compromise in an organization is the best path forward. For example, by using machine data and behavior analytics techniques to spot the use of covert channels, such as command and control, security teams can spot sophisticated threats faster, and reduce the likelihood that an attack ultimately harms the organization.