Orion Cassetto, senior director of product marketing at Exabeam discusses the growing popularity of User and Entity Behaviour Analytics (UEBA).and how it can help organisations achieve effective data security.

 The volume and severity of cybersecurity threats faced across the business world are growing at a steady rate. Fortunately, this fact is no longer lost on most organisations. Gartner has predicted worldwide security spending will increase by 8pc in 2018 to reach a value of $96bn by the end of the year because of regulatory change, mindset and a growing awareness of threats.

Central to this growth is the identification and adoption of new security technologies, designed to streamline overall security operations as well as alleviate some of the pressures associated with longstanding security issues, such as the global shortage of skilled personnel. One technology seeing significant growth at present is User and Entity Behaviour Analytics (UEBA).

 An intro to UEBA 

UEBA is a cybersecurity technology that uses a combination of machine learning, behavioural modelling and statistical analyses to identify when user or machine patterns deviate from established behaviour, indicating a real security threat. This article will look at three major barriers to effective security for modern businesses and explain how UEBA technology can be used to help remove them.

The need for context 

One of the biggest issues with many conventional security tools such as firewalls and anti-malware is that they operate in silos. As a result, when alerts are raised, they lack the context, visibility and data from other tools within a security programme that would help an analyst understand the incident in more detail.

For example, if an anti-malware alert is raised from a source IP address, or malware name or URL, without answers to key questions such as ‘Who was using the asset at the time of infection?’, ‘What host had the IP address at the time of infection?’ and ‘What other systems are affected?’, containing the incident can be extremely difficult.

UEBA can help to provide this missing context by supplementing the alert with both environmental and situational information.

• Environmental: This may include information such as whether the user at the time was an IT admin or high-privileged user, or if they are the actual owner of the asset in question.
• Situational: By creating user session timelines, UEBA can not only provide answers to the critical who, what and when questions, but also to questions such as ‘Has this happened before?’ and ‘Is it normal?’, which can be incredibly useful when investigating a specific incident.

Too much data – a double-edged sword

In a modern data environment, security information and event management deployments regularly gather more than 1TB of data a day, or more than 100,000 events per second. Most of this data is high-volume, but low-value. Nevertheless, analyst teams often have no way to manually review this amount of data or the alerts that result from it, meaning that key information is regularly missed.

Being machine-based, UEBA thrives on this level of data. The higher the volume, the more data points can be analysed, resulting in a more granular picture of what’s really going on. In order to make use of high data volumes, nearly all UEBA vendors use big-data architecture such as Hadoop and MongoDB, horizontally scalable so that processing and storage can be added as needed.

Cybersecurity skills shortage 

The global shortage of skilled security personnel is a well-documented and troubling issue. Nine out of 10 respondents to CyberEdge’s recent research indicated a shortage of IT security talent at their organisations at the time of asking.

Furthermore, a recent State of the SOC study among IT professionals found that just under half (45pc) believe their security operations centre (SOC) is understaffed. Of those, nearly two-thirds (63pc) think they could use anywhere from an additional two to 10 employees.

While UEBA can’t replace skilled IT security professionals, it can greatly amplify the output of existing team members. The ability to analyse incoming data more efficiently greatly reduces false positives, while the provision of environmental and situational context to alerts can significantly speed up investigations.

Queries that previously took hours can be answered in seconds. Not only that, but alerts can be prioritised more accurately based on the perceived threat posed, meaning the team is spending its time on the right things.

The global cyber-threat landscape is growing and evolving all the time. Fortunately, so are the technology solutions available to help combat this. In the past, organisations often went for quantity over quality when compiling security programmes, but a large number of disparate systems rarely makes for an effective solution and often causes more problems than it solves.

UEBA not only helps to break down many of the legacy barriers that organisations find themselves with, it can also help alleviate issues that they have less control over, such as the global IT security skills shortage. As a result, its popularity has skyrocketed as more and more organisations realise it is the key they have been searching for.