Surescripts opts for easier, faster UBA deployment

User behavior analytics platforms can require expert consultants and take a long time to deploy, but health information company Surescripts opted for a quicker, plug-and-play solution that focused on their particular use case

frustrated computer user
Credit: Thinkstock

Surescripts is not a data science company. But as the largest health information network in the country, they've gotten good at handling Big Data.

And their Big Data is pretty big -- the system tracks 270 million patients covering 71 percent of the US population, 3,300 hospitals, 900,000 health care professionals, 764 million medication histories, and 6.5 billion transactions a year.

The company decided to go with Hadoop and Splunk for their Big Data infrastructure, looking for evidence of fraud.

Then, a year ago, Surescripts CISO Paul Calatayud began looking at using the technology for security.

Since all the data the company processes is mighty tempting to cybercriminals, he began looking at user behavior analytics to spot attackers who may have gotten past perimeter defenses -- or suspicious behaviors by company insiders.

In particular, he looked for vendors who already had solutions in place so that he didn't have to build the technology from scratch. That would have required hiring expensive experts who wouldn't be generating revenues for the company.

[ MORE ON CSO: Catch insider threats with User Behavior Analytics ]

"I don't want to get too aggressive when lots of smart organizations with lots of resources are solving these problems," he said.

The company first ran a three-month pilot project with Los Angeles-based Gurucul about a year ago, but decided against using the platform.

"What I've learned about the UBA market is that there are two camps of products out there," Calatayud said. "One is algorithm focused and the second is a model that is adaptive in nature with targeted use cases to provide you with a turnkey solution."

With the first type, a deployment can take a couple of months and requires a team of consultants to come in and set up the technology, he said.

"They have more revenues from professional services than they do from their products," he added.

Gurucul fell in that first camp, he said.

"Gurucul is more of a platform with very high-level usage and you would have to customize it," he said.

A deployment can take a couple of months, and requires a team of consultants to come in and set up the product, he said.

Meanwhile, Surescripts was already familiar with another vendor, Interset, formerly FileTrek. Surescripts has been using the vendor's products to protect against data loss for almost three years, Calatayud said.

"They approach the market with targeted use cases for account analytics, credential analytics, and user behavior analytics," he said. "It's very targeted, very specific. So you get a product, not just an algorithm that requires engineering to work."

For the past six months, Surescripts has been using Interset's Advanced Threat Detection Platform to track user activity, such as what systems they log into, where they are authenticated from, and what they are authenticated to.

"Most people don't turn on those logs because they're very difficult to manage," he said.

Surescripts is also looking for new credentials it hasn't seen before, and credentials showing up where they're not expected.

The product is currently tracking about 3,000 credentials, he said.

According to the latest Verizon Data Breach Investigations Report, stolen, weak or default credentials were involved in 63 percent of confirmed data breaches.

Installation of the Interset product took less than two weeks, and Surescripts uses it on premises. It is also available as a cloud version.

[ ALSO: Securing big data off to slow start ]

The Interset cloud deployment is actually a hybrid approach, with an on-premises gateway appliance that collects the data. It then goes into the cloud for analysis.

"It takes about 15 minutes to deploy the software, connect the data source connectors to the data that will be ingested into our system and provision the AWS cloud," said Dale Quayle, CEO at Interset Software. "Data starts flowing within 15 minutes, so you can be up and running in 30 minutes. No other UBA vendor has that capability."

It is also easy to use the product, he said.

"This is what Paul's team really appreciates," he said. "We ingest massive amounts of data, then through machine learning and analytics, boil all that data down to the top risky things and display that very plainly in our user interface. Investigators know where to focus. With a single click, that risk incident can be opened up."

The platform provides the necessary context for the incident so that investigators can decide what to do next. That includes what accounts, machines, applications, and files were involved.

"Finally with another click, an incident response workflow can be activated that includes email and text alerts, the creation and distribution of incident reports, the collection of data for evidence and the activation of risk mitigation controls across other security systems," he said. "We take incident response from a process that takes days and even weeks and enable a security team to react to incidents in minutes and hours."

The company claims 30 of the Fortune 500 as customers, as well as the U.S. intelligence community and various other government agencies​.

Other vendors that offer ready-to-go solutions are Fortscale, which has on-premises canned analytics designed to detect rogue insiders and hackers with compromised credentials, and Niara, which has a plug and lay solution that can be deployed either on-premise or in the cloud.

In general the market is growing quickly, according to Gartner. User and entity behavior analytics market revenues totaled about $50 million in 2015, and are expected to climb to almost $200 million by the end of 2017, the research firm predicts.

According to Gartner analyst Aviva Litan, vendors will need to offer both on-premises and cloud-based options to succeed.

She also recommended that companies start with narrow, well-defined use cases and a limited set of data, then expand from there.

Another option for companies is to wait a couple of years. According to Gartner, at least 50 percent of major SIEM vendors will incorporate UEBA functionality into their products by 2018.

Insider: Hacking the elections: myths and realities
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies