User behavior analytics is not a silver bullet

The security industry has a knack for spinning up new solutions and repurposing old tools to solve new use cases. While the race to commoditize new solutions helps drive the industry forward, misconceptions about user behavior analytics show why teams and vendors may want to consider a more measured approach for packaging and implementing tools.

data analytics - statistical analysis - charts, graphs, strategy planning

Think of the term user behavior analytics, or UBA. What went through your mind? Did you recall a conversation about insider threats? Or did you travel back to a meeting with a vendor, trying to convince you that machine learning will solve everything? Or was it a discussion with colleagues about taking a new approach because your security information and event management (SIEM) technology wasn’t cutting it?

For most of us, when we think of UBA, we see a word cloud of buzzword bingo. Insider threats, analytics, peer groups, machine learning, modeling, data science, contextualization. Part of the reason for this lies in the emergence, the expectation, and practical application of user behavior analytics use cases. I want to share some views on UBA – many of them gathered from conversations with colleagues and peers across the public and private sector.

What is this UBA you speak of?

About six years ago, research and incident response-driven publications began to recognize that credentials were being leveraged in major breaches. Some asserted that 100 percent of breaches involved compromised credentials. Simultaneously, some well-known breaches were determined to be the work of insiders, employees or contractors. Most notably, the Edward Snowden case.

The security industry responded with solutions to serve insider threat programs in commercial and government sectors. And thus, “user behavior analytics” was born.

Technologists quickly realized that some initial UBA use cases could be implemented, with confidence, using machine learning (ML). Some applications of machine learning were well understood. But the understanding of ML for security use cases was still nascent. Nonetheless, there was promise. So UBA vendors took to ML and soon began to differentiate each other with what amounts to, “my ML is better than your ML.” As a result, the consumer equated UBA to machine learning. This is where we started to go wrong.

I invite you to recall, that UBA are use cases. And machine learning is a technique to implement the use cases. Also, machine learning is NOT the only way to identify user behavior. Statistical rules, or outlier detections or thresholds can sometimes be sufficient to understand user behavior. Indeed, many vendors touted their machine learning capabilities, while simultaneously discrediting others as primitive and rules driven, used statistical rules under the hood too. I point this out because UBA isn’t a silver bullet resting on a specific technique. To properly understand user behavior, one needs a variety of techniques.

Fast forward to today and many security teams and security leaders are left wondering: what do I do about my SIEM? If UBA technologies are so awesome, maybe I can just use UBA technology and ditch my SIEM. In parallel, security industry analyst firms are challenging vendors and encouraging consumers to think of UBA as an additional capability, part of the SIEM. The rationale is, regardless of the underlying implementation detail, understanding user behavior is an important part of threat detection and response.

So where does that leave the security teams and the security leaders? First and foremost, it is important to take stock of your organization’s risk priorities. If dealing with insider threats is a high priority, then you want to consider a UBA solution. And practically speaking, insider threat doesn’t always mean an intentional, malicious insider. You’ll want to consider compromised credentials in the broader context of your risk.

Once you have decided that you want a UBA solution, there are a couple things you’ll need to be firm on:

  • Start with the use cases: You are buying UBA to reduce risk. Identify the use cases to reduce the risk. What new decisions and actions will you be able to take?
  • Your UBA solution must be integrated technologically. It must be part of the processes and workflows of your overall security program. This means that UBA is NOT a substitute for your SIEM. It’s a feature. And UBA should accelerate detection, triaging and investigation and response.
  • Hygiene, hygiene, hygiene. Implementing a UBA solution, stand alone or as part of a SIEM, is part of your operations maturity journey. You still want a robust vulnerability management program. You still want to implement multi-factor authentication.

UBA deployments will become an increasingly common component of SIEM offerings going forward. The best things organizations can do to help themselves, is to evaluate UBA as part of their overall security operations. Companies who understand that it is a specialized capability with a scope of use cases, will find value in their implementations.


Copyright © 2018 IDG Communications, Inc.

21 best free security tools to make your job easier