As a chief information security officer (CISO), how do you detect a network attack, breach or a data loss scenario? For years, security teams have been using a variety of tools to examine what’s going on in their networks. Collecting and reviewing log data provides one perspective, netflow data analysis offers another, and packet transfer inspection generates a third viewpoint. The challenge has always been to use this available data to construct an integrated picture of oddities, anomalies and unexpected actions.

But what about looking at all your network activities through a different lens? Many security analyses examine what the systems or network assets are doing to help us understand when something new appears or something established disappears. It’s the systems that hold the data, so it makes a lot of sense to watch what they’re doing. Nevertheless, it will inevitably be an entity or a user that initiates any unapproved behaviors, intentionally or not. So why not just concentrate on what people are doing as a primary means of defense?

UEBA Sings Like a Canary

The answer’s pretty simple: Security teams need more than a single, isolated view, because time to detection is the most important factor, and you can’t afford to wait 201 days to understand there’s a problem. User entity behavioral analysis (UEBA) can be employed as an early warning signal, sort of like a canary in a coal mine.

But tracking user data alone won’t provide the wealth of metadata required to diagnose the root cause of a breach. It takes a team of properly equipped miners to locate and plug a gas leak that causes a canary to die. Similarly, a cybersecurity team requires an aggregated and correlated view of attack activity to plug a data leak.

IBM QRadar User Behavior Analytics complements security information and event management (SIEM) analytics by scoring and aggregating point totals for risky user activities. It uses the same underlying security data as QRadar’s Sense Analytics engine processes, but QRadar UBA scores user behaviors at a more granular level, providing indicators of potentially malicious actions rather than fully vetted security offenses.

Building a Security Analytics Platform

UEBA contributes great data and perspectives, but it’s not entirely sufficient by itself. These solutions can present many challenges to uninformed security teams. When deployed improperly, techniques such as profiling, behavioral analytics and machine learning can produce false positives. Vendors promise unique and actionable insights that current SIEMs may not provide, but UEBA tools still require significant setup.

SIEM technology requires continual investments to remain viable. A solution built to perform simple log collection and reporting cannot protect your environment. Today’s elite security teams depend on new visualization technologies, late-breaking vulnerability disclosures and patches, and a rich source of threat intelligence data. We still use the term SIEM because people understand what it is, but we’re really talking about a security analytics platform.

Now consider what a new capability such as QRadar Network Insights (QNI) can bring to the table. QNI is virtually unparalleled in the market today. Using this real-time forensics technology, security analyst can spot phishing or spam attacks in progress and discover malicious malware files embedded within seemingly normal network traffic. Imagine having the ability to pull 30 new metadata fields out of netflow or packet data and use that to identify trouble before it brews.

The Next Step Toward SOC Maturity

IBM QRadar has evolved into the most advanced security analytics platform on the market. IBM’s continual investments have brought new cognitive capabilities powered by Watson as well as integrated UEBA capabilities. Using machine learning in combination with cognitive technologies, QRadar has literally leapfrogged the security analytics industry. It takes what was an overwhelming amount of events and significantly reduces false positives, providing more actionable security insights and enabling security analysts to investigate and respond to incidents 60 times faster than traditional UEBA and SIEM solutions.

Completing the end-to-end remediation activities for a network breach, IBM QRadar data can be quickly forwarded to Resilient Systems to provide the foundation for an integrated incident response capability. Properly diagnosed, the network breach can be addressed in a predictable amount of time, sort of like sending in a recovery team to repair a coal mine.

Adding more siloed tools such as UEBA is not a silver bullet for the security operations center (SOC), but it’s important to recognize the potential of these tools. Standalone UEBA solutions provide new capabilities that must be integrated into a richer security analytics platform. While they cannot help analysts document what truly happened, UEBA solutions represent the next step in security operations center maturity.

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…