As a chief information security officer (CISO), how do you detect a network attack, breach or a data loss scenario? For years, security teams have been using a variety of tools to examine what’s going on in their networks. Collecting and reviewing log data provides one perspective, netflow data analysis offers another, and packet transfer inspection generates a third viewpoint. The challenge has always been to use this available data to construct an integrated picture of oddities, anomalies and unexpected actions.

But what about looking at all your network activities through a different lens? Many security analyses examine what the systems or network assets are doing to help us understand when something new appears or something established disappears. It’s the systems that hold the data, so it makes a lot of sense to watch what they’re doing. Nevertheless, it will inevitably be an entity or a user that initiates any unapproved behaviors, intentionally or not. So why not just concentrate on what people are doing as a primary means of defense?

UEBA Sings Like a Canary

The answer’s pretty simple: Security teams need more than a single, isolated view, because time to detection is the most important factor, and you can’t afford to wait 201 days to understand there’s a problem. User entity behavioral analysis (UEBA) can be employed as an early warning signal, sort of like a canary in a coal mine.

But tracking user data alone won’t provide the wealth of metadata required to diagnose the root cause of a breach. It takes a team of properly equipped miners to locate and plug a gas leak that causes a canary to die. Similarly, a cybersecurity team requires an aggregated and correlated view of attack activity to plug a data leak.

IBM QRadar User Behavior Analytics complements security information and event management (SIEM) analytics by scoring and aggregating point totals for risky user activities. It uses the same underlying security data as QRadar’s Sense Analytics engine processes, but QRadar UBA scores user behaviors at a more granular level, providing indicators of potentially malicious actions rather than fully vetted security offenses.

Building a Security Analytics Platform

UEBA contributes great data and perspectives, but it’s not entirely sufficient by itself. These solutions can present many challenges to uninformed security teams. When deployed improperly, techniques such as profiling, behavioral analytics and machine learning can produce false positives. Vendors promise unique and actionable insights that current SIEMs may not provide, but UEBA tools still require significant setup.

SIEM technology requires continual investments to remain viable. A solution built to perform simple log collection and reporting cannot protect your environment. Today’s elite security teams depend on new visualization technologies, late-breaking vulnerability disclosures and patches, and a rich source of threat intelligence data. We still use the term SIEM because people understand what it is, but we’re really talking about a security analytics platform.

Now consider what a new capability such as QRadar Network Insights (QNI) can bring to the table. QNI is virtually unparalleled in the market today. Using this real-time forensics technology, security analyst can spot phishing or spam attacks in progress and discover malicious malware files embedded within seemingly normal network traffic. Imagine having the ability to pull 30 new metadata fields out of netflow or packet data and use that to identify trouble before it brews.

The Next Step Toward SOC Maturity

IBM QRadar has evolved into the most advanced security analytics platform on the market. IBM’s continual investments have brought new cognitive capabilities powered by Watson as well as integrated UEBA capabilities. Using machine learning in combination with cognitive technologies, QRadar has literally leapfrogged the security analytics industry. It takes what was an overwhelming amount of events and significantly reduces false positives, providing more actionable security insights and enabling security analysts to investigate and respond to incidents 60 times faster than traditional UEBA and SIEM solutions.

Completing the end-to-end remediation activities for a network breach, IBM QRadar data can be quickly forwarded to Resilient Systems to provide the foundation for an integrated incident response capability. Properly diagnosed, the network breach can be addressed in a predictable amount of time, sort of like sending in a recovery team to repair a coal mine.

Adding more siloed tools such as UEBA is not a silver bullet for the security operations center (SOC), but it’s important to recognize the potential of these tools. Standalone UEBA solutions provide new capabilities that must be integrated into a richer security analytics platform. While they cannot help analysts document what truly happened, UEBA solutions represent the next step in security operations center maturity.

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today