UEBA: Canary in a Coal Mine

As a chief information security officer (CISO), how do you detect a network attack, breach or a data loss scenario? For years, security teams have been using a variety of tools to examine what’s going on in their networks. Collecting and reviewing log data provides one perspective, netflow data analysis offers another, and packet transfer inspection generates a third viewpoint. The challenge has always been to use this available data to construct an integrated picture of oddities, anomalies and unexpected actions.

Webinar: How to Improve Threat Detection & Simplify Security Operations

But what about looking at all your network activities through a different lens? Many security analyses examine what the systems or network assets are doing to help us understand when something new appears or something established disappears. It’s the systems that hold the data, so it makes a lot of sense to watch what they’re doing. Nevertheless, it will inevitably be an entity or a user that initiates any unapproved behaviors, intentionally or not. So why not just concentrate on what people are doing as a primary means of defense?

UEBA Sings Like a Canary

The answer’s pretty simple: Security teams need more than a single, isolated view, because time to detection is the most important factor, and you can’t afford to wait 201 days to understand there’s a problem. User entity behavioral analysis (UEBA) can be employed as an early warning signal, sort of like a canary in a coal mine.

But tracking user data alone won’t provide the wealth of metadata required to diagnose the root cause of a breach. It takes a team of properly equipped miners to locate and plug a gas leak that causes a canary to die. Similarly, a cybersecurity team requires an aggregated and correlated view of attack activity to plug a data leak.

IBM QRadar User Behavior Analytics complements security information and event management (SIEM) analytics by scoring and aggregating point totals for risky user activities. It uses the same underlying security data as QRadar’s Sense Analytics engine processes, but QRadar UBA scores user behaviors at a more granular level, providing indicators of potentially malicious actions rather than fully vetted security offenses.

Building a Security Analytics Platform

UEBA contributes great data and perspectives, but it’s not entirely sufficient by itself. These solutions can present many challenges to uninformed security teams. When deployed improperly, techniques such as profiling, behavioral analytics and machine learning can produce false positives. Vendors promise unique and actionable insights that current SIEMs may not provide, but UEBA tools still require significant setup.

SIEM technology requires continual investments to remain viable. A solution built to perform simple log collection and reporting cannot protect your environment. Today’s elite security teams depend on new visualization technologies, late-breaking vulnerability disclosures and patches, and a rich source of threat intelligence data. We still use the term SIEM because people understand what it is, but we’re really talking about a security analytics platform.

Now consider what a new capability such as QRadar Network Insights (QNI) can bring to the table. QNI is virtually unparalleled in the market today. Using this real-time forensics technology, security analyst can spot phishing or spam attacks in progress and discover malicious malware files embedded within seemingly normal network traffic. Imagine having the ability to pull 30 new metadata fields out of netflow or packet data and use that to identify trouble before it brews.

The Next Step Toward SOC Maturity

IBM QRadar has evolved into the most advanced security analytics platform on the market. IBM’s continual investments have brought new cognitive capabilities powered by Watson as well as integrated UEBA capabilities. Using machine learning in combination with cognitive technologies, QRadar has literally leapfrogged the security analytics industry. It takes what was an overwhelming amount of events and significantly reduces false positives, providing more actionable security insights and enabling security analysts to investigate and respond to incidents 60 times faster than traditional UEBA and SIEM solutions.

Completing the end-to-end remediation activities for a network breach, IBM QRadar data can be quickly forwarded to Resilient Systems to provide the foundation for an integrated incident response capability. Properly diagnosed, the network breach can be addressed in a predictable amount of time, sort of like sending in a recovery team to repair a coal mine.

Adding more siloed tools such as UEBA is not a silver bullet for the security operations center (SOC), but it’s important to recognize the potential of these tools. Standalone UEBA solutions provide new capabilities that must be integrated into a richer security analytics platform. While they cannot help analysts document what truly happened, UEBA solutions represent the next step in security operations center maturity.

Webinar: How to Improve Threat Detection & Simplify Security Operations

Share this Article:
Jason Corbin

Director of Security Intelligence Product Management, IBM Security

Jason Corbin is the Director of Product Management for Security Intelligence for IBM Security. Jason is responsible for defining the direction of its flagship product, QRadar, and was integral in its transition from an NBAD product to a comprehensive security intelligence solution. With over 15 years' industry experience he brings an in depth knowledge of Security Event Management, Log Management, and Network Behavior Anomaly Detection. Prior to joining IBM, Jason was the VP of Product Management at Q1 Labs, Senior Product Line Manager at NetScout Systems and Product Support Engineer at Cabletron Systems