Running head: USER ENTITY AND BEHAVIOR ANALYTICS 1
Even the most well-developed business continuity/disaster recovery (BC/DR) plan
contains hidden and/or unknown threats that can compromise an organization’s IT systems.
When threats strike, they can have a high-profile and sustained impact on an organization, and
organizations are adopting IT security products to get on the offensive to detect and contain
the threats.
According to Gartner research director Eric Ahlm, many IT security teams have used
security information management (SIM) or security information and event management (SIEM)
technologies, which are able to collect and analyze data (Paredes, 2015). Using rule-based
technology, SIEMs can provide real-time alerts whenever an abnormal event is detected. While
SIEM sounds like it would be the only threat detection tool needed, this is simply not the case.
According to Bussa, Kavanagh, and Rochford (2016), having
SIEM by itself will not improve threat detection rate or reduce
the window of discovery.
Moreover, SIEMs are just one piece of the burgeoning
security analytics (SA) market. In their SA vendor analysis,
Forrester describes a security analytics ecosystem (depicted in
the graphic to the right; see note 1) made up of a variety of
technologies, some of which can be used independently as a
platform, while others are complementary products
(Blankenship et al., November 15, 2016). The term security
analytics is often misused, and it is important to note that not all
products in this market qualify as an SA platform
(Blankenship et al., May 9, 2016). SAs use data science and machine learning instead of
the rule-based technology that many SIMs or SIEMs use.
Some vendors in the market focus exclusively on SA techniques, such as network
analysis and visibility (NAV) and security and user behavior analytics (SUBA), rather than the
standalone SA platform. According to Blankenship et al. (November 15, 2016), NAV provides
capabilities to study network forensics, malicious behavior detection, packet capture, and other
network-based situational awareness capabilities. SUBA collects user data from a variety of data
logs to set a user activity baseline, then uses the baseline to detect threats, assess risk scores, and
allow behavior anomalies to be studied in real time. By using these advanced
analytic capabilities, SUBA builds profiles of users and traffic patterns, creating a picture of
their behaviors and activities over time, and refining that picture as new data sources are
provided (Bussa, Kavanagh, and Rochford, 2016).
Expanding on SUBAs, IT security professionals are increasingly turning to User and
Entity Behavior Analytics (UEBA) as an analytical technique to discover some of these threats.
In addition to user behavior, UEBA vendors, such as Fortscale, study entity behavior
at the application, device, and server levels.
Note 1: Illustration provided by Forrester in Blankenship et al., November 15, 2016.
Aside from security management, Litan (2015) identified several other use cases for
UEBA. Data exfiltration detection allows companies to monitor anomalies in data transfer;
identity access management can be used to monitor user and account behavior against access
rights; contextual behavior information can be analyzed to assess malicious intent from an
insider; and UEBA can serve as a specialized security tool to manage Software as a Service
(SaaS) usage (Litan, 2015).
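The baseline-then-score approach described for SUBA, applied to the data exfiltration use case above, can be sketched as follows. This is an added example, not code from the paper or from any vendor named in it; the log format, user names, thresholds, and the median/MAD statistic are assumptions chosen for illustration, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: outbound MB per day for two hypothetical users.
ALICE = [120, 100, 130, 110, 125, 115, 105, 900, 118]          # office user
BOB = [2000, 2100, 1950, 2050, 2000, 1900, 2080, 2020, 2010]   # backup operator
SAMPLE_LOG = "\n".join(
    f"2016-11-{d:02d} {user} {mb}"
    for d, (a, b) in enumerate(zip(ALICE, BOB), start=1)
    for user, mb in (("alice", a), ("bob", b))
)

MIN_HISTORY = 5   # assumed: days of data needed before a user is scored
ALERT_Z = 3.5     # assumed: robust z-score at or above which a day is flagged


def parse_log(text):
    """Yield (day, user, megabytes) from 'date user MB' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines instead of aborting the run
        yield parts[0], parts[1], int(parts[2])


def daily_totals(events):
    """Sum outbound volume per (day, user); many transfers count as one day."""
    totals = defaultdict(int)
    for day, user, mb in events:
        totals[(day, user)] += mb
    return totals


def robust_z(history, value):
    """Deviation above the user's own median, scaled by the MAD.

    The floors on the scale stop a very regular user from alerting on
    tiny changes. Only upward deviations matter for exfiltration.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = max(1.4826 * mad, 0.1 * med, 1.0)
    return max(0.0, (value - med) / scale)


def risk_score(z):
    """Map the z-score onto a 0-100 risk score for analyst triage."""
    return min(100, round(10 * z))


def detect(text):
    """Score each user-day against that user's prior baseline, in date order."""
    history = defaultdict(list)
    alerts = []
    for (day, user), mb in sorted(daily_totals(parse_log(text)).items()):
        past = history[user]
        if len(past) >= MIN_HISTORY:
            z = robust_z(past, mb)
            if z >= ALERT_Z:
                alerts.append((day, user, risk_score(z)))
                continue  # design choice: a flagged day does not reshape the baseline
        past.append(mb)  # the baseline is refined as new data arrives
    return alerts


def static_rule(text, limit_mb=1000):
    """Rule-based contrast: one fixed threshold applied to every user."""
    totals = daily_totals(parse_log(text))
    return [(d, u) for (d, u), mb in sorted(totals.items()) if mb > limit_mb]


if __name__ == "__main__":
    print("baseline alerts:", detect(SAMPLE_LOG))
    print("static-rule alerts:", static_rule(SAMPLE_LOG))
```

On this data the fixed 1000 MB rule fires on the backup operator every day and never on the office user, while the per-user baseline flags only the office user's 900 MB day.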
So why are IT executives looking at UEBA? Both Gartner and Forrester describe in detail
the difficulty of detecting insider threats. Insider threats are often unexpected, and can emanate
from a variety of motivations and intentions. The National Counterintelligence and Security
Center states that the most damaging U.S. counterintelligence failures over the last century were
the result of a trusted insider with ulterior motives. At the government level, all federal agencies
are being required to have an insider threat program in place by November 30, 2016 (Blankenship,
August 17, 2016). On a global level, insider threats were responsible for 39% of all data breaches
in 2015 (Blankenship, August 17, 2016).
The UEBA market is expected to grow dramatically over the next few years, going from
$50 million in market revenue in September 2015 to about $200 million by the end of 2017
(Litan, 2015). Litan notes that many of the UEBA vendors have varying capabilities, and vendors
may offer different combinations of Litan’s UEBA functions. Some vendors in this space focus
exclusively on insider threats, like Lockheed Martin’s Insider Threat Identification (ITI) tool,
which combines unstructured and structured data, performing word searches and other analytics
to identify employee risk levels (Litan, 2015).
Other vendors, like Bay Dynamics, are more varied in their offerings. Bay Dynamics’
Risk Fabric product takes input from multiple data feeds and then provides alerts of anomalies in
privileged user access, vendor behavior, and security policies, among others (Litan, 2015). E8
Security also studies anomalies in behavior through the use of multidimensional modeling and
by correlating behaviors and relationships (Cser & Blankenship, 2016). Some vendors, like
Fortscale and Niara, even use unsupervised machine learning algorithms (Litan, 2015). Niara is
also somewhat unique in that they offer network forensic techniques like deep packet inspection.
Another key differentiator is employee monitoring capabilities. Dtex Systems and SpectorSoft
are both able to monitor employee desktop activity, providing their client organization with
visibility into system activity (Litan, 2015).
UEBA vendors even have cloud capabilities. Rapid7’s agentless, SaaS-only Insight IDR
allows companies to investigate security incidents and provides visibility into intruder activities.
Insight IDR is compatible with some of the cloud market leaders such as Office 365, Salesforce,
and Box (Cser & Blankenship, 2016). Gurucul, which has both cloud and on-premise solutions,
uses a cloud analytics engine and is also able to integrate with Office 365, Salesforce, and Box
(Cser & Blankenship, 2016). Speaking of Microsoft, they have their own UEBA product:
Advanced Threat Analytics, which provides deep packet inspection of Active Directory traffic.
As an aside, this author is participating in a Business Continuity/Disaster Recovery
(BC/DR) course where he is creating a BC/DR plan for convenience food company Acme, Ltd.
As part of the plan, UEBA functions would be a great resource for Acme to have. Since Acme is
a global company, user access is a concern, especially when it comes to deprovisioning users, so
UEBA can be used to check for rogue system or user access. Additionally, the data exfiltration
tools would be valuable to ensure that data is not leaving Acme unless authorized by the Office
of the CIO and the Security Committee. As with any company, Acme is susceptible to insider
threats, which can have devastating consequences for a corporation. According to Blankenship
(2016), insiders can use their access for financial gain, to steal intellectual property, or to cause
sabotage and destruction.
As powerful as the aforementioned capabilities are, UEBA has its limitations. According
to Litan (2015), the anomaly detection is not advanced enough to detect or filter out suspicious
behavior from a user with privileged access. Insider threat detection has to go beyond the
technology. Blankenship (2016) states that treating the insider threat issue as a technology
problem ignores the human elements of motivation and behavior. Most importantly, UEBA is
not a cure-all product; it needs to be part of a security analytics platform. For IT security
professionals exploring UEBA, make sure it can integrate with your existing SA platform.
References
Blankenship, J. (August 17, 2016). Hunting insider threats. Forrester. Retrieved from
Northwestern University Library access to Forrester on November 18, 2016.
Blankenship, J., Balaouras, S., Pollard, J., Kindervag, J., Blackborow, J., & Dostie, P. (May 9,
2016). Counter cyberattacks with security analytics. Forrester. Retrieved from
Northwestern University Library access to Forrester on November 18, 2016.
Blankenship, J., Balaouras, S., Cser, A., Kindervag, J., O’Malley, C., Barringham, B., & Dostie,
P. (November 15, 2016). Vendor analysis: Security analytics (SA). Forrester.
Retrieved from Northwestern University Library access to Forrester on
November 18, 2016.
Bussa, T., Kavanagh, K. M., & Rochford, O. (June 30, 2016). Use SIEM for targeted attack
detection. Gartner, G00308086. Retrieved from Northwestern University Library
access to Gartner.
Cser, A., & Blankenship, J. (September 2, 2016). Vendor landscape: Security user behavior
analytics (SUBA). Forrester. Retrieved from Northwestern University Library
access to Forrester on November 18, 2016.
Litan, A. (September 22, 2015). Market guide for user and entity behavior analytics. Gartner,
G00276088. Retrieved from Northwestern University Library access to
Gartner.
Paredes, D. (2015). Gartner: Are security analytics key to breach detection - or just hype? CIO
(13284045). Retrieved from Northwestern University Library access to EBSCO
Academic Search Premier on November 4, 2016.
http://www.cio.co.nz/article/574166/gartner-security-analytics-key-breach-detection-just-hype/
Sqrrl. User + entity behavior analytics (UEBA): The heart of next-generation threat-hunting
[eBook]. Retrieved from
https://sqrrl.com/media/UEBA-eBook.pdf?submissionGuid=3318e663-e39a-4a33-ba5b-64c7f3800dce
on November 4, 2016.
Sqrrl. User and entity behavior analytics. Retrieved from Sqrrl’s website on October 25, 2016.
URL: https://sqrrl.com/product/user-and-entity-behavior-analytics-ueba/
