By Gareth Cox, Exabeam
Best-in-class security technology complements great expertise, and vice versa. Significantly improving security posture requires both.
User and entity behaviour analytics (UEBA) technology is a game-changing development for the cybersecurity industry. These tools allow security policies to evolve beyond the application of static rulesets and detect a far wider range of suspicious activities in the enterprise.
Correlation rules have been synonymous with security information and event management (SIEM) since the very first SIEM 1.0 solutions appeared on the market in the mid-2000s. Over time, new features like improved log management and better alert categorisation made these tools more valuable for enterprise IT leaders, but static rulesets remained the norm.
Cracks in SIEM 1.0 technology have begun to show. Even the most sophisticated set of security rules regularly fails to detect insider threats and compromised accounts. It’s easy to see why: how do we catch someone whose behaviour appears to be normal?
Next-generation UEBA platforms offer a complete break from SIEM 1.0 capabilities. Instead of relying on rules, these tools build baseline profiles of every user and device in a network, and then generate alerts when their activity deviates from the established norm.
Behavioural insights are enhanced with machine learning. This new approach would be prohibitively costly, time-consuming, and near impossible without emerging technologies like machine learning.
Requiring security experts to design, implement and maintain behavioural profiles manually simply isn’t cost-efficient or effective at the enterprise scale. It would require diverting thousands of employee hours per month away from other critical security tasks.
Next-generation UEBA platforms automate many of these tasks. Instead of painstakingly configuring threat indicators and mapping out specific scenarios by hand, users can simply design a core set of indicators and let the algorithm construct and score all the possible permutations.
Automatically generating behavioural risk scores and prioritising alerts accordingly improves risk coverage and reduces the amount of time spent on alert configuration and maintenance. It eliminates the need for manual risk score assignment and empowers analysts to make quick, informed decisions.
The experience and professionalism of those analysts matters. You’ve equipped them with modern tools, but it takes human insight to use those tools correctly.
The value of detection and response expertise
Cyberattacks don’t always follow a strictly defined pattern. Every organisation presents a unique risk profile, with a surface area defined by its network architecture, IT equipment and even company culture. A broad variety of tactics, techniques, and procedures (TTPs) exist for navigating all these variables.
Investigating security incidents is a uniquely human challenge. The log records and other data received from a UEBA solution play a critical role in that investigation, but they can’t complete it on their own.
It takes a security professional to collect that data, analyse it, independently verify it, and orchestrate the appropriate response. The better qualified this person is, the faster and more accurate the investigation will be.
For example, consider an insider attack scenario. A UEBA platform can alert an organisation when a legitimate user upgrades their own permissions and starts interfering with files they’ve never touched before. But this information can’t disclose much about that individual’s intentions or motives, or whether they’re working alone or as part of a group. Someone needs to interpret the data before arriving at these conclusions.
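As an added illustration (not Exabeam’s or Castra’s code; the events are constructed and the indicator weights are assumptions), here is a minimal baseline-and-deviation scorer of the kind described above, run on the insider scenario: one user grants themselves a role and then reads files they have never touched, while another user simply opens a new file in a folder they work in every day.

```python
from collections import defaultdict

# Constructed sample events (assumed format, not real logs). HISTORY is the
# learning window used to build baselines; NEW is the activity to be scored.
HISTORY = [
    {"user": "alice", "action": "read", "target": "finance/q1.xlsx", "priv": 1},
    {"user": "alice", "action": "read", "target": "finance/q2.xlsx", "priv": 1},
    {"user": "bob", "action": "read", "target": "eng/design.md", "priv": 1},
    {"user": "bob", "action": "write", "target": "eng/design.md", "priv": 1},
]
NEW = [
    {"user": "alice", "action": "read", "target": "finance/q3.xlsx", "priv": 1},
    {"user": "bob", "action": "grant_role", "target": "bob", "priv": 3},
    {"user": "bob", "action": "read", "target": "hr/salaries.csv", "priv": 3},
]

# Core indicators with illustrative weights (assumptions, not a vendor model).
WEIGHTS = {"first_access": 20, "self_privilege_change": 40, "priv_above_baseline": 25}

def build_baselines(events):
    """Per-user profile: resources touched and highest privilege level seen."""
    base = defaultdict(lambda: {"targets": set(), "max_priv": 0})
    for e in events:
        p = base[e["user"]]
        p["targets"].add(e["target"])
        p["max_priv"] = max(p["max_priv"], e["priv"])
    return base

def score_event(e, profile):
    """Return (score, fired_indicators) for one event against its user's baseline."""
    fired = []
    if e["action"] != "grant_role" and e["target"] not in profile["targets"]:
        fired.append("first_access")            # resource never seen for this user
    if e["action"] == "grant_role" and e["target"] == e["user"]:
        fired.append("self_privilege_change")   # user elevated their own rights
    if e["priv"] > profile["max_priv"]:
        fired.append("priv_above_baseline")     # acting above historical level
    return sum(WEIGHTS[i] for i in fired), fired

def prioritise(events, baselines, threshold=30):
    """Sum scores per user over the window; return users at/over threshold, highest first."""
    totals, reasons = defaultdict(int), defaultdict(list)
    for e in events:
        score, fired = score_event(e, baselines[e["user"]])
        totals[e["user"]] += score
        reasons[e["user"]].extend(fired)
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(user, score, reasons[user]) for user, score in ranked if score >= threshold]

if __name__ == "__main__":
    for user, score, why in prioritise(NEW, build_baselines(HISTORY)):
        print(f"{user}: {score} {why}")
```

Alice’s single first-time file read stays below the threshold, while Bob’s self-granted role plus reads at an unprecedented privilege level accumulate into a prioritised alert; an analyst still has to decide what that means.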
This is where the value of a highly qualified managed detection and response (MDR) vendor truly shows itself. Experienced analysts spend time adjusting UEBA algorithms to meet the specific needs of the organisation itself. They improve their analytical models continuously to meet the security needs of the day and communicate their insights with greater effectiveness using customised data visualisation solutions.
Castra is a reputable managed service vendor that uses next-generation UEBA solutions like those from my own company, Exabeam, to detect suspicious activities, conduct thorough investigations, and mitigate security threats.
Castra has built more than one hundred custom visualisations, dashboards and reports for Exabeam, and developed more than fifty unique rules and detection models to serve their customers’ needs. Organisations can entrust their detection and response needs to its team of qualified industry experts.