Enterprises using big data analysis to determine UEBA threats in real time

Big data platforms are upping the ante on UEBA functionality by allowing them to analyse petabytes' worth of data to detect insider threats and advanced persistent threats. We look at how big data can be used to identify insider threats as they happen, or even before.

By Shirley Siluk

Tue 25 Apr 2017 @ 16:19

Organisations of every kind today are using automation, big-data analytics and machine learning to tackle a wide range of challenges. Businesses, for example, are deploying ever-smarter cloud-based systems to improve customer service, supply chains, product development and IT security.

Solutions for faster, easier and more automated security in particular are more important than ever for today’s enterprises. Security professionals are in short supply, while the number and scale of cyberthreats just keep growing. Fortunately, that’s where UEBA – for user and entity behaviour analytics – can step in to help.

How? By automatically monitoring how users and devices are acting within an organisation’s systems and staying alert to anomalies... that is, any behaviour that’s out of the ordinary.

It’s important to quickly identify cyberthreats and act effectively to minimise damage. But it’s even better to find attacks just as they are starting to happen and prevent damage before it occurs. Whenever problems arise, there are usually data warning signs. But many organisations aren’t watching that data or, if they are, aren’t analysing it in the right ways to enable fast responses.

Managing threats in real time

That’s what UEBA solutions are designed to do, automatically, and in real time. They can monitor vast streams of user and entity data that humans can’t easily handle or understand so businesses can identify threats as they start to happen, rather than afterward.

“Standalone UEBA tools attempt to improve threat detection by improving the quality of the analysis, rather than relying on increasing the volume and variety of log and data sources,” a recent UEBA market guide from the analyst firm Gartner noted. “The quality of the predefined analytics is more critical to success than the variety of data sources fed to the UEBA tools.”

Such solutions are vital at a time when enterprises are facing threats that are increasingly evolving, smart and hard to detect, according to Patrick Moorhead, founder and president of the analyst firm Moor Insights & Strategy.

“Today’s cybercriminals are far more cunning, breaking in and then remaining on the inside for days, weeks or even months before they are detected,” Moorhead wrote in Forbes this February. “This pattern makes their business impact infinitely greater, requiring more sophisticated tools to profile and protect enterprises.”

Unlike human IT security teams, UEBA systems can also work around the clock, monitoring many gigabytes' worth of activity or more without ever taking a break.

As analytics and other information technologies grow ever-smarter and more powerful, the UEBA market has expanded dramatically. According to Gartner, the market has been doubling annually and is expected to reach $200m in 2017. What’s more, it’s just one part of the even larger market for SIEM (security information and event management).

“Bottom line – security is getting smarter with the integration of advanced analytics and user and entity behavioural profiling,” Gartner analyst Avivah Litan wrote in January. “That’s good for users and good for vendors who can keep up with this trend.”

Here’s how UEBA works: once a company has established a baseline of what’s normal behaviour for its users and systems, UEBA enables it to immediately recognise when something is out of the ordinary.
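The baseline-then-anomaly loop described above, as an added illustration that is not part of the original article or any vendor's product: a per-user baseline (typical login hours, hosts and daily volume) is learned from a training window of constructed login events, and a later day's events are scored against it. All event data, user names and hosts here are constructed examples.

```python
"""Toy UEBA baseline-and-anomaly check over constructed login events."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (user, day, hour, host). Not real log data.
TRAINING = [
    ("alice", d, h, "ws-alice") for d in range(1, 11) for h in (8, 9, 12, 17)
] + [
    ("bob", d, h, "ws-bob") for d in range(1, 11) for h in (9, 13, 18)
]


def build_baseline(events):
    """Per user: hours seen, hosts seen, mean and stdev of events per day."""
    hours, hosts = defaultdict(set), defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for user, day, hour, host in events:
        hours[user].add(hour)
        hosts[user].add(host)
        per_day[user][day] += 1
    baseline = {}
    for user in hours:
        counts = list(per_day[user].values())
        baseline[user] = {"hours": hours[user], "hosts": hosts[user],
                          "mean": mean(counts), "sd": pstdev(counts)}
    return baseline


def score_day(baseline, events):
    """Return (user, reason) alerts for one day's events against the baseline."""
    alerts, counts = [], defaultdict(int)
    for user, day, hour, host in events:
        counts[user] += 1
        b = baseline.get(user)
        if b is None:                      # never seen in the training window
            alerts.append((user, "unknown user"))
            continue
        if hour not in b["hours"]:         # outside the user's usual hours
            alerts.append((user, f"login at unusual hour {hour:02d}:00"))
        if host not in b["hosts"]:         # first time on this host
            alerts.append((user, f"login from new host {host}"))
    for user, n in counts.items():
        b = baseline.get(user)
        # Volume spike: 3 sigma above the daily mean; floor sigma so a
        # perfectly regular baseline (sd == 0) does not alert on +1 login.
        if b and n > b["mean"] + 3 * max(b["sd"], 0.5):
            alerts.append((user, f"{n} logins vs typical {b['mean']:.1f}"))
    return alerts
```

The alerts are deliberately coarse; a production UEBA tool would weight and correlate these signals rather than emit each one independently.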

Implemented correctly, UEBA technologies enable users to “breathe new life into enterprise security,” ABI Research analysts Dimitrios Pavlakis and Michela Menting wrote in a recent report on “Machine Learning in Cybersecurity Technologies”.

Next steps in UEBA, big data and machine learning

UEBA lets companies gain deeper insights from the structured and unstructured data they already have that often goes unnoticed: for example, data about network traffic, endpoints, web crawlers and more, Pavlakis and Menting said.

This not only helps already-stretched-thin IT teams better deal with a “rising tide” of cyber-threats but also allows the development of better, more predictive models for fighting such attacks, they said.

ABI recently forecast that the use of machine learning to fight cyber-attacks will boost spending in big data, intelligence and analytics to $96bn by 2021.

“Recently, machine learning has been hailed as the brand-new weapon emerging from the multi-layered discipline of data science to enter the arsenal of cybersecurity,” Pavlakis and Menting wrote at the start of their report.

“Although AI technology is certainly not ‘new,’ data science aided by a fervent increase in computing power has made astonishing strides over the past few years, allowing machine learning to be used profusely in almost every aspect of IT security.”