In Part 1 of this series we talked about User and Entity Behavior Analytics (UEBA) and its benefits for better detecting possible breaches and insider threats through user and entity behavior and risk scoring. Now let’s talk about the differences between traditional UEBA and the newer UEBA solution, the Behavioral Firewall, which integrates adaptive responses to prevent threats.
Traditional UEBA solutions are primarily focused on log-based analytics and sit on top of Security Information and Event Management (SIEM) systems. The data provides much greater user behavior visibility and reduces noise for organizations that have relied on SIEM alone, but there are some limitations.
First, traditional UEBA solutions are backward looking: logs sometimes show up 12-18 hours later, by which time the attacker has already gone in and out. While there is data showing that it takes a median of 150-200 days for an attacker to be discovered, many attackers have been and gone before the logs show up.
Second, collecting logs from different vendors and devices is a challenge—and this applies to organizations of virtually every size. There is a level of abstraction in the logs themselves that may not carry the details you want. In essence they are third-hand logs, because the SIEM has already digested them.
Third, it requires 24x7 coverage, and only 1 in 4 companies has it. It’s expensive and hard to do, and when you do detect a threat you have to respond manually. When the security analyst is the one deciding whether an alert is or isn’t a false positive, the system doesn’t get more intelligent over time.
Behavioral Firewalls - Detection and Prevention
Behavioral Firewalls take a new approach to UEBA. Unlike traditional UEBA solutions, Behavioral Firewalls do not just sit on top of a SIEM and provide passive incident information. One of the key differences is that Behavioral Firewalls combine UEBA and adaptive response with a flexible, enterprise-friendly policy to respond to and help prevent security threats in real time.
Some of the key capabilities of Behavioral Firewalls include:
User Behavior and Identity Verification
With the time to compromise compressing and time to discovery lengthening, automation of risk mitigation without direct intervention by security teams, while maintaining business continuity, is critical to countering attacks and preventing compromises. Detecting suspicious changes in the network and user behavior is the starting point.
Verifying whether those changes are genuine user events or attackers trying to access resources is the path to prevention.
Behavioral Firewalls continuously analyze user behavior and develop risk scoring and insights. They learn what users are doing, when they are doing it, where they are doing it from, what endpoints they are coming from, what servers they are going to, what services they are accessing, and more. Fine-grained real-time response then gives organizations the ability to choose how they want to validate suspicious behavior and confirm the identity of the user.
For example, when a user tries to access multiple servers on the network within a short period of time, and has never done so before, a Behavioral Firewall can confirm the identity of the user instantly and without engaging the security analyst. A successful verification does not interrupt business while still ensuring security. If the user verification fails, the user is prevented from accessing the servers, again without the involvement of the security analyst.
Policy Based Adaptive Responses
Policy-based adaptive responses can both resolve whether suspicious activity is merely abnormal activity that doesn’t require security team intervention, and escalate when the response identifies a tangible risk fed back by the user. This allows security professionals to focus their attention on elevations, not anomalies.
When abnormal behavior is detected, a Behavioral Firewall automatically applies an action to the user such as allow, block, notify, isolate, or challenge with two-factor or multi-factor authentication, all in real time. Resolving suspicious activity isn’t just about stopping attackers; it is also critical for business continuity with valid users.
Flexible policies allow organizations to adjust responses to their specific needs. For example, policies can be tied to factors such as risk score, type of asset, type of threat, type of user, confidence level of the incident, and so on. These context-aware adaptive security controls overcome the traditional firewall limitation of a simple allow or block. The value becomes even clearer when considering how to respond to changes that could constitute lateral movement by an attacker. To cover more complex scenarios, adaptive policies can respond with a combination of prevention techniques. This helps organizations challenge the potential attacker and avoids security professionals having to expend time and resources on false positives.
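To make the identity-verification example above and the policy-based response loop concrete, here is a small added simulation (written for this post, not any vendor's product code). It assumes a per-user baseline of known servers, a constructed scoring rule (25 points per never-before-seen server touched within a five-minute window, plus 25 for a novel connection to a domain controller) and a constructed policy table mapping risk score and asset type to allow / notify / challenge / block. The `verify` callable stands in for the MFA challenge; a passed challenge lets the access through and teaches the baseline, a failed one blocks, with no analyst in the loop either way.

```python
"""Toy Behavioral Firewall decision loop: baseline -> risk score -> policy ->
adaptive response. All thresholds, weights and sample events are constructed
for illustration and are not taken from any real product."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Access:
    user: str
    server: str
    asset_type: str      # e.g. "file-server", "domain-controller"
    ts: datetime


@dataclass
class Baseline:
    known_servers: set = field(default_factory=set)   # learned as legitimate
    recent: list = field(default_factory=list)        # (ts, server) novel hits


WINDOW = timedelta(minutes=5)   # assumed "short period of time" from the text

# Policy table: (minimum score, asset type or None for any, action).
# First matching row wins, so more specific / more severe rows come first.
POLICY = [
    (75, None, "block"),
    (50, "domain-controller", "challenge"),
    (50, None, "challenge"),
    (25, None, "notify"),
    (0, None, "allow"),
]


def score_access(baseline: Baseline, access: Access) -> int:
    """Risk score 0-100 for one event. Novel servers seen inside WINDOW are
    kept in a sliding list so a fan-out to many new hosts raises the score."""
    cutoff = access.ts - WINDOW
    baseline.recent = [(t, s) for t, s in baseline.recent if t >= cutoff]
    novel = access.server not in baseline.known_servers
    if novel:
        baseline.recent.append((access.ts, access.server))
    novel_count = len({s for _, s in baseline.recent})
    score = min(100, novel_count * 25)
    if novel and access.asset_type == "domain-controller":
        score = min(100, score + 25)   # higher-value asset, higher risk
    return score


def decide(score: int, asset_type: str) -> str:
    """Map a score and asset type to the first matching policy action."""
    for min_score, asset, action in POLICY:
        if score >= min_score and asset in (None, asset_type):
            return action
    return "allow"


def respond(baseline: Baseline, access: Access, verify) -> tuple:
    """Apply the adaptive response. `verify(user)` models the MFA challenge
    and returns True when the user proves their identity."""
    score = score_access(baseline, access)
    action = decide(score, access.asset_type)
    if action == "challenge":
        # Successful verification: business continues and the server is
        # learned; failure: access is blocked, no analyst involved.
        action = "allow" if verify(access.user) else "block"
    if action in ("allow", "notify"):
        baseline.known_servers.add(access.server)
    return score, action


def run_scenario(verify_ok: bool) -> list:
    """Constructed sample: a user who normally touches only fs01 suddenly
    fans out to several servers and then a domain controller within minutes."""
    t0 = datetime(2024, 1, 1, 9, 0)
    baseline = Baseline(known_servers={"fs01"})
    events = [
        Access("alice", "fs01", "file-server", t0),
        Access("alice", "fs02", "file-server", t0 + timedelta(minutes=1)),
        Access("alice", "fs03", "file-server", t0 + timedelta(minutes=2)),
        Access("alice", "dc01", "domain-controller", t0 + timedelta(minutes=3)),
    ]
    return [(e.server, *respond(baseline, e, lambda user: verify_ok))
            for e in events]


if __name__ == "__main__":
    for passed in (True, False):
        print(f"MFA challenge {'passes' if passed else 'fails'}:")
        for server, score, action in run_scenario(passed):
            print(f"  {server:6} score={score:3}  action={action}")
```

Running it shows the progression the post describes: the first known server is allowed silently, the second new server only raises a notification, the third triggers a challenge that resolves to allow or block depending on the user's answer, and the novel domain-controller access inside the same window crosses the block threshold regardless. Tuning the weights and thresholds in `POLICY` is the "flexible policy" knob; in practice you would also key rows on user type and incident confidence, as the text lists.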
Where are Behavioral Firewalls Deployed?
Unlike traditional UEBA, which sits on top of a SIEM, a Behavioral Firewall is a virtual appliance that can be deployed either inline in front of Domain Controllers or in sniffer (near-real-time / best-effort) mode to learn user behavior so that it can provide actionable insights and incidents. In either mode, adaptive responses can be used. The two deployment methods are very similar to how things worked in the early days of Intrusion Prevention Systems: customers would often deploy in sniffer mode until they had the confidence to deploy inline and use the blocking capabilities.
The next post in this series answers the following:
What benefit do organizations achieve from using UEBA? Some of the things we discuss are visibility and infrastructure protection, as well as how UEBA can reduce risk and lower an organization’s attack surface.