This is part 3 of an ongoing series of posts that answer “A Closer Look Inside UEBA: Top 5 FAQs.”
In the last couple of posts in this series, we provided an understanding of User and Entity Behavior Analysis (UEBA) and outlined the difference between traditional UEBA solutions and Behavioral Firewalls. Now let’s dive into the top 4 benefits organizations are gaining from using UEBA in their security program.
Faster Detection of Threats
We’re in a day and age where breach disclosures arrive almost daily. With the perimeter all but gone, businesses have to worry not only about outside attackers but also about insider threats. According to the 2016 Verizon Data Breach Incident Report, 63% of confirmed data breaches involved attackers posing as legitimate users (using stolen credentials) or legitimate users maliciously exploiting their access.
UEBA solutions help detect threats faster. With greater visibility into, and understanding of, continuous user activity, it’s possible to spot unusual behaviors more easily.
Here are a couple of examples of how it can help better detect threats:
- Real-time detection upon occurrence of unusual activities
Because UEBA continuously monitors user behavior, it can detect when something is out of the norm and either respond in real time to the possible threat (for example, by requiring identity verification), escalate the incident to the security team, or both.
- Forensics / threat intelligence search
Machine learning gives UEBA solutions a multidimensional understanding of users, so analysts can proactively look for, or investigate, potential threats. For example, an analyst could search for all users logging into a VPN from a specific country and accessing a server they have never
Real-time Response to Threats
Cyber dwell time (the time it takes to detect an advanced threat once it has breached an organization’s infrastructure) can be days, months or years. But in many cases, attackers get to work as soon as they are in. Improved phishing campaigns and other sophisticated methods allow attackers to compromise an organization and do damage before they are detected.
UEBA solutions, like Behavioral Firewalls, can get ahead of that threat and actively respond to the potential incident in real time rather than just sending an alert to go into a queue of countless other alerts for investigation. If, based on user behavior, something seems unusual or risky, a Behavioral Firewall can proactively respond to threats and stop them in their tracks without human intervention. With customizable policies, a company can respond with a set of fine-grained real-time responses including Block, Modify, Notify, Re-authenticate or Multi-Factor Authentication, among others. A variety of policies and response mechanisms ensure that the real threats are stopped while legitimate users can continue with their work.
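As an added illustration (this is not the vendor’s code, nor anything taken from this post), the following Python sketch shows the two mechanisms described above in miniature: the analyst search for users logging in over VPN from a given country and reaching a server they have never accessed before, and a policy that maps a behavioral risk score to a response such as Notify, Re-authenticate or Block. Every event, user, server name, weight and threshold here is a constructed assumption; a real product would learn its baselines from far richer telemetry and with statistical models rather than fixed weights.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    """One VPN session: who logged in, from where, what they reached and when."""
    user: str
    country: str  # ISO code of the VPN login source (constructed)
    server: str   # internal host reached during the session (constructed)
    hour: int     # local hour of the login, 0-23


# Constructed history used to learn each user's normal countries and servers.
BASELINE = [
    AccessEvent("alice", "US", "fileshare-01", 9),
    AccessEvent("alice", "US", "wiki-01", 14),
    AccessEvent("bob", "US", "git-01", 10),
    AccessEvent("bob", "US", "git-01", 16),
]

# Constructed new activity to be scored against that baseline.
NEW_EVENTS = [
    AccessEvent("alice", "US", "wiki-01", 10),       # entirely normal
    AccessEvent("alice", "BR", "fileshare-01", 14),  # known server, new country
    AccessEvent("bob", "US", "hr-db-01", 10),        # known country, new server
    AccessEvent("carol", "BR", "hr-db-01", 14),      # no history at all
]

# Constructed policy: weight per deviation, and the response each score band triggers.
WEIGHTS = {"new_country": 40, "new_server": 30, "off_hours": 15}
POLICY = [(70, "Block"), (40, "Re-authenticate"), (30, "Notify"), (0, "Allow")]
EMPTY_PROFILE = {"countries": frozenset(), "servers": frozenset()}


def build_profiles(events):
    """Learn, per user, the set of countries and servers seen in the baseline."""
    profiles = defaultdict(lambda: {"countries": set(), "servers": set()})
    for e in events:
        profiles[e.user]["countries"].add(e.country)
        profiles[e.user]["servers"].add(e.server)
    return dict(profiles)


def score_event(profiles, event):
    """Return (score, reasons) for one event; a user with no history deviates on every axis."""
    profile = profiles.get(event.user, EMPTY_PROFILE)
    score, reasons = 0, []
    if event.country not in profile["countries"]:
        score += WEIGHTS["new_country"]
        reasons.append("login from a country never seen for this user")
    if event.server not in profile["servers"]:
        score += WEIGHTS["new_server"]
        reasons.append("access to a server never seen for this user")
    if event.hour < 6 or event.hour > 22:
        score += WEIGHTS["off_hours"]
        reasons.append("off-hours login")
    return score, reasons


def choose_response(score):
    """Map a score to the first policy band it reaches (bands are ordered high to low)."""
    for threshold, response in POLICY:
        if score >= threshold:
            return response
    return "Allow"


def evaluate(profiles, events):
    """Score every event and attach the policy response: the real-time path."""
    results = []
    for e in events:
        score, reasons = score_event(profiles, e)
        results.append((e, score, choose_response(score), reasons))
    return results


def hunt(profiles, events, country):
    """Analyst search: VPN logins from `country` that reached a server the user never accessed before."""
    return [e for e in events
            if e.country == country
            and e.server not in profiles.get(e.user, EMPTY_PROFILE)["servers"]]


if __name__ == "__main__":
    learned = build_profiles(BASELINE)
    for event, score, response, reasons in evaluate(learned, NEW_EVENTS):
        print(f"{event.user:6} {event.country} {event.server:13} score={score:3} "
              f"-> {response:15} {'; '.join(reasons)}")
    print("hunt(BR):", [(e.user, e.server) for e in hunt(learned, NEW_EVENTS, "BR")])
```

Two design points matter even in a toy like this. First, a user with no baseline at all (carol) is treated as deviating on every axis rather than as having nothing to compare against, because a brand-new identity reaching a sensitive host is exactly the case a stolen or freshly created account produces. Second, the responses are graduated: a single new server only notifies, a new country forces re-authentication, and only the combination blocks, which is what keeps legitimate travellers working while the clearly anomalous session is stopped.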
Lower Risk and Reduced Attack Surface
One of the great benefits of UEBA is the level of insight that a customer receives through interactive analytics and snapshots of the state of the network. These insights allow customers to proactively reduce their attack surface, which makes it harder for malicious attackers to compromise their network. UEBA insights allow a security team to better understand the weak points and address them before an incident occurs (as well as help accelerate incident investigation).
Some areas that organizations focus on where they can reduce risk:
- privileged users’ activities and their compliance with security policy
- users with weak passwords
- stale account identification
- shared endpoints or users
- high risk endpoints and users
- interactive login history
- user incident timelines
- and more.
Reduction of Events and Improved Operational Efficiency
With all of the great benefits that Big Data delivers, its sheer volume can overwhelm security teams and negatively impact your security strategy. Teams are overloaded and understaffed. They spend time chasing down a plethora of security alerts, many of which are false positives or of unconfirmed severity, and that work is time consuming, repetitive and unfulfilling.
This is where more advanced UEBA solutions, like the Behavioral Firewall, can help overstressed teams by providing a layer of automation and security intelligence / insights. Upon detection of unusual behavior, it can verify and validate the threat without manual intervention. With multiple automated response mechanisms, a Behavioral Firewall can verify incidents or de-prioritize benign activity by engaging directly with your users. This level of automation allows a security team to focus on real threats and less alert chasing.
UEBA can also make incident investigations more efficient by providing deep visibility and insights into user and entity behavior. These insights also help security teams more easily identify proactive security measures they can implement to reduce the overall attack surface.
Read the next post in the series where we answer the question:
How quickly do organizations see results from UEBA? Is there a quick time to value or does it take a long time to learn user behavior and set a baseline? We also address what some of the key steps are for getting started.