Artificial Intelligence Just Got Intelligent (from HANDD Business Solutions)

By ISBuzz Team, April 23, 2017, 5 Mins Read
There’s a real buzz in the industry around artificial intelligence, machine learning, automated network monitoring and user and entity behaviour analytics (UEBA) at the moment. Artificial intelligence (AI) is not a new concept, but it appears that the mere mention of it conjures up an immediate element of fear amongst many. The reality is that AI and skilled individuals can be combined to create the most important aspect in an organisation’s defence in the war on cybercrime and here’s why.

More on User and Entity Behaviour Analytics (UEBA)
UEBA uses advanced analytics to baseline network activity and identify malicious behaviour from external sources as well as insider threats. It does this by automatically learning what is normal from typical activity and then, using proprietary algorithms, assigning risk scores to potentially malicious behaviour. Alerts provide close to 100% accuracy, enabling the SOC to operate far more efficiently and proactively and protecting a business before any threat becomes a major issue.

Doesn’t SIEM already do this?
Not even close; there is a major difference between security information and event management (SIEM) and UEBA. SIEM only throws up what a security team tells it to. It assumes that the security team is always aware of everything in the continually evolving threat landscape and is able to configure the product to alert when any one of those threats occurs. With an infinite number of false positives possible for what is potentially NORMAL activity, the drain on resources can end up doing more harm than good for an organisation’s security strategy.

UEBA, on the other hand, is signature-less and doesn’t require human-defined thresholds; instead it learns what normal activity looks like, taking feeds from all applications (or in some cases, just network traffic), and only flags when something genuinely malicious has occurred. It’s important to note that an investment in SIEM isn’t a waste, as it serves a huge purpose in centralising security events for monitoring and alerting; it just requires extra assistance to make it more efficient. Take UEBA solution provider Securonix, for example. It can take a feed from an existing SIEM solution, or replace SIEM entirely, to create a more efficient, proactive breach monitoring solution.

In practice, for example, someone accesses a job site. In isolation that is not a threat, and it would pass under SIEM’s radar. Securonix’s Security Analytics Platform can tell you from its DLP feed that this same user has also downloaded the entire customer database and then tried to email it out or save it to USB. This raises the risk score, as there is now a potential flight risk and a genuine insider threat.
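The scenario above in toy form, as an added example that is not code from Securonix, Cyglass or any other vendor named here: a fixed SIEM-style threshold beside a per-user learned baseline with cross-feed risk aggregation, run over constructed log events. The user names, event feeds, score weights and z-score limit are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (user, feed, action, bytes); not real data.
HISTORY = [  # past "normal" activity the per-user baseline is learned from
    ("alice", "dlp", "download", 2_000_000), ("alice", "dlp", "download", 3_000_000),
    ("alice", "dlp", "download", 2_500_000), ("alice", "dlp", "download", 1_800_000),
    ("bob", "dlp", "download", 150_000_000), ("bob", "dlp", "download", 120_000_000),
    ("bob", "dlp", "download", 170_000_000), ("bob", "dlp", "download", 140_000_000),
]
TODAY = [
    ("alice", "proxy", "jobsite", 0),            # job site visit: harmless on its own
    ("alice", "dlp", "download", 900_000_000),   # pulls the entire customer database
    ("alice", "dlp", "usb_copy", 900_000_000),   # then tries to save it to USB
    ("bob", "dlp", "download", 160_000_000),     # bob's routine large transfer
]

def siem_rule(events, threshold=100_000_000):
    """Static SIEM-style rule: alert on any download over a fixed size.
    It fires on bob's routine transfer too and never sees the job-site visit."""
    return sorted({u for u, _, a, n in events if a == "download" and n > threshold})

def learn_baseline(history):
    """Per-user mean and std-dev of download size: the 'normal' that UEBA learns."""
    sizes = defaultdict(list)
    for u, _, a, n in history:
        if a == "download":
            sizes[u].append(n)
    return {u: (mean(s), pstdev(s) or 1.0) for u, s in sizes.items()}

def ueba_scores(events, baseline, z_limit=3.0):
    """One aggregated risk score per user across feeds; the download signal is
    deviation from that user's own baseline, not a global threshold."""
    risk, reasons = defaultdict(int), defaultdict(list)
    for u, _, action, n in events:
        if action == "download" and u in baseline:
            mu, sigma = baseline[u]
            if (n - mu) / sigma > z_limit:      # far outside this user's normal volume
                risk[u] += 40
                reasons[u].append("download")
        elif action == "jobsite":               # weak signal from the web proxy feed
            risk[u] += 10
            reasons[u].append("jobsite")
        elif action in ("usb_copy", "email_out"):  # DLP feed: attempted exfiltration
            risk[u] += 30
            reasons[u].append("exfil")
    for u, tags in reasons.items():  # the combination is what makes a flight risk
        if {"jobsite", "download", "exfil"} <= set(tags):
            risk[u] += 20
            tags.append("flight-risk")
    return {u: (risk[u], reasons[u]) for u in risk}
```

Run against the constructed events, the static rule flags both users while the baseline-driven scorer flags only alice, with the reasons attached to the score.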

Cyglass takes a slightly different approach, monitoring network traffic in order to detect rogue behaviour. It’s a subtle difference, as it monitors network traffic between applications and endpoints. It understands roles through Active Directory integration and looks at connections between devices on the LAN and WAN to detect rogue activity. It doesn’t monitor the feeds from SIEM, DLP or the mail gateway to aggregate the risk; it looks purely at the traffic and with whom communications are taking place. It is a proven military-grade technology that supports cloud-based analytics as well as on-premises deployment.

SIEM is prone to human error and overload with unimportant information, which can become a massive burden, as it requires expensive security experts to spend thousands of man-hours sifting through millions of largely pointless alerts to find the one threat to act upon. Even then there is no guarantee that they will find the threat, and certainly not any time soon.

UEBA not only throws up genuine alerts with a greater degree of accuracy, but most solutions have also developed (or are developing) ways of automating the shutdown of malicious activity so that the problem is nipped in the bud in near real time. Darktrace has stolen a march, having launched its Antigena product, which replicates the “human immune system by creating digital antibodies” to shut down malicious connections. This massively reduces the timeframe in which the security team responds to threats, which in turn can help meet GDPR’s notification requirements.

Market leader Forcepoint has also made a huge investment in its security offering with the transfer of SureView from Raytheon to become “Forcepoint Insider Threat”. Taking feeds from the existing DLP platform, the march toward a “single pane of glass” for monitoring insider threats has taken huge steps forward in recent months.

Microsoft has also emphasised the importance of AI with the inclusion of an Advanced Threat Analytics (ATA) component in its recently launched Enterprise Mobility Suite.

What will happen to the workforce?
Those working in security need not fear AI; in fact, recent experience tells us that one of the most critical concerns among the UK’s leading banks is the lack of resources and the shortfall of skills available in the security industry. UEBA doesn’t mean “replacing all the people”; in fact, it’s quite the opposite.

UEBA frees up resources to concentrate on the things that humans need to do, such as working on the security strategy, applying patches, fixing vulnerabilities, responding to threats, training, skilling up, etc. UEBA helps to address some of that shortfall, while adding the extra efficiency required to bolster defence capabilities. Skilled security people are in demand, so allow them to do the jobs they were employed to do.

By working effectively together, AI and a skilled security team can be the most important tools in the war on cybercrime. Allowing both to do the job they were designed to do will ensure an organisation’s security strategy operates more efficiently than ever before.

About Danny Maher
