Using advanced analytics that provide context to behavioral analysis makes it easier to identify internal security threats and find individual offenders, Gartner said in a recent report on User and Entity Behavior Analytics (UEBA).
As traditional network defenses become increasingly obsolete, security professionals are scrambling to find the right tools to help them recognize potential threats before they materialize, all while suffering from data fatigue.
“Statistical analysis and machine learning can find anomalies in data that humans wouldn't otherwise know about,” the Gartner report stated.
When end users have been compromised, malware can lie dormant and go undetected for months. Rather than trying to find where the outsider entered, UEBA tools allow for quicker detection by using algorithms to detect insider threats.
Gartner projected that, “Over the next three years, leading UEBA platforms will become preferred systems for security operations and investigations at some of the organizations they serve.”
Behavior analytics have been around for a long time. Historically, they have been used to identify threats and determine “how people are trying to access your network from the outside,” said Ryan Stolte, CTO of Bay Dynamics.
User behavior analytics tools differ in that they shift the focus from alerting on potential threats from outside the network to identifying more concentrated and individualized insider threats based on user behavior.
In the older model of user analytics, data collection has resulted in an overload of alerts that are nearly impossible to analyze.
“Rules are based on what a human knows about the data. When rules are not tuned properly, they generate too much noise and too many alerts that are not properly prioritized,” the Gartner report explained.
“In the security space there is a lot of investment lately to collect all of this data and send it into a centralized form, but we need to do more than throwing out alerts,” Stolte said.
Combining behavior analysis with machine learning enhances the ability to determine which particular users are behaving oddly. The success, according to the Gartner report, is largely because it is “much easier to discover some security events and analyze individual offenders than it is in many legacy security monitoring systems.”
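To make the contrast between rule-based alerting and per-user behavioral baselining concrete, here is an added example (not code from the article, Gartner, or Bay Dynamics). It runs a constructed authentication log through two detectors: a legacy static rule ("more than 20 logins in a day") and a simple statistical baseline that scores each user's daily activity against that user's own history. The user names, hosts, feature floors and the z-score threshold are all assumptions chosen for the illustration.

```python
"""Per-user behavioral baselining versus a static rule (added illustration)."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed minimum standard deviations: a perfectly regular baseline has
# std 0, and without a floor any small change would produce an infinite z-score.
STD_FLOOR = {"logins": 1.0, "hosts": 1.0, "off_hours": 0.1}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time (assumption)


def make_sample_log():
    """Constructed authentication log as (timestamp, user, host) tuples."""
    events = []
    for day in range(1, 6):  # five baseline days of normal activity
        for hour in (9, 17):
            events.append((f"2024-03-{day:02d}T{hour:02d}:05", "alice", "ws-alice"))
            events.append((f"2024-03-{day:02d}T{hour:02d}:20", "bob", "ws-bob"))
        for i in range(40):  # high-volume but entirely normal service account
            events.append((f"2024-03-{day:02d}T{i % 24:02d}:30", "svc-backup", f"srv-{i % 25:02d}"))
    # Day 6: alice's credential is used at 03:00 against six servers;
    # bob is unchanged and the service account runs two extra jobs.
    for i in range(12):
        events.append((f"2024-03-06T03:{i * 4:02d}", "alice", f"srv-{i % 6:02d}"))
    for hour in (9, 17):
        events.append((f"2024-03-06T{hour:02d}:20", "bob", "ws-bob"))
    for i in range(42):
        events.append((f"2024-03-06T{i % 24:02d}:30", "svc-backup", f"srv-{i % 25:02d}"))
    return events


def daily_features(events):
    """Aggregate events into {(user, day): {logins, hosts, off_hours fraction}}."""
    buckets = defaultdict(list)
    for ts, user, host in events:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
        buckets[(user, t.date())].append((t.hour, host))
    feats = {}
    for key, items in buckets.items():
        feats[key] = {
            "logins": len(items),
            "hosts": len({h for _, h in items}),
            "off_hours": sum(h not in BUSINESS_HOURS for h, _ in items) / len(items),
        }
    return feats


def build_baselines(feats, baseline_days):
    """Per-user (mean, floored std) of each feature over the baseline window."""
    per_user = defaultdict(lambda: defaultdict(list))
    for (user, day), f in feats.items():
        if day in baseline_days:
            for name, value in f.items():
                per_user[user][name].append(value)
    return {
        user: {name: (mean(vals), max(pstdev(vals), STD_FLOOR[name]))
               for name, vals in series.items()}
        for user, series in per_user.items()
    }


def score_day(feats, baselines, day, threshold=3.0):
    """Return {user: max |z| across features} for users exceeding threshold."""
    alerts = {}
    for (user, d), f in feats.items():
        if d != day or user not in baselines:
            continue
        z = max(abs(f[name] - mu) / sd for name, (mu, sd) in baselines[user].items())
        if z >= threshold:
            alerts[user] = round(z, 2)
    return alerts


def static_rule(feats, day, max_logins=20):
    """Legacy-style rule: flag anyone with more than max_logins in a day."""
    return sorted(user for (user, d), f in feats.items()
                  if d == day and f["logins"] > max_logins)


def run_demo():
    """Run both detectors over day 6 and return (rule hits, baseline alerts)."""
    feats = daily_features(make_sample_log())
    baseline_days = {date(2024, 3, d) for d in range(1, 6)}
    baselines = build_baselines(feats, baseline_days)
    target = date(2024, 3, 6)
    return static_rule(feats, target), score_day(feats, baselines, target)


if __name__ == "__main__":
    rule_hits, baseline_alerts = run_demo()
    print("static rule flags:", rule_hits)          # the noisy service account
    print("baseline alerts:", baseline_alerts)      # alice, far outside her norm
```

The static rule fires on the service account every day and never on alice, whose twelve logins stay under the threshold; the per-user baseline ignores the service account (42 logins is within its own norm) and flags alice because login count, distinct hosts and off-hours fraction all sit many standard deviations from her history. That is the difference the article describes between untuned rules that "generate too much noise" and analytics that single out the individual behaving oddly.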
These days, attackers are getting past traditional protections by compromising legitimate users, Stolte explained.
“The way the bad guys are getting in is that they look like the good guys. Somebody has stolen my keys, but even if someone can pretend to be me, they don’t know how to walk in my shoes.”
Criminals have found ways to stay one step ahead of security teams that use signature-based behavior analysis by changing their behavior once a signature has been identified. Does this mean attackers will be able to find a work-around for the latest improvements in the behavior analysis space?