Why UEBA Might Have Sent Johnny to Jail

May 23, 2017 by Franklyn Jones
Why UEBA Might Have Sent Johnny to Jail

Strange title, I know. But hang with me.

In my previous blog, I mentioned three research projects that Cyphort recently completed, which revealed growing dissatisfaction among SIEM users. Their two primary concerns are that SIEMs are productivity-draining tools, and they don’t make it easy to quickly identify and solve critical security problems. Again, that’s not me talking–that’s nearly 1,000 SIEM users across the US (learn more by downloading one of the reports on www.cyphort.com).

One of the emerging features generating some buzz for its ability to solve the SIEM problem is Security Analytics, an umbrella term that covers various technologies designed to automate threat detection and accelerate incident response. And within this broad category, the analytics technology that seems to have captured the attention of some analysts is UEBA (User and Entity Behavioral Analytics).

Specifically, Gartner is one example. They came up with the term UEBA, and here is their definition, published in their Market Guide for User and Entity Behavior Analytics, December 2016:

“User and entity behavior analytics offers profiling and anomaly detection based on a range of analytics approaches, usually using a combination of basic analytics methods (e.g., rules that leverage signatures, pattern matching and simple statistics) and advanced analytics (e.g., supervised and unsupervised machine learning)”.

Blah, blah, blah. Let me offer a simpler definition:

“UEBA provides circumstantial evidence of a possible security incident based on detected changes (anomalies) in the normal behavior of users or devices.”

For example, consider UEBA’s role in this scenario: Johnny usually goes to the market every day at 10 a.m. But two nights ago, Johnny went to the market late at night, at 11 p.m. Coincidentally, two nights ago the market was robbed. Therefore, UEBA says Johnny must be considered a potential suspect because his behavior suddenly changed.

Yup, Johnny would be flagged because of this crazy, insane “behavioral anomaly.” But the only anomaly that Johnny is guilty of is changing his job shift, which meant he had to start going to the market later at night. Oops. Sorry Johnny.

Here’s the EEBA conundrum.

The good news is that UEBA certainly adds contextual value to the overall data set and saves some time by automating the discovery of anomalies. But do the anomalies indicate malicious behavior? Sometimes yes, sometimes no. And answering that can be a labor-intensive task that leads to a lot of dead ends. That’s why UEBA should not be considered an effective tool for direct threat detection or a solution to the SIEM productivity problem.

Back to the market robbery scenario, a better solution would have been to have 24×7 cameras providing continuous visibility of traffic flowing in and out of the market (i.e., direct threat detection). If you have real-time monitoring of that traffic flow, the actual threat (robber) can be identified and mitigated very quickly. No guesswork-–there it is.

Then, by correlating direct threat detection with UEBA, we discover it was actually some guy named Ted who robbed the store. UEBA noted that Ted had been visiting the market every week over the past year, sometimes during the day and sometimes at night. His behavioral was unpredictable but not necessarily an anomaly.

Not to make this a commercial, but that’s an important difference between the Security Analytics capabilities of UEBA (circumstantial evidence) versus what Cyphort delivers with its Anti-SIEM (direct threat detection in near real-time + analytics that correlate the threat with data from multiple sources, including UEBA).

If you want to go deeper on this, there’s a good webcast on BrightTalk that examines the Cyphort research and discusses analytics based on direct threat detection.