With cyber threats constantly evolving and becoming more advanced, public and private sector entities trying to protect their assets must evolve their methods of protection and defense. When signature-based threat detection methods are no longer enough to combat highly advanced cyberattacks, User Behavior Analytics (UBA) can be a strong alternative, according to a recent study by IT solutions firm Trace3.
Trace3’s Innovation Research Team presented a study from a customer’s perspective, meaning it included opinions from genuine users, product presentations, advertised specifications and data directly from vendors. The respondents represented approximately 12 Fortune 100 companies that use one or multiple Security Information and Event Management (SIEM)-Centric User Behavior Analytics (SCUBA) products, and believe their organization has already experienced a breach or will soon.
Signature-based threat detection scans systems for attributes of known threats; by construction, it can only detect those characteristics. This means it may not be an effective method of detection when an intrusion is new and its indicators are not yet known.
UBA overcomes some of the deficits of signature-based security through the use of machine learning to identify internal and external threats, and is available in several varieties based on customer needs.
In an exclusive interview with Homeland Security Today, Mark Campbell, Director of Innovation Research for Trace3, said, “Specifically for our study, we defined machine-learning as unsupervised and/or supervised machine learning, which enables computers to learn without exact programming, performed by an underlying deep learning platform (e.g., convolutional neural network). We also looked at the products’ support of adaptive learning after baselining as this was a key feature we found common in customers’ selection/buying process.”
Government security networks face similar threats as those experienced by the private sector, which means similar detection and prevention security capabilities could be mutually beneficial.
“UBA offers an adaptive alternative to signature-based solutions which, I believe, would be a perfect fit for homeland security efforts whether domestic or abroad, as these must adapt and evolve to today’s ever-changing and ever-growing threat vectors,” said Campbell.
UBA reviews statistics from the SIEM already in place and records them in an internal log. From this data a baseline of normal behavior is created, against which anomalies that could be a sign of a breach are detected.
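To make the contrast between the signature-based detection described earlier and UBA baselining concrete, here is an added example (not from the Trace3 study or any of the products it reviewed) that builds a per-user baseline from constructed SIEM-style events and then runs both a signature check and a behavioral check over new activity. The event format, the user names, the host names and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample auth events: (user, source_host, hour_of_day, bytes_out).
BASELINE_EVENTS = [
    ("alice", "wks-01", 9, 1200), ("alice", "wks-01", 10, 1500),
    ("alice", "wks-01", 11, 1100), ("alice", "wks-02", 14, 1300),
    ("bob", "wks-07", 8, 800), ("bob", "wks-07", 12, 950),
    ("bob", "wks-07", 13, 700), ("bob", "wks-07", 15, 900),
]
# Constructed signature list: an indicator of one already-known threat.
KNOWN_BAD_HOSTS = {"c2-relay-01"}

def build_baseline(events):
    """Per-user profile: hosts and hours seen, mean/std of bytes_out."""
    per_user = defaultdict(list)
    for user, host, hour, nbytes in events:
        per_user[user].append((host, hour, nbytes))
    baseline = {}
    for user, rows in per_user.items():
        sizes = [b for _, _, b in rows]
        baseline[user] = {"hosts": {h for h, _, _ in rows},
                          "hours": {hr for _, hr, _ in rows},
                          "mean": mean(sizes),
                          "std": pstdev(sizes) or 1.0}  # guard against /0
    return baseline

def signature_alerts(events):
    """Signature check: fires only when an already-known indicator is present."""
    return [e for e in events if e[1] in KNOWN_BAD_HOSTS]

def behavior_alerts(events, baseline, z_threshold=3.0):
    """Behavioral check: flag deviations from each user's own baseline."""
    alerts = []
    for user, host, hour, nbytes in events:
        prof = baseline.get(user)
        if prof is None:
            alerts.append((user, host, "no baseline for user"))
            continue
        reasons = []
        if host not in prof["hosts"]:
            reasons.append("new host")
        if hour not in prof["hours"]:
            reasons.append("unusual hour")
        z = (nbytes - prof["mean"]) / prof["std"]
        if z > z_threshold:
            reasons.append(f"bytes z-score {z:.1f}")
        if reasons:
            alerts.append((user, host, ", ".join(reasons)))
    return alerts

# Constructed new activity with no known signature: bob from an unseen host at 03:00.
NEW_EVENTS = [("alice", "wks-01", 10, 1350), ("bob", "wks-19", 3, 48000)]
```

Run against `NEW_EVENTS`, the signature check returns nothing because no known indicator is present, while the behavioral check flags bob's session on three counts; a real deployment would tune the thresholds and baseline window per environment rather than use these constructed values.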
“It is critical that the entire lifecycle of security operations—from prevention, detection, response and mitigation, to the ongoing feedback loop—must be unified by continuous monitoring and advanced analytics to provide context aware intelligence,” said Campbell in the report findings. “There is a burgeoning array of UBA solutions on the market today, but many are actually traditional signature-based solutions that have been re-branded with buzzwords like machine-learning or deep-learning.”
For the study’s purposes, five SIEM-centric products were selected for review: Exabeam, Fortscale, Niara, Securonix, and Splunk (UBA). Each was compared to 57 different industry standards to gauge its effectiveness. Trace3 predicts that in the future UBA will either enhance or completely substitute signature-based detection solutions, as the private and government sectors cannot afford to utilize outdated means of data protection or try to independently fill the gaps UBA was designed to address.
Cybersecurity leads do, however, need to be careful to select a UBA tool that is in line with industry standards, and not simply a rebranding of outdated technology.
“The number one criteria we found to separate the machine-learning wheat from the chaff was the nature and depth of the UBA solution’s machine learning. AI is not easily retrofitted into a traditional solution,” Campbell continued. “Questioning what forms of machine-learning (supervised/unsupervised) they support and detailing the underlying AI [Artificial Intelligence] engine is very telling. Any instance of signature databases, attack profiling or algorithmic approaches being called ‘machine-learning’ should raise red flags.”
Campbell explained that there are still times when current signature-based solutions can add value, especially when used alongside certain UBA products, although only in certain circumstances, such as as a means of migration between legacy systems and newly introduced signature-based systems.
As data protection technology and cyber intrusion protection continue to evolve, Trace3 believes the data points to a continued effort by organizations to harness their data to provide baseline statistics.
The company said budget sensitivities could lead to implementation roadblocks and a delay in integrating signature-based threat detection, but noted that with proper attention to the most sensitive issues, UBA may still be integrated in some form to create a more secure environment.
“…We expect to see SCUBA products add more data sources and, in doing so, merge with the other two UBA spaces (i.e., network-centric, endpoint agent-centric UBA)… So our recommendations are for customers to select UBA products that merge nicely with other solutions already installed (e.g., ArcSight + Securonix or Splunk + Splunk UBA). And stay tuned because this space is changing/maturing/consolidating quickly,” said Campbell.