Derek Lin, Chief Data Scientist at Exabeam discusses the important role that user and entity behaviour analytics will play in the development of security solutions for today’s cyber threat landscape.
The seemingly unstoppable growth of cyber-attacks, both in terms of volume and variance, is a cause for significant concern throughout the business world. On a near-daily basis the world’s media carries headlines relating to the latest major breach, but perhaps the greater concern should be the many breaches that will never be read about, because they haven’t been discovered. In fact, according to Verizon, up to 85 percent of all data breaches are never detected, despite billions of pounds of annual expenditure on security products.
A large part of this is down to where budgets are being spent. The evolving nature of today’s cyber threats, combined with changing business practices, means that focusing solely on threat prevention, or taking a purely reactive approach to threat management, is no longer a viable strategy. Effective security now lies in the ability to efficiently analyse the large quantities of data coming in and out of a business network, quickly identifying major threats and stopping them before they can cause serious damage.
Using analytics to stay ahead of cyber crime
In the majority of modern networks, every action that takes place is recorded and logged. The larger the enterprise, the more logs are generated, often resulting in huge stores of data on events, actions, files, and users on the network. Naturally, this creates significant infrastructure demands and requires efficient processes for querying the data.
This is where analytics solutions designed to monitor processes and movements based on big data come to the fore. By analysing every activity that takes place, they are able to establish ‘normal’ benchmarks for network activity. If activity deviates too far from these accepted patterns, the network security team is notified so closer inspection can take place. Security teams typically receive thousands of network alerts every day, many of which are harmless, so implementing a system capable of accurately assessing activity before triggering an alert can be highly beneficial. Not only does it mean they can spend more time focusing on genuine threats, it can also significantly cut the number of false positives being generated.
Combined with solutions that improve threat management, and with recruiting the right individuals with expertise in platform support and security, this makes User and Entity Behaviour Analytics (UEBA) solutions a highly effective method of detecting and stopping many of the cyber threats faced today.
Machine learning helps continually improve capabilities
UEBA solutions assess a wide variety of network activities. After establishing behavioural benchmarks, they compare account activity against that of similar accounts in order to identify anomalous activity. However, the benefits don’t end there. Current security protocols primarily focus on responding to alerts as quickly as possible. However, without any context, it can be extremely difficult to accurately sort genuine threats from the many false positives generated each day. Analytics provides security teams with the much-needed contextual evidence in order to eliminate time spent chasing false positives, helping to conserve resources and keep the focus on the right areas.
Furthermore, many UEBA tools also utilise machine learning to further bolster security. Complex data-mining processes applied to VPN and activity logs detect developing problems in infrastructure access from compromised accounts. Database and file-level access logs help to detect more granular threat activities by identifying anomalous behaviour relating to specific accounts and assets. The algorithms built into UEBA tools constantly learn and self-improve, helping businesses to stay one step ahead of the evolving cybercrime landscape.
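A minimal illustration of the per-account baseline and peer-group comparison described above, written as an added example rather than Exabeam's own code or algorithm. The users, departments and daily file-access counts are constructed sample telemetry, and the z-score threshold is an assumption chosen for the example.

```python
"""Toy UEBA scorer: per-user baselines combined with a peer-group (department) baseline."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: (day, user, department, files_accessed_that_day).
# Finance analysts touch ~20 files a day; engineers routinely touch ~200.
HISTORY = [
    *[(d, "alice", "finance", n) for d, n in enumerate([20, 22, 19, 21, 23])],
    *[(d, "bob", "finance", n) for d, n in enumerate([18, 17, 20, 19, 18])],
    *[(d, "carol", "engineering", n) for d, n in enumerate([200, 210, 190, 205, 195])],
    *[(d, "dave", "engineering", n) for d, n in enumerate([180, 190, 185, 195, 200])],
]


def build_baselines(history):
    """Learn (mean, stdev) per user and per department, plus each user's department."""
    per_user, per_dept, dept_of = defaultdict(list), defaultdict(list), {}
    for _day, user, dept, count in history:
        per_user[user].append(count)
        per_dept[dept].append(count)
        dept_of[user] = dept
    user_stats = {u: (mean(v), pstdev(v)) for u, v in per_user.items()}
    dept_stats = {d: (mean(v), pstdev(v)) for d, v in per_dept.items()}
    return user_stats, dept_stats, dept_of


def zscore(value, stats, floor=1.0):
    """Standard deviations from the mean; stdev is floored so a flat history cannot
    turn a one-file difference into an enormous score."""
    mu, sigma = stats
    return (value - mu) / max(sigma, floor)


def score_event(user, count, baselines, threshold=3.0):
    """Score one day's activity against the user's own history and their peers'.
    An alert fires only when the count is unusual for BOTH: a finance analyst
    pulling 60 files is suspicious, while an engineer doing so is routine."""
    user_stats, dept_stats, dept_of = baselines
    self_z = zscore(count, user_stats[user])
    peer_z = zscore(count, dept_stats[dept_of[user]])
    return {
        "user": user,
        "self_z": round(self_z, 2),
        "peer_z": round(peer_z, 2),
        "alert": self_z > threshold and peer_z > threshold,
    }


if __name__ == "__main__":
    b = build_baselines(HISTORY)
    for u, n in [("alice", 60), ("bob", 23), ("carol", 215)]:
        print(score_event(u, n, b))
```

Bob's 23 files is well outside his own history but ordinary for finance, so it is surfaced with context rather than as an alert; the peer comparison is what removes that false positive.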
In the past, a security strategy built around preventing cyber-attacks might have made sense. Today, it does not. The modern threat landscape requires a modern approach, which means equipping security teams with the necessary tools to protect networks, alert users and shut down any successful attacks as quickly as possible.
The threat landscape will continue to evolve at an alarming pace for the foreseeable future and companies need to keep up. Putting user and entity behaviour analytics at the heart of security solutions can give businesses the edge they need to truly protect their most sensitive data assets.