April 30, 2019 / by Siddhant Mishra / In ueba , guides /

3 Questions to Ask Your UEBA Provider

To fully understand what your existing SIEM solution can offer your enterprise in terms of cybersecurity, you’ll need to ask yourself some tough questions: Is your SIEM being used to its full potential?

  • How much has your threat hunting model matured over time?
  • How are you leveraging new detection strategies in your threat hunting process?

Most SIEM platforms today come with built-in UEBA features, which have immense potential to improve the security posture of your organization and greatly reduce insider threats. In this blog, we’ll guide you through a few important points to keep in mind when it comes to implementing and making the most of UEBA in your organization.

Before we dive in, you can read these other posts to learn why UEBA has become an integral part of the threat hunting process for any organization:

Dedicated or integrated UEBA: which is better?

Cyberthreats are growing in both complexity and volume, and security operations center (SOC) teams are already struggling to stay ahead. Meanwhile, enterprises continue to generate mountains of data at astonishing rates. Analytics-driven SIEM is a must in centralizing data and analyzing collected data sets for threats, no doubt — but is having a separate tool for user behavior analysis a good option? Think about the challenges an already burdened SOC team would have to face:

  • Separate data provisioning for the new UEBA tool
  • Dedicated analysts for monitoring

Even without these challenges, security teams won’t get a complete view of the entire infrastructure, in terms of both trusted insiders’ and malicious outsiders’ user behavior. The volume and type of data being sent into the UEBA solution would not be the same as that being forwarded to the existing SIEM solution.

A SIEM platform is built to analyze varied types of log data on a large scale, while dedicated UEBA solutions can ingest only behavior-related data and offer limited support for device integration.

In short, for user behavior analysis to be effective, the software needs access to a rich set of machine data. Tight integration with a SIEM platform reduces gaps in visibility, enabling more accurate detection of anomalies. UEBA needs to be a core function of a SIEM solution, not merely an afterthought. This means that having a dedicated, “siloed” UEBA platform is out of the question.

Challenges with existing UEBA solutions

Having thrown the idea of a dedicated UEBA tool out of the window, here are some challenges that many integrated UEBA solutions are struggling with:

  • Optimized data sets: UEBA solutions are not designed to work with raw or unstructured data. They require high-quality data preparation, normalization, enrichment and grouping.
  • Dynamic baselines: It’s important to keep tabs on the dynamic baselines that are created, in order to make sure they remain aligned with the rapidly evolving threat landscape in your organization. A “set and forget” strategy doesn’t work here.
  • The emerging need for ML: Use of machine learning (ML) is a necessity, as analyzing large volumes of data is like searching for a needle in a haystack — without ML, it’s nearly impossible. Combined with automation, ML models can go a long way in making a security team’s job easier.

Questions for your UEBA vendor

If you already have a SIEM that can includes UEBA features, the answers to the following questions will serve as a guide to help you better streamline and plan your threat hunting process. If you don’t have one, they can help you better evaluate a UEBA solution from a technical perspective:

  1. Is there a built-in data preparation process? Simply ingesting raw log data and expecting a UEBA solution to magically come up with outliers or behavioral anomalies is unrealistic. UEBA solutions work best with “rich datasets” that have been enriched with contextual information related to the organization, the threats or risks encountered over time and so on. It is crucial to understand this, and to ask your vendor if there are provisions for this kind of enrichment. For example, you may be able to import a CSV or Excel file with relevant data into a UEBA solution. Using that data, the software can append relevant information to detected events. Many solutions also feature integration with external apps via APIs.
  2. How often do detection rules or models need to be updated? The key phrase to keep in mind here is dynamic thresholds. How these are created and how often they need to be updated are factors which affect your security teams’ overall accuracy and response times. How? Suppose the software creates dynamic thresholds, but there is no provision to monitor them, such as in a report or dashboard This leaves your SOC without any insight into the detection frequencies and approximate threshold values. This would have a negative impact on your teams’ accuracy and lead to a rise in false positives. These false positives, in turn, waste your analysts’ time investigating threats that don’t exist.
  3. If machine learning is being used, what is the model updating process like? Most UEBA vendors are already using ML due to the immense benefits it offers, in terms of statistical analysis and the ability to learn from the data set itself. For these solutions, it’s crucial to understand what kind of risks the ML model is designed to detect. Some ML models may even stop at flagging outliers. Complete dependence on ML or artificial intelligence is not yet practical in the field of cybersecurity, so remember to ask vendors about how to fine-tune these models, and to what extent this can be automated. Don’t fall for slogans like “Sit back and relax — ML and AI will do everything.” While this may sound attractive, no platform can live up to these kinds of promises.

That’s all for now! Let us know in the comments if you agree, disagree or have other points to add.

Interested in an integrated, analytics-driven SIEM solution that learns from your data and users in real time? Feel free to drop us a message below!