Consider the following: Joe, an engineer, logged into the source code repository at 10pm last night and downloaded 500MB of data. Meanwhile, the new head of the legal team, Sally, has been logging into the network from West London and Dublin—at the same time.
Pete, an analyst, is accessing a critical finance application that he has never used before, and Claire, one of your sysadmins, has been accessing the customer database after normal work hours every evening for the last two weeks.
Are you confident that all of these are legitimate scenarios, or are they anomalous behaviours that threaten the brand, reputation and finances of your organisation? Can your current security tools detect these types of insider threats, and how will your staff respond?
Understanding the difference between UEBA and SIEM
While the underlying principles behind UEBA and SIEM are similar, there is an important distinction. Because SIEM is rules-based software, a skilled attacker can evade it, or even manipulate it outright. If an alarm is only triggered after 10 failed attempts in five minutes, a hacker can simply wait for the sixth minute before resuming the attack. SIEM rules are designed to detect threats as they happen in real time, but sophisticated attacks can be insidious, often playing out over a span of months or even years.
UEBA’s use of risk-scoring techniques and advanced algorithms in place of rules makes it much better equipped to detect suspicious behaviour through anomalies over time. It watches how your users and devices interact with each other and sets a baseline for normal activity. Using machine learning algorithms and statistical analysis techniques, it is capable of detecting when there is a deviation from that baseline, and any anomalies identified as a potential threat to your environment are escalated for an analyst to review manually.
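To make the distinction concrete, here is an added example (not code from the original article or from any vendor it mentions) that runs the same hour of constructed login events through a fixed-threshold rule of the kind described above and through a per-user baseline detector. The log format, the user names, the threshold values and the history figures are all assumptions chosen for illustration.

```python
"""Added example (not from the original article): a fixed-threshold SIEM-style
rule beside a per-user baseline detector, run over constructed login events.
The log format, user names, thresholds and history values are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev


def parse_line(line):
    """'<ISO timestamp> <user> <OK|FAIL>' -> (datetime, user, result)."""
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result


def threshold_rule(events, max_failures=10, window=timedelta(minutes=5)):
    """Correlation rule: alert when a user reaches max_failures failed logins
    inside any sliding window. Returns the set of users that fired the rule."""
    recent, alerted = defaultdict(deque), set()
    for ts, user, result in sorted(events):
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # forget failures that left the window
            q.popleft()
        if len(q) >= max_failures:
            alerted.add(user)
    return alerted


def baseline_detector(events, history, z_threshold=3.0):
    """Behavioural baseline: compare each user's failure count in the observed
    hour with that user's own hourly history; return {user: z-score} for
    deviations beyond z_threshold, regardless of how the attempts were paced."""
    observed = defaultdict(int)
    for _, user, result in events:
        if result == "FAIL":
            observed[user] += 1
    flagged = {}
    for user, count in observed.items():
        hist = history.get(user, [0])
        mu, sigma = mean(hist), pstdev(hist)
        z = (count - mu) / (sigma if sigma > 0 else 1.0)
        if z > z_threshold:
            flagged[user] = round(z, 1)
    return flagged


def burst(user, start, count, spacing=timedelta(seconds=30)):
    """Constructed log lines: `count` failed logins for `user` starting at `start`."""
    return [f"{(start + i * spacing).isoformat()} {user} FAIL" for i in range(count)]


def build_sample():
    """Constructed hour of logs: a paced attack on alice's account (nine failures,
    a pause past the five-minute window, repeated three times) and bob mistyping
    his password twice before logging in."""
    base = datetime(2024, 3, 1, 22, 0, 0)
    lines = []
    for i in range(3):
        lines += burst("alice", base + timedelta(minutes=6 * i), 9)
    lines += [f"{(base + timedelta(minutes=2)).isoformat()} bob FAIL",
              f"{(base + timedelta(minutes=3)).isoformat()} bob FAIL",
              f"{(base + timedelta(minutes=4)).isoformat()} bob OK"]
    return [parse_line(line) for line in lines]


# Constructed history: failed logins per hour for each user over the previous 12 hours.
HISTORY = {"alice": [0, 1, 0, 2, 1, 0, 1, 1, 0, 2, 0, 1],
           "bob":   [1, 2, 1, 3, 2, 1, 2, 2, 1, 3, 2, 1]}

if __name__ == "__main__":
    sample = build_sample()
    print("threshold rule fired for:", threshold_rule(sample) or "nobody")
    print("baseline deviations:", baseline_detector(sample, HISTORY))
```

The rule never fires on the sample because no five-minute window ever holds ten failures, whereas the baseline detector flags alice's account with a very large deviation from its own history and leaves bob alone. In practice the baseline would be learned from weeks of data and combined with other signals, but the shape of the difference is the same.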
The bottom line is that it is no longer practical to rely on an approach built around fixed physical objects and systems, and the same applies to matching code signatures against activities and events.
Does this mean there is no place left for SIEM?
Do behaviour analytics render SIEM useless?
The traditional methodology of working with an array of signature-based perimeter and network access control tools worked well in the past, but as attacks have continued to evolve, the approach you take to your security has to modernise accordingly. Looking for known attacks at point of entry is ineffective and doesn’t stop attacks far enough up the kill chain.
This is not to say SIEM is useless. Far from it: Gartner sees UEBA and SIEM together as the future of threat detection, and this isn’t terribly controversial. The major players in the SIEM space have all either integrated UEBA tools into their products or are actively acquiring businesses in order to move with the market. Aruba themselves recommend deploying a UEBA solution alongside SIEM with bi-directional integration, so that the SOC team can continue using its existing consoles while benefiting from the attack detection and advanced threat hunting capabilities that UEBA security tools provide.
Combining UEBA and SIEM for advanced threat detection
The problem with SIEM is that, as the complexity of cyber attacks has risen, security professionals have tried to mould it to deliver functionality it was never designed for. Hopefully, you’ll see that SIEM is still a very useful tool in the modern cyber defence arsenal. If nothing else, it provides checkbox compliance with the complex regulations surrounding infrastructure and critical industry, as well as acting as a system of record from a legal standpoint. It is excellent at ingesting logs and preparing them for further investigation.
Combining the two approaches to cyber threat defence reduces false positives, alleviating alert fatigue as well as eliminating the need to continuously add and manage correlation and enrichment rules in the SIEM.
It is time to adjust your information security budget accordingly.
If we go back to the scenario in the introduction, behaviour analytics would let you discern that Joe was just going above and beyond his contracted hours in order to finish a project, while Sally, who was travelling, had shared her password with her assistant in order to stay on top of her workload. Pete clicked on a link in a malicious email and had his credentials harvested, but Claire handed in her notice two weeks ago and has gone rogue, downloading the entire customer database piece by piece.
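The risk-scoring side of that picture can be shown with a small scorer. What follows is an added example, not code from the original article or from any product it names: it builds constructed events mirroring the four users above, derives anomaly indicators for each (concurrent logins from two locations, a download volume far above the user's own daily baseline, first-time use of a critical application, after-hours access), weights them, scales the score up when the pattern recurs over several days, and returns the users an analyst should review first. The indicator weights, thresholds, office-hours window, coordinates and byte figures are all assumptions.

```python
"""Added example (not from the original article): a small UEBA-style risk scorer
over constructed events for the four users in the article's scenario. Indicator
weights, thresholds, locations and the office-hours window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

OFFICE_HOURS = range(8, 19)          # assumed 08:00-18:59 local time
MAX_PLAUSIBLE_SPEED_KMH = 900.0      # implied travel faster than this is "impossible"
CRITICAL_RESOURCES = {"finance-app", "customer-db"}   # assumed crown-jewel systems
WEIGHTS = {"impossible_travel": 45, "volume_spike": 30,
           "first_time_resource": 15, "critical_resource": 20, "after_hours": 10}
ESCALATE_AT = 35                     # scores at or above this go to an analyst
WEST_LONDON, DUBLIN = (51.51, -0.30), (53.35, -6.26)   # approximate lat/lon
MB = 1024 * 1024


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def indicators_for(user, events, history):
    """Anomaly indicators for one user, plus the number of days the pattern persisted."""
    found, evs = set(), sorted(events, key=lambda e: e["ts"])
    for prev, cur in zip(evs, evs[1:]):           # concurrent or impossible travel
        if prev["geo"] != cur["geo"]:
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            if hours == 0 or haversine_km(prev["geo"], cur["geo"]) / hours > MAX_PLAUSIBLE_SPEED_KMH:
                found.add("impossible_travel")
    per_day = defaultdict(int)                    # bytes per day against the user's own baseline
    for e in evs:
        per_day[e["ts"].date()] += e["bytes"]
    base = history[user]["daily_bytes"]
    ceiling = mean(base) + 3 * max(pstdev(base), 1.0)
    anomalous_days = {d for d, b in per_day.items() if b > ceiling}
    if anomalous_days:
        found.add("volume_spike")
    for e in evs:
        if e["resource"] not in history[user]["resources"]:
            found.add("first_time_resource")
            if e["resource"] in CRITICAL_RESOURCES:
                found.add("critical_resource")
        if e["ts"].hour not in OFFICE_HOURS:
            found.add("after_hours")
            anomalous_days.add(e["ts"].date())
    return found, len(anomalous_days)


def risk_scores(events, history):
    """Per-user score: summed indicator weights, scaled up when the pattern recurs."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    scores = {}
    for user, evs in by_user.items():
        found, days = indicators_for(user, evs, history)
        persistence = 1 + 0.1 * max(days - 1, 0)
        scores[user] = round(sum(WEIGHTS[i] for i in found) * persistence)
    return scores


def escalate(scores):
    """Users an analyst should review, highest risk first."""
    return [u for u, s in sorted(scores.items(), key=lambda kv: -kv[1]) if s >= ESCALATE_AT]


def ev(user, ts, resource, mb, geo=WEST_LONDON):
    """One constructed access event."""
    return {"user": user, "ts": ts, "resource": resource, "bytes": mb * MB, "geo": geo}


def build_scenario():
    """Constructed events and per-user history mirroring the article's four users."""
    day = datetime(2024, 3, 1)
    history = {  # resources each user has touched before, and their normal daily volume
        "joe":    {"resources": {"source-repo"}, "daily_bytes": [20 * MB] * 30},
        "sally":  {"resources": {"vpn", "contracts"}, "daily_bytes": [5 * MB] * 30},
        "pete":   {"resources": {"reporting"}, "daily_bytes": [10 * MB] * 30},
        "claire": {"resources": {"customer-db", "bastion"}, "daily_bytes": [15 * MB] * 30},
    }
    events = [ev("joe", day + timedelta(days=14, hours=22), "source-repo", 500),
              ev("sally", day + timedelta(days=14, hours=9), "vpn", 1, WEST_LONDON),
              ev("sally", day + timedelta(days=14, hours=9), "vpn", 1, DUBLIN),
              ev("pete", day + timedelta(days=14, hours=10), "finance-app", 2)]
    for d in range(14):                            # Claire: every evening for two weeks
        events.append(ev("claire", day + timedelta(days=d + 1, hours=20), "customer-db", 300))
    return events, history


if __name__ == "__main__":
    events, history = build_scenario()
    scores = risk_scores(events, history)
    print(scores, "->", escalate(scores))
```

All four users cross the review threshold, which is the point: the analytics surface and rank the anomalies (Claire's sustained evening downloads score highest because the persistence multiplier compounds over fourteen days), and the analyst then determines which of them is an overtime project, a shared password, a phished account or an insider. A scorer like this would sit on top of baselines learned from real history rather than the constants used here.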
Powerful behaviour analytics, deployed on top of a traditional SIEM, can help you leverage intelligent situational awareness for advanced threat detection—immediate or over time.