ABCs of UEBA: T is for Time

You may have thought that T would be for Threat and not Time in this ABCs of UEBA blog series… but time is too important in modern threat detection and response to ignore. Throughout history time has been measured with ever-increasing granularity, from the passage of seasons and days to, more recently, time measured in zeptoseconds.  That’s a trillionth of a billionth of a second, or in scientific notation 10^-21.  That’s a decimal point followed by 20 zeroes and a 1.

Now, according to Einstein, time is relative, measurements depending on where you are and how fast you’re moving.  In the world of cybersecurity time is also relative and, often, in short supply.

There are a lot of times we consider important.  Mean Time To Detect (MTTD) measures how long it takes to detect an intruder once they’ve gotten into the network.  That’s a number we’d ideally like to see as low as possible.  Zeptosecond detections will never be possible, but a few tenths would be good.  The other related metric we care about in cybersecurity is MTTR, which, depending on who you ask, means Mean Time To Respond or Mean Time To Remediate.   Take your pick.  The difference is subtle. Basically, respond is to start cleaning up the mess and remediate is to finish cleaning up the mess.

Cyber Time Means Seconds Rather Than Seasons

Together, MTTD and MTTR are middle and end points on the Dwell Timeline, which is the total time from when an attacker first gets into your environment and the point where the Security Operations team finally punts them out.

Since it can be hard to know just when an attacker got into the environment, the start point for measuring dwell time can be a little fuzzy.  To make it more complicated, different studies have delivered different values for the average time between breach and detection.  Which means you can’t say for sure what the average time is other than “way too long.”
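To make the three metrics above concrete, here is an added worked example (not code from this post or from Gurucul) that computes MTTD, both readings of MTTR, and dwell time from a handful of incident records. The records are constructed sample data; the field names (`compromised`, `first_evidence`, `detected`, `responded`, `remediated`) are assumptions for the example. It also handles the fuzzy start point: when the initial compromise time is unknown, it falls back to the earliest evidence, which makes the resulting dwell time a lower bound, and it reports how many incidents were estimated that way.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample incident records (not real data). Times are UTC ISO-8601.
# 'compromised' is the confirmed initial-access time; None means the start of
# the dwell timeline is unknown, so we fall back to the earliest evidence found.
INCIDENTS = [
    {"id": "INC-1", "compromised": "2024-03-01T08:00:00",
     "first_evidence": "2024-03-01T08:00:00", "detected": "2024-03-03T10:00:00",
     "responded": "2024-03-03T11:30:00", "remediated": "2024-03-04T09:00:00"},
    {"id": "INC-2", "compromised": None,
     "first_evidence": "2024-03-10T12:00:00", "detected": "2024-03-12T00:00:00",
     "responded": "2024-03-12T02:00:00", "remediated": "2024-03-13T02:00:00"},
    {"id": "INC-3", "compromised": "2024-02-20T00:00:00",
     "first_evidence": "2024-02-22T00:00:00", "detected": "2024-03-01T00:00:00",
     "responded": "2024-03-01T04:00:00", "remediated": "2024-03-02T00:00:00"},
]


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def start_time(inc: dict) -> datetime:
    """Start of the dwell timeline: the confirmed compromise time if known,
    otherwise the earliest evidence (a lower bound on how long they were in)."""
    if inc["compromised"]:
        return _t(inc["compromised"])
    return _t(inc["first_evidence"])


def compute_metrics(incidents: list[dict]) -> dict:
    """Return MTTD, MTTR (respond and remediate readings) and mean dwell time in hours.

    MTTD   = detected - start
    MTTR   = responded - detected (to start cleaning up)
             or remediated - detected (to finish cleaning up)
    dwell  = remediated - start, i.e. MTTD plus the remediate reading of MTTR
    """
    mttd = mean(_hours(_t(i["detected"]) - start_time(i)) for i in incidents)
    mttr_respond = mean(_hours(_t(i["responded"]) - _t(i["detected"])) for i in incidents)
    mttr_remediate = mean(_hours(_t(i["remediated"]) - _t(i["detected"])) for i in incidents)
    dwell = mean(_hours(_t(i["remediated"]) - start_time(i)) for i in incidents)
    estimated = sum(1 for i in incidents if i["compromised"] is None)
    return {
        "mttd_hours": mttd,
        "mttr_respond_hours": mttr_respond,
        "mttr_remediate_hours": mttr_remediate,
        "dwell_hours": dwell,
        "incidents_with_estimated_start": estimated,
    }


def over_dwell_target(incidents: list[dict], target_hours: float) -> list[str]:
    """IDs of incidents whose (possibly lower-bound) dwell time exceeded the target."""
    return [i["id"] for i in incidents
            if _hours(_t(i["remediated"]) - start_time(i)) > target_hours]


if __name__ == "__main__":
    for name, value in compute_metrics(INCIDENTS).items():
        print(f"{name}: {value:.2f}" if isinstance(value, float) else f"{name}: {value}")
    print("over 72h dwell target:", over_dwell_target(INCIDENTS, 72))
```

Because INC-2 has no confirmed compromise time, its contribution to MTTD and dwell time is a lower bound; a report built this way should always carry the estimated-start count alongside the averages so nobody reads an optimistic number as a measured one.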

Is There Time to Kill Today?

Reducing MTTD and MTTR, and with that, Dwell Time, should be high priorities for any security operations team.  The faster you can identify an attacker and get them out of your environment, the less damage they can do.  Of course, keeping the attacker from getting in in the first place would be ideal.  If they never get in, you never have to find them and kick them out.  But we know that keeping them out 100% of the time isn’t going to happen.  There is a reason the Assume Breached paradigm exists, after all.

Since we have to admit the bad guys may get in, we have to plan our defenses to deal with it.   It doesn’t matter whether it’s by exploiting a Zero-Day in one of our applications, having a user fall for a phishing email or social engineering scheme, or by one of our users going rogue and becoming a genuine insider threat, it still leads to the same place – there’s a malicious actor in our environment.

Yes, Time Can Be on Our Side.

That said, we want to minimize the time from when they first get their toehold to the point where we identify them.  That reduces the MTTD, so we can in turn reduce the MTTR and the dwell time along with it.  Give them less time in our house, and they can make less of a mess.

That’s where Gurucul User and Entity Behavior Analytics (UEBA) comes into play.  Gurucul UEBA analyzes user and entity behaviors in real-time to proactively detect and stop risky, anomalous activity.   The idea is that, regardless of the specific tools an attacker’s using, there are certain behaviors that are going to give them away.  Some things will throw up an immediate red flag, while other activities are more subtle and easier to miss.  But in either case, the behaviors are there to be seen.  Users, the organic parts, and Entities, the inorganic parts, act.  And those actions can be seen, analyzed, and used to identify abnormal behaviors that indicate a threat.

Move Fast, Think Faster

Another advantage with Gurucul UEBA is prioritizing risk.  SecOps teams aren’t just seeing the individual events associated with the users and entities they’re shepherding.  They see the aggregate risk, in context, that those users and entities represent.  They can still look at the individual events, but their initial presentation is a risk score.  So rather than having to wade through a hundred separate events that may, or may not, be important on their own, they get to see a unified score.
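The paragraph above describes events being rolled up into a single per-entity risk score. As an added illustration of that idea (this is example code written for this post, not Gurucul’s implementation or scoring model), the block below takes constructed sample events, weights each one by how recent it is using an assumed 24-hour half-life, sums the weighted severities per user or entity, and ranks the results. Event names, severities and the half-life are all assumptions chosen for the example; the point is that several low-severity events on one account can outrank a single louder but older event elsewhere, and that the analyst sees one number per entity first while the individual events remain available underneath.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    time: datetime      # when the event occurred (UTC)
    entity: str         # user or entity the event is attributed to
    kind: str           # short label for the behaviour observed
    severity: float     # analyst-assigned weight for this event type (assumed scale 0-10)


# Constructed sample events (not real telemetry). "Now" is fixed so the
# example is reproducible; in production it would be the evaluation time.
NOW = datetime.fromisoformat("2024-03-15T12:00:00")
EVENTS = [
    Event(datetime.fromisoformat("2024-03-15T12:00:00"), "alice", "off-hours login", 2),
    Event(datetime.fromisoformat("2024-03-15T12:00:00"), "alice", "new device", 2),
    Event(datetime.fromisoformat("2024-03-15T12:00:00"), "alice", "unusual share access", 2),
    Event(datetime.fromisoformat("2024-03-15T12:00:00"), "alice", "large download", 2),
    Event(datetime.fromisoformat("2024-03-15T12:00:00"), "alice", "new external destination", 2),
    Event(datetime.fromisoformat("2024-03-13T12:00:00"), "bob", "privilege change", 8),
    Event(datetime.fromisoformat("2024-03-14T12:00:00"), "svc-backup", "unexpected host", 6),
    Event(datetime.fromisoformat("2024-03-15T12:00:00"), "svc-backup", "config change", 4),
]


def recency_weight(event_time: datetime, now: datetime, half_life_hours: float = 24.0) -> float:
    """Exponential decay: an event loses half its weight every half_life_hours.
    Events dated after 'now' are treated as current rather than given weight > 1."""
    age_hours = max(0.0, (now - event_time).total_seconds() / 3600)
    return 0.5 ** (age_hours / half_life_hours)


def entity_risk(events: list[Event], now: datetime, half_life_hours: float = 24.0) -> dict[str, float]:
    """Aggregate weighted severities into one score per entity."""
    scores: dict[str, float] = {}
    for ev in events:
        scores[ev.entity] = scores.get(ev.entity, 0.0) + ev.severity * recency_weight(ev.time, now, half_life_hours)
    return scores


def prioritize(events: list[Event], now: datetime, half_life_hours: float = 24.0) -> list[tuple[str, float, int]]:
    """Rank entities by score, highest first, with the raw event count that fed each score."""
    scores = entity_risk(events, now, half_life_hours)
    counts: dict[str, int] = {}
    for ev in events:
        counts[ev.entity] = counts.get(ev.entity, 0) + 1
    return sorted(((e, s, counts[e]) for e, s in scores.items()), key=lambda row: row[1], reverse=True)


def events_for(events: list[Event], entity: str) -> list[Event]:
    """Drill-down: the individual events behind one entity's score, oldest first."""
    return sorted((ev for ev in events if ev.entity == entity), key=lambda ev: ev.time)


if __name__ == "__main__":
    for entity, score, count in prioritize(EVENTS, NOW):
        print(f"{entity:12s} score={score:5.2f}  events={count}")
    for ev in events_for(EVENTS, "alice"):
        print("  ", ev.time.isoformat(), ev.kind, ev.severity)
```

With these inputs alice’s five quiet events add up to 10, svc-backup’s two events to 7 (6 decayed to 3 after one half-life, plus 4), and bob’s single privilege change, two days old, decays to 2. The half-life is the knob that ties the score to the time theme of this post: shorten it and the score reflects what happened in the last shift; lengthen it and slow-burn behaviour stays visible longer.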

The challenge in cybersecurity is often one of time.  Improving reaction and response times.  Reducing dwell times.  Catching the bad guys in time, every time.  Having enough time in the day so we don’t lose our minds trying to protect our users, and still have the time to have a life.

Fortunately, we have the tools to help us do just that. Contact us to learn more about how Gurucul UEBA can help your organization detect and stop malicious insiders and cybercriminals in time – before they can make off with your IP and data.  It’s high time you reached out!  We can help.
