Author: Nilesh Dherange, CTO, Gurucul
The range of predictive security analytics use cases a UEBA-IdA (user and entity behavior analytics – identity analytics) vendor offers fundamentally defines the maturity of their solution offerings and the breadth of their capabilities. Are the vendors established players in the UEBA-IdA market, or are they relative newcomers? Understanding a vendor’s qualifications is critical to any organization considering adopting a UEBA-IdA solution.
A starting point for understanding the essential requirements for UEBA-IdA use case offerings is with Gartner’s recent Market Guide for User and Entity Behavior Analytics (December 2016)*. In it, Gartner lists the core use cases for UEBA. They include:
- Account compromise by external hackers
- Insider threats
- Data exfiltration
- Employee monitoring
- Identity access management
- Cloud security
That all seems pretty straightforward, yet the devil is always in the details. Take, for example, “cloud security”. Within Gartner’s single and general use case notation, there can actually be a host of different cloud security use cases that an organization might need to employ to ensure their security requirements are covered. They can include:
- Cloud privileged access abuse
- Cloud self-audit and ID theft detection
- Cloud step-up authentication
- Cloud anomalous behavior and watch lists
- Cloud to SIEM integration for alerts
- Cloud to on-premises DLP closed-loop
- Cloud access outliers and excess access
- Cloud risk-based access compliance
- Cloud dormant and orphan accounts
- Cloud application license metering
Then there are the cloud use cases related to Gartner’s first four bullets above for insider threats, account compromise, data exfiltration and user monitoring. Does the solution require downloading cloud data for on-premises analysis, which can be expensive, or does the solution provide a hybrid architecture with solution elements in cloud and on-premises? As a customer, can your deployment of big data infrastructure be used to compute and store, or does the data have to be read and re-ingested into a vendor’s solution as an additional expense?
Add to this the fact that various organizations (government is one example) have unique use case requirements and confidential data, some of which mandate that the use cases be developed outside the UEBA-IdA vendor’s visibility and involvement. Does the vendor offer custom use case model development capabilities that organizations can use themselves, without heavy data science knowledge or coding?
Also, are these use cases driven by mature machine learning, drawing from big data for context, to find anomalies? Or do they only deal with known indicators and are driven by rules, patterns and signatures? In a proof of concept (POC), some prospective buyers expect to see results in a few hours or days. Yet machine learning models for use cases take at least 30 days to mature and self-learn and self-train on customer data to provide actionable results. These are all factors prospective customers should consider when they’re shopping for a mature predictive security analytics solution.
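To make the rule-versus-behavioral contrast concrete, here is a small added illustration (not Gurucul’s code or any product’s implementation) of one data exfiltration use case, bulk downloads from a cloud application. It runs a static threshold rule and a per-user baseline over the same constructed audit data. The baseline deliberately abstains until a user has a warm-up window of history, which is the same reason a proof of concept cannot show mature model results in a few hours. The sample data, the 500-download threshold, the seven-day warm-up and the z-score cutoff are all assumptions chosen for the illustration.

```python
"""Two detection styles for one cloud exfiltration use case (bulk downloads):
a static threshold rule and a per-user behavioral baseline with a warm-up period.
Both are toy stand-ins added for illustration, not a vendor's implementation."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: daily file-download counts per user from a cloud app audit log.
# Days 1-7 are normal activity. On day 8, 'alice' downloads far above her own norm,
# 'bob' (whose norm is high) stays within his, and 'carol' is a new user with only
# two days of history who suddenly downloads a large volume.
SAMPLE_DAILY_DOWNLOADS = [
    # (day, user, downloads)
    (1, "alice", 12), (2, "alice", 9), (3, "alice", 14), (4, "alice", 11),
    (5, "alice", 10), (6, "alice", 13), (7, "alice", 12), (8, "alice", 180),
    (1, "bob", 400), (2, "bob", 420), (3, "bob", 390), (4, "bob", 410),
    (5, "bob", 405), (6, "bob", 395), (7, "bob", 415), (8, "bob", 430),
    (6, "carol", 300), (7, "carol", 310), (8, "carol", 700),
]

STATIC_THRESHOLD = 500   # rule: flag any user-day above this absolute count (assumed)
WARMUP_DAYS = 7          # baseline: days of history a user needs before being scored (assumed)
Z_THRESHOLD = 3.0        # baseline: flag when today is > 3 std devs above the user's own mean


def rule_alerts(events, threshold=STATIC_THRESHOLD):
    """Static rule: one threshold for everyone, no history required.
    Fires immediately on known-bad absolute volume, but is blind to a user
    whose spike stays under the global threshold."""
    return [(day, user) for day, user, n in events if n > threshold]


def baseline_alerts(events, warmup=WARMUP_DAYS, z=Z_THRESHOLD):
    """Per-user baseline: each day is scored against that user's earlier days.
    Until a user has `warmup` days of history the model abstains rather than guess.
    Returns (alerts, abstained) so the caller can see what was *not* scored."""
    history = defaultdict(list)
    alerts, abstained = [], []
    for day, user, n in sorted(events):          # process in day order
        past = history[user]
        if len(past) < warmup:
            abstained.append((day, user))        # insufficient history: no verdict yet
        else:
            mu, sigma = mean(past), pstdev(past)
            sigma = max(sigma, 1.0)              # floor so very steady users do not divide by ~0
            if (n - mu) / sigma > z:
                alerts.append((day, user))
        past.append(n)                           # today's count becomes tomorrow's history
    return alerts, abstained


if __name__ == "__main__":
    print("rule alerts:", rule_alerts(SAMPLE_DAILY_DOWNLOADS))
    baseline, skipped = baseline_alerts(SAMPLE_DAILY_DOWNLOADS)
    print("baseline alerts:", baseline)
    print("user-days not scored (still learning):", len(skipped))
```

On this data the rule only catches carol’s 700-download day, while the baseline catches alice’s spike (180 is roughly a hundred standard deviations above her own seven-day mean) and correctly ignores bob, whose 430 is within his normal range. The baseline says nothing about carol at all because she has only two days of history, which is the trade-off the paragraph above describes: a rule gives answers on day one, a behavioral model gives better answers only after it has learned each user’s norm.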
To learn more about predictive security analytics use cases, read chapters 8 and 9 of “Borderless Behavior Analytics – Who’s Inside? What’re They Doing?” These chapters cover requirements and over 30 use cases for UEBA, IdA and cloud security analytics (CSA). Or, to get the big picture of predictive security analytics, you might want to read the entire book. The book is available on Amazon.com.