The range of predictive security analytics use cases a vendor offers fundamentally defines the maturity of their solution offerings and the breadth of their capabilities. A number of vendors offer only a limited selection of use cases, while others are more inclusive and comprehensive in their offerings. This blog provides an optimal list of use cases for predictive security analytics. Use cases are organized in three categories: User and Entity Behavior Analytics (UEBA), Identity Analytics (IdA), and Cloud Security Analytics (CSA). Also keep in mind the need and ability to create custom models for private data and confidential use cases common with federal, military, and private industry deployments.
UEBA use cases are focused on detecting unknown risks and threats beyond the reach of rules, signatures and patterns. These use cases apply machine learning models to detect anomalous behavior while minimizing false positives, and they produce predictive risk scores that drive alerts, actions, and case tickets. To assure optimal and comprehensive capabilities, UEBA vendors’ use cases should draw from big data, utilizing hundreds of attributes leveraged in over 2000 machine learning models.
This solution model should include data ingestion via flat file, database, API, message or streaming inputs, with ready-to-use data connectors for common enterprise systems and platforms (e.g., HR, IAM, PAM, SIEM, AD, databases, networks, vulnerabilities, DLP, threat intelligence, cloud applications/SaaS, authentication, physical ID badge systems, file storage, endpoints and more). A solution at this level should support an open choice of big data platform, including Hadoop, Cloudera, Hortonworks and MapR.
UEBA Use Cases:
- Insider Threat Detection and Deterrence
- Account Compromise, Hijacking and Sharing
- Privileged Access Abuse
- Data Exfiltration and IP Protection
- Cyber Fraud Detection and Deterrence
- Trusted Host and Entity Compromise
- Stateful Session Tracking
- Anomalous Behavior and Watchlists
- Hybrid Infrastructure
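The following is an added illustration of the UEBA approach described above (a per-entity behavioral baseline whose anomalies are turned into a predictive risk score that drives an alert). It is example code written for this article, not Gurucul's product code or any vendor's model, and it assumes a constructed event log in which each record carries the user, the day number, the login hour and the bytes uploaded that day. The baseline uses the median and median absolute deviation, which are robust to a few outlying days in the history window; the weighting of the two score components and the alert threshold are arbitrary choices made for the example.

```python
"""Per-entity behavioral baselining with predictive risk scoring.

Added example for this article; it is not Gurucul's code or any vendor's
model. It assumes a constructed event log in which each record carries
the user, the day number, the login hour and the bytes uploaded that
day. A baseline is built per user from the history window using the
median and median absolute deviation (robust to a few outliers), the
latest day is scored against it, and the components are combined into a
0-100 risk score that drives an alert above a threshold.
"""
from collections import defaultdict
from statistics import median

# Constructed sample events: (user, day, login_hour, bytes_uploaded)
EVENTS = [
    ("alice", 1, 9, 12_000), ("alice", 2, 9, 11_000), ("alice", 3, 10, 13_000),
    ("alice", 4, 9, 12_500), ("alice", 5, 8, 11_800),
    ("alice", 6, 3, 950_000),   # latest day: 03:00 login and a very large upload
    ("bob", 1, 8, 40_000), ("bob", 2, 9, 42_000), ("bob", 3, 8, 39_000),
    ("bob", 4, 9, 41_000), ("bob", 5, 8, 40_500),
    ("bob", 6, 9, 43_000),      # latest day: within normal range
]


def robust_z(value, history):
    """Distance of value from the history median, in units of scaled MAD.
    Returns 0.0 when there is too little history to judge."""
    if len(history) < 3:
        return 0.0
    med = median(history)
    mad = median(abs(h - med) for h in history)
    if mad == 0:
        # constant baseline: any deviation is treated as a strong signal
        return 0.0 if value == med else 6.0
    return abs(value - med) / (1.4826 * mad)


def hour_distance(hour, history_hours):
    """Circular distance in hours from the user's typical login hour."""
    if not history_hours:
        return 0
    d = abs(hour - median(history_hours)) % 24
    return min(d, 24 - d)


def build_profiles(events, baseline_days):
    """Split events into per-user baseline history and the latest day."""
    history = defaultdict(lambda: {"hours": [], "bytes": []})
    latest = {}
    for user, day, hour, nbytes in events:
        if day <= baseline_days:
            history[user]["hours"].append(hour)
            history[user]["bytes"].append(nbytes)
        else:
            latest[user] = (hour, nbytes)
    return history, latest


def risk_scores(events, baseline_days=5):
    """Score each user's latest day against their own baseline (0-100).
    Volume anomaly contributes up to 70 points, timing anomaly up to 30."""
    history, latest = build_profiles(events, baseline_days)
    scores = {}
    for user, (hour, nbytes) in latest.items():
        h = history[user]
        volume = min(robust_z(nbytes, h["bytes"]), 10.0) / 10.0 * 70.0
        timing = min(hour_distance(hour, h["hours"]), 6) / 6.0 * 30.0
        scores[user] = round(volume + timing, 1)
    return scores


def alerts(scores, threshold=60.0):
    """Users whose risk score crosses the alerting threshold."""
    return sorted(u for u, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    s = risk_scores(EVENTS)
    print(s, alerts(s))
```

Running the block scores alice's sixth day at the maximum because both the upload volume and the login hour are far from her own baseline, while bob's slightly larger upload stays well under the threshold. In a real deployment the same structure is repeated across many more attributes and the baseline also incorporates peer-group comparison, which is why the article speaks of hundreds of attributes rather than two.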
Identity and access management (IAM) is the Achilles' heel of organizations. It is a key concern for security leaders who understand that identity compromise and misuse are at the core of modern threats. IdA is the proactive side of advanced security analytics, enabling the reduction of excess access, access outliers, and orphan or dormant accounts before they are compromised or abused, plus providing risk-based certifications and defining intelligent roles. UEBA systems are the detection and response side, using machine learning models to detect unknown risks and threats via predictive risk scoring early in the kill chain. IdA is the data science that improves IAM and privileged access management (PAM), leveraging machine learning models that surpass human capabilities to define, review and confirm accounts and entitlements for access. If the goal of UEBA systems is to profile an identity and its accounts, access and activity, then the goal of IdA is to assure that this access plane is reduced as much as possible through the removal of access risks, access outliers, orphan or dormant accounts, and the like.
Machine learning models provide 360-degree visibility into an identity's accounts, access and activity, with the ability to compare against peer groups, using baselines to determine normal and anomalous access and the nature of activity. The impact of machine learning with IdA can radically reduce accounts and entitlements for an organization. This often represents the first phase in a project plan when adopting UEBA and IdA. The objective is to clean up the access plane with IdA so that access exists only where it should be provided. Analysis with UEBA then follows to detect risks and threats beyond rules, patterns and signatures. These two steps work holistically together to address identity as an access risk and threat plane.
Identity Analytics (IdA) Use Cases:
- Privileged Access Discovery
- Risky Account Discovery & Cleanup
- Risk Based Access Certifications
- Risk Based Authentication
- Dynamic Access & Role Modeling
- SoD Intelligence
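As an added illustration of the IdA use cases listed above (peer-group access outliers, risky account discovery and cleanup, and SoD intelligence), the following example code is written for this article and is not Gurucul's code or any vendor's model. It assumes constructed data: an HR roster mapping users to a department and an active flag, a mapping of users to entitlements, an account inventory with the owning user and the day of last login, and a list of SoD rules. Departments serve as peer groups, and an entitlement is flagged as an access outlier when few of the user's active peers hold it; the thresholds are arbitrary choices for the example.

```python
"""Identity analytics: peer-group access outliers, orphan and dormant
accounts, and segregation-of-duties (SoD) conflicts.

Added example for this article; it is not Gurucul's code or any vendor's
model. It assumes constructed data: an HR roster (user -> department,
active flag), a user -> entitlement mapping, an account inventory
(account, owning user, day of last login) and a list of SoD rules.
Peer groups are departments; an entitlement is an access outlier when
few of the user's active peers hold it.
"""
from collections import Counter

# Constructed HR roster: user -> (department, is_active)
HR = {
    "alice": ("finance", True), "bob": ("finance", True),
    "carol": ("finance", True), "dave": ("finance", True),
    "erin": ("eng", True), "frank": ("eng", False),   # frank has left
}

# Constructed entitlement assignments: user -> set of entitlements
ENTITLEMENTS = {
    "alice": {"erp_view", "ap_create_vendor"},
    "bob": {"erp_view", "ap_create_vendor"},
    "carol": {"erp_view", "ap_create_vendor", "ap_approve_payment"},
    "dave": {"erp_view", "prod_db_admin"},
    "erin": {"git_push", "prod_db_admin"},
    "frank": {"git_push"},
}

# Constructed account inventory: (account, owner, last_login_day)
ACCOUNTS = [
    ("alice", "alice", 128), ("bob", "bob", 129), ("carol", "carol", 127),
    ("dave", "dave", 10), ("svc_backup", "ghost", 125), ("frank", "frank", 0),
]

# Constructed SoD rules: pairs of entitlements one identity must not combine
SOD_RULES = [("ap_create_vendor", "ap_approve_payment")]


def peer_access_outliers(hr, entitlements, min_peers=3, max_share=0.3):
    """(user, entitlement) pairs held by less than max_share of the user's
    active department peers. Small peer groups are skipped because a
    share computed over one or two people says nothing about normality."""
    groups = {}
    for user, (dept, active) in hr.items():
        if active:
            groups.setdefault(dept, []).append(user)
    outliers = []
    for members in groups.values():
        if len(members) < min_peers:
            continue
        counts = Counter(e for m in members for e in entitlements.get(m, ()))
        for m in members:
            for e in entitlements.get(m, ()):
                if counts[e] / len(members) < max_share:
                    outliers.append((m, e))
    return sorted(outliers)


def orphan_accounts(hr, accounts):
    """Accounts whose owner is missing from HR or is no longer active."""
    return sorted(acct for acct, owner, _ in accounts
                  if owner not in hr or not hr[owner][1])


def dormant_accounts(accounts, today, max_idle_days=90):
    """Accounts with no login for more than max_idle_days."""
    return sorted(acct for acct, _, last in accounts
                  if today - last > max_idle_days)


def sod_violations(entitlements, rules):
    """(user, rule) pairs where one identity holds both sides of a rule."""
    return sorted((u, r) for u, ents in entitlements.items()
                  for r in rules if r[0] in ents and r[1] in ents)


if __name__ == "__main__":
    print("outliers:", peer_access_outliers(HR, ENTITLEMENTS))
    print("orphans:", orphan_accounts(HR, ACCOUNTS))
    print("dormant:", dormant_accounts(ACCOUNTS, today=130))
    print("sod:", sod_violations(ENTITLEMENTS, SOD_RULES))
```

Each function returns a cleanup candidate list rather than acting on it: in practice these feed a risk-based certification campaign in which an owner confirms or revokes the flagged entitlement, and dormant or orphan accounts are disabled before they can be abused. The engineering department is skipped by the outlier check because, after excluding the departed user, it has a single active member, which is the kind of small-group caveat that a naive share calculation would get wrong.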
CSA utilizes an API-based cloud access security broker (CASB) architecture to deliver advanced security analytics for cloud applications and platforms, including SaaS, IaaS, PaaS, and IDaaS. The advantage of API cloud integration, versus proxy-based CASB gateways, is that it provides users with a transparent experience in any location or network, with any device. A proxy-based CASB has the advantage of being a chokepoint to monitor shadow IT for unsanctioned cloud applications that do not provide API visibility, plus cloud DLP monitoring and controls. However, device access control must be in-line for CASB proxy monitoring. CASB proxy gateways are a crucial data source for UEBA and IdA models as part of the solution architecture, delivering predictive risk scores for cloud environments where API visibility is not provided. In addition, web, email, and network cloud gateways are also data sources for machine learning behavior models.
Cloud environments differ from on-premises environments: SaaS cloud applications deliver less data variety via API, but that data is more consistent in quality. On-premises data variety can be much wider, while its quality is lower, and this difference affects machine learning behavior models. A security model originally developed for on-premises data is generally not directly usable in the cloud and requires adjustment for cloud environments.
Cloud Security Analytics (CSA) Use Cases:
- Cloud Privileged Access Abuse
- Cloud Data Exfiltration and IP Protection
- Cloud Insider Threat Detection and Deterrence
- Cloud Step-up Authentication (Adaptive Authentication)
- Cloud Anomalous Behavior and Watch Lists
- Cloud Application License Metering
- Cloud to On-Premises DLP Closed-Loop
- Cloud Access Outliers and Excess Access
- Cloud Risk-based Access Compliance
- Cloud Account Compromise, Hijacking and Sharing
- Cloud Dormant and Orphan Accounts
Having a broad selection of advanced security analytics use cases provides customers with the assurance that their behavior security analytics requirements will be addressed. Assuring that a vendor can support these use cases both on-premises and in the cloud, while remaining vendor agnostic, provides the strongest assurance that objectives are achieved. Contact us to learn more about how Gurucul addresses these predictive security analytics use cases.