By Peter Draper | EMEA Technical Director at Gurucul | SC Magazine UK
Many companies are doing themselves a disservice by using SIEM solutions to detect and prevent the most severe threats facing their organisations. User and entity behaviour analytics is an alternative solution.
Over the past decade, attack vectors have shifted dramatically and, increasingly, cyber-threats aren’t coming from outside the company but from within. The insider threat is one of the biggest issues facing organisations today. According to the Verizon 2019 Insider Threat Report, Privilege Misuse (also called Insider and Privilege Misuse) represents 20 percent of all cyber-security incidents and nearly 15 percent of all data breaches in the 2018 DBIR.
As cyber-threats have evolved, so have the techniques we use to detect and prevent them. Many organisations employ Security Information and Event Management (SIEM) tools. However, SIEM has many drawbacks when it comes to detecting insider threats, and companies are putting themselves in danger by not utilising more comprehensive solutions.
SIEM solutions are an excellent blend of security information management (SIM) and security event management (SEM). As such, they are exceptionally useful as a log collection and aggregation platform, as they can identify and categorise incidents and events.
The problem is that, because they provide point-in-time analysis of event data, SIEM solutions are generally limited by the number of events that can be processed in any given time frame. Furthermore, SIEMs do not correlate physical security events with logical security events, and event logs can only provide aggregated information about known security threats, which is less than ideal when dealing with unknown threats such as malicious insiders.
User and entity behaviour analytics (UEBA), an alternative to a traditional SIEM, utilises machine learning algorithms to analyse patterns of human and entity behaviour in real time. UEBA automatically tracks and analyses behaviour to identify anomalous and suspicious activities, making it possible not only to log known security threats but also to uncover anomalies that are indicative of unknown threats. It works in real time to detect threats based on contextual information and to enforce immediate remediation actions. This type of behaviour analysis enables companies to quickly detect patterns of behaviour that are likely to result in insider threat incidents, before they can escalate to a critical level.
Many organisations build their security infrastructures around threat intelligence, whether internal or external. When it comes to threat hunting, SIEM solutions are very good at providing IT departments with the data they need for manual threat hunting. These details can include: what happened, when it happened and where it happened.
However, human eyes are always required to analyse the data and detect any potential threats or anomalous activity. The obvious flaw in this plan is that detecting threats after they’ve happened is often too late. UEBA, with its ability to perform real-time analysis, allows threat hunting to become predictive, anticipating what will or might happen in the future. UEBA can also ingest multiple data types with ease. SIEM solutions generally ingest structured logs, and adding new data types often requires upgrading existing data stores and a significant amount of human intervention. Similarly, SIEM solutions do not correlate data on users and their behaviour, nor do they make connections across applications.
The long and short of it
When it comes to analysing threats, whether known or unknown, history plays a pivotal role. Being able to look back at historical data can be beneficial when building up internal threat intelligence. While SIEM is invaluable when it comes to compiling valuable, short-term snapshots of events, it is less effective when it comes to storing, finding and analysing data over time. UEBA, by design, allows for real-time visibility into virtually any data type, short or long-term. As a result, UEBA can generate insights that can be applied across various use cases, such as risk-based access controls, insider threat detection and entity-based risk detection that may be associated with IoT, medical or any other device.
What’s more, false positives are often a massive bugbear for IT departments analysing threat intelligence. Many hours are wasted sifting through alerts that turn out to be insignificant. SIEMs are notorious for firing off alerts on events that may or may not be malicious, so false positives are a regular occurrence with SIEM solutions. UEBA circumvents the false positive pandemic through risk scoring, which provides a granular ranking of threats. By risk-ranking all users and entities in a network, UEBA enables enterprises to apply different controls to different users and entities based on the level of threat they pose, and the number of false positives generated is dramatically reduced.
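The contrast the article draws between a static, point-in-time SIEM rule and a per-user behavioural baseline with risk scoring can be made concrete. The following is an added illustration written for this page; it is not code from the article, from Gurucul, or from any UEBA product, and its baseline model, thresholds and risk weights are assumptions chosen for the demonstration. The events are constructed sample data: each is a user, an hour of day and the megabytes downloaded. The static rule fires on any download over a fixed size, so a heavy but routine user trips it every day, while the baseline-driven score stays low for behaviour that is normal for that user and rises only for the user whose activity departs from their own history.

```python
"""Added example, not the article's or Gurucul's code: a static SIEM-style
threshold rule beside a per-user behavioural baseline with risk scoring.
All thresholds, weights and sample events here are constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical events used to build each user's baseline:
# (user, hour_of_day, megabytes_downloaded). Not real data.
BASELINE_EVENTS = [
    ("alice", 9, 40), ("alice", 10, 55), ("alice", 11, 60), ("alice", 14, 50), ("alice", 16, 45),
    ("bob", 8, 400), ("bob", 9, 450), ("bob", 13, 420), ("bob", 15, 480), ("bob", 17, 430),
]

# Constructed new events to evaluate against those baselines.
NEW_EVENTS = [
    ("alice", 10, 50),   # routine for alice
    ("alice", 2, 900),   # unusual hour and unusual volume for alice
    ("bob", 9, 460),     # routine for bob, yet above the static threshold
]

STATIC_THRESHOLD_MB = 300  # assumed fixed rule threshold


def static_rule_alerts(events, threshold=STATIC_THRESHOLD_MB):
    """SIEM-style point-in-time rule: alert on any download above a fixed size.
    It has no notion of who the user is or what is normal for them."""
    return [e for e in events if e[2] > threshold]


def build_baselines(events):
    """Profile each user's usual working hours and download volume from history."""
    by_user = defaultdict(list)
    for user, hour, mb in events:
        by_user[user].append((hour, mb))
    baselines = {}
    for user, rows in by_user.items():
        volumes = [mb for _, mb in rows]
        baselines[user] = {
            "hours": {h for h, _ in rows},
            "mean": mean(volumes),
            # Guard against a zero spread so the z-score below stays finite.
            "std": pstdev(volumes) or 1.0,
        }
    return baselines


def score_event(event, baselines):
    """Risk points for one event, measured against that user's own baseline."""
    user, hour, mb = event
    profile = baselines.get(user)
    if profile is None:
        return 50  # no baseline yet: treat as moderately risky until one exists
    score = 0
    z = (mb - profile["mean"]) / profile["std"]
    if z > 3:  # volume far outside the user's historical range
        score += min(int(z) * 10, 60)
    # Hour never seen for this user, nor adjacent to a seen hour.
    if not any(abs(hour - h) <= 1 for h in profile["hours"]):
        score += 20
    return score


def risk_scores(events, baselines):
    """Accumulate per-user risk so many small anomalies can add up."""
    totals = defaultdict(int)
    for event in events:
        totals[event[0]] += score_event(event, baselines)
    return dict(totals)


def rank_users(scores):
    """Highest-risk users first: the ordering an analyst would triage from."""
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("static rule alerts:", static_rule_alerts(NEW_EVENTS))
    profiles = build_baselines(BASELINE_EVENTS)
    print("risk ranking:", rank_users(risk_scores(NEW_EVENTS, profiles)))
```

With the constructed data the static rule raises two alerts, one of them for bob's entirely routine 460 MB download, whereas the baseline scoring gives bob zero risk and attributes all of the risk to alice's 2 a.m. 900 MB transfer. A real deployment would profile far more dimensions than hour and volume, but the shape of the trade-off is the same: fixed thresholds alert on events, baselines alert on deviations from what each user and entity normally does.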
Mike Small, analyst at KuppingerCole, sums it up perfectly in a recent research note: “While SIEM is a core security technology, it has not been successful at providing actionable security intelligence in time to avert loss or damage.”
Many companies are doing themselves a disservice by relying on SIEM solutions to detect and prevent the most severe threats facing their organisations. Many are likely to be unaware of the pitfalls of traditional SIEM solutions, and it’s imperative that organisations take a proactive approach to threat detection, particularly where the insider threat is concerned. With the proper security measures in place, organisations can easily and effectively catch insider threat behaviour before it manifests into something more serious.
External Link: Insider Threat: Is your SIEM failing you?