Automated Risk Response and Custom Model Use Cases

Leveraging Telemetry and Contextual Analytics to Prevent Cybersecurity Breaches

Introduction

A behavior analytics solution’s capability for the delivery of risk scores with automated risk response has become a critical component for a number of forward-looking security leaders. The acceptance of feedback and data in a closed-loop deployment, as well as a vendor’s ability to facilitate customized use case requirements are key to addressing these needs. A select number of vendors in the user and entity behavior analytics (UEBA) space have developed advanced solution competencies addressing these challenges. This white paper explores the requirements of these capabilities and insights into the use cases associated with them.

Advanced Requirements Beyond Traditional Security Analytics Use Cases

As the variety, magnitude and acceleration of identity-based threats organizations face increases, security leaders realize that not all of their needs for unknown threat detection and access analytics are being met with their existing security solutions. Given that the compromise and abuse of identity is at the core of attacks and data breaches, cleaning up identity access with risk scoring down to the entitlement level is a requirement, and even more so before cloud adoption.

Security information and event management solutions (SIEMs), by themselves, are ineffective at behavior analytics: they lack support for a wide timespan of data, for advanced correlations, and for the variety of contextual data, including unstructured data, that analytics requires. Threat hunting for unknown threats such as insiders, compromised accounts and data exfiltration with SIEM queries, filters and pivots leads to fatigue and futility. Data volumes double every year, which drives the adoption of big data for long-term, lower-cost storage of data for value. Leveraging the context of big data with behavior analytics to risk score and prioritize incidents for security analysts is only half of the solution. Bidirectional API integrations between solutions, which provide risk scores on demand and collect feedback or data, complete a closed-loop deployment for automated risk response. This enables, for example, step-up multifactor authentication based on risk scores, or reduced workloads through dynamic access provisioning.

User & Entity Behavior Analytics

  • High Privileged Access Abuse
  • Step-up Authentication (Adaptive Authentication)
  • Closed-loop DLP Alerts
  • Closed-loop SIEM Alerts
  • Self-Audit and ID Theft Detection

Identity Analytics

  • Access Outliers Remediation
  • Risk-scored Certifications, Access and Requests
  • Dynamic Access Provisioning

In addition, a select class of behavior analytics customers must have the ability to create custom models for private data and confidential use cases common with federal, military and some private industry deployments. This circumstance may exist for a number of reasons, including a unique requirement correlating with the individual customer’s environment and/or user and entity profiles. It may also involve the management of highly sensitive data with extremely restricted access, as is the case in certain government agencies. Other enterprises have their own reasons for needing to develop custom models. This white paper explores both automated risk response and custom use case requirements, first in overview and then in greater detail.

Advanced Automated Response Use Cases

The Context of Big Data within Advanced Security Analytics Risk Scores

The types of analytics residing within an advanced security analytics platform are:

User and Entity Behavior Analytics

UEBA’s threat analytics deliver systematic analysis to deter, detect, and prevent insider threats, compromised accounts and data exfiltration, with multiple machine learning models for specific use cases. Identity is a threat plane that modern threats compromise, hijack and misuse for data breaches. Machine learning clustering and outlier analysis with dynamic peer groups uniquely uncover and risk score these holistically, minimizing false positives and enabling prompt, targeted remedial or automated risk responses.

Identity Analytics (IdA)

IdA’s access analytics involves detecting access risks, access outliers, excess access, shared high privileged access (HPA) accounts, as well as orphan and dormant accounts. It reduces the attack surface area for identities with machine-learning-based intelligent roles, replacing roles defined by manual processes and legacy rules. Identity analytics also reduces manual identity management processes, improves and often automates provisioning, and cleanses identity as an access plane for compliance and audits. The key to IdA deployments is bidirectional API integration with identity access management solutions, both to access data for machine learning and to return risk-scored identity analytics.

“XDR creates a unique attack story with advanced analytics and machine learning techniques that combine data from endpoints, networks, cloud resources, email systems, and other relevant sources.”

– Vijay Kanade,

AI Researcher

Privileged Access Analytics (PAA)

PAA discovers privileged access often hidden within standard accounts, applications and unstructured data sources. Privileged access is defined at the entitlement level, in contrast to the coarse-grained account level traditionally used by risk officers; at the entitlement level, PAA often finds that more than half of an organization’s privileged access is unknown to it. PAA gives UEBA visibility into where to monitor for privileged access abuse, and is a subset of IdA focused on excess access and access outliers of privileged users.

Cloud Security Analytics (CSA)

CSA provides identity and threat analytics combined in an API-based CASB (cloud access security broker) deployment to monitor access and activity for identity-based access risks, unknown threats or anomalous behavior, and to dynamically provision access approvals using risk-based identity analytics. Cloud-to-cloud connectors for popular software as a service (SaaS) applications, and for infrastructure as a service, platform as a service and identity management as a service (IaaS, PaaS and IDaaS), ease installation and deployment to facilitate advanced security analytics.

Advanced automated response use cases draw from the robust and often integrated capabilities of UEBA and IdA solutions, which employ advanced machine learning leveraging the context of big data. This delivers the invaluable context of a given identity’s access and activity behavior and continually verifies the status of these activities: legitimate or anomalous, through risk scores and response codes. When these two are integrated jointly within the cloud environment, targeting the challenges residing there, cloud security analytics (CSA) is the resulting solution. When UEBA and IdA are applied to the challenge of privileged access discovery and entitlement abuse, privileged access analytics (PAA) is the associated solution.

Big Data Advanced Security Analytics Funnel

Advanced Security Analytics Alignment with CARTA

Gartner recently introduced a security model for the digital age entitled CARTA (continuous adaptive risk and trust assessment). Its goal is to manage emerging risks and embrace change with adaptive security architecture, leveraging increased context for automated response. Any effective advanced security analytics solutions today should align with the CARTA model.

The Gartner CARTA approach to cybersecurity.

Gartner recognizes that “ambiguity is the new reality”: the bad and the unknown are already inside our environments, amid far too much complexity and noise, and rules-based prevention systems and human monitoring capacity have been unequivocally eclipsed. Gartner’s adaptive information security and risk management approach has three components:

Run: Runtime threat and access protection, supported by automation and analytics driven by true machine learning, extracting context from big data, should be standard elements of today’s security array.

Build: Development and ecosystem partners must be continually assessed at the ecosystem level, with vetting via periodic security and risk assessments, where a risky rating may result in removal from the ecosystem.

Planning: A continuous enterprise level assessment of security compliance and governance to evaluate new vendors and assure they provide basic criteria including open APIs, support of modern IT practices and adaptive security postures, as well as multiple detection methods.

Elements of Closed-loop Deployments for Automated Risk Response

Automated risk response, deployed using risk scoring and response codes through UEBA and IdA, is an effective way to remove inefficient and time-consuming human analyses from an enterprise’s security strategy. It facilitates more timely responses to questionable risk, activities and potential threats that may be taking place within an organization’s environment (both on-premises and in the cloud). The risk scoring used to determine an automated risk response is generated from a combination of both access (IdA) and activity (UEBA) data sources.

A numerical risk score depicts the relative risk of a user, identity or entity and selected activity. Normalized scores (i.e., between 0 and 100) make it easier to rank or prioritize them and to develop matrices to facilitate management of users’ access and activities. For example, a security operations center (SOC) uses a color-coded display dashboard to analyze activities and to drill down into the details on what caused an alert. Risks are not always red (bad), or green (good). A vast gray area exists between the two; hence the need for standardization of scores which allow consistent automated risk responses to take place. With the standardization of scoring established, a finite number of responses are defined, depending on the score and response code. As a result, the ability to automate risk responses is made possible, thereby minimizing human approval cycles and accelerating response time.

The individual use cases define the utility of automated risk response within behavior analytics. Its functionality includes cleaning up access, modifying the access of outliers, and quickly granting or denying access to users, both for normal access and when assessing the activities and requests of outliers. This also includes denying access to suspect insiders or to outsiders who may have hijacked or compromised a user’s account.

Automated risk responses help a company to quickly identify the outliers, the anomalies, and activities that suggest that something suspect may be occurring, requiring an immediate response. However, not every anomaly signifies a malicious activity. While some incidents require immediate attention, others are a lower priority. Any responses to a risk-scored alert that can be prioritized and automated optimize efficiencies of a security team by saving time and resources.

Types of Closed-loop Deployments for Automated Risk Response

Two types of closed-loop deployments exist for automated risk response. The first, and most common, is the bidirectional type traditionally found in API integrations between security solutions. Here, when the risk score for a user’s anomalous behavior crosses a designated threshold within the behavior analytics solution, another security solution is alerted via API with the risk score, response code and incident details. The integrated security solution also provides important contextual data and has the option of sending back status information (e.g., model feedback) to update future risk scoring, for example when a risk has been remediated.

The second type of closed-loop risk response is process related, such as the generation of a self-audit report based on a triggered risk score. In this instance, the high-risk-scored incident and profile are sent to the user, or to the user’s project leader, to provide insight and leverage context that a SOC team would not normally have, especially within large organizations. These risk-score-driven reports focus on contextual feedback for one incident and differ from recurring self-audit reports, which are traditionally scheduled and periodic (i.e., weekly, monthly, etc.) and generally much broader in scope and focus. Examples of closed-loop response via API and process are:

High Privileged Access Abuse

Risk scores identify high privileged access (HPA) account abuse by leveraging a combination of data sources for accounts, access and activity data (i.e., IAM, PAM, directory services platforms, SIEM or log aggregators, application events). The types of behaviors that generate an alert include detection of suspicious behavior and misuse such as a user assigning special or elevated privileges to their own account, followed by activity or transactions outside the password vault checkout and check-in window. Suspect activities also include access to resources and transactions outside normal peer behavior profiles, abnormal access to classified or sensitive documents, and multiple concurrent sessions from the same account across different IPs, devices, locations, etc.

Step-up Authentication

Risk scores per user or entity from a UEBA solution determine the login challenges issued by a multi-factor authentication (MFA) solution via bidirectional API integration. For example, high-risk scores result in multiple challenges and increased security awareness for end users, while low-risk scores result in one challenge, or none, to remove friction from business process flows. The API integration is bidirectional because the authentication solution is also a data source. This use case is also known as adaptive authentication.

Closed-loop DLP Alerts

Risk scoring of DLP alerts automates delivery of high-scoring alerts to project leaders and managers with project context to help determine alert validity. Feedback also provides training to machine learning models on detections and false positives. Bidirectional API integration delivers valuable DLP data to UEBA solutions while responding with risk scoring on DLP alerts for prioritized delivery and heightened awareness.

Closed-loop SIEM Alerts

Risk scoring of SIEM alerts provides a point of reference for SOC analysts with limited time and the need to avoid fatigue from alert overload and dead ends. Via bidirectional API integration, SIEMs are a data source for UEBA solutions, and risk-scored alerts can be sent back to SIEM solutions to focus ‘find-fix’ resources.

Self-Audit and ID Theft Detection

The context of employees, partners and customers is more relevant for risk-scored access and activity review than for SOC analysts lacking knowledge of a user’s environment. While risk scoring itself provides prioritization and focus, the value increases dramatically via self-audits when combined with the context of end users. This provides a collaborative closed-loop process flow between users and IT security that normally does not exist, and also provides increased deterrence and security awareness.

Access Outlier Remediation

Via continuous monitoring of access and activity data sources, risk-scored access outliers are sent to IAM systems to trigger a certification request by the account owner or manager. If revoked, the IAM system is updated and feedback via API informs the UEBA solution that the access outlier has been removed and to re-score the user or entity.

Risk-Scored Certifications, Access and Requests

Rather than receiving a list of access requests to certify with a checkbox, or a check-all-of-the-above box, the account owner or manager sees a risk score assigned to each access request. This enables them to approve low-risk requests and investigate high-risk ones, leading to more revocations and less access risk. Bidirectional API integration between a UEBA solution with IdA and an IAM system is the foundation of the third generation, or phase, of IAM.

Dynamic Access Provisioning

Eliminating the need for account owners to perform manual access approvals greatly reduces workload and wait times in process flows. This improves the access request certification process: access requests with low-risk scores are automatically granted by the IAM solution via bidirectional API integration with a UEBA solution providing IdA. This can approve upwards of 30% to 40% of access requests via automated risk response.
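The closed-loop mechanism described in this section, as an added example that is not the paper’s or any vendor’s code: access (IdA) and activity (UEBA) model outputs are normalized onto the 0–100 scale, combined into one risk score, mapped to a finite set of numeric response codes that integrated MFA, DLP, SIEM and IAM systems act on (step-up challenges, auto-grant versus certification), and re-scored when the IAM system feeds back that an access outlier was revoked. The weights, thresholds, response codes, native scales and sample signals are all constructed assumptions for illustration.

```python
"""Closed-loop automated risk response (added example, not vendor code).
Two model outputs are normalized to 0-100 and combined; the combined score
maps to a numeric response code for API consumers; IAM remediation feedback
re-scores the identity.  All weights, thresholds and codes are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum


class ResponseCode(IntEnum):
    """Numeric codes sent alongside the risk score over the API (constructed)."""
    ALLOW = 100
    STEP_UP_MFA = 200
    ESCALATE_REVIEW = 300
    DENY_AND_CERTIFY = 400


# Business-friendly text linked to each code for dashboard drill-down
DESCRIPTIONS = {
    ResponseCode.ALLOW: "Within peer baseline; no action",
    ResponseCode.STEP_UP_MFA: "Elevated anomaly; add an MFA challenge",
    ResponseCode.ESCALATE_REVIEW: "High anomaly; route to owner for context",
    ResponseCode.DENY_AND_CERTIFY: "Critical; deny and trigger certification",
}

# Constructed tiers on the normalized scale, highest lower bound first
TIERS = [(85, ResponseCode.DENY_AND_CERTIFY), (60, ResponseCode.ESCALATE_REVIEW),
         (30, ResponseCode.STEP_UP_MFA), (0, ResponseCode.ALLOW)]

# Step-up authentication: low risk gets none or one challenge, high risk more
MFA_CHALLENGES = {ResponseCode.ALLOW: 0, ResponseCode.STEP_UP_MFA: 1,
                  ResponseCode.ESCALATE_REVIEW: 2, ResponseCode.DENY_AND_CERTIFY: 2}


def normalize(raw: float, lo: float, hi: float) -> int:
    """Map one model's raw output on its native scale [lo, hi] onto 0-100, clamped."""
    if hi <= lo:
        raise ValueError("hi must exceed lo")
    pct = (raw - lo) / (hi - lo) * 100.0
    return int(round(min(100.0, max(0.0, pct))))


@dataclass
class Signals:
    """Raw per-source model outputs on their native scales (constructed)."""
    access_outlier: float     # IdA entitlement outlier distance, 0..10
    activity_anomaly: float   # UEBA activity anomaly probability, 0..1


@dataclass
class RiskEngine:
    w_access: float = 0.4     # constructed weights for the combined score
    w_activity: float = 0.6
    state: dict = field(default_factory=dict)

    def score(self, identity: str, s: Signals) -> int:
        """Combine normalized access and activity components into one score."""
        acc = normalize(s.access_outlier, 0, 10)
        act = normalize(s.activity_anomaly, 0, 1)
        total = int(round(self.w_access * acc + self.w_activity * act))
        self.state[identity] = (s, total)
        return total

    def response_code(self, identity: str) -> ResponseCode:
        score = self.state[identity][1]
        return next(code for bound, code in TIERS if score >= bound)

    def api_payload(self, identity: str) -> dict:
        """What the integrated MFA/DLP/SIEM/IAM system receives over the API."""
        code = self.response_code(identity)
        return {"identity": identity, "risk_score": self.state[identity][1],
                "response_code": int(code), "description": DESCRIPTIONS[code],
                "mfa_challenges": MFA_CHALLENGES[code],
                "access_request": "auto-grant" if code is ResponseCode.ALLOW
                else "manual certification"}

    def outlier_remediated(self, identity: str) -> int:
        """Feedback path: IAM reports the access outlier was revoked; re-score."""
        signals, _ = self.state[identity]
        return self.score(identity, Signals(0.0, signals.activity_anomaly))
```

With the constructed values, an identity scoring 84 is routed for review with two MFA challenges; once IAM reports the entitlement revoked, the re-score drops to 54 and the response falls back to a single step-up challenge.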

Custom Use Cases Accounting for Unique and Emerging Requirements

At times, IT security teams need the ability to build custom machine learning models that detect identity-based unknown threats and access risks. This circumstance may be for a number of reasons. It may include a unique requirement correlating with the individual customer’s environment or user and entity profiles. It may also involve the management of very sensitive data with highly restricted access, as is the case in certain government agencies. Other organizations, such as financial enterprises, have the need to develop custom use case models as well. The fundamental requirement is for organizations to be able to create behavioral models without the solution vendor’s input or involvement. This requisite would include having a step-by-step graphical interface that requires no coding, a minimal knowledge of data science, a flexible data connector for desired attributes from any data source, and which supports big data of customer choice. Additional requirements for custom machine learning model development include:

An advanced analytics framework – Delivers a complete behavior-based machine learning model framework where no coding and only a minimal knowledge of data science are required. Guidance is provided at each step for attribute selection, training and baselining parameters, prediction thresholds and scoring, along with providing feedback on detected anomalies in production. Models are self-learning and self-training to optimize over time, with the ability to update baselines as desired.

Decoupled big data – Custom machine learning model development should also support the ability to compute and store data from an open choice of big data infrastructures including: Hadoop, Cloudera, Hortonworks, MapR or Elastic (ELK Stack). Hybrid environments are driving the deployment of data lakes on-premises, and in the cloud, to store data for value, reducing data transfer and indexing fees. Hybrid models, with 360-degree visibility of an identity, accounts, access and activity for anomaly detection and risk scoring, should be supported across a customer choice of big data to avoid reading and storing data multiple times.

Flexible data connections – This enables any custom or unique data source with desired attributes to be ingested for custom model development. This capability provides the ability to access data with known methods and to map fields to attributes without coding, solution software updates or vendor support. A flexible metamodel also allows the customization or addition of new attributes. Popular scenarios are mainframe data, new SaaS applications, or proxy-based CASBs as new data sources for machine learning model analysis.

Analytics response code – This capability provides a numerical value alongside a risk score for bidirectional API integration with other security solutions such as authentication, data loss prevention, SIEM or IAM solutions. The risk score and numerical response code enable programmatic steps for integrated security solutions. The numerical value also links to a business-friendly risk and threat description for security analysts to view within a dashboard for drill-down analysis. This facilitates the growing demand among customers for a closed-loop bidirectional API deployment for automated response between security solutions when possible. Popular uses are for step-up authentication, risk-ranked DLP and SIEM alerts, and access outlier certifications.

Model optimization per environment – This functionality enables the development of custom models for UEBA, IdA or cloud security analytics, inclusive of hybrid behavior analytics. Customers can develop multiple model variations in a lab environment to determine which models produce usable risk scores and which best detect the desired anomaly or use case, to adjust risk weightings, and to provide model feedback and review behavior profile comparisons. The most effective models can be moved to a test environment for staging into production. This process also validates data source continuity, as well as cleanliness and quality between environments. Often, special projects require privacy in development and production, where the solution provides role-based access and data masking through workflow, plus tokenization and encryption of data at rest.

“XDR integrates a range of investigative tools, behavioral analytics and automated remediation capabilities – which have traditionally been point security products – into a single platform with a strong focus on advanced threat detection and tailored responses.”

– TechTarget Article,

“SIEM vs. SOAR vs. XDR: Evaluate the differences”

Benefits of Automated Risk Response and Custom Model Use Cases

Empowered security and access capabilities – The mature capabilities of UEBA and IdA, integrated and accelerated through automated response, provide robust and optimal behavior analytics across a range of hybrid environments and use cases. Normalized and standardized risk scoring of the gray areas of unknowns minimizes false positives. This makes the best use of security analysts’ and access managers’ time, making both operations and people more productive.

Optimized discovery, monitoring and visibility – This includes the baseline ability to view the full context of a user’s access entitlement risks and anomalous activities. It also includes the prime threat plane of privileged access, with risk scoring of privileged access entitlements and user activity for any incident in question. A mature solution also provides automated risk response and custom use cases for cloud security analytics in hybrid environments, giving a combined 360-degree view of identity and risk-scored behavior anomalies, driven by advanced machine learning models that are either provided out of the box or custom developed.

Improved productivity and cost savings – By having holistic visibility across all an organization’s environments, users and devices, and enhanced by automated risk response and custom model use case capabilities, SOC teams and access manager efficiencies are maximized, delivering cost savings and improved orchestration. In addition, as enterprises migrate to cloud applications, appropriate licensing becomes more critical to minimize costs. Removing orphan and dormant accounts saves on licensing fees for SaaS cloud applications.

Broadened security capabilities – Customized model use case development capability enables all conceivable requirements within advanced security analytics to be addressed for any data source and desired attributes. Additionally, the self-audit feature leverages the context of employees, partners and customers in a collaborative process to detect unknown anomalous access and behaviors while increasing deterrence and security awareness.

Conclusion

The effective depth and range of advanced security analytics use cases increases with automated risk response and custom model use case capabilities drawn from IdA and UEBA functionalities. Closed-loop deployments for automated risk response are a critical component of comprehensive behavior analytics solutions. Having an advanced and broad selection of use cases provides customers with the assurance that their advanced security analytics requirements will be addressed comprehensively. Automated risk response closed-loop use cases include:

  • High privileged access abuse
  • Step-up authentication
  • Closed-loop DLP alerts
  • Closed-loop SIEM alerts
  • Self-audits
  • Access outlier remediation
  • Risk-scored certifications, access and requests
  • Dynamic access provisioning

Having the capability to develop custom model use cases is a critical advantage for customers seeking to create confidential use cases outside the vendor’s visibility. This is often the case with government agencies and organizations (including financial enterprises) dealing with highly sensitive data sources. Custom model use case capabilities should include a step-by-step graphical interface that requires no coding and only a minimal knowledge of data science, as well as an advanced analytics framework, decoupled big data, flexible data connections, analytics response codes, and model optimization for each environment. Along with an evolving alignment to Gartner’s CARTA security model, customer innovation and thought leadership in the use of automated risk response continue to develop for advanced security analytics. Through customer advisory board members and project reviews, new uses will surface and be shared in updates to this paper.
