To fully understand what a SIEM solution can offer your enterprise in cybersecurity, it is vital to understand the tools and capabilities that comprise it. And few tools are currently as captivating and as misunderstood as user and entity behavior analytics (UEBA).
To learn more about UEBA, we spoke to Samir Jain, Senior Product Manager of Security Analytics at SIEM vendor LogRhythm. He answered our 5 most pressing questions on the role of UEBA in SIEM and where it could be heading in the future.
Here’s our conversation, edited slightly for readability:
1. Solution Review: How are user and entity behavior analytics (UEBA) utilized for SIEM? What does UEBA provide that other technologies don’t?
Samir Jain: User and Entity Behavior Analytics (UEBA) provides visibility into user behavior to prevent theft or corruption of company information by both trusted insiders and entities and by malicious outsiders masquerading as insiders. To detect these threats, a UEBA solution needs to be able to analyze a rich set of machine data. Tight integration with a SIEM platform helps reduce gaps in visibility, enabling more accurate recognition of behavioral anomalies that might represent a threat, the central function of a UEBA solution. A tightly integrated UEBA solution enables:
- Improved detection of threats rather than mere anomalies
- Precise prioritization of true threats
- More efficient and effective operation than is possible with bolt-on solutions
- Centralized forensic visibility via a single pane of glass
- Faster incident response
- Analysis of a broader set of threats
2. SR: How has the technology evolved to accommodate the ever-changing threat landscape?
SJ: Cyberthreats are growing in both complexity and volume, and SOCs [security operations centers] are struggling to stay ahead. Meanwhile, enterprises are generating machine data at an exponentially growing rate. Finding the needle in the haystack requires behavioral profiling with machine learning and AI. AI/ML can help with anomaly detection by going through TBs [terabytes] of logs to detect signature-less and hidden threats. AI/ML will ultimately enable autonomous automation of a wide range of SOC tasks.
3. SR: Has the widespread corporate transition to the cloud in any way changed how UEBA operates? Has it changed the way solutions providers designed their UEBA algorithms?
SJ: Yes, in big ways:
- We are no longer constrained by the HW [hardware] available on premise. The nearly limitless availability of processing and memory allows UEBA vendors to use the cloud to deploy a diverse mix of machine learning algorithms that are computationally fast, memory efficient, and able to operate in parallel.
- Operating from the cloud allows us to innovate rapidly without having to worry about patching, et cetera. The threat landscape is ever changing and using cloud delivery facilitates rapid innovation.
- Cloud also helps with rapid time to value so the SOC can focus on their mission instead of spending valuable time implementing and maintaining a new tool. Cloud-based architecture also helps ensure that your team is prepared to address not just today’s threats but also the advanced threats coming your way.
4. SR: What are the best practices for utilizing UEBA in SIEM solutions? Is there a way that enterprises can misuse the data gleaned from UEBA?
SJ: Algorithms get a lot of the attention, but data scientists will tell you that that old saying, “garbage in, garbage out,” is 100% true. Before ML can be applied, you need to collect diverse enterprise data and optimize it for effective analysis. These functions are often performed best by your SIEM. Effective UEBA, made possible through high-quality data preparation, complements your SIEM by generating insights that allow you to drive down your time to detect and respond.
5. SR: Where do you see the future of UEBA, in general and in SIEM? Are there any technologies on the horizon which may supplant it?
SJ: UEBA complements SIEM with advanced analytics and these technologies have a bright future. That’s our thesis, anyway—we wouldn’t be investing so heavily in this area, otherwise. That said, we’re already seeing advanced analytics capabilities subsumed within other markets, chiefly SIEM, and I think that’s natural. Both SIEM and UEBA depend on collecting and preparing data from across your environment. And no matter how much automation you build around them, both require hands-on use by an analyst.
Security teams will push for these functions to be built into SIEM, DLP, etc., not just introduced as an adjacent function. We’ve been investing in our platform’s analytics capabilities for several years, as have the other leading vendors, so soon enough I’d expect only a handful of pure play UEBA vendors will be left. This is a very competitive market so the leaders in advanced analytics will continue to rise to the top. That bodes well for customers who need these capabilities.
Thanks again to Samir Jain of LogRhythm for his time and expertise!