
Drowning in Security Alerts? UEBA and Automation Can Throw You a Lifeline
Darren Prager, Director, Analytics Practice Lead, HCL Technologies | November 18, 2020

One complaint we often get from security practitioners we work with comes across more as a cry for help: They’re practically drowning in security alerts and can’t catch their breath. With the advent of numerous security tools to identify potential breaches comes a virtual tsunami of incidents to swim through. Data loss prevention (DLP), web proxy and other policy-based tools do a fantastic job of flagging possible malicious behavior, both inside and outside the network, but every event they produce creates more work for short-staffed remediation teams suffering from security “alert fatigue.”

Relying on manual intervention based on severity simply doesn’t work anymore. Not only is it far too time-consuming and unrealistic to analyze thousands (or hundreds of thousands) of incidents a day (depending on the size of the company and its policy configurations), but relying on severity alone is misguided. High-severity false positives may simply signify a broken business process, and they distract us from lower-severity incidents that, triggered over a period of time, can indicate a low-and-slow data leakage event. With all the noise generated from security tools, it’s no wonder some of the most famous breaches in recent years went virtually unnoticed by cyber response teams.

Target and Home Depot are perfect examples of cybercriminals flying under the radar. The security tools the companies had designed to detect such breaches did as expected; it’s just that the breaches slipped through the cracks under a deluge of other incidents.

So how do you find the needle in the haystack to ensure your company stays out of the news?

Identify and Prioritize Top Cyber Risks

Working from the end result backwards, the goal is to identify an enterprise’s top cyber risks, prioritize those risks based on likelihood and impact, and provide supporting information required by human analysts to vet identified risks or orchestrate automated action. Identifying and prioritizing top cyber risks requires a detailed understanding of many aspects of an organization’s computing and business environment, and then applying the right analytics to make sense of it all. In other words, context is key. Some critical data points include (note that required optimal data sources vary by use case):

  • User activity and security telemetry, including DLP, authentication, web activity, cloud activity, application activity, etc.
  • Organizational hierarchies and user attributes
  • Indicators of attack and compromise from endpoint and perimeter protection tools
  • IT asset and architecture information, including organizational ownership and the relationship of machines to applications, business value and loss impact
  • Host and application configuration, patch, vulnerability scan and penetration test results
  • Threat intelligence feeds
  • Industry standard sources of vulnerabilities, asset descriptions, operating system patches, etc.

There are many methods and tools available for mixing and matching the above data points to achieve desired results. For most organizations, though, this process is akin to attempting to solve a Rubik’s cube puzzle with half of the colors missing while wearing a blindfold under water.

UEBA to the Rescue

Enter User Entity Behavioral Analytics (UEBA), with the emphasis on behavior. Behavior analytics is not a new concept (the financial services industry has used it for decades to identify fraud), but it remains a hot buzzword, especially in cyber-security land, where the volume and pace of attacks are ever increasing and qualified human analysts are in short supply. At nearly every cyber-security conference it seems that most vendors tout some flavor of these capabilities. However, not all algorithms and methodologies are created equal, and more importantly, they do not deliver the same results. For cyber-risk analytics and UEBA platforms, the process and functional goal is all about gathering security data from various sources, then analyzing it to enable accelerated response via human analysts or automated action.

That’s why a solution like Symantec’s Information Centric Analytics (ICA) and others can be a real game changer. ICA is a risk analytics solution that integrates with other security tools while automatically enriching data by filling gaps. In other words, it supplements security events with contextual data that support the involved machine learning and risk analytics before being augmented with inputs based on human analysts’ decisions. This enables ICA to flip the remediation script by shifting from an incident-by-incident approach to a risk-based approach.

Rather than triaging incidents as they come in or actioning them based on severity, ICA leverages behavior analysis and machine learning to prioritize incidents for review based on certain scenarios or user-risk ratings. By asking questions like, “How normal is this behavior for this user?” a security practitioner can quickly cut to the chase and identify infractions that should be investigated first, accelerating the process of finding that needle in the haystack. ICA also performs peer analysis, which analyzes the behavior of users who report to the same manager and those in the same organization or department to allow a thorough comparison of user actions.

Automation Through Machine Learning

Behavior analysis is only half the battle, however, as automation through machine learning is essential in cutting down incident volume to review. In ICA, this happens on two fronts: supervised and unsupervised machine learning. Unsupervised machine learning is handled by the behavior analysis component I described earlier—anomalies are automatically identified when compared to a user’s baseline behavior and events are scored for normality. Supervised machine learning trains the tool to stop flagging more benign events, thus reducing the system’s overall noise. For example, an analyst can review a set of incidents with similar criteria and decide they represent a broken business process based on a policy violation pattern. The tool learns from the action of classifying incidents as acceptable and excludes future similar events, removing them from a practitioner’s line of sight and decreasing overall workload.
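
The sketch below is an added example, not ICA's algorithm or any vendor's code: it ranks constructed DLP incidents by deviation from the user's own baseline and from a peer group, and drops patterns an analyst has already classified as acceptable. The z-score scoring, user names, policies and volumes are all assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data: daily outbound MB flagged by DLP, per user (7 prior days).
HISTORY = {
    "alice": [5, 6, 4, 5, 7, 5, 6],
    "bob":   [400, 420, 390, 410, 405, 415, 395],  # runs a large transfer every day
    "carol": [5, 4, 6, 5, 5, 6, 4],
}
PEERS = {"alice": ["carol"], "carol": ["alice"], "bob": []}  # same-manager groups
# Today's incidents (constructed): (user, policy, tool severity, outbound MB)
TODAY = [
    ("bob", "bulk-transfer", "high", 410),
    ("alice", "pii-email", "low", 60),
    ("carol", "pii-email", "low", 5),
    ("carol", "hr-export", "high", 5),
]
# Analyst feedback (the supervised step): patterns already classified as acceptable.
ACCEPTED = {("carol", "hr-export")}

def zscore(value, samples, floor=1.0):
    """Deviation from a baseline in standard deviations; floor avoids divide-by-zero."""
    if not samples:
        return 0.0
    return (value - mean(samples)) / max(pstdev(samples), floor)

def prioritize(today, history, peers, accepted):
    """Rank incidents by behavioral anomaly instead of tool-assigned severity."""
    ranked = []
    for user, policy, severity, mb in today:
        if (user, policy) in accepted:
            continue  # suppressed by an earlier analyst decision
        self_z = zscore(mb, history[user])  # "how normal is this for this user?"
        peer_samples = [v for p in peers[user] for v in history[p]]
        peer_z = zscore(mb, peer_samples)   # peer analysis against same-manager users
        ranked.append((round(max(self_z, peer_z), 1), user, policy, severity))
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    for row in prioritize(TODAY, HISTORY, PEERS, ACCEPTED):
        print(row)
```

On this data the low-severity incident from alice ranks first, while bob's high-severity incident scores near his normal baseline and falls well below it.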

The Icing on the Cake: Moving Toward Zero Trust

The icing on the cake is that by leveraging these techniques to optimize and simplify the security remediation process, companies put themselves several steps closer to Zero Trust. In fact, the glue that holds the fundamental pillars together in the Zero Trust Extended Maturity Model is denoted by Forrester as automation, orchestration, visibility and analytics. UEBA and automation are central components of those requirements, and when used with other Symantec products to adhere to the “Never trust, always verify” mantra of Zero Trust, they give security teams the advantage they need to stay ahead of the game by rapidly centralizing and prioritizing potential threats.

Key Takeaways

The complex nature of today’s data breach methods, coupled with the volume of security tool alerting, has made it extremely challenging for organizations to isolate and visualize multi-vector risks. Uncovering attacks and accelerating investigations can be aided by leveraging technologies that employ UEBA and automation best practices, such as Symantec’s ICA, while at the same time putting organizations on a path towards Zero Trust. To survive the flood of attacks and the deluge of event traffic associated with your security practice, it’s all about using the lifelines that keep your head well above water.

About Enterprise Studio

Enterprise Studio by HCL Technologies helps organizations make the connections between IT and business that optimize time and multiply value for realizing the full potential of their digital business plans. Our seasoned technologists, coaches, and educators can help you unlock value from existing IT investments to become a stronger, more adaptive organization – in part by leveraging a BizOps approach so that IT outputs are strongly linked to business outcomes.

Whether you’re an established Global 500 company or a new disruptive force in your industry, we can help you navigate complexities that come with competing in an inter-connected digital era. We are a global solution provider and Tier 1 global value-added reseller of Broadcom CA Technologies and Symantec enterprise software.

Many of our experts at Enterprise Studio are from the former professional services units of CA Technologies and Symantec. For decades, our teams have supported and led organizations to innovation with powerful enterprise software solutions and cutting-edge methodologies – from business and agile management to security, DevOps, AIOps, and automation.