The UEBA market is dead - long live the UEBA

This is a brief overview of the market for User and Entity Behavior Analytics (UEBA) systems based on the latest Gartner research. According to the Gartner Hype Cycle for Threat-Facing Technologies, UEBA currently sits at the bottom of the "trough of disillusionment", which in itself is a sign of the technology's maturity. The paradox is that overall investment in UEBA technology keeps growing while the market for stand-alone UEBA products is disappearing. Gartner predicts that UEBA will become a function of adjacent information security products. The term "UEBA" itself is likely to fall out of use and be replaced by another acronym, either one with a narrower scope (for example "user behavior analytics"), one with an adjacent scope (for example "data usage"), or simply a new buzzword (the term "artificial intelligence" [AI] is an obvious candidate, although it carries no real meaning for today's UEBA vendors).

The key findings of the Gartner study can be summed up as follows:

  • The maturity of the market for user and entity behavior analytics is confirmed by the fact that mid-size and large enterprises already use these technologies to solve a range of business problems;
  • UEBA analytics functions are built into a wide range of related information security technologies, such as cloud access security brokers (CASBs), identity governance and administration (IGA) systems and SIEM systems;
  • The hype around UEBA vendors and the misuse of the term "artificial intelligence" make it hard for customers to see the real difference between vendors' technologies and product capabilities without running a pilot project;
  • Customers report that implementing and operating UEBA solutions day to day can be more laborious and time-consuming than vendors promise, even for basic threat detection models alone. Adding custom or edge use cases can be extremely difficult and requires expertise in data science and analytics.

Strategic market forecast:

  • By 2021, the market for user and entity behavior analytics (UEBA) systems will cease to exist as a separate segment and will be absorbed into other solutions with UEBA functionality;
  • By 2020, 95% of all UEBA deployments will be part of a broader security platform.

Definition of UEBA Solutions

UEBA solutions use built-in analytics to evaluate the activity of users and of other entities (such as hosts, applications, network traffic and data stores).
They detect threats and potential incidents, which typically show up as activity that is anomalous relative to the established profile and behavior of a user or entity, and of its peer group, over a period of time.

The most common enterprise use cases are threat detection and response, and insider threat detection and response (in most cases compromised insiders; sometimes malicious insiders).

UEBA is offered both as a solution and as a function built into a specific tool:

  • Solution: vendors of "pure" UEBA platforms, including vendors that also sell SIEM solutions separately. Focused on a wide range of business tasks covering both user and entity behavior analytics.
  • Embedded: vendors or product divisions that embed UEBA functions and technologies into their own solutions. Usually focused on a narrower set of business objectives. In this case UEBA is used to analyze the behavior of users and/or entities.

Gartner views UEBA across three axes: tasks (use cases), analytics and data sources (see figure).

[Figure: Gartner's three axes of UEBA: tasks, analytics, data sources]

"Pure" UEBA platforms vs. built-in UEBA

Gartner considers a "pure" UEBA platform to be a solution that:

  • solves several specific tasks, such as monitoring privileged users or data leaving the organization, rather than just abstract "monitoring of anomalous user activity";
  • relies on advanced analytics, falling back to basic analytical approaches where needed;
  • offers several data collection options, including both its own collection mechanisms and ingestion from log management tools, data lakes and/or SIEM systems, without mandatory deployment of separate agents in the infrastructure;
  • can be purchased and deployed as a standalone solution rather than only as a component of other products.

The table below compares the two approaches.

Table 1. "Pure" UEBA platforms vs. solutions with built-in UEBA

Problem being solved
  "Pure" UEBA platforms: analyze the behavior of both users and entities.
  Built-in UEBA: lack of data may limit the analysis to only users or only entities.

Problem being solved
  "Pure" UEBA platforms: serve a wide range of tasks.
  Built-in UEBA: specialize in a limited set of tasks.

Analytics
  "Pure" UEBA platforms: anomaly detection using a variety of analytical methods, mainly statistical models and machine learning, combined with rules and signatures. Ship with built-in analytics that build user and entity activity profiles and compare current activity against the subject's own profile and its peers' profiles.
  Built-in UEBA: similar to "pure" UEBA, but the analysis may be limited to only users and/or only entities.

Analytics
  "Pure" UEBA platforms: advanced analytical capabilities not limited to rules, for example a clustering algorithm with dynamic grouping of entities.
  Built-in UEBA: similar to "pure" UEBA, but in some embedded threat models the grouping of entities can only be changed manually.

Analytics
  "Pure" UEBA platforms: correlation of the activity and behavior of users and other entities (for example with Bayesian networks) and aggregation of individual risky behaviors to identify anomalous activity.
  Built-in UEBA: similar to "pure" UEBA, but the analysis may be limited to only users and/or only entities.

Data sources
  "Pure" UEBA platforms: receive events about users and entities either directly from data sources via built-in collectors or from existing stores such as a SIEM or data lake.
  Built-in UEBA: collection is usually direct only and covers only users and/or only other entities; log management tools, SIEM and data lakes are not used as sources.

Data sources
  "Pure" UEBA platforms: must not rely solely on network traffic as the main data source, nor solely on their own agents for collecting telemetry.
  Built-in UEBA: may focus only on network traffic (for example NTA, network traffic analysis) and/or use its own agents on endpoints (for example employee monitoring tools).

Data sources
  "Pure" UEBA platforms: enrich user and entity data with context. Support collecting structured events in real time as well as structured and unstructured related data from IT directories such as Active Directory (AD) or other machine-readable sources (such as HR databases).
  Built-in UEBA: similar to "pure" UEBA, but the scope of contextual data varies from case to case. AD and LDAP are the most common context stores used by built-in UEBA.

Availability
  "Pure" UEBA platforms: provide the listed features as a standalone product.
  Built-in UEBA: cannot be bought without buying the product it is built into.

Source: Gartner (May 2019)

Thus, to solve specific problems an embedded UEBA may use only basic UEBA analytics (for example, simple unsupervised machine learning), yet because it has access to exactly the right data it can be more effective overall than a "pure" UEBA solution. "Pure" UEBA platforms, in turn, are expected to offer more sophisticated analytics as their core know-how compared with a built-in UEBA tool. These differences are summarized in Table 2.

Table 2. Summary of the differences between "pure" and built-in UEBA

Analytics
  "Pure" UEBA platforms: applicability to many business tasks implies a more versatile set of UEBA features, with a focus on more sophisticated analytics and machine learning models.
  Built-in UEBA: focus on a smaller set of business tasks implies highly specialized functions built around models for specific applications with simpler logic.

Analytics
  "Pure" UEBA platforms: analytical models must be customized for each application scenario.
  Built-in UEBA: analytical models come pre-configured for the tool UEBA is embedded in, so such a tool generally delivers results for specific business problems faster.

Data sources
  "Pure" UEBA platforms: access to data sources from every corner of the corporate infrastructure.
  Built-in UEBA: fewer data sources, usually limited by the availability of agents for them or by the scope of the host tool itself.

Data sources
  "Pure" UEBA platforms: the information in each log is limited by the data source and may not contain everything the centralized UEBA tool needs.
  Built-in UEBA: the amount and detail of the raw data collected by the agent and sent to UEBA can be configured specifically.

Architecture
  "Pure" UEBA platforms: a complete UEBA product for the whole organization; easier integration using the capabilities of a SIEM or data lake.
  Built-in UEBA: requires a separate set of UEBA features for each solution that embeds UEBA; embedded UEBA often requires agent installation and data management.

Integration
  "Pure" UEBA platforms: manual integration of the UEBA solution with other tools in each case; lets the organization build its technology stack on a best-of-breed basis.
  Built-in UEBA: the main UEBA functions are already bundled into the tool by the vendor; the UEBA module is built in and cannot be extracted, so customers cannot replace it with something of their own.

Source: Gartner (May 2019)

UEBA as a function

UEBA is becoming a function of end-to-end cybersecurity solutions that benefit from additional analytics. UEBA sits at the core of these solutions as a layer of advanced analytics over user and/or entity behavior patterns.

Built-in UEBA functionality is currently found in the following categories of solutions, grouped by technology area:

  • Data-centric audit and protection (DCAP): vendors focused on improving the security of structured and unstructured data stores.

    In this category Gartner notes, among others, the Varonis cybersecurity platform, which uses user behavior analysis to monitor changes to access rights on unstructured data and how that data is accessed and used across various data stores.

  • CASB systems, which protect against various threats in cloud SaaS applications by blocking access to cloud services from unwanted devices, users and application versions through adaptive access control.

    All market-leading CASB solutions include UEBA capabilities.

  • DLP solutions, focused on detecting critical data leaving the organization or being misused.

    DLP advances are based largely on understanding content, with less focus on understanding context such as user, application, location, time, event rate and other external factors. To be effective, DLP products must recognize both content and context. That is why many vendors are starting to build UEBA functionality into their solutions.

  • Employee monitoring: the ability to record and replay employees' actions, usually in a data format suitable for litigation if necessary.

    Continuous monitoring of users often generates an exorbitant amount of data that requires manual filtering and human analysis. UEBA is therefore used inside monitoring systems to improve their performance and surface only high-risk incidents.

  • Endpoint security: Endpoint Detection and Response (EDR) and Endpoint Protection Platform (EPP) solutions provide powerful tooling and operating-system telemetry on endpoints.

    Such user-related telemetry can be analyzed to provide built-in UEBA functionality.

  • Online fraud: online fraud detection solutions detect deviant activity indicating compromise of a client account through an impostor, malware, or exploitation of insecure connections and interception of browser traffic.

    Most fraud solutions use the essence of UEBA, transaction analysis and measurement of device characteristics, and more advanced systems complement these with relationship matching across a database of identity attributes.

  • IAM and access control: Gartner notes an evolutionary trend among access control vendors to integrate with "pure" UEBA vendors and to build some UEBA features into their own products.
  • IAM and identity governance and administration (IGA): IGA systems use UEBA to cover behavioral and identity analytics scenarios such as anomaly detection, dynamic peer-group analysis of similar entities, login analysis and access policy analysis.
  • IAM and Privileged Access Management (PAM): because of their role in controlling the use of administrative accounts, PAM solutions hold telemetry showing how, why, when and where administrative accounts were used. Built-in UEBA can analyze this data for anomalous administrator behavior or malicious intent.
  • NTA (Network Traffic Analysis) vendors use a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activity on corporate networks.

    NTA tools continuously analyze raw traffic and/or flow records (such as NetFlow) to build models reflecting normal network behavior, focusing primarily on entity behavior analytics.

  • SIEM: many SIEM vendors now have advanced data analytics built into the SIEM or offered as a separate UEBA module. Throughout 2018 and so far in 2019 the boundary between SIEM and UEBA functionality has been blurring continuously, as described in the Gartner note "Technology Insight for the Modern SIEM". SIEM systems have become better at analytics and offer more complex use cases.

UEBA Application Scenarios

UEBA solutions can address a wide range of tasks. However, Gartner clients agree that the main use case is detecting various categories of threats, achieved by surfacing and analyzing frequent correlations between the behavior of users and of other entities:

  • unauthorized access to and movement of data;
  • suspicious behavior of privileged users, malicious or unauthorized activity of employees;
  • non-standard access to and use of cloud resources;
  • and others.

There are also a number of atypical, non-cybersecurity use cases, such as fraud or employee monitoring, for which UEBA may be justified. However, these often require data sources outside IT and information security, or specific analytical models built on deep domain understanding. The five main scenarios and applications that both UEBA vendors and their customers agree on are described below.

"Malicious Insider"

UEBA vendors covering this scenario monitor only employees and trusted contractors for unusual, "bad" or malicious behavior. Vendors specializing in this area do not monitor or analyze the behavior of service accounts or other non-human entities. For the most part, that is also why they are not focused on detecting advanced threats in which attackers take over existing accounts. Instead, they aim to identify employees engaged in malicious activity.

In essence, the "malicious insider" concept stems from trusted users with malicious intent looking for ways to harm their employer. Since malicious intent is hard to assess, the best vendors in this category analyze contextual behavioral data that is not readily available in audit logs.

Solution providers in this area also, where appropriate, add and analyze unstructured data such as email content, productivity reports or social media information to form the behavioral context.

Compromised insider and advanced persistent threats

The challenge is to quickly detect and analyze "bad" behavior as soon as an attacker has gained access to the organization and begun moving through the IT infrastructure.
Advanced persistent threats (APT), like unknown or not yet fully understood threats, are extremely hard to detect and often hide behind legitimate user or service account activity. Such threats usually follow a complex operating model (see, for example, the article "Addressing the Cyber Kill Chain"), or their behavior has not yet been identified as malicious. This makes them hard to detect with simple analytics (such as pattern matching, thresholds or correlation rules).

However, many of these threats produce non-standard behavior, often associated with unsuspecting users or entities (so-called compromised insiders). UEBA methods offer several interesting ways to detect such threats, increase the signal-to-noise ratio, consolidate and reduce alert volume, prioritize the remaining alerts, and support effective incident response and investigation.

UEBA vendors targeting this area usually have bi-directional integration with the organization's SIEM.

Data exfiltration

The task here is to detect data leaving the organization.
Vendors focused on this task typically combine DLP or data access governance (DAG) capabilities with anomaly detection and advanced analytics, thereby improving the signal-to-noise ratio, consolidating alert volume and prioritizing the remaining alerts. For additional context, vendors rely more on network traffic (such as web proxy logs) and endpoint data, since these sources help in a data exfiltration investigation.

Data exfiltration detection is used to catch both insiders and external attackers who threaten the organization.

Identity and Privileged Access Management

Vendors of standalone UEBA solutions in this area observe and analyze user behavior against the already established set of entitlements in order to identify excessive privileges or anomalous access. This applies to all types of users and accounts, including privileged and service accounts. Organizations also use UEBA to get rid of dormant accounts and of privileges higher than required.

Incident prioritization

The goal here is to prioritize the alerts generated by the solutions in the technology stack in order to understand which incidents or potential incidents should be handled first. UEBA methods and tools help identify incidents that are particularly anomalous or particularly dangerous for a given organization. In this case the UEBA engine uses not only baseline activity levels and threat models, but also enriches the data with information about the company's organizational structure (for example critical resources, or employee roles and access levels).

Problems of implementing UEBA solutions

The pain of the UEBA market lies in high prices and in complex implementation, maintenance and use. While companies are trying to reduce the number of separate internal consoles, they get yet another one. The time and resources a new tool requires depend on the tasks at hand and on the types of analytics needed to solve them, and most often the investment is large.

Contrary to what many vendors claim, UEBA is not a "set it and forget it" tool that then runs unattended for days on end.
Gartner clients, for example, report that launching a UEBA initiative from scratch takes 3 to 6 months before the first results appear for the problems the solution was bought for. For more complex tasks, such as identifying insider threats in an organization, the period stretches to 18 months.

Factors affecting the complexity of a UEBA implementation and the future effectiveness of the tool:

  • The complexity of the organization's architecture, network topology and data management policy
  • Availability of the right data at the right level of detail
  • Complexity of the vendor's analytics algorithms, such as statistical models and machine learning versus simple patterns and rules.
  • The amount of pre-configured analytics that comes out of the box, that is, the vendor's understanding of which data needs to be collected for each task and which variables and attributes matter most for the analysis.
  • How easily the vendor's solution can integrate automatically with the required data.

    For example:

    • If the UEBA solution uses a SIEM as its main data source, does the SIEM collect information from the required data sources?
    • Can the necessary event logs and organizational context data be sent to the UEBA solution?
    • If the SIEM does not yet collect and manage the data sources the UEBA solution needs, how can they be brought in?

  • How important the use case is to the organization, how many data sources it requires, and how much it overlaps with the vendor's area of expertise.
  • What degree of organizational maturity and involvement is required, for example creating, developing and refining rules and models, assigning weights to the variables evaluated, or adjusting the risk score threshold.
  • How scalable the vendor's solution and architecture are relative to the organization's current size and future requirements.
  • Time to build baseline models, profiles and peer groups. Vendors often require at least 30 days (and sometimes up to 90) of observation before they can define what is "normal". A one-time load of historical data can speed up model training. Some interesting cases can be found faster with rules than with machine learning trained on a very small amount of initial data.
  • The effort required to build dynamic grouping and account profiling (service vs. person) can vary greatly between solutions.

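The following Python sketch is an added example, not code from the Gartner report or from any UEBA vendor. It ties together three points made on this page: the definition of UEBA (activity scored against the user's own profile and against a peer group), the incident prioritization scenario (the anomaly score is multiplied by organizational context such as critical assets and privileged roles), and the warm-up point from the list above (the statistical baseline abstains until it has enough observations, and a plain rule catches the obvious case meanwhile). The event fields, the 20-event minimum, the one-hour window, the host and role lists and the weights are all assumptions chosen for the illustration; the 30-day login history is constructed, not captured from a real system.

```python
"""Toy UEBA scorer: per-user and peer-group baselines, context-weighted risk.
Added illustration, not from the Gartner report or any vendor product; schema,
thresholds, roles, asset list and weights are assumptions, history is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

MIN_EVENTS = 20      # assumed warm-up: below this the statistical model abstains
HOUR_WINDOW = 1      # +/- hours treated as "the same time of day"
CRITICAL_HOSTS = {"hr-db-01", "pki-ca-01"}   # assumed organizational context
PRIVILEGED_ROLES = {"admin"}                  # assumed organizational context

@dataclass(frozen=True)
class Event:
    user: str
    role: str    # peer group is derived from the role (static grouping)
    host: str
    hour: int    # 0..23, local hour of the login

class Baseline:
    """Profiles built from historical logins, per user and per peer group (role)."""

    def __init__(self, history):
        self.user_hours = defaultdict(Counter)
        self.user_hosts = defaultdict(set)
        self.role_hours = defaultdict(Counter)
        self.role_hosts = defaultdict(set)
        for e in history:
            self.user_hours[e.user][e.hour] += 1
            self.user_hosts[e.user].add(e.host)
            self.role_hours[e.role][e.hour] += 1
            self.role_hosts[e.role].add(e.host)

    def _share_near(self, hours, hour):
        """Share of recorded logins within HOUR_WINDOW of `hour` (24h clock wraps)."""
        total = sum(hours.values())
        if total == 0:
            return 0.0
        near = sum(n for h, n in hours.items()
                   if min(abs(h - hour), 24 - abs(h - hour)) <= HOUR_WINDOW)
        return near / total

    def anomaly(self, e):
        """(score in 0..1, reasons) for one login, or None while the user is in warm-up."""
        if sum(self.user_hours[e.user].values()) < MIN_EVENTS:
            return None
        reasons = []
        hour_user = 1.0 - self._share_near(self.user_hours[e.user], e.hour)
        hour_peer = 1.0 - self._share_near(self.role_hours[e.role], e.hour)
        if hour_user > 0.9:
            reasons.append("hour unusual for user")
        if hour_peer > 0.9:
            reasons.append("hour unusual for peers")
        hour_score = 0.6 * hour_user + 0.4 * hour_peer   # odd for user, normal for peers scores lower
        host_score = 0.0
        if e.host not in self.user_hosts[e.user]:
            host_score = 0.5
            reasons.append("first access to host by user")
            if e.host not in self.role_hosts[e.role]:
                host_score = 1.0
                reasons.append("host never used by peer group")
        return max(hour_score, host_score), reasons

def rule_off_hours_critical(e):
    """Plain signature that still fires while the statistical baseline is warming up."""
    if e.host in CRITICAL_HOSTS and not 6 <= e.hour < 20:
        return 1.0, ["rule: off-hours access to critical host"]
    return None

def prioritize(baseline, e):
    """Anomaly score multiplied by organizational context -> (risk, reasons)."""
    result = baseline.anomaly(e) or rule_off_hours_critical(e)
    if result is None:
        return 0.0, ["insufficient history and no rule matched"]
    score, reasons = result
    weight = 1.0
    if e.host in CRITICAL_HOSTS:
        weight *= 2.0
        reasons.append("critical asset")
    if e.role in PRIVILEGED_ROLES:
        weight *= 1.5
        reasons.append("privileged role")
    return round(score * weight, 3), reasons

def constructed_history():
    """Constructed sample: 30 days of routine logins for two analysts and one admin."""
    return [ev for day in range(30) for ev in (
        Event("alice", "analyst", "wiki-01", 9 + day % 2),
        Event("bob", "analyst", "wiki-01", 10),
        Event("carol", "admin", "pki-ca-01", 11 + day % 3))]

if __name__ == "__main__":
    bl = Baseline(constructed_history())
    for ev in (Event("alice", "analyst", "hr-db-01", 3), Event("dave", "analyst", "hr-db-01", 2)):
        print(ev, prioritize(bl, ev))
```

Two design choices are worth noting. An hour that is odd for the user but normal for the peer group is weighted below one that is odd for both, which is the signal-to-noise gain the page attributes to peer-group profiling. And `prioritize` never hides the fact that a user such as "dave" has no baseline yet: the statistical path returns None, the rule path still fires for off-hours access to a critical host, and a non-matching login is labelled as unscored rather than being reported as "normal".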
Source: habr.com