Author: Matt Rodgers, E8 Security
Recently, E8 made a major step forward in behavior intelligence with the release of our next-generation Entity Fusion functionality. This idea encompasses the learnings from our Fortune 100 customer deployments, and enables our product to identify and monitor users and hosts in large-scale enterprise environments. It does this by “fusing” information from multiple disparate logs and data, such as authentication logs, network data, and endpoint telemetry. These capabilities are critical to making security analytics (sometimes referred to as UBA, UEBA, or SUBA) effective and actionable in modern enterprise operations.
Why is entity identification so critical?
The other day during a presentation, one of our customers asked why we put so much attention toward high-efficacy entity identification. I responded by asking him how the analytic signals E8 generates could be trusted if we were unsure which entity those analytic signals belonged to.
I reminded him that the security analyst using the product must respond based on the signal, and if there are discrepancies in user or host information, then the signal could be inaccurate. It would be like a 9-1-1 operator without caller-ID or geo-location — the system might know something bad has happened, but it doesn’t know who’s involved or where they are.
Let’s look at the issue in a different way. If assigning signals to users and devices isn’t done effectively, then signals may have the opposite effect than what’s desired: their true criticality may be lost among hundreds of other signals, and investigation may not occur for weeks, if at all.
The “20-minute” problem
Several years ago I spent time with one of my customer’s security analysts, Frederick. He was using many different tools during his incident investigations. Frederick had all of the best-of-breed toolsets available to him, including Splunk and QRadar. During each investigation, he needed to determine who the incident involved within the organization before turning it over to the Incident Response team. Often, incidents from network and endpoint systems carry only partial information to accomplish this task, such as an IP address or hostname. Armed with this information and three different identity and configuration management tools, Frederick would spend an average of 20 minutes per incident figuring out the user involved to prepare a response action.
This “20 minute” problem stuck with me. Why should anyone have to spend that much time and energy to determine the actors involved in an incident? Eliminating it is an important byproduct of security analytics products, and one of the things such products must solve is determining the “who” efficiently and accurately.
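As an added illustration (not E8’s code, and not a description of how Entity Fusion is implemented), the following Python sketches the join Frederick was doing by hand: an alert carries only an IP address and a timestamp, a DHCP lease table turns the IP into the host that held it at that moment, and logon events plus endpoint session reports turn the host into the most likely user. All log records are constructed sample data, and the twelve-hour lookback window is an assumption chosen for the example. The point the code makes that the paragraph only implies is that the lookup must be time-aware (the same IP belongs to different laptops before and after noon) and that disagreeing sources should be surfaced rather than silently overwritten.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data (not from the post). Three sources that each know
# only part of the answer: DHCP knows ip->host, logon events and the endpoint
# agent know host->user.
DHCP_LEASES = [
    # ip, hostname, lease start (inclusive), lease end (exclusive)
    ("10.0.5.23", "LAPTOP-FRED", ts("2024-03-12T08:00:00"), ts("2024-03-12T12:00:00")),
    ("10.0.5.23", "LAPTOP-ANA", ts("2024-03-12T12:30:00"), ts("2024-03-12T18:00:00")),
    ("10.0.5.40", "SRV-BUILD01", ts("2024-03-01T00:00:00"), ts("2024-04-01T00:00:00")),
]

LOGON_EVENTS = [
    # timestamp, hostname, account that logged on
    (ts("2024-03-12T08:05:00"), "LAPTOP-FRED", "frederick"),
    (ts("2024-03-12T12:35:00"), "LAPTOP-ANA", "ana"),
    (ts("2024-03-12T14:10:00"), "LAPTOP-ANA", "svc_backup"),
]

ENDPOINT_SESSIONS = [
    # timestamp, hostname, user the agent reports at the console
    (ts("2024-03-12T14:30:00"), "LAPTOP-ANA", "ana"),
]

Evidence = Tuple[str, datetime, str]  # (source, timestamp, user)


@dataclass
class Resolution:
    ip: str
    at: datetime
    host: Optional[str]
    user: Optional[str]
    evidence: List[Evidence] = field(default_factory=list)
    conflicts: List[str] = field(default_factory=list)  # other users seen in the window


def host_for_ip(ip: str, at: datetime) -> Optional[str]:
    """Return the host holding `ip` at time `at`, or None if no lease covers it."""
    for lease_ip, host, start, end in DHCP_LEASES:
        if lease_ip == ip and start <= at < end:
            return host
    return None


def user_for_host(host: str, at: datetime,
                  window: timedelta = timedelta(hours=12)) -> Tuple[Optional[str], List[Evidence], List[str]]:
    """Fuse logon and endpoint evidence for `host` in the lookback window.

    The most recent observation wins; every other user seen in the window is
    reported as a conflict so the analyst can see the disagreement.
    """
    earliest = at - window
    candidates: List[Evidence] = []
    for t, h, u in LOGON_EVENTS:
        if h == host and earliest <= t <= at:
            candidates.append(("logon", t, u))
    for t, h, u in ENDPOINT_SESSIONS:
        if h == host and earliest <= t <= at:
            candidates.append(("endpoint", t, u))
    if not candidates:
        return None, [], []
    candidates.sort(key=lambda c: c[1], reverse=True)
    best_user = candidates[0][2]
    conflicts = sorted({u for _, _, u in candidates if u != best_user})
    return best_user, candidates, conflicts


def resolve(ip: str, at: datetime) -> Resolution:
    """Resolve an (ip, time) pair from an alert to a host and user."""
    host = host_for_ip(ip, at)
    if host is None:
        return Resolution(ip, at, None, None)
    user, evidence, conflicts = user_for_host(host, at)
    return Resolution(ip, at, host, user, evidence, conflicts)


if __name__ == "__main__":
    for ip, when in [("10.0.5.23", "2024-03-12T09:00:00"),
                     ("10.0.5.23", "2024-03-12T12:15:00"),
                     ("10.0.5.23", "2024-03-12T14:32:00"),
                     ("10.0.5.40", "2024-03-12T14:32:00")]:
        r = resolve(ip, ts(when))
        print(f"{ip} @ {when}: host={r.host} user={r.user} conflicts={r.conflicts}")
```

Run against the constructed data, the same IP resolves to `frederick` at 09:00 and to `ana` at 14:32, resolves to no host at all during the gap between leases at 12:15, and the 14:32 result carries `svc_backup` as a conflict because a different account logged on to the laptop twenty minutes before the endpoint agent reported `ana` at the console. A production system would draw the same evidence from VPN, directory and EDR feeds, but the shape of the problem (time-bounded joins plus explicit handling of disagreement) is what turns a twenty-minute manual hunt into a lookup.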
The next-generation Entity Fusion architecture is now a cornerstone of the E8 Security Fusion Behavioral Intelligence Platform. It provides analysts like Frederick a single source of truth when it comes to identifying entities across the enterprise. Our customers are seeing desired results when it comes to actionable behavioral intelligence and user/device monitoring across large deployments, and they’re able to use that intelligence to respond faster to critical incidents, which helps save them energy and time, and saves their companies money.