Author: Hina Ashar, Head of Engineering
There has been a great shift in the security analytics and threat hunting landscape in recent years. SIEM (Security Information and Event Management) providers face tough challenges in safeguarding against the ever-advancing threats hidden inside the networks they monitor.
Looking at SIEM, we see that it provides adequate solutions for the Security Operations Center (SOC) and IT teams in terms of real-time monitoring based on correlation rules and alerts. Moreover, it provides long-term storage, search and reporting mechanisms for amplified visibility into network log data. SIEM has dominated the security market for many years, but the explosion of “Big Data” has brought modern threats that SIEMs aren’t able to address by themselves. Some of the known limitations of legacy SIEM:
- It can’t identify unknown and hidden threats already present in the network.
- It doesn’t provide an entity-centric view of insider threats. You can write a SIEM correlation rule to detect a threat in data coming into your network, but it can’t analyze the behavior of users and hosts inside the network.
- SIEM’s processing power is limited to a specific data set, which doesn’t give you the full picture of your entire organization.
User and Entity Behavioral Analytics (UEBA) is an emerging market and a new era for security analytics platforms. While SIEMs are very useful within a SOC, they are even better when augmented by UEBA platforms that focus on addressing the intricate and sophisticated threats by baselining what’s normal and looking for deviations. For example:
- UEBA solutions detect hidden and unknown threats that could lead to potential attacks. UEBA is built on the idea of machine-learning-based “behavior analytics” to identify new, unusual activity or a threat that went dormant for an extended period of time.
- Identifying risky users and hosts (entities) on the network is a by-product of this analysis: a UEBA platform builds baselines of user activity and ties them to the at-risk host to give the system administrator extended visibility.
- A UEBA architecture built with a technology stack able to handle the massive scale of “Big Data” provides a broader pool of data to cover the entire network, leading to more accurate threat indicators.
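To make “baselining what’s normal and looking for deviations” concrete, here is a small added example (not code from the author or from any UEBA product) that learns, per user, which hosts they normally log on to and at what hour, then scores later logons by their deviation from that baseline and rolls the risk up to both the user and the host. The logon records, the score weights and the three-standard-deviation threshold are all constructed for illustration; a real platform would use many more features, a much longer training window and learned rather than hand-picked weights.

```python
"""Minimal UEBA-style behavioral baselining over constructed logon records.

Learns, per user, which hosts they normally log on to and at what hour, then
scores later events by their deviation from that baseline and aggregates the
risk per user and per host (the entity-centric view a SIEM rule lacks).
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample records (not real logs): "<ISO timestamp> <user> <host>".
# Training window: one week of ordinary activity.
BASELINE_RECORDS = [
    "2024-03-04T08:55:00 alice ws-alice-01",
    "2024-03-05T09:02:00 alice ws-alice-01",
    "2024-03-06T09:10:00 alice ws-alice-01",
    "2024-03-07T10:20:00 alice ws-alice-01",
    "2024-03-08T09:05:00 alice ws-alice-01",
    "2024-03-04T13:30:00 bob ws-bob-01",
    "2024-03-05T14:01:00 bob ws-bob-02",
    "2024-03-06T14:15:00 bob ws-bob-01",
    "2024-03-07T15:40:00 bob ws-bob-02",
    "2024-03-08T13:50:00 bob ws-bob-01",
]
# Detection window: the following Monday (also constructed).
NEW_RECORDS = [
    "2024-03-11T09:30:00 alice ws-alice-01",
    "2024-03-11T03:10:00 alice srv-finance-01",
    "2024-03-11T14:05:00 bob ws-bob-02",
    "2024-03-11T14:40:00 dave srv-finance-01",
]

HOUR_Z_THRESHOLD = 3.0  # flag logon hours more than 3 standard deviations from the mean
NEW_HOST_SCORE = 3      # weights are illustrative assumptions, not tuned values
ODD_HOUR_SCORE = 2
UNKNOWN_USER_SCORE = 5


def parse(lines):
    """Turn the whitespace-separated records into (timestamp, user, host) tuples."""
    events = []
    for line in lines:
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return events


def build_baselines(events):
    """Per user: the set of hosts seen plus mean and population stdev of logon hour."""
    hosts = defaultdict(set)
    hours = defaultdict(list)
    for ts, user, host in events:
        hosts[user].add(host)
        hours[user].append(ts.hour)
    return {
        user: {
            "hosts": frozenset(hosts[user]),
            "hour_mean": statistics.mean(hours[user]),
            "hour_stdev": statistics.pstdev(hours[user]),
        }
        for user in hosts
    }


def score_event(event, baselines):
    """Return (score, reasons) for one event measured against the user's baseline."""
    ts, user, host = event
    base = baselines.get(user)
    if base is None:
        # An account with no history at all is itself worth surfacing.
        return UNKNOWN_USER_SCORE, ["no baseline for this user"]
    score, reasons = 0, []
    if host not in base["hosts"]:
        score += NEW_HOST_SCORE
        reasons.append(f"first logon to {host}")
    # Floor the stdev at one hour so a very regular user is not flagged for a small shift.
    z = abs(ts.hour - base["hour_mean"]) / max(base["hour_stdev"], 1.0)
    if z > HOUR_Z_THRESHOLD:
        score += ODD_HOUR_SCORE
        reasons.append(f"logon at {ts.hour:02d}:00 is {z:.1f} sd from usual {base['hour_mean']:.0f}:00")
    return score, reasons


def rank_entities(events, baselines):
    """Score every event and aggregate risk per user and per host, highest first."""
    users, hosts, findings = defaultdict(int), defaultdict(int), []
    for ts, user, host in events:
        score, reasons = score_event((ts, user, host), baselines)
        if score == 0:
            continue
        users[user] += score
        hosts[host] += score
        findings.append((ts.isoformat(), user, host, score, reasons))

    def by_risk(totals):
        return dict(sorted(totals.items(), key=lambda kv: -kv[1]))

    return {"users": by_risk(users), "hosts": by_risk(hosts), "findings": findings}


if __name__ == "__main__":
    report = rank_entities(parse(NEW_RECORDS), build_baselines(parse(BASELINE_RECORDS)))
    for ts, user, host, score, reasons in report["findings"]:
        print(f"{ts} {user}@{host} risk={score}: {'; '.join(reasons)}")
    print("riskiest users:", report["users"])
    print("riskiest hosts:", report["hosts"])
```

Run as a script, it prints two findings: alice’s 03:10 logon to a host she has never used, and a logon by an account with no baseline at all. Neither would match a signature-style correlation rule, but both deviate from established behavior, and because both land on srv-finance-01 the host itself rises to the top of the host ranking, which is the “tie it to the at-risk host” step described above.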
In summary, SIEM tools continue to provide necessary and valuable security measures; however, given the complexity of new threats, UEBA has also become a necessity to address the gaps created by a constantly changing and increasingly deceptive threat landscape.