In corporate cybersecurity, UEBA (user and entity behavior analytics) systems are starting to look more like a stray bullet than a magic bullet.
Glowing endorsements marked the rise of UEBA tools, which analyze users’ actions and network activity to detect cyberthreats. “Over the next three years, leading UEBA platforms will become preferred systems for security operations and investigations at some of the organizations they serve,” Gartner and industry analyst Avivah Litan proclaimed in 2015.
UEBA systems are built on an admittedly strong premise. As they were in 2015, when UEBA took the security world by storm, insider threats continue to be businesses’ top cybersecurity challenge. UEBA’s proponents point to this as evidence that activity monitoring, not perimeter defense, is the way to catch cyber threats. Because every perimeter is eventually breached, they argue, security teams should instead pay attention to the actions of users inside the system.
By early this year, however, Litan had changed her view. Although she noted that the UEBA market has been doubling every year, she couldn’t see it gaining traction. As Litan pointed out, UEBA systems’ best features are being swallowed by their bigger brother, the SIEM (security information and event management) market. Unlike UEBA tools, SIEM systems detect cyberthreats by monitoring the network perimeter for suspicious activity.
But there’s another, more fundamental reason why UEBA never caught on, and it holds important implications for what may fill UEBA systems’ little-worn shoes.
Why UEBA Couldn’t Cut It
UEBA faces a catch-22. Such systems must be tuned by those with deep domain expertise. But only large enterprises, which are often disconnected from their own employees’ processes and workflows, can afford to purchase, implement, and maintain UEBA tools.
The result? Poorly configured UEBA systems that flag innocent users as threats. Then, sick of false positives, enterprise security teams stop using UEBA. Unfortunately, I’ve heard this story from multiple UEBA practitioners.
False positives happen because legitimate users sometimes take odd but harmless actions. Modeling capricious behavior is a fundamental IT problem. How does a non-human differentiate between the user who deleted 50 documents because the files are truly unneeded and the user who deleted them because he’s being malicious?
To their credit, UEBA vendors saw this problem coming. Their first line of attack was machine learning, but it wasn’t enough. They responded by increasing context, information about users, and accessed systems. This helped, but it was too laborious to be practical, and employees took issue with UEBA systems scooping up their social media data.
False positives aren’t just wrong; they’re expensive. Vetting suspicious activity takes time and diverts resources from actual problems. It doesn’t take many false alarms for an enterprise to look elsewhere for cybersecurity software.
If UEBA Isn’t the Answer, What Is?
As Litan predicted, SIEM vendors are already poaching UEBA’s strengths for an emerging class of systems, currently called “next-gen SIEM.” These tools don’t fit neatly into either the UEBA or SIEM categories, instead marrying each group’s best ideas and strong threat detection tools into a new, more powerful package.
Built by startups like empow and SS8 and established vendors such as Rapid7, RSA, and Symantec, next-gen SIEM systems take an “all above the above” approach to addressing UEBA’s problems.
To reduce training time, next-gen SIEM tools are preprogrammed with activity patterns captured over the past decade. In addition, they use supervised machine learning to establish a baseline of user activity for the given organization. To be fair, UEBA tools use machine learning to establish baseline activity, too, but those that I’ve seen are simplistic in their approach.
To contextually separate merely unusual from malicious activity, next-gen SIEM tools add proprietary data feeds on top of the perimeter, system, and log data of SIEM systems. Next-gen systems further reduce false negatives by using deep learning to refine their frameworks for differentiating between odd and aberrant activity. And because deep learning models learn without human input of parameters, they’re an ideal way to reduce personnel costs.
Of course, all this sounds great on paper. But because next-gen SIEM tools are so new, their approach is frankly faith-based. It remains to be seen whether they’ll have enough context and sufficiently powerful learning models to cut training time and false positives without producing false negatives.
Although UEBA hasn’t lived up to its hype, it has indisputably driven cybersecurity innovation. Next-gen SIEM systems, meanwhile, have yet to prove themselves, but they’re a promising answer to what has so far proved an intractable problem.
Next-gen SIEM may prove more successful than UEBA, but the truth is that it isn’t a magic bullet for cybersecurity, either. Every system — SIEM, UEBA, or otherwise — is built for today’s use cases, and it inevitably falls short when applied to tomorrow’s.
Still, UEBA isn’t working, and doing nothing is not an option. Next-gen SIEM represents just one route to a more secure environment; every enterprise must find its own. In cybersecurity, the only wrong answer is to not try at all.