UEBA: Artificial Intelligence Just Got Intelligent


There is a real buzz in the industry around artificial intelligence, machine learning, automated network monitoring and user & entity behaviour analytics (UEBA) at the moment.

Artificial intelligence (AI) is hardly a new concept, but, as has become the norm with any mention of anything AI related, it’s hard not to be fearful of what it actually is. Most of us growing up in the 80s and 90s can’t even think of AI without imagining Arnold Schwarzenegger’s iconic Terminator line “I’ll be back!” That famous hospital scene in Terminator 2 where, much to Sarah Connor’s horror, he actually did come back.

I’ve been investigating a lot of the solutions available in this space, as well as speaking to a lot of customers who surprisingly have concerns that almost echo the fears of Sarah Connor in that hospital. Where is this going?

First of All, What is User & Entity Behaviour Analytics (UEBA)?

Briefly, it is what it says on the tin. It is a solution set that uses advanced analytics to baseline network activity in order to identify malicious behaviour from external sources as well as insider threats. It does this by automatically learning what is normal based on typical activity and then, using proprietary algorithms, assigning risk scores to potentially malicious behaviour. Alerts are near 100% accurate, and therefore your SOC operates far more efficiently and in a more proactive manner, protecting your business before the threat becomes a major issue.

Doesn’t SIEM already do this?

Not even close. Anyone who has worked with both solutions knows there is a major difference between SIEM and UEBA. SIEM only throws up what your security team tells it to. It assumes that your security team are always aware of everything in the ever-evolving threat landscape and are able to configure the product to alert when any one of those threats occurs. Don’t even get me started on the thousands of false positives created for what is potentially NORMAL activity; the drain this has on security resources can be harmful to your strategy.

UEBA is signature-less and doesn’t require human-input thresholds. It simply learns what is normal activity, taking feeds from all of your applications (or in some cases, just network traffic), and only tells you when something genuinely malicious has occurred. Don’t worry though, your huge investment in SIEM hasn’t been a complete waste. SIEM serves a huge purpose in centralising your security events for monitoring and alerting. It just requires extra assistance to make it a lot more efficient. Take HANDD partner Securonix (UEBA) for example: it can take a feed from your existing SIEM solution, or replace SIEM entirely, to create a more efficient, proactive breach monitoring solution.

If, for example, someone accesses a job site, that in itself may not be a threat in isolation and would go under SIEM’s radar. Securonix’s Security Analytics Platform can let you know from its DLP feed that this same user has also downloaded your entire customer database and then tried to email it out or save it to USB. This raises the risk score, as you now have a potential flight risk and a genuine insider threat.
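As an added illustration of the risk-score aggregation just described (a constructed example, not Securonix’s or any vendor’s algorithm): each feed on its own contributes a weak signal, a per-user baseline decides whether a download is anomalous, and only the combination of signals crosses the alert threshold. The weights, the seven-day baseline window and the threshold are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample data: a week of per-user daily download volume (bytes) acts
# as the learned baseline, and TODAY_EVENTS are the day's records from three feeds.
BASELINE_DAILY_BYTES = {
    "alice": [1.2e6, 0.9e6, 1.5e6, 1.1e6, 1.3e6, 1.0e6, 1.4e6],
    "bob":   [2.0e6, 2.2e6, 1.8e6, 2.1e6, 2.3e6, 1.9e6, 2.0e6],
}
TODAY_EVENTS = [
    {"user": "alice", "feed": "proxy", "category": "jobsearch"},
    {"user": "alice", "feed": "dlp", "bytes": 850e6, "label": "customer_db"},
    {"user": "alice", "feed": "mailgw", "action": "send_external", "attachment": "customer_db"},
    {"user": "bob",   "feed": "proxy", "category": "jobsearch"},
    {"user": "bob",   "feed": "dlp", "bytes": 2.1e6, "label": "expense_report"},
]

def volume_zscore(user, today_bytes):
    """Standard deviations by which today's download volume exceeds the user's own baseline."""
    hist = BASELINE_DAILY_BYTES[user]
    mean, stdev = statistics.mean(hist), statistics.pstdev(hist)
    return (today_bytes - mean) / stdev if stdev else 0.0

def score_user(user, events):
    """Aggregate weak signals from separate feeds into one risk score for a user.

    Assumed weights: a job-site visit alone is low risk (10); a download that is
    anomalous against the user's baseline adds 40; an outbound transfer attempt
    via mail gateway or USB adds 30. Only the combination reaches the threshold.
    """
    score, reasons = 0, []
    for e in events:
        if e["feed"] == "proxy" and e.get("category") == "jobsearch":
            score += 10; reasons.append("job-site visit")
        elif e["feed"] == "dlp" and volume_zscore(user, e["bytes"]) > 3:
            score += 40; reasons.append(f"download of {e['bytes']/1e6:.0f} MB vs baseline")
        elif e["feed"] in ("mailgw", "usb"):
            score += 30; reasons.append(f"exfil attempt via {e['feed']}")
    return score, reasons

def evaluate(events, alert_threshold=60):
    """Return {user: (score, reasons, alert)} for every user seen in the events."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    result = {}
    for user, evs in by_user.items():
        score, reasons = score_user(user, evs)
        result[user] = (score, reasons, score >= alert_threshold)
    return result
```

Running `evaluate(TODAY_EVENTS)` alerts on alice (job-site visit, anomalous download and external send combine to 80) while bob, whose download sits within his own baseline, stays at 10 and raises nothing.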

Cyglass takes a slightly different approach, monitoring network traffic in order to detect rogue behaviour. This is a subtle difference in the way Cyglass works in this space: it monitors network traffic between applications and endpoints. It understands roles through Active Directory integration and looks at connections between devices on the LAN and WAN to detect rogue activity. It doesn’t monitor the feeds from SIEM, DLP or your mail gateway to aggregate the risk; it looks purely at the traffic and with whom communications are taking place. Cyglass is proven military-grade technology that can support cloud-based analytics as well as on-premises deployment.

SIEM is prone to human error and to information overload from unimportant alerts. This can be a massive burden, as it requires expensive security experts to waste thousands of man-hours sifting through millions of largely pointless alerts to find the one threat to act upon. Even then there is no guarantee that they find the threat, and certainly not any time soon. Not only does UEBA throw up genuine alerts with a greater degree of accuracy, but most solutions have also developed (or are developing) ways of automating the shutdown of malicious activity, nipping the problem in the bud in near real time before your security team finishes their coffee. Darktrace have stolen a march by launching their Antigena product, which replicates the “human immune system by creating digital antibodies” to shut down malicious connections. This massively reduces the time frame in which your security team responds to threats, which in turn can help support GDPR breach notification requirements.

Market leaders Forcepoint have also made a huge investment in their security offering with the transfer of SureView from Raytheon to become “Forcepoint Insider Threat”. Taking feeds from their existing DLP platform, their march towards a “single pane of glass” to monitor insider threats has taken huge steps forward in recent months.

HANDD security partner Microsoft have also emphasised the importance of artificial intelligence with the inclusion of their Advanced Threat Analytics (ATA) component in their recently launched Enterprise Mobility Suite.

Sounds like I am going to be making a lot of skilled people redundant?

Not at all; this shouldn’t be a fear for anyone working in security. I was recently speaking at a round table event to representatives from most of the UK’s leading banks. It appears that one of the most critical shared concerns is the lack of resource and shortfall of skill available in the security industry. With UEBA you are not saying “let’s replace all the people”, quite the opposite. You are freeing them up to concentrate on doing the things that humans need to do: work on the security strategy, apply patches, fix vulnerabilities, respond to threats, train, skill up, etc. UEBA can and will help address some of that shortfall, all the while adding the extra efficiency required to bolster your defence capabilities. Skilled security people are in demand; allow them to do the jobs they were meant to do.

Artificial intelligence and skilled people are your most important tools in the war on cyber crime. Allow them both to do the job they were designed to do by complementing each other, and enable your security strategy to run with far more efficiency than ever before.

I have been studying and advising clients on the immediate impact that advanced threat analytics can have on their business productivity for more than 2 years now. HANDD have been pioneers in taking this message to the market and are the leading experts in UEBA and advanced threat analytics. We have delivered solutions to more than 500 customers in 27 countries including 45% of the FTSE 100 and 8 of the largest banks in the world.

Danny Maher – Chief Technology Officer – HANDD

HANDD are independent specialists in global data security, and work with some of the leading vendors in the security market. Established 10 years ago, our goal is to provide customers with industry leading solutions that analyse and protect data through every aspect of its journey.