Anyone who has worked long enough in the data analytics and high-tech industries will have a favorite story about some new technology that was subjected to a degree of hype so great it could never measure up.
Typically, these technologies flame out quickly (fuzzy logic or Google Glass, anyone?). Others, like artificial intelligence (AI), have had seesawing fortunes spanning decades — initially subject to the loftiest expectations only to be followed by severe disillusionment as physical, technical or other limitations became apparent.
Within the sub-domain of AI for security, a collection of technologies known as user behavior analytics (UBA) is now enjoying its own moment of high expectations, much as security information and event management (SIEM) systems did about a decade ago.
UBA differs from SIEM in that it does not merely aggregate and correlate events and alerts from different sources. It applies a combination of AI and analytical approaches, including rules, pattern matching and statistical methods as well as supervised and unsupervised machine learning, to establish baselines of how users, systems, networks and devices typically behave, then flags significant deviations from those baselines and sends them to security teams for further investigation.
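The baseline-then-deviation step described above, reduced to its simplest working form. This is an added example written for this page, not code from any UBA product: it learns a per-user baseline (hours of activity, source hosts, and a robust median/MAD centre and spread for bytes transferred) from a constructed training window of log lines, then scores a second constructed window. The log format, weights, cut-offs and alert threshold are all assumptions, and a user with no learned baseline is reported as such rather than scored against nothing.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real telemetry). The first set is the
# training window used to learn baselines; the second is the window scored.
BASELINE_LOGS = """\
2017-09-18T09:05:12 user=alice src=10.1.1.5 bytes_out=1180
2017-09-18T14:22:40 user=alice src=10.1.1.5 bytes_out=1420
2017-09-19T09:11:03 user=alice src=10.1.1.5 bytes_out=1250
2017-09-19T16:40:51 user=alice src=10.1.1.5 bytes_out=1310
2017-09-20T10:02:17 user=alice src=10.1.1.5 bytes_out=1090
2017-09-20T15:13:29 user=alice src=10.1.1.5 bytes_out=1530
2017-09-21T09:45:00 user=alice src=10.1.1.5 bytes_out=1375
2017-09-18T08:50:10 user=bob src=10.1.2.9 bytes_out=2100
2017-09-19T09:30:44 user=bob src=10.1.2.9 bytes_out=1950
2017-09-20T11:05:36 user=bob src=10.1.2.9 bytes_out=2300
2017-09-21T10:15:08 user=bob src=10.1.2.9 bytes_out=2050
2017-09-21T17:02:58 user=bob src=10.1.2.11 bytes_out=2400
"""
SCORING_LOGS = """\
2017-09-25T10:12:31 user=bob src=10.1.2.9 bytes_out=2150
2017-09-25T03:07:19 user=alice src=203.0.113.77 bytes_out=250000
2017-09-25T09:40:02 user=alice src=10.1.1.5 bytes_out=1290
2017-09-25T13:55:47 user=carol src=10.1.3.2 bytes_out=900
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) bytes_out=(?P<bytes>\d+)$")

# Assumed weights and thresholds; a deployed system would tune these per tenant.
WEIGHT_UNUSUAL_HOUR = 1.0
WEIGHT_NEW_SOURCE = 1.0
MAX_VOLUME_WEIGHT = 10.0   # cap so one huge transfer cannot swamp the score
VOLUME_Z_CUTOFF = 3.5      # robust z-score above which volume is anomalous
ALERT_THRESHOLD = 2.0      # roughly two independent anomalies before paging


def parse_logs(text):
    """Parse lines into event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                       "user": m["user"], "src": m["src"], "bytes": int(m["bytes"])})
    return events


def build_baselines(events):
    """Per user: hours and source hosts seen, plus median/MAD of bytes_out."""
    per_user = defaultdict(lambda: {"hours": set(), "srcs": set(), "bytes": []})
    for e in events:
        b = per_user[e["user"]]
        b["hours"].add(e["ts"].hour)
        b["srcs"].add(e["src"])
        b["bytes"].append(e["bytes"])
    baselines = {}
    for user, b in per_user.items():
        med = statistics.median(b["bytes"])
        mad = statistics.median([abs(x - med) for x in b["bytes"]])
        baselines[user] = {"hours": b["hours"], "srcs": b["srcs"], "median": med, "mad": mad}
    return baselines


def robust_z(x, median, mad):
    """Median/MAD z-score: less distorted by outliers than mean/stdev.
    A zero MAD (identical baseline values) makes any deviation infinite."""
    if mad == 0:
        return 0.0 if x == median else float("inf")
    return (x - median) / (1.4826 * mad)


def score_event(event, baselines):
    """Verdict for one event against its user's baseline."""
    base = baselines.get(event["user"])
    if base is None:
        return {"user": event["user"], "status": "no_baseline", "score": 0.0, "reasons": []}
    score, reasons = 0.0, []
    if event["ts"].hour not in base["hours"]:
        score += WEIGHT_UNUSUAL_HOUR
        reasons.append("unusual_hour")
    if event["src"] not in base["srcs"]:
        score += WEIGHT_NEW_SOURCE
        reasons.append("new_source")
    z = robust_z(event["bytes"], base["median"], base["mad"])
    if z > VOLUME_Z_CUTOFF:
        score += min(z, MAX_VOLUME_WEIGHT)
        reasons.append("volume")
    status = "alert" if score >= ALERT_THRESHOLD else "normal"
    return {"user": event["user"], "status": status, "score": score, "reasons": reasons}


def run(baseline_text, scoring_text):
    baselines = build_baselines(parse_logs(baseline_text))
    return [score_event(e, baselines) for e in parse_logs(scoring_text)]


if __name__ == "__main__":
    for verdict in run(BASELINE_LOGS, SCORING_LOGS):
        print(verdict)
```

On the constructed data only the 03:07 event from an unfamiliar host with a 250 KB transfer crosses the threshold; the single-anomaly and unknown-user cases show why a threshold above one weak signal, and an explicit "no baseline" state, matter for alert volume.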
Gartner industry analysts in particular have spent lots of time thinking about UBA. They note that UBA tools hold several key advantages over SIEM for applications like insider threat detection, credential abuse, account takeovers and IP/data loss prevention. First, they detect threats better (and detect ‘better’ threats) than SIEM tools; second, they analytically decide what matters, then boost those signals while minimizing the ‘noise’; and third, they solve some security problems with less expert labor.
That said, analysts from Gartner as well as from Forrester Research and Enterprise Security Group (ESG) also are mindful of lingering UBA weaknesses, including:
- There are some so-called ‘black swan’ events that a UBA system won’t find because they don’t resemble past events.
- AI-based UBA approaches are good at detecting anomalous behavior, but anomalous is not the same as malicious: they also surface plenty of unusual-but-benign activity that analysts must spend time chasing down, only to discover it was a ‘false positive.’
- Not all organizations have in place the kinds of human expertise required to run a UBA system properly; in particular, many lack data scientists.
- Network data is not enough to find insider threats and other malicious actors; businesses need additional context from non-IT data sources like personnel files, travel records and employment histories.
- Obtaining all that new data and getting it cleaned and integrated properly is not easy, for a variety of organizational and technical reasons.
These firms are in general agreement that UBA won’t replace human analysts any time soon — instead, it should be seen as making them more effective and less prone to alert fatigue. They also tend to agree that SIEM is not going away, and in many cases should be viewed as complementary to UBA. The best UBA systems, one analyst notes, make SIEM ‘smarter’ by focusing on analyzing streaming and batch data rather than on rules.
They do differ, though, on the issue of whether UBA is a passing fad. Some think UBA will be dead as a standalone market category in five years, transformed into next-gen SIEM or folded into adjacent security markets such as endpoint security, identity and access management and data loss prevention, where advanced analytics and behavioral profiling will help these products lower alert volumes while producing more accurate and actionable high-priority alerts.
My experience tells me that the UBA market, like that for SIEM and other technologies before it, won’t die but will certainly evolve as time goes by. (One ESG analyst called this progression “innovative flux.”) I’m not talking only about inevitable industry churn prompted by corporate bankruptcies and acquisitions (which is already starting to happen), or newly coined buzzwords, but a progression of new techniques and technologies as well.
It also matters that user behavior analytics has already produced successes against some of the security community’s toughest challenges. For instance, encoding whole-person behavior into probabilistic models and then running a diverse array of network and non-network data sets through the model nodes is a UBA approach that has been shown to drastically reduce alert fatigue while prioritizing real risks to an organization, easing the strain on already overworked SOC analysts and letting them focus on the risks that really matter. It also addresses most of the other UBA weaknesses listed above.
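What "a probabilistic model fed by network and non-network data" can look like at its simplest, as an added example for this page rather than any vendor's implementation: a naive-Bayes-style log-odds score in which each UBA signal carries an assumed likelihood ratio, and HR context (approved travel, job role, a filed resignation) either explains a signal away or adds evidence of its own. The users, signals, context records, likelihood ratios and tier cut-offs are all constructed; the function can be run with context switched off to see how many more users would otherwise land in the investigation queue.

```python
import math
from datetime import date

# Assumed likelihood ratios: how much more likely each signal is for a risky
# insider than for a benign user. Illustrative, not measured; a real model
# would estimate them from labelled history.
SIGNAL_LR = {"foreign_login": 8.0, "bulk_export": 6.0, "after_hours_login": 3.0}
RESIGNATION_LR = 5.0        # an HR record that is itself evidence
PRIOR = 1 / 1000            # assumed base rate of risky insiders
TIERS = [("high", 0.05), ("medium", 0.005)]   # posterior cut-offs, assumed

# Constructed UBA signals (user, signal, date) and non-IT context records.
SIGNALS = [
    ("alice", "foreign_login", date(2017, 9, 25)),
    ("alice", "bulk_export", date(2017, 9, 25)),
    ("bob", "foreign_login", date(2017, 9, 25)),
    ("carol", "bulk_export", date(2017, 9, 25)),
    ("dave", "after_hours_login", date(2017, 9, 25)),
]
CONTEXT = {
    "alice": {"resignation_filed": date(2017, 9, 20)},
    "bob": {"travel": [(date(2017, 9, 23), date(2017, 9, 29))]},
    "carol": {"role": "data_engineer"},
    "dave": {},
}


def signal_lr(signal, when, ctx):
    """Likelihood ratio for one signal, discounted when context explains it."""
    if signal == "foreign_login" and any(s <= when <= e for s, e in ctx.get("travel", [])):
        return 1.0   # approved travel: the foreign login carries no evidence
    if signal == "bulk_export" and ctx.get("role") == "data_engineer":
        return 1.5   # large exports are routine for this role
    return SIGNAL_LR[signal]


def posterior(user, signals, ctx, use_context=True):
    """P(risky | evidence) under naive-Bayes independence, accumulated in
    log-odds so many weak signals combine without underflow."""
    log_odds = math.log(PRIOR / (1 - PRIOR))
    for u, sig, when in signals:
        if u != user:
            continue
        lr = signal_lr(sig, when, ctx) if use_context else SIGNAL_LR[sig]
        log_odds += math.log(lr)
    if use_context and "resignation_filed" in ctx:
        log_odds += math.log(RESIGNATION_LR)
    return 1.0 / (1.0 + math.exp(-log_odds))


def tier(p):
    for name, cutoff in TIERS:
        if p >= cutoff:
            return name
    return "low"


def rank_users(signals, context, use_context=True):
    """(user, posterior, tier) for every known user, highest risk first."""
    users = sorted({u for u, _, _ in signals} | set(context))
    rows = []
    for u in users:
        p = posterior(u, signals, context.get(u, {}), use_context)
        rows.append((u, p, tier(p)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for with_ctx in (False, True):
        print("with HR context" if with_ctx else "network signals only")
        for user, p, t in rank_users(SIGNALS, CONTEXT, with_ctx):
            print(f"  {user:<6} p={p:.4f} {t}")
```

With network signals alone, three of the four constructed users reach the medium tier; once travel records, role and the resignation notice are folded in, only the user whose signals remain unexplained, and who has an HR indicator on top, rises to high while the other three fall to low. That is the prioritization effect the paragraph describes, and it depends entirely on the context data being available and clean.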
There’s always room for improvement, of course, but if we prematurely write UBA’s obituary I believe we run the risk of overlooking some very real existing achievements — and others that are not too far over the horizon.
# # #
Note: A version of this article first appeared in CSO Online on September 28, 2017.