Feel like your phone knows you better than you know yourself? Your streaming service recommends your next movie. Shopping sites predict the look you’re going for or the book you’ll love before you have time to consider it. Social media clinches hours of your attention by parading the content that keep you saying “just one more.”
It's not magic. It’s User and Entity Behavior Analytics (UEBA), a technology that examines large data sets with Artificial Intelligence-based algorithms. Essentially, UEBA gets to know you (and every other user) intimately by analyzing your behavior and tailoring expectations accordingly. More likely to buy a pair of fun shoes on Friday, or a self-help book the night your favorite team won? Noted…perhaps not by you, but certainly by UEBA.
UEBA is good for more than just shopping and social media, though. It can protect you against catastrophic cyberattacks.
UEBA clocks not just people, but also devices, networks, apps, and other tools, constructing a complex picture of what normal function looks like for your system. When behavior strays away from normal, it kicks out a risk-based, prioritized alert for human follow-up.
Splunk User Behavior Analytics (UBA) applies that approach to a Splunk environment, working hand-in-glove with Splunk Enterprise Security to attain the highest level of protection. Most importantly, it offers early detection of insider threats, whether they be malware that has wormed into your system, uncareful users, or bad actors inside your organization. When things start to get strange, Splunk UBA can detect it.
The power of Splunk UBA comes from its detailed picture of what’s normal for each element of a system. It knows, for example, when each user typically logs into their system. If that’s during standard workdays Monday through Friday, then the UBA will consider a 3am weekend ping anomalous. Depending on a number of factors, it may send an alert to administrators, temporarily disable the user’s permissions, or automatically lock down certain parts of the network in order to prevent harmful action.
According to Verizon’s 2022 Data Breach Investigations Report, 82% of breaches that year involved humans. Social attacks, mistakes, and deliberate misuse aren’t things that enterprise security is generally built to protect against. Those insider threats require an always-on detection platform that ingests the largest of data sets and understands it intricately.
How large are those data sets, you ask? Depends on the system, but they include a wide range of sources, such as
- Security products like VPNs and firewalls
- Web gateways
- Malware detection products
- Endpoint application and security logs
- Cloud applications
UBA pays attention to pretty much any infrastructure that generates machine data within your environment. As it detects possible data exfiltration attempts or protocol violations, it triages them, setting up visualizations and informing security personnel in a standard workflow.
In an enterprise security deployment, Splunk UBA automatically pushes threat information into Splunk Enterprise Security. As it identifies notable events, Splunk UBA contributes to a comprehensive understanding of your system’s security, including the Splunk ES Risk Scoring Framework and Splunk ES Incident Review workflow for threat management.
Your system’s data is valuable. Not just to you, but to your adversary, too. Facing reality means recognizing that not all threats come from outside: nefarious or negligent employees, or code that snuck in and now operates from within your walls are grave hazards, too. Splunk UBA helps find them – before the damage is done.
If you’re ready to learn more about how to keep your data safe, let’s talk.
