UBA solutions – can they really connect the dots?
Many security companies today claim to hold the holy grail of security big data: the ability to boil every security data point down, through highly advanced and sophisticated algorithms, into useful and powerful insights that actually help organizations against adversaries.
While I'm sure they have great data scientists and innovative concepts for their UBA, whether it sits on the SIEM layer or works through network forensics, there are a few pitfalls no one will tell you about unless you know your way around…
Looking for an adversary, be it a malicious insider or an external hacker, in the piles of data that WAFs, DAMs and other feeds pour into the SIEM is like trying to find a bank robber, after he has already left with the money, by listening to every phone call made in the city at the time of the robbery.
Data is important – context is even more so
To understand the real threats, a good solution must have the full contextual information:
Without all three, UBA solutions will continue to claim they understand what is going on, and the false positive ratio will remain high.
Want to know who is about to rob a bank? You must watch everyone entering the bank, track those carrying a weapon or other means, and, to prevent a robbery in real time, be able to reconcile what any person asks of the cashier with what they actually have available: full contextual understanding of the course of events as they take place.
It is just the same with your assets and sensitive information: a proper UBA solution must know which user accesses which data or application, and connect all the dots to form the correct picture.
Lack of visibility into the actual data requests and transactions, which today exist only in some of the logs, and only in a fragmented and obscure way, results in a high number of false positives, which in turn means SOC teams are busy cleaning them up rather than addressing actual vulnerabilities.
Monitoring vs. Prevention
MONITORING IS SIMPLY NOT ENOUGH!
LACK OF PREVENTION CAPABILITIES IS ONE OF THE MAJOR DRAWBACKS OF MOST UBA SOLUTIONS.
Discovering an incident after the fact is basically like having a monitor outside a stable that tells you all the horses are out, and you have just lost your entire herd.
A proper UBA solution must be able to stop a breach as it happens or, better yet, prevent it from happening altogether. Having the means and the tools to do so is crucial!
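To make both points concrete, the "connect the dots" argument above and the monitoring-versus-prevention argument here, the following is an added example, not code from the original post or from any UBA product. It joins three constructed feeds (an identity feed giving each account's role, an application session log, and a DAM feed of SQL requests) so that every database request is attributed to a user and a role, then compares a context-free volume rule against a context-aware entitlement check. All user names, roles, tables, session ids, the entitlement model and the row threshold are hypothetical, and the table extraction is a deliberately simple regex standing in for a real SQL parser.

```python
"""Added example: reconstructing 'who asked the database for what' from fragmented feeds.

Constructed sample data only (no real product, customer or incident). The
identity feed, session log, DAM events, entitlement model and threshold are all
hypothetical and exist to show why context, not volume, separates a real
incident from a false positive.
"""
import re
from typing import Optional

# --- constructed feeds ------------------------------------------------------
# Identity/HR feed: which account is this, and what is it supposed to do?
USERS = {
    "alice": {"role": "finance_analyst"},
    "bob": {"role": "helpdesk"},
}

# Hypothetical entitlement model: role -> tables that role may legitimately query.
ENTITLEMENTS = {
    "finance_analyst": {"ledger", "invoices"},
    "helpdesk": {"tickets"},
}

# Application session log: session id -> user and application.
SESSIONS = [
    {"session": "s-101", "user": "alice", "app": "erp"},
    {"session": "s-102", "user": "bob", "app": "erp"},
]

# DAM feed: the actual requests each session made and how many rows came back.
# s-999 has no matching session record, a typical gap when feeds are fragmented.
DAM_EVENTS = [
    {"session": "s-101", "sql": "SELECT * FROM ledger WHERE period='2023-12'", "rows": 48000},
    {"session": "s-102", "sql": "SELECT id, subject FROM tickets WHERE owner='bob'", "rows": 12},
    {"session": "s-102", "sql": "SELECT name, ssn FROM customers LIMIT 100", "rows": 100},
    {"session": "s-999", "sql": "SELECT * FROM ledger", "rows": 3},
]

ROWS_THRESHOLD = 10000  # hypothetical 'large result set' threshold for the naive rule

_TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def table_of(sql: str) -> Optional[str]:
    """Return the first table named after FROM. A real DAM parses SQL properly;
    this regex is only enough for the constructed statements above."""
    m = _TABLE_RE.search(sql)
    return m.group(1).lower() if m else None


def correlate(dam_events, sessions, users):
    """Join each DAM event to its session and identity context (the 'dots')."""
    by_session = {s["session"]: s for s in sessions}
    enriched = []
    for ev in dam_events:
        sess = by_session.get(ev["session"])
        user = sess["user"] if sess else None
        role = users.get(user, {}).get("role") if user else None
        enriched.append({
            **ev,
            "user": user,
            "app": sess["app"] if sess else None,
            "role": role,
            "table": table_of(ev["sql"]),
        })
    return enriched


def naive_alerts(enriched):
    """Context-free monitoring rule: alert on result-set size alone.
    Fires on the analyst's legitimate month-end report and misses the
    100-row pull of customer SSNs by a helpdesk account."""
    return [e["session"] for e in enriched if e["rows"] > ROWS_THRESHOLD]


def contextual_decisions(enriched, entitlements):
    """Context-aware decision per request. Because it needs only the request
    and the joined identity context, the same function can run inline before
    the query executes (prevention) or over the log afterwards (monitoring).
    Missing context fails closed rather than silently allowing."""
    decisions = []
    for e in enriched:
        allowed = entitlements.get(e["role"], set())
        if e["role"] is None or e["table"] is None:
            verdict, reason = "deny", "no identity context or unparsable query"
        elif e["table"] in allowed:
            verdict, reason = "allow", "within entitlement"
        else:
            verdict, reason = "deny", f"{e['role']} not entitled to {e['table']}"
        decisions.append({
            "session": e["session"], "user": e["user"], "table": e["table"],
            "verdict": verdict, "reason": reason,
        })
    return decisions


if __name__ == "__main__":
    enriched = correlate(DAM_EVENTS, SESSIONS, USERS)
    print("naive alerts:", naive_alerts(enriched))
    for d in contextual_decisions(enriched, ENTITLEMENTS):
        print(d)
```

The volume rule alerts on the one legitimate large query and stays quiet on the helpdesk account reading customer SSNs; the contextual check does the opposite, and because it decides per request it can sit in front of the database as an allow/deny gate instead of producing a ticket after the rows have already left.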