SIEM+UBA leaves false sense of security
Don’t be fooled: adding UBA to SIEM still leaves hackers and malicious insiders undetected
In a nutshell, SIEM collects network signals, DLP-detected malware, and application logs. Adding User Behavior Analytics (UBA) to solutions that rely only on that existing context therefore cannot cover your blind spots, and security breaches go undetected.
Malicious insiders and hackers are like ghosts: their fingerprints are neither detected nor captured by any security sensor (firewalls, DLP, WAF, DAM, application logs). Malicious insiders use valid application credentials, abusing the privileges they have legitimately been granted. Similarly, hackers use stolen user credentials from legitimate user devices during standard working hours, leaving no trace. Applying machine learning and algorithms that only a PhD can understand therefore cannot change the fact that there is NOTHING visibly out of the ordinary in the data. This is why almost all attacks are identified after the fact, by sources external to the organization, and why more context/data is the answer, not more complex analytics and machine learning algorithms.
For comparison, another area where a huge analytics and predictive effort has been invested is weather forecasting. After billions invested, the result is that weather cannot be accurately forecast more than 5 days ahead. This is not for lack of resources or human effort but for lack of relevant context. I can predict tomorrow’s weather well because I have good context (today’s weather). As the relevance of the context decreases, so does the accuracy of my predictions.
The same goes for detecting breaches. The sensors are blind to identity hijacking, “man-in-the-browser” attacks, malicious insiders, and the like, so the UBA that analyzes those sensors’ data is blind to them too. Months or even years of learning will not help. While UBA solutions are decent at reducing false-positive alerts, they are blind to these attacks because the sensors are also blind.
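To make the blind spot concrete, here is an added illustration (constructed for this page, not any vendor's code) of a UBA-style baseline built only from what an application log records: user, device, login hour and application. A stolen session that reuses the legitimate user's own device during her normal hours scores exactly like the user herself, while a benign late-night login from a new device is the one that gets flagged. All names, devices and events are constructed sample data.

```python
"""Constructed UBA-style scoring (not a vendor's code): a baseline built only
from what the application log records, applied to new login events."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class AuthEvent:
    user: str
    device: str   # device identifier as the application sees it
    hour: int     # local hour of the login, 0-23
    app: str      # application the credential was used against

# Constructed 20-day baseline: alice uses payroll from her laptop at 08-10h.
BASELINE = [AuthEvent("alice", "lt-alice-01", 8 + (d % 3), "payroll") for d in range(20)]

def build_profile(events):
    """Summarise everything the sensor data knows about one user."""
    hours = [e.hour for e in events]
    return {"devices": Counter(e.device for e in events),
            "apps": Counter(e.app for e in events),
            "hour_mean": mean(hours), "hour_sd": pstdev(hours)}

def anomaly_score(event, profile):
    """Number of logged features outside the baseline; 0 means the log
    holds nothing that separates this event from the user's own activity."""
    score = 0
    if event.device not in profile["devices"]:
        score += 1
    if event.app not in profile["apps"]:
        score += 1
    if abs(event.hour - profile["hour_mean"]) > 2 * max(profile["hour_sd"], 0.5):
        score += 1
    return score

PROFILE = build_profile(BASELINE)
# Constructed test events: alice herself, a stolen session riding her own
# device during her normal hours, and alice legitimately working late.
LEGIT = AuthEvent("alice", "lt-alice-01", 9, "payroll")
HIJACKED = AuthEvent("alice", "lt-alice-01", 9, "payroll")
LATE_NIGHT = AuthEvent("alice", "home-tablet", 23, "payroll")

def compare():
    """Scores for (legit, hijacked, late-night): the hijacked session is
    indistinguishable from alice, while the benign late login is flagged."""
    return (anomaly_score(LEGIT, PROFILE), anomaly_score(HIJACKED, PROFILE),
            anomaly_score(LATE_NIGHT, PROFILE))
if __name__ == "__main__":
    print(compare())  # (0, 0, 2)
```

Longer learning periods only tighten the same baseline; they add no feature that the sensors never recorded in the first place.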
Facts that support this claim:
1. UBA vendors have openly stated that they require almost a year in learning mode to detect abnormal behavior. This means they have a “data-context” problem: the lack of real context is what forces them to learn for so long.
Would you rely on a solution that delivers value perhaps a year from now, while your applications remain exposed in the meantime?
2. UBA does not offer prevention capabilities that stop hackers in their tracks before damage occurs. There is simply too much clutter and too many false positives to allow it.
3. UBA does not claim they can stop malicious insider attacks.
If the identity-hijacking, man-in-the-browser and credential-theft attacks of hackers are identical in behavior to a malicious insider’s attack, why doesn’t UBA protect us from both? Or can it protect us from neither?
Where there is a void of context, analytics is not the answer. Therefore, putting UBA on top of SIEM will not provide that context needed to protect your enterprise applications and sensitive data from malicious insiders and hackers.