The UEBA Evolution: You Gotta Be a Wolf to Catch Coffee

Posted on by Ryan Stolte

I’d like to submit that the heyday of User and Entity Behavior Analytics (UEBA) technology is upon us, despite many preconceived notions.

Coming from the CTO of a vendor that plays in this space, that claim shouldn’t surprise you; however, if you care to read on, I feel that I can make a pretty good case.

To be fair, the first generation of UEBA security products delivered some immediate value, yet also left a fair amount of room for further innovation. This isn’t uncommon when you consider other segments, for instance DLP and SIEM; there was simply more work to be done to build something that could deliver more targeted results.

In the case of UEBA, as with these other examples, the trick was creating output that optimized the expenditure of security manpower and resources, rather than something that generated more data and more complexity to go with it. The first generation of products came up a little short on that end.

If you know anything about the history of UEBA, you know that you’ve been engaging with this manner of analytics for nearly as many years as you’ve been using the Internet. It’s well established that e-commerce companies like Amazon and eBay were among the leaders in deducing what you liked, based on behaviors on their websites, and then recommending other items that you might want to order.

Using this model, the analytics at the core of early UEBA products were born. Take a huge database of relevant information and begin throwing algorithms at it to give customers the optimal experience. Businesses have been perfecting this approach for decades, and e-commerce offered the best opportunity yet to profile and then refine sales processes.

Related to cyber security, roughly a decade ago, practitioners found themselves in a tricky, yet promising situation. We had concluded that insider threats represented a huge gap in our ability to address data breaches. This was daunting. On the upside, however, we had also been collecting huge amounts of highly relevant user activity data for ages, mostly for compliance purposes.

It made perfect sense to co-opt some of the same technology being used to make retail recommendations and apply those analytics to sorting through our mountains of log data, to help identify problematic activities that represented real-world threats.

However, the fit was not exactly efficient. False positives abounded, and those first-generation UEBA technologies struggled to cut through the noise.

In my opinion, the best consumer user behavior technologies on the market today are those used by entertainment services such as Netflix and YouTube. These companies are recognized for achieving amazing success in gauging precisely the next piece of content that their customers want to consume. Netflix has even started making a lot of it. Pretty impressive.

If I were to pick two movies that highlight the how and why of the UEBA evolution – essentially how the technology must evolve to provide far more useful results, and why you should believe what I’m telling you – I’d pick two business and security classics, respectively: “Glengarry Glen Ross” and “Training Day”.

OK, so I’m dating myself a bit here and there are actual cyber-related productions that may be relevant, but these older examples are well travelled and fit the bill nicely.

First of all, to be useful to anyone, UEBA solutions must provide the correct package of results. As we all know from Mamet’s classic treatise on sales, “Coffee is for closers”. In “Glengarry Glen Ross”, it’s all about those leads, and with UEBA it’s much the same. False positives have to be massively reduced. We have to refine the models, and employ stronger machine learning to do so.

Secondly, to achieve this goal, you have to know who your audience is, your consumer. As Denzel Washington’s character Alonzo teaches us in “Training Day” - “You gotta be a wolf to catch a wolf”. You may disagree with Alonzo’s interpretive methods of police work, but the concept fits here as well.

If UEBA results aren’t tailored correctly to suit today’s practitioners [most of whom are retired military and law enforcement, not “traditional” IT security pros], then the output produced isn’t going to have the desired impact. The results must be in those responders’ language, providing a complete package of data that they can use to immediately know who they must investigate. Taking it one step further, UEBA technologies must learn from those responders and become smarter based on which types of behavioral profiles are repeatedly investigated.

In fact, this is actually what is going on today, and it’s why UEBA is catching fire in the security community.

Not only did the technologies need to provide a smaller number of higher-quality leads in terms of which incidents organizations should actually investigate, they also had to adapt to more closely fit the language and workflows of the people who perform the investigations.

And on the overwrought concept of machine learning – which has regrettably been overused in the marketing of analytics in general, yet must apply in this space – “adaptive” is just the right concept. Specifically, adaptive machine learning, in the form of both unsupervised and reinforcement learning, is precisely what is needed for UEBA solutions to get markedly better.

Unlike early UEBA solutions, the current and future state of the art is technology that truly adapts to account for what represents a “hit” in terms of nefarious activities and what does not. We have to become more responsive to user input and vastly improve the signal-to-noise ratio of alerts, providing the specific package of results required by the people doing the legwork, in the exact language they speak.
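The adaptive loop described above, as an added example that is not part of the original post and not Bay Dynamics’ code: each user is scored against their own history (the unsupervised part), and analyst dispositions reweight which kinds of deviation count toward the score (the reinforcement part), so profiles that keep getting confirmed rise in the queue and profiles that keep getting dismissed sink. All user names, feature values, the feature set, the learning rate and the dispositions are constructed for illustration.

```python
"""Adaptive alert ranking for UEBA (illustrative, constructed data).

Score each user against their own baseline, then let analyst dispositions
reweight which kinds of deviation matter."""
from statistics import mean, pstdev

# Assumed daily features per user: event count, fraction of activity off-hours,
# distinct hosts touched. Real UEBA products use far richer feature sets.
FEATURES = ("events", "off_hours", "hosts")
Z_CAP = 10.0           # cap for a feature whose history never varied (stdev 0)
LEARNING_RATE = 0.5    # how strongly one disposition moves the weights
MIN_W, MAX_W = 0.1, 5.0

# Constructed sample data (not from any real environment): five days of history
# per user, then one day of new observations to score.
HISTORY = {
    "alice": [(40, 0.05, 2), (42, 0.04, 2), (38, 0.06, 3), (41, 0.05, 2), (39, 0.05, 2)],
    "bob":   [(80, 0.30, 5), (85, 0.35, 6), (78, 0.28, 5), (90, 0.33, 6), (82, 0.31, 5)],
    "carol": [(20, 0.00, 1), (22, 0.00, 1), (19, 0.00, 1), (21, 0.00, 1), (20, 0.00, 1)],
    "dave":  [(50, 0.10, 3), (52, 0.12, 3), (48, 0.08, 4), (51, 0.11, 3), (49, 0.09, 3)],
}
TODAY = {
    "alice": (60, 0.05, 2),   # unusually many events, nothing else odd
    "bob":   (84, 0.32, 6),   # ordinary day for bob
    "carol": (21, 0.40, 4),   # off-hours activity and new hosts, both unprecedented
    "dave":  (50, 0.16, 4),   # moderate off-hours and host deviation
}


def baseline(rows):
    """Per-feature (mean, population stdev) from one user's own history."""
    return [(mean(col), pstdev(col)) for col in zip(*rows)]


def deviations(user, obs):
    """Positive, capped z-score per feature against the user's own baseline.
    Only upward deviations are treated as suspicious here."""
    out = {}
    for name, value, (mu, sd) in zip(FEATURES, obs, baseline(HISTORY[user])):
        if value <= mu:
            z = 0.0
        elif sd == 0:
            z = Z_CAP
        else:
            z = min((value - mu) / sd, Z_CAP)
        out[name] = z
    return out


def score(dev, weights):
    return sum(weights[f] * dev[f] for f in FEATURES)


def rank(weights, today=TODAY):
    """Users ordered by weighted anomaly score, highest first, plus the scores."""
    scored = {u: score(deviations(u, obs), weights) for u, obs in today.items()}
    return sorted(scored, key=scored.get, reverse=True), scored


def learn(weights, user, obs, confirmed):
    """Reinforcement step from one analyst disposition: features that drove a
    confirmed alert gain weight, features that drove a dismissed alert lose it,
    each in proportion to its share of that alert's score."""
    dev = deviations(user, obs)
    total = score(dev, weights)
    if total == 0:
        return dict(weights)
    sign = 1.0 if confirmed else -1.0
    updated = {}
    for f in FEATURES:
        share = weights[f] * dev[f] / total
        w = weights[f] * (1 + sign * LEARNING_RATE * share)
        updated[f] = min(max(w, MIN_W), MAX_W)
    return updated


def demo():
    """Rank, take two constructed dispositions, re-rank."""
    w = {f: 1.0 for f in FEATURES}
    before, _ = rank(w)
    # Constructed dispositions: carol's alert confirmed, alice's dismissed as benign.
    w = learn(w, "carol", TODAY["carol"], confirmed=True)
    w = learn(w, "alice", TODAY["alice"], confirmed=False)
    after, _ = rank(w)
    return before, after, w


if __name__ == "__main__":
    before, after, w = demo()
    print("before feedback:", before)
    print("after feedback: ", after)
    print("weights:", {f: round(v, 3) for f, v in w.items()})
```

Before feedback, alice’s volume-only spike outranks dave’s moderate off-hours deviation; after one confirmed and one dismissed alert, the off-hours and host features carry more weight and dave moves above alice while carol stays on top. In a real product the reweighting would be per profile type and per analyst population, with bounds against a single disposition swinging the model, but the shape of the loop is the same.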

It’s that simple, and I think we’re getting there.

Ryan Stolte

Co-founder and Chief Technology Officer , Bay Dynamics

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
