Security breaches have risen by 48% in the last year according to the IDG CSO State of Security report, and the Center for Strategic and International Studies pegs the global cost of these breaches between $375 and $575 billion. Pinpointed and targeted attacks have penetrated organizations with siloed security teams that are often struggling with a lack of visibility and intelligence, or with the equally daunting issue of teams overwhelmed by the influx of new data sources to monitor. The Ponemon Institute’s 2015 Cost of Data Breach Study states that the average cost of a data breach in the US has spiked to USD 6.5 Million, an 11% increase since 2014, as shown in the graph below.
FIGURE 1: Cost of data breach measures (Source: 2015 Cost of Data Breach Study – Ponemon Institute)
Undeterred by the massive amounts spent globally on security ($80 billion, per Gartner), attackers are still getting through organizational defenses. In almost every publicized case of a breach or intrusion, alerts and alarms did go off in the various monitoring systems, but security analysts largely ignored them because of the copious number of alerts triggered on a daily basis. While it may be impossible for a human to distinguish the false alarms from actual threats without investigating, applying data science to the process could have easily helped raise awareness of particularly concerning alerts. And, while most enterprises spend a majority of their security budget on prevention measures such as firewalls, strong user authentication, intrusion prevention, antivirus systems, etc., beating these defense systems has become routine for the most successful hackers, and hackers often explore systems undetected once they intrude on a network, again due to the sheer volume of alerts.
In order to protect against the wave of cyber attacks, security vendors are looking to apply new data science techniques to identify the needles in increasingly large haystacks. Gartner predicts that by 2017, at least 60% of major cloud access security broker (CASB) vendors and 25% of major SIEM and DLP vendors will incorporate advanced analytics and user and entity behavior analytics (UEBA) functionality into their products, either through acquisitions, partnerships or natively (disclaimer: Skyhigh provides UEBA for cloud Threat Protection today).
UEBA helps enterprises pinpoint potential threats by building behavioral models for cloud services and continuously monitoring for patterns of behavior that deviate, even in non-obvious ways, from the norm. Essentially it brings profiling and anomaly detection based on machine learning to security and provides analytics to evaluate the activity of users and other entities to discover security infractions. Machine learning provides computers the ability to learn from data (observations) without being explicitly programmed. Where humans and software engineering fail, machine learning excels in solving complex, data-rich business problems. For example, machine learning can be applied to profile and baseline the activity of users, peer groups, and other entities; form peer groups based upon common user activities, using directory groupings and human resources information; correlate user and other entity activities and behaviors; and detect anomalies using statistical models, or rules that compare activity to profiles. User activities are evaluated beyond an initial login, and include user movements, access to organizational assets and the context with which that access occurs.
With the deluge of usage and security data skyrocketing, it is imperative that enterprises begin using the same type of behavioral analytics credit card companies use to detect fraudulent transactions within massive datasets of billions of transactions. Cloud security is a perfectly analogous scenario: the average enterprise has 2 billion cloud transactions per day, so simply setting static thresholds to detect unusual activity will result in a massive number of alerts, hiding the malicious activity in a sea of false positives. Imagine if credit card companies flagged any transaction over $10,000, or any user with more than 10 transactions in one day, as potentially fraudulent. UEBA is the answer for cloud security analytics just as it is for fraud detection.
Within the realm of cloud security, UEBA can take various pieces of data as input for analysis, including service action, service action category, service action objects, number of bytes downloaded or uploaded, number of times a service is accessed, rate of access or time of access, etc., measured either across one service action, a cloud service provider (CSP), or a homogeneous group of either service actions or cloud service providers. For any enterprise, UEBA would potentially depend on time of use, rate of use, aggregate use, level of use, etc.
Noticeable variation in use could arise either from personal preferences or from corporate policies and practices. Without visibility into the corporate policies or an individual’s preferences, the only observable artifact is the actual usage. Therefore, the problem at hand is that of modeling the user behavior as a combination of unobserved components, where the combination varies from one user to the other. It is reasonable to expect that an individual’s cloud service usage differs at different times of the day and week, and the usage patterns of a user also tend to evolve over time. Hence, through UEBA it is possible to predict the expected usage, which can in turn be used to detect anomalous behavior.
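To make the contrast between a static threshold and a per-user, time-of-week baseline concrete, here is a small added example (my own illustration, not Skyhigh's code) over constructed download events: the fixed "anything over 10 MB" rule fires on every routine download by a heavy user, while the behavioral model only flags the light user's off-hours spike. The time buckets, the z-score cutoff, and the fallback for sparse buckets are assumptions chosen for the illustration.

```python
import statistics

# Constructed sample of cloud download events as (user, weekday, hour, bytes);
# weekday 0 = Monday. alice routinely pulls large reports during business
# hours; bob is a light user with one Saturday 03:00 spike. Not real data.
EVENTS = (
    [("alice", d, 10, 50_000_000 + d * 1_000_000) for d in range(5)]
    + [("bob", d, 10, 1_000_000 + d * 50_000) for d in range(5)]
    + [("bob", 5, 3, 20_000_000)]
)

STATIC_LIMIT = 10_000_000  # the "flag anything over 10 MB" style rule

def static_alerts(events, limit=STATIC_LIMIT):
    """Static threshold: every event above a fixed byte count is an alert."""
    return [e for e in events if e[3] > limit]

def bucket(weekday, hour):
    """Time-of-week context: weekday business hours vs everything else."""
    return "business" if weekday < 5 and 8 <= hour < 18 else "offhours"

def zscore(value, history):
    """Distance of value from the history mean, in standard deviations."""
    mean = statistics.mean(history)
    sd = statistics.pstdev(history)
    return 0.0 if sd == 0 else abs(value - mean) / sd

def behavioral_alerts(events, z_limit=3.0, min_history=3):
    """Compare each event with the same user's other events in the same
    time bucket (leave-one-out). A sparse bucket (fewer than min_history
    other events) falls back to the user's history across all buckets, so
    a lone off-hours event is judged against something, not against itself."""
    alerts = []
    for i, e in enumerate(events):
        user, wd, hr, nbytes = e
        others = [o for j, o in enumerate(events) if j != i and o[0] == user]
        same = [o[3] for o in others if bucket(o[1], o[2]) == bucket(wd, hr)]
        history = same if len(same) >= min_history else [o[3] for o in others]
        if len(history) >= min_history and zscore(nbytes, history) > z_limit:
            alerts.append(e)
    return alerts

if __name__ == "__main__":
    print("static rule alerts:", len(static_alerts(EVENTS)))  # 6
    print("behavioral alerts:", behavioral_alerts(EVENTS))      # bob's Saturday event
```

The same six static alerts would appear every week for alice, which is exactly the flood that buries the one event worth an analyst's time.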
Skyhigh leverages UEBA to capture user and user-group behavior across a large number of facets. Skyhigh’s unique UEBA solution for Threat Protection can be broadly summarized as shown in the figure below.
FIGURE 2: Building blocks of Skyhigh’s UEBA Solution for Threat Protection.
- Behavior Models – Complex higher-order polynomials are used to represent UEBA, which in turn generate an information-dense representation of the data. Skyhigh’s UEBA solution also has built-in capabilities to deal with sparse usage data, especially for cloud services in the long tail.
- User Groups – Automated, data-driven group detection identifies users with similar behavior across cloud services. Simultaneously analyzing a user with both an individual and a group model yields tighter control on expected behavior while minimizing false positives.
- Time Evolving – Skyhigh’s UEBA solution allows evolution over time (to absorb policy, user preference changes etc.). By segregating user behavior into patterns that span across time, models are guaranteed to be stable, robust, and stationary.
- Self-Learning – Skyhigh’s UEBA solution also dynamically indexes user risk and cloud service risk, and compares them to the evolving nature of cloud service usage to generate anomalies for all users within an enterprise. Data obtained from the multi-faceted behavioral analysis are combined with dynamic indexing to render an active self-learning module that powers Skyhigh’s UEBA Solution for Threat Protection.
By analyzing petabytes of data from over 23 Million users across more than 16,000 cloud services to identify behavior-based bounds for any service, and by allowing enterprises to create user-customized models, Skyhigh’s UEBA solution for Threat Protection provides a unique value in the UEBA space.
With today’s myriad of data, knowing what to look for has become vital. Empowering security teams with context-aware UEBA to combat hackers opens yet another way in which this data can be processed by machines to inform sound human judgments. In my next blog, I will explore Skyhigh’s UEBA Solution in depth and demonstrate how actionable intelligence around a wide range of internal and external threats and security vulnerabilities in real-time helps security teams address today’s challenge of “too much security data, not enough actionable intelligence.”