August 3, 2017 by Idan Tendler
How quickly can you home in on the information that matters within the hundreds of alerts you get daily? Your answer may be the difference between becoming a cybersecurity headline and remaining in obscurity (which, when it comes to cybersecurity, is really where you want to be!).
If you are like most organizations, you are probably struggling to keep pace with everything that is happening in your environment. Consider that the average large organization receives 17,000 alerts every week, and fewer than a fifth of those alerts are actually reliable! It's no wonder dwell time (the time an attacker spends in your network, from the moment they enter to the moment they are stopped or removed) is typically measured in hundreds of days!
But what can be done to shake up the status quo and stop the madness? We believe behavioral analytics is the key. Analysts are becoming desensitized to alerts and overwhelmed by information that is high in volume but low in value.
Most of the information in an alert is isolated and incomplete, making it very difficult to figure out what is going on and what needs to happen next. As a result, security decisions are typically made based on ‘best guesses’ of what an alert may indicate to determine what to ignore and what to pursue. Did you know that only 4% of alerts ever get fully investigated?
Behavioral analytics can change all that. It supplies the context around the activity that triggered an alert, so you can quickly pinpoint real threats and prioritize your response to limit the impact of an attack. By detecting anomalies in how users and entities behave on the network, it uncovers hard-to-spot threats such as system compromises, account compromises, data leaks and insider abuse. Once a threat is identified, it is simple to take action and adjust policies to strengthen security and regulatory enforcement.
Unfortunately, behavioral analytics has typically only been available to those with enough budget and expertise to use it. At the beginning of 2017, Gartner analyst Anton Chuvakin wrote “Ok, So Who Really MUST Get a UEBA?”, which argued that, while user and entity behavioral analytics (UEBA) is a valuable security technology, it isn't feasible for everyone to use. We believe this is a product of the approach most vendors in the market have taken, which is to create a ‘black box’ solution that is:
- Stand-alone – requiring staff and expertise to deploy, customize, manage and maintain it to extract value.
- Rule-based – placing the onus on the customer to define, via a set of rules, what users and entities should and shouldn’t be doing in the environment.
- Rigid – requiring data to be structured, in a specific data format, before it can be ingested and analyzed.
We believe this approach is flawed and holding behavioral analytics back. We don’t think behavioral analytics should be a tool of the privileged few, but rather something that everyone should be able to benefit from. So, we set out to democratize behavioral analytics.
We were excited to introduce earlier this year the industry’s first embeddable analytics platform – Fortscale Presidio – to make security analytics available to all. Basically, Presidio eliminates traditional delivery and usage barriers, enabling every solution within your security infrastructure to take advantage of the visibility and insights of behavioral analytics to give you smarter, more effective and agile security solutions. Presidio makes behavioral analytics:
- Embeddable – integrating behavioral analytics, via Smart Kits, directly into the native operations of your security solutions (e.g. data loss prevention (DLP), security information and event management (SIEM), endpoint detection and response/protection (EDR/EDP), and firewall solutions) to improve their detection accuracy, decision-making and responsiveness.
- Risk-based and predictive – using machine learning and big data analytics so the system is easy to set up and keeps itself current. Our analytics engine automatically establishes a baseline of user and entity activity, tracks the risk level of outliers to pinpoint threats, and helps automate an appropriate response that strengthens your overall security posture. It continues to monitor the environment and adjusts the baseline to reflect real-time conditions.
- Data agnostic – standardizing the data sets during the integration process, so there is nothing for the end-customer to do. We can take any data, over any length of time, from any entity and start to model behaviors and detect anomalies to generate immediate value.
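To make the three ideas above concrete (normalizing heterogeneous input, learning a per-user baseline, and ranking outliers by risk while folding accepted events back into the baseline), here is an added example in Python. It is not Fortscale or Presidio code and does not describe how Presidio's engine works; the two log formats, the user names, addresses and host names are all constructed for the example, and the scoring rule (Laplace-smoothed surprise in bits, averaged across features) is one simple choice among many.

```python
"""Added example, not Fortscale's code: a per-user behavioural baseline with
Laplace-smoothed 'surprise' scoring, used to rank login events by risk."""
from collections import Counter, defaultdict
from datetime import datetime
import math
import re

FEATURES = ("hour", "src", "host")

# Two constructed log shapes (neither is a real product format), to show the
# normalisation step that lets one model ingest heterogeneous sources.
_SYSLOG = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+)$")
_CSV_FIELDS = ("ts", "user", "src", "host")


def normalize(line):
    """Map a line in either constructed format onto one event dict
    {'user', 'hour', 'src', 'host'}; return None for lines it cannot parse."""
    m = _SYSLOG.match(line.strip())
    if m:
        rec = m.groupdict()
    else:
        parts = line.strip().split(",")
        if len(parts) != len(_CSV_FIELDS):
            return None
        rec = dict(zip(_CSV_FIELDS, parts))
    try:
        ts = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None
    return {"user": rec["user"], "hour": ts.hour, "src": rec["src"], "host": rec["host"]}


def build_baseline(events):
    """Per-user value counts for each feature: the learned 'normal' profile."""
    base = defaultdict(lambda: {f: Counter() for f in FEATURES})
    for e in events:
        for f in FEATURES:
            base[e["user"]][f][e[f]] += 1
    return base


def surprise_bits(counter, value):
    """-log2 of the Laplace-smoothed probability of `value` in this user's
    history: near 0 bits for a habitual value, log2(n + vocab) for an unseen one."""
    total = sum(counter.values())
    vocab = len(counter) + 1            # one extra bucket reserved for unseen values
    return -math.log2((counter[value] + 1) / (total + vocab))


def score_event(base, event):
    """Mean surprise across features, plus the features that drove it.
    A user with no history is the edge case a frequency model gets wrong
    (every value would look habitual), so it is flagged explicitly."""
    prof = base.get(event["user"])
    if prof is None:
        return math.inf, ["no baseline for user"]
    bits = {f: surprise_bits(prof[f], event[f]) for f in FEATURES}
    score = sum(bits.values()) / len(FEATURES)
    reasons = [f"{f}={event[f]!r} unusual" for f in FEATURES if bits[f] >= 3.0]
    return score, reasons


def triage(base, lines, threshold=3.0):
    """Normalise, score and rank raw lines. Events under the threshold are
    absorbed into the baseline so the profile keeps tracking current behaviour."""
    flagged = []
    for line in lines:
        e = normalize(line)
        if e is None:
            continue
        score, reasons = score_event(base, e)
        if score >= threshold:
            flagged.append((score, e, reasons))
        else:
            for f in FEATURES:
                base[e["user"]][f][e[f]] += 1
    return sorted(flagged, key=lambda x: -x[0])


# Constructed training history: alice is a 9-to-10 am, single-workstation user;
# bob roams across application hosts during business hours.
HISTORY = [f"2017-07-{d:02d}T{9 + (d % 2):02d}:00:00 login user=alice src=10.0.0.5 host=fs01"
           for d in range(1, 21)]
HISTORY += [f"2017-07-{d:02d}T{8 + d % 10:02d}:30:00,bob,10.0.0.{20 + d % 3},app{d % 4:02d}"
            for d in range(1, 21)]
BASELINE = build_baseline(e for e in map(normalize, HISTORY) if e)

# Constructed new events: one habitual, one off-hours from a new address to a
# new host, and one from a user never seen before.
NEW_EVENTS = [
    "2017-08-01T09:05:00 login user=alice src=10.0.0.5 host=fs01",
    "2017-08-01T03:12:00,alice,203.0.113.9,dc01",
    "2017-08-01T11:00:00 login user=carol src=10.0.0.7 host=app01",
]

if __name__ == "__main__":
    for score, e, reasons in triage(BASELINE, NEW_EVENTS):
        print(f"{score:6.2f}  {e['user']:6} {'; '.join(reasons)}")
```

Run stand-alone, the script prints the unknown user first (no baseline at all) and alice's 3 am login from a new address to a new host second, with the three features that made it an outlier; her habitual 9 am login scores well under the threshold and is absorbed into her baseline. The threshold and the 3-bit per-feature cutoff are tuning knobs, and a real deployment would also model more features (bytes transferred, process names, peer group of the user) and decay old counts rather than keeping them forever.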
Now, with Fortscale, behavioral analytics can be used by everyone to quickly pinpoint threats and enable a fast, automated response. No longer is behavioral analytics a mysterious, time intensive ‘black box’ for your security operations – now, it can be an integral part of your security infrastructure, delivering the insights your solutions need to improve the efficiency and strength of the security they can offer.