BEHAVIOR ANALYTICS (UEBA): THE HEART OF NEXT-GENERATION THREAT HUNTING
INTRODUCTION
SOURCE: Avivah Litan, Market Guide for User and Entity Behavior Analytics, Gartner, September 22, 2015
THE DETECTION + RESPONSE GAP
265 DAYS    69 DAYS (figure values; labels not extracted)
SOURCE: 2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2015
TRADITIONAL SOLUTIONS AREN'T FINDING THREATS FAST ENOUGH
DROWNING IN ALERTS + DATA
17,000    4% (figure values; labels not extracted)
ADD ENTITIES
Gartner recognized that UBA is narrow in its focus on individuals. By expanding the analysis to entities, organizations can better detect malicious activity. In UEBA, entities can include devices, applications, servers, data, or anything with an IP address.
COMPLEMENTING SIEMS
UEBA can make automated detection systems such as SIEMs more effective by complementing signature- and rule-based detection with behavioral analysis.

                          SIEM                  UEBA
Anomaly Detection         Static, rule-based    Self-learning
Types of Anomalies        Event-based           Entity-based
Velocity of Data,
Algorithms                remaining cells extracted only as "Higher" and "Lower"
UEBA?
Increasing sophistication of cyber threats

UEBA AND LINKED DATA: A KILLER COMBO
CASE STUDY: DETECTING LATERAL MOVEMENT WITH UEBA AND LINKED DATA

WHAT IT IS
Lateral movement is the process an attacker uses to expand his or her access to computing resources throughout a network.

HOW UEBA AND LINKED DATA CAN HELP DETECT IT
By tracking unusual authentications and by looking for other hints in logs that might indicate specific mechanisms being employed, UEBA and linked data can identify lateral movement activity.
RESULTS OF SQRRL'S LATERAL MOVEMENT DETECTOR
Sqrrl's lateral movement detector identified a collection of credentials that an advanced persistent attack had compromised at a Fortune 100 financial services enterprise. The credentials were being used to log into various systems for which they were not typically used (e.g., an engineer's credentials were used to log into a financial system). Sqrrl's lateral movement detector identified a star pattern of multiple failed logins combined with a stringed progression of rare login successes. Sqrrl also correlated how hosts involved in the lateral movement connected to each other by leveraging netflow data in addition to user authentication logs.
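As an added illustration of the detection logic described above (not Sqrrl's code), the following Python finds the star pattern of failed logins from one origin, follows the chain of rare successful logins hop by hop, and confirms each hop against netflow; the log, the per-user baseline and the netflow pairs are all constructed.

```python
from collections import defaultdict

# Constructed authentication events: (user, source_host, dest_host, outcome)
AUTH_LOG = [
    ("eng01", "ws-eng-7", "fin-db-1", "fail"),
    ("eng01", "ws-eng-7", "fin-app-2", "fail"),
    ("eng01", "ws-eng-7", "hr-srv-3", "fail"),
    ("eng01", "ws-eng-7", "fin-db-1", "success"),
    ("eng01", "fin-db-1", "fin-app-2", "success"),
    ("eng01", "fin-app-2", "pay-gw-9", "success"),
    ("eng01", "ws-eng-7", "build-1", "success"),   # normal for an engineer
]
BASELINE = {"eng01": {"build-1", "git-1"}}  # constructed: hosts each user habitually logs into
NETFLOW = {("ws-eng-7", "fin-db-1"), ("fin-db-1", "fin-app-2"), ("fin-app-2", "pay-gw-9")}  # constructed

def star_patterns(log, min_fanout=3):
    """(user, source) pairs whose failed logins fan out to >= min_fanout distinct hosts."""
    fails = defaultdict(set)
    for user, src, dst, outcome in log:
        if outcome == "fail":
            fails[(user, src)].add(dst)
    return {k: sorted(v) for k, v in fails.items() if len(v) >= min_fanout}

def rare_success_chains(log, baseline, min_hops=2):
    """Per user, the longest hop-by-hop path of successful logins to non-baseline hosts."""
    edges = defaultdict(list)
    for user, src, dst, outcome in log:
        if outcome == "success" and dst not in baseline.get(user, set()):
            edges[user].append((src, dst))
    chains = {}
    for user, hops in edges.items():
        nxt = {src: dst for src, dst in hops}  # assumes one rare onward hop per host
        for start in (s for s, _ in hops if s not in nxt.values()):
            path = [start]
            while path[-1] in nxt and nxt[path[-1]] not in path:  # stop on cycles
                path.append(nxt[path[-1]])
            if len(path) - 1 >= min_hops and len(path) > len(chains.get(user, [])):
                chains[user] = path
    return chains

def detect_lateral_movement(log, baseline, netflow):
    """Star pattern and rare-success chain from the same origin, confirmed against netflow."""
    chains = rare_success_chains(log, baseline)
    alerts = []
    for (user, origin), targets in star_patterns(log).items():
        path = chains.get(user)
        if path and path[0] == origin:
            alerts.append({"user": user, "origin": origin, "failed_targets": targets, "path": path,
                           "netflow_confirmed": all(h in netflow for h in zip(path, path[1:]))})
    return alerts
```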
ADD THREAT HUNTING TO THE MIX
Unlike waiting for an alert to surface a potential threat, hunting for cyber threats lets your security team proactively identify threats sooner.
Hunting can help your team counter an adversary at almost any stage of an attack by using data and analysis to follow the attacker's digital footprints and disrupt the adversary's attack.
AUTOMATION OF THE HUNT WITH UEBA

1. CREATE HYPOTHESES
UEBA can provide a starting point for a hunt by automatically detecting potential threats based on adversary Tactics, Techniques, and Procedures (TTPs) and assigned risk scores.

2. INVESTIGATE
Linked data automates manual searches by semantically fusing datasets and predefining search pathways. On-demand anomaly detection capabilities allow a hunter to quickly home in on the most important pieces of data.

3. UNCOVER TTPS
UEBA and linked data enable analysts to rapidly and visually reveal the TTPs of adversaries and reconstruct the attack paths that those adversaries utilized.

4. INFORM ANALYTICS
Insights uncovered by analysts can be used by the system to inform and improve its analytics. Using techniques such as machine learning, whitelisting, and behavior classification, UEBA systems can be tuned to focus on real threats and ignore false positives.
CASE STUDY: UNCOVERING BEACONING WITH UEBA AND LINKED DATA

WHAT IT IS
Beaconing is a technique often used by compromised assets to communicate with an external command and control (C2) point. Beacons are network traffic typically sent at regular intervals and can be used to signal availability or to receive new instructions. They may hide in plain sight by using common ports and protocols such as TCP, ICMP, and HTTP. Uncommon ports are sometimes used, too, when trying to evade protective network measures.

HOW UEBA AND LINKED DATA CAN HELP DETECT IT
UEBA and linked data look for behavior indicative of malicious beacons, while excluding benign beacons issued by mail clients, software update agents, or websites that automatically refresh their content (e.g., weather sites). Contextual information such as linked alerts, identity, IP reputation, and geographic data helps analysts assess potential malicious behaviors.
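An added example (not from the original ebook or Sqrrl's product) of the interval-regularity test behind beacon detection: it groups constructed flow records by source, destination and port, scores how regular the gaps between connections are, and suppresses destinations on a constructed allowlist of benign periodic callers such as update servers.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_host, dst_port)
FLOWS = []
FLOWS += [(60 * i + (i % 3), "10.0.0.5", "203.0.113.7", 443) for i in range(12)]  # every 60 s, 0-2 s jitter
FLOWS += [(300 * i, "10.0.0.5", "updates.example.net", 443) for i in range(6)]     # benign updater, every 300 s
FLOWS += [(t, "10.0.0.8", "198.51.100.2", 80) for t in (5, 19, 140, 150, 400, 401, 900, 1500)]  # human browsing
ALLOWLIST = {"updates.example.net", "mail.example.net"}  # constructed: known benign periodic destinations

def interval_stats(flows):
    """Per (src, dst, port): connection count, mean gap, and coefficient of variation of the gaps."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)
    stats = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < 2:
            continue  # too few connections to judge regularity
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")  # low cv = very regular
        stats[key] = {"count": len(ts), "mean_interval": mean, "cv": cv}
    return stats

def find_beacons(flows, allowlist, min_count=8, max_cv=0.2):
    """Flag regular-interval connection series to destinations that are not allowlisted."""
    hits = []
    for (src, dst, port), s in interval_stats(flows).items():
        if dst in allowlist or s["count"] < min_count or s["cv"] > max_cv:
            continue
        hits.append({"src": src, "dst": dst, "port": port, **s})
    return hits
```

Lowering `min_count` without an allowlist flags the update agent as well, which is exactly the benign beacon the text says must be excluded by context.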
BENEFITS WITH
74    59 (figure values; labels not extracted)
SOURCE: Threat Hunting: Open Season on the Adversary, Robert M. Lee, SANS Institute, 2016
SQRRL DELIVERS UNMATCHED THREAT DETECTION AND RESPONSE

COMPREHENSIVE UEBA CAPABILITIES WITH SQRRL
- Graph algorithms
- Machine learning (both supervised and unsupervised)
- Bayesian statistics
- Behavioral baselining
- Signal processing
- Time-series analysis
CASE STUDY: DISCOVERING DATA STAGING AND EXFILTRATION WITH UEBA AND LINKED DATA

WHAT IT IS
Data exfiltration is the process of removing stolen data from a victim organization. Data staging is a technique used by an actor to gather stolen data in one place and prepare it for exfiltration. Not all data exfiltration requires staging, but it is a very common tactic among advanced persistent threat actors and insiders.

HOW UEBA AND LINKED DATA CAN HELP DETECT IT
UEBA and linked data can detect data staging by analyzing the relationships and communication patterns among internal hosts and combining that with information on common data preparation techniques. Similarly, data exfiltration can be detected by analyzing communications with hosts outside the organization, especially in the areas where they differ from baselines of typical behaviors. When data staging and exfiltration activities are linked together, these analytics can provide the clearest indications of actual threats.
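The staging-then-exfiltration linkage as an added example that is not part of the original ebook: fan-in of large internal transfers identifies a staging host, outbound volume compared with a constructed per-host baseline identifies exfiltration, and an alert is raised only where both land on the same host. The flow summary, address range and baseline are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed: the organization's internal address space
# Constructed one-day flow summary: (src_ip, dst_ip, bytes)
FLOWS = [
    ("10.1.0.11", "10.1.0.50", 900_000_000),
    ("10.1.0.12", "10.1.0.50", 700_000_000),
    ("10.1.0.13", "10.1.0.50", 650_000_000),
    ("10.1.0.14", "10.1.0.50", 500_000_000),
    ("10.1.0.50", "198.51.100.9", 2_500_000_000),  # outbound burst from the collection point
    ("10.1.0.11", "10.1.0.20", 5_000_000),
    ("10.1.0.20", "203.0.113.5", 30_000_000),      # ordinary outbound volume
]
# Constructed baseline: typical daily bytes each host sends to external addresses
OUTBOUND_BASELINE = {"10.1.0.50": 20_000_000, "10.1.0.20": 25_000_000}

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def staging_candidates(flows, min_sources=3, min_bytes=1_000_000_000):
    """Internal hosts receiving a large volume from many distinct internal peers (fan-in)."""
    srcs, total = defaultdict(set), defaultdict(int)
    for s, d, b in flows:
        if is_internal(s) and is_internal(d):
            srcs[d].add(s)
            total[d] += b
    return {h for h in srcs if len(srcs[h]) >= min_sources and total[h] >= min_bytes}

def exfil_candidates(flows, baseline, factor=5.0):
    """Internal hosts whose external outbound volume exceeds factor x their baseline."""
    out = defaultdict(int)
    for s, d, b in flows:
        if is_internal(s) and not is_internal(d):
            out[s] += b
    # hosts with no baseline get 0, so any external traffic from them is surfaced for review
    return {h: v for h, v in out.items() if v > factor * baseline.get(h, 0)}

def linked_alerts(flows, baseline):
    """Only hosts that both staged data and exceeded their outbound baseline become alerts."""
    stg, exf = staging_candidates(flows), exfil_candidates(flows, baseline)
    return [{"host": h, "outbound_bytes": exf[h], "linked": True} for h in sorted(stg) if h in exf]
```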
LEARN MORE
Check out these additional resources for you and your security organization to learn more about UEBA, linked data, and cyber threat hunting.
ABOUT SQRRL
Sqrrl is the security analytics company that enables organizations to target, hunt, and disrupt advanced cyber threats. Sqrrl's industry-leading threat detection and response platform unites threat hunting, behavioral analytics, and incident investigation capabilities in an integrated solution. Sqrrl's unique platform approach enables security analysts to discover threats faster and reduces the time and resources required to investigate them. Learn more at www.sqrrl.com.
2016 Sqrrl Data, Inc. All rights reserved.