SECURITY

Use Splunk UBA Content Updates to Stay Ahead of Advanced and Insider Threats

The threat landscape continues to be dynamic and existing security solutions require frequent updates to keep up with threats. Identifying and developing analytics to detect and respond to threats takes significant time and requires deep security expertise as well analytics knowledge.

Since 2015, Splunk User Behavior Analytics (UBA)—a machine learning-powered user and entity behavior analytics solution—has been successful in detecting unknown and hidden threats, and anomalous behavior across users, endpoint devices and applications using unsupervised machine learning and automated behavior baselining.

Splunk UBA Content Updates

Since its introduction in 2016, Splunk UBA Content Updates has helped customers reduce time to detect and time to respond. The architecture of Splunk UBA has separated platform capability from content, which improved not only operational efficiency but also provides an agile way for Splunk customers to use new data models, threats and anomalies to stay ahead of the threat landscape by using the latest innovations.

Through the Splunk UBA Content Updates mechanism, available via Splunkbase, customers are using the latest insights from Splunk security, data science research and the product team to continuously improve their cyber resiliency.

“Content” in Splunk UBA Content Updates could be machine learning models, threat models, anomaly classifications and data sources. Installing Splunk UBA Content Updates does not require any downtime and administrators do not have to upgrade the platform!

What’s New in UBA 4.0.2 Content Updates

With the 4.0.2 Content Update release (March 2018), customers get new models and enhancements to existing models to expand their threat coverage and efficiency.

  • Enhanced External Alarm Model: Better aggregation of alarms
  • Enhanced Streaming Rare Event Models: Allows for better scalability and improved results
  • New Profiling Model: Identifies account type (admin, service, web-enabled), Windows server type (email, web, SQL), and domain identities (AD vs. DNS)
  • New Rules for SaaS: SaaS app related and USB activity

What’s New in UBA 4.0.1 Content Updates

With the 4.0.1 content update release (January 2018), customers are able to detect new threats, new anomalies and leverage the updated models to improve their security posture.

New Anomalies

  • Local Account Creation: Detects if a local account is created on a workstation or a server.
  • Recovery Account Detection: Detects if Active Directory (AD) recovery account is seen performing any activity.
  • Password Policy Circumvention: Detects a potential policy circumvention attempt by analyzing the number of password resets on a given day for an account.
  • Crowdstrike External Alarms: Detects infection, lateral movement and data deletion based on CrowdStrike events.

New Threats

  • Privilege Escalation After PowerShell Activity: Triggers a threat if it detects any suspicious PowerShell activity followed by a suspicious privilege escalation by an account.
  • Suspicious Badge Activity: Triggers a threat if it identifies a user trying to badge in at an unusual time and denied access at multiple entry points. 

Updates to Models, Anomalies and Threats

  • Suspicious Account Lockout: Verifies the hosts on which the user usually logs in. If the account lockout is on a known host for that user, the risk will be lower when compared to a lockout on an unknown host.
  • Disabled Account Activity: Considers the historical behavior and understands if it is a recurring activity. In such a scenario, the anomaly is not raised again.
  • Service Account Login: Removes the hard dependency of the known naming convention of service accounts. The rule will now leverage the HR account type “Service.” The update will now enable detecting VPN login along with interactive login by a service account.
  • Separate Handling of Logins vs. Authentications: Separates logins and authentications in Windows authentication events. Different anomalies triggered for Multiple Authentications, Multiple Authentication Failures, Multiple Logins, Multiple Login Failures.

The Time is Now

If you are an existing Splunk UBA customer, make sure that you are running the latest version of Splunk UBA, which you can download from Splunkbase. For details on the latest UBA Content Updates, review the Splunk UBA 4.0.2 Release Notes.

Contact us to find out how you can benefit from Splunk Security Solutions.

Girish Bhat
Director, Security Product Marketing
Splunk
@girishb

Girish Bhat
Posted by

Girish Bhat

Girish Bhat is the director of security product marketing at Splunk with responsibility for key security solutions, the Splunk CISO customer advisory board and customer use cases.

Previously, Girish held various roles managing authentication, compliance, VPN, advanced threats, DLP, IDS/IPS, mobile, SaaS, IaaS, virtualization and network monitoring solutions.

With more than 15 years of experience with startups and global brands, Girish’s experience includes product marketing, business strategy, strategic analysis, solutions marketing, product management for security, mobile, networking, cloud and software products.

Join the Discussion