The Summer of Security continues! Hot on the heels of security announcements at .conf22 and a brand new Splunk Security Essentials 3.6.0, we’re excited to announce the availability of User Behavior Analytics (UBA) version 5.1.
What’s New with UBA 5.1?
In this new version, Splunk continues to build upon our industry-leading behavioral analytics platform. UBA 5.1 provides new operating system support, installation and configuration upgrades, security vulnerability patches and per data source custom configuration. Let’s dig into the details.
Operating System Support and Updates Plus Air-Gapped Installation
One of the most consistent requests from our customers is to support more up-to-date OS releases. With UBA 5.1, we’re bringing support for installation on RedHat Enterprise Linux 8.4 and 8.5, Oracle Enterprise Linux 8.6, and Ubuntu 18.04. One of the changes around OS support is that we have dropped support for CentOS as version 8 reached the end of life in December 2021. RedHat has provided a migration plan for CentOS to RedHat Enterprise Linux.
We now also support installation in an air-gapped environment. Air-gapped networks increase isolation, secrecy and subsequently the security of high-risk secure networks such as critical infrastructure. This new capability allows customers with sensitive or critical computer systems on air-gapped networks the ability to do an offline upgrade or installation of UBA.
Extensible Content, Improved Visibility and Patches a Plenty
Anyone who has used Splunk UBA knows that many core libraries and products are operating under the hood to give you that ML goodness. With the release of UBA 5.1, the content has gone through a significant overhaul. First, Splunk data scientists and content engineering teams have implemented new model updates across the board. This effort was launched to support the migration from Spark 2 to Spark 3, making UBA and future content more extensible now and in the future.
Let's also not forget about the simple quality of life features, such as a new refreshed MaxMind IP to geography mapping that should help reduce false positives when evaluating land speed violations. We’ve also improved our Threats and Anomalies menus so that now employee IDs can be displayed to greatly reduce analyst confusion in the instance where multiple employees share the same name.
And finally, the unsung hero of cybersecurity resilience, the almighty vulnerability patch hits hard and heavy in this new release.I caught up with Erick Ingleby, Director of Product for Security Analytics, and asked him what excites him most about this release. No surprise—it’s patches!
He said, “In this release, I’m most proud of the simple things that we often take for granted—security and stability. This latest release includes patches and upgrades to ensure the product is free of all high and critical vulnerabilities. Customers expect this from a security product, and we must continue to deliver on this promise regardless of how difficult a patch may be to implement. There are more than a handful of essential security updates; additionally, over 50 third-party libraries have been upgraded (Hadoop, Spark, Scala, etc.). These upgrades unlock the door for our data scientists and content engineers to get back to work on delivering the state-of-the-art machine learning and detection analytics our customers need and expect from Splunk.”
Per Datasource Configuration
Per data source lag support is an essential new feature to monitor hybrid, on-prem or multi-cloud environments. Analysts can now specify the delay within UBA per data source and perform searching a customized timeframe behind minutes behind. This is critically important for any customer with a cloud data source, like cloud-based directory services that help administrators manage permissions and control access to network resources which can suffer from log origination to delivery lag times. Without this feature, you may never see anomalies from these delayed data sources.