Security Solutions Need Data Science and Machine Learning to Protect Organizations

Every month we hear about a major breach targeting an enterprise or public-sector organization. Based on current cyberattack growth rates, we anticipate the impact on the global economy to be around three trillion US dollars.

Within the past five years, 2.5 billion records were exposed. From January 2015 until June 2015, 256 million records were compromised. Breaking that down, that’s…

  • 1,400,000 stolen records per day, or
  • 56,000 stolen records per hour, or
  • 943 stolen records per minute.

A recent FireEye study found that, on average, an organization takes 205 days to detect advanced threats. We need a security solution built on a new paradigm to combat modern-day attacks…

Splunk calls it Splunk User Behavior Analytics (Splunk UBA).

Splunk UBA uses data science and machine learning to identify threats, cyberattacks or insider threats. It’s not just about compromised credentials or compromised devices; a solution should have the ability to detect malicious intent. Detecting insider threats is as important as detecting cyberattacks.


So how does Splunk UBA work? The core concept the solution is built on is the behavior baseline: the process of looking at each and every activity associated with an entity (user, device, application, network, etc.) within your organization and creating a state and transition model. It’s a fairly complex process and far more advanced than building a baseline with a simple statistical model. Using this baseline, Splunk UBA applies data science and unsupervised machine learning to identify deviations, which it labels as anomalies. It’s important to distinguish anomalies from threats. The two are easy to confuse, because some organizations have neither a multi-layered threat detection architecture nor the ability to execute machine learning algorithms in multiple phases, and that leads to mislabeling: if every anomaly is treated as a threat, it adds to the already overwhelming volume of alerts and false positives (one-time deviations, policy violations, etc.).

Another unique feature of Splunk UBA is the ability to automatically stitch identified anomalies into threat patterns such as:

  • cyberattack: data exfiltration by malware
  • cyberattack: remote account takeover
  • insider attack: lateral movement
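To make the two phases described above concrete (a per-entity state-transition baseline first, then anomalies stitched into a named threat pattern rather than alerted on individually), here is an added illustration in Python. It is not Splunk UBA’s code: the event log, action names and threat chains are constructed for the example, and a simple count-based transition model stands in for the unsupervised models the post describes.

```python
from collections import Counter, defaultdict

# Constructed training window of (user, action) events; a real baseline uses weeks of telemetry.
BASELINE_EVENTS = [
    ("alice", "login"), ("alice", "open_share"), ("alice", "edit_doc"), ("alice", "logout"),
    ("alice", "login"), ("alice", "edit_doc"), ("alice", "open_share"), ("alice", "logout"),
    ("bob", "login"), ("bob", "run_build"), ("bob", "push_code"), ("bob", "logout"),
]

# Threat patterns as ordered chains of anomalous actions (labels from the post, action names hypothetical).
THREAT_PATTERNS = {
    "cyberattack: data exfiltration by malware": ["run_unknown_binary", "connect_external", "upload_large"],
    "insider attack: lateral movement": ["access_new_host", "access_new_host", "dump_credentials"],
}

def build_baseline(events):
    """Per-entity state-transition model: baseline[user][prev][next] = observed count."""
    baseline = defaultdict(lambda: defaultdict(Counter))
    last = {}
    for user, action in events:
        if user in last:
            baseline[user][last[user]][action] += 1
        last[user] = action
    return baseline

def find_anomalies(baseline, user, actions, min_prob=0.1):
    """Phase 1: flag transitions this user's own history makes rarely or never."""
    anomalies = []
    for prev, nxt in zip(actions, actions[1:]):
        seen = baseline[user].get(prev, Counter())
        total = sum(seen.values())
        prob = seen[nxt] / total if total else 0.0
        if prob < min_prob:
            anomalies.append((prev, nxt, prob))
    return anomalies

def stitch_threats(anomalies):
    """Phase 2: promote anomalies to a threat only when they form a known chain, in order."""
    actions = [nxt for _, nxt, _ in anomalies]
    def matches(chain):
        pos = 0
        for action in actions:
            if pos < len(chain) and action == chain[pos]:
                pos += 1
        return pos == len(chain)
    return [name for name, chain in THREAT_PATTERNS.items() if matches(chain)]

def analyze(user, actions):
    anomalies = find_anomalies(build_baseline(BASELINE_EVENTS), user, actions)
    return anomalies, stitch_threats(anomalies)
```

A session with one unfamiliar transition yields anomalies but no threat, which is the one-time deviation the post warns against alerting on; only a session whose anomalies line up with a chain is reported as a threat.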

There are tons of other unique features, such as peer group analytics, a hunter-centric workflow, automated notable event creation within Splunk ES and kill-chain visualization, that make Splunk UBA the most advanced behavior analytics solution. You can learn more in our Splunk UBA press release or check out the website.

You can also register for the free webinar:

Leverage Machine Learning Using Splunk User Behavioral Analytics

Date/Time: Wednesday, November 18, 9am PT

Learn how Splunk UBA:
• Utilizes advanced analytics and machine learning to detect insider threats and external threat actors
• Builds a behavior baseline to distinguish “normal” vs. “anomalous” behavior and automatically stitches anomalies into various threat classifications – Lateral Movement, CnC Detection, Malware Activity, Suspicious Insider Behavior, Data Exfiltration, etc.
• Maps a threat over a kill chain so an organization can visually understand the intensity of the attack, and helps quickly identify and scope compromised entities – accounts, devices, network and applications

Related reads:

Improve Your Ability to Detect, Scope and Respond to Advanced Attacks with Splunk ES 4.0
Splunk Adds Behavioral Analytics to Boost its Security Stance
Splunk creates security nerve centre with behavior analytics
