Splunk User Behavior Analytics (UBA) 5.4 Delivers FIPS Compliance and Advanced Anomaly Detection

Splunk’s latest User Behavior Analytics (UBA) product update, version 5.4.0, brings enhancements and new features designed to streamline operations and improve threat detection accuracy. Let’s see what’s new!

Achieving New Standards with FIPS Compliance

With version 5.4.0, Splunk UBA now meets compliance requirements for Federal Information Processing Standards (FIPS), ensuring that data handling and encryption processes adhere to rigorous federal guidelines. This milestone underscores Splunk’s dedication to security and compliance, and expands the potential for government, public sector, and regulated industry customers to leverage Splunk UBA in their security operations.

Enhanced Integration with Splunk Enterprise Security for Risk-Based Alerting

Splunk UBA is now more closely integrated with Splunk Enterprise Security (ES) through the Risk-Based Alerting (RBA) framework and feature set. “But wait… what is RBA?” you ask? RBA uses the existing Splunk Enterprise Security correlation rule framework to collect interesting and potentially risky events into a single index with a shared language, which is then used for alerting. Events collected in the Risk Index produce a single “risk notable” only when certain criteria warranting an investigation are met. This increases security visibility, closes gaps, and reduces the volume of low fidelity alerts. This process transforms traditional alerts into potentially interesting observations which correlate into a high-fidelity security story for analysts to investigate.

In Splunk UBA 5.4, users can create and forward risk events from UBA-detected anomalies and threats directly to Splunk Enterprise Security. This integration ensures that organizations can maintain a more holistic view of their security posture, streamline responses, and enable more dynamic risk management.

Innovations in Anomaly Detection with the False Positive Suppression Model

Addressing one of the most challenging aspects of threat detection, the new False Positive Suppression Model significantly reduces the noise of false alerts. Utilizing advanced self-supervised deep learning algorithms, this offline batch model learns from user-tagged false positives to enhance its detection capabilities. By automatically identifying and tagging similar future anomalies, the model helps security teams focus on genuine threats without overlooking potential risks. This model exemplifies how machine learning can transform anomaly detection, providing a smarter, user-friendly way to manage alerts.

Detecting Anomalies in File Access with Precision

The newly introduced model for detecting unusual volumes of file access events per user will help users refine their data analysis. This model identifies outliers in the daily counts of file-related events per user, enhancing the ability to spot potential data exfiltration or unauthorized access activities within vast datasets.

Scalability and Performance Enhancements

The scalability and performance of the Account and Device Exfiltration models in Splunk UBA have seen significant improvements in Splunk UBA version 5.4:

• Execution Time Reduction: Improved by up to 58.78% for datasets containing as many as 300 million records.
• Shuffle Write/Read Improvements: Data shuffling processes can achieve efficiency gains of up to 71.60% across various data volumes.
• Disk and Memory Spills: Optimizations have effectively managed and reduced spills, with no spills observed for data volumes up to 100 million records.

These improvements ensure that Splunk UBA operates more efficiently, providing rapid, reliable analytics to help security teams act quickly.

Upgrade to Splunk UBA 5.4 Today

Splunk UBA 5.4.0 is now available, offering organizations the tools to detect insider threats and cyber attacks more effectively than ever. As cyber threats evolve, so do our solutions. Splunk UBA 5.4 is part of our ongoing commitment to deliver solutions that protect our customers in an ever-changing digital landscape.

To learn more about Splunk UBA, we encourage you to visit the product webpage, take a tour, and review our latest Splunk UBA 5.4 documentation.