You Can’t Stop Threats You Can’t See - Splunk User Behavior Analytics: The Next Level of Security Analytics

In this interconnected world, organizations have learned that fully addressing security problems means bringing data together from multiple domains (identity, endpoint, network, application) and acting on it in one place. With Splunk as the core data platform for correlation and Splunk Enterprise Security (ES) as the framework for managing security investigations, the next step you can take is to apply machine learning from Splunk User Behavior Analytics (UBA) to augment these insights.

What is Splunk UBA?

So, you’ve probably heard us talk about Splunk UBA and how it uses machine learning (ML) to identify unknown threats and anomalous behavior, but what does that actually mean for you? Your organization may be analyzing tens of billions of raw events, which can generate tens of millions of anomalies: a volume too high to investigate, and most of them will turn out to be benign, that is, false positives when treated as threats. Splunk UBA uses ML to derive sequences and patterns across all of those anomalies, together with other indicators, to filter them down to the small set of threats that are critical and actionable. In all the noise, these threats represent the most likely risk to your business.

Splunk UBA helps you focus on the threats that matter, with the context you need to investigate and then pivot back into Splunk ES for incident management and automated response. Splunk UBA is an out-of-the-box solution that helps you find unknown threats and anomalous behavior across users, endpoint devices and applications. Splunk UBA is relied upon by organizations to detect both insider and advanced threats—among several other use cases—using multi-pass machine learning capabilities.
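To make the "anomalies in, threats out" idea concrete, here is a deliberately simplified, rule-based stand-in for what the preceding paragraphs describe: anomalies are grouped per user, and a threat is raised only when an ordered chain of anomaly types occurs for the same user within a time window. This is an added illustration and not Splunk UBA's models or code; the anomaly records, the `THREAT_MODELS` chain and the four-hour `WINDOW` are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample anomalies (not real UBA output): (user, anomaly_type, ISO timestamp, score).
SAMPLE_ANOMALIES = [
    ("alice", "unusual_login_time",     "2018-05-01T02:10:00", 3),
    ("alice", "new_admin_privilege",    "2018-05-01T02:25:00", 5),
    ("alice", "excessive_data_upload",  "2018-05-01T03:05:00", 6),
    ("bob",   "unusual_login_time",     "2018-05-01T09:00:00", 2),
    ("bob",   "unusual_login_time",     "2018-05-03T09:00:00", 2),
    ("carol", "excessive_data_upload",  "2018-05-01T11:00:00", 4),
    ("carol", "unusual_login_time",     "2018-05-02T23:00:00", 3),  # out of order, no escalation step
]

# Hypothetical threat model: every anomaly type in the chain must occur, in this order,
# for one user, with the whole chain inside WINDOW. Isolated anomalies never become threats.
THREAT_MODELS = {
    "possible_data_exfiltration": [
        "unusual_login_time", "new_admin_privilege", "excessive_data_upload",
    ],
}
WINDOW = timedelta(hours=4)


def timelines(anomalies):
    """Group anomalies per user and sort each user's timeline by time."""
    by_user = defaultdict(list)
    for user, atype, ts, score in anomalies:
        by_user[user].append((datetime.fromisoformat(ts), atype, score))
    for timeline in by_user.values():
        timeline.sort()
    return by_user


def match_chain(timeline, chain, window):
    """Return (start, end, summed_score) for each occurrence of `chain` in order within `window`."""
    matches = []
    for i, (t0, a0, s0) in enumerate(timeline):
        if a0 != chain[0]:
            continue
        next_step, total, last_t = 1, s0, t0
        for t, a, s in timeline[i + 1:]:
            if t - t0 > window:          # chain must complete inside the window
                break
            if a == chain[next_step]:
                total, last_t, next_step = total + s, t, next_step + 1
                if next_step == len(chain):
                    matches.append((t0, last_t, total))
                    break
    return matches


def correlate(anomalies, models=THREAT_MODELS, window=WINDOW):
    """Reduce a flat anomaly list to scored threats, highest score first."""
    threats = []
    for user, timeline in timelines(anomalies).items():
        for name, chain in models.items():
            for start, end, score in match_chain(timeline, chain, window):
                threats.append({
                    "user": user, "threat": name, "score": score,
                    "start": start.isoformat(), "end": end.isoformat(),
                    "anomaly_count": len(chain),
                })
    return sorted(threats, key=lambda t: t["score"], reverse=True)


if __name__ == "__main__":
    print(f"{len(SAMPLE_ANOMALIES)} anomalies in")
    for threat in correlate(SAMPLE_ANOMALIES):
        print(threat)
```

Seven anomalies go in and one threat comes out: bob's repeated odd-hour logins and carol's upload followed by a login never complete the chain, so they stay as anomalies for context rather than becoming investigations. Real behavioral analytics learns the chains and scores statistically instead of from a hand-written list, but the reduction step works the same way.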

Splunk UBA Content Enhancements Deliver a Rich Set of Use Cases

Since the release of Splunk UBA 4.0 in October 2017, Splunk UBA has delivered two significant content releases—new machine learning models, threat models, anomaly classifications and data parsers—through the Splunk UBA Content Updates mechanism, available via Splunkbase. Customers can get the latest insights from Splunk security, data science research and the product team to continuously improve their security posture and get immediate value.

What’s New in Splunk UBA 4.1?

The Splunk UBA 4.1 release (May 2018) delivers greater scalability with a new microservices-based architecture, streamlined investigation with drill down to Splunk Enterprise, and improved administration with new fine-grained access control and data availability features.

Microservices-Based Scalable Architecture
Splunk UBA 4.1 offers a new scalable microservices-based architecture that supports clusters of up to 20 nodes and scales to 80K events per second (EPS). This is particularly important for large organizations with huge volumes of security- and UBA-relevant data coming into Splunk. In addition, the containerized data pipeline and analytics engine can grow and shrink in footprint as needed, so adding nodes delivers a near-linear increase in throughput.

Advanced Investigation Workflows
Splunk UBA 4.1 now includes drill-down capabilities into Splunk Enterprise that significantly improve the investigation workflow. Advanced security practitioners and hunters who start an investigation from an anomaly in Splunk UBA can now click a triggering-event link that redirects to the Splunk instance where those events are stored. An SPL search is generated automatically from the user and asset data in the anomaly, including its specific timestamps, to collect supporting evidence from the Splunk platform and further the investigation.
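The following added example shows the shape of such a generated pivot search and the one thing to get right when building it: the user and asset values come from log data, so they must be quoted as SPL string literals rather than concatenated raw, or a crafted username could close the literal and append pipeline commands. This is illustration code, not the search Splunk UBA itself generates; the anomaly dictionary, its field names (`user`, `assets`, `start`, `end`), the target index and the `pad_seconds` margin are all assumptions.

```python
from datetime import datetime, timezone

# Constructed anomaly record (not real UBA output); timestamps are UTC without offset.
SAMPLE_ANOMALY = {
    "user": "alice",
    "assets": ["wks-0142", "10.20.30.40"],
    "start": "2018-05-01T02:10:00",
    "end": "2018-05-01T03:05:00",
}


def spl_quote(value):
    """Render a value as an SPL double-quoted string literal.

    Backslashes and double quotes are backslash-escaped, so a hostile value such as
    alice" | delete cannot terminate the literal and inject a command into the search.
    """
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def to_epoch(iso_ts):
    """ISO-8601 UTC timestamp -> integer epoch seconds, which SPL earliest=/latest= accept
    unambiguously (no dependence on the searching user's time zone)."""
    return int(datetime.fromisoformat(iso_ts).replace(tzinfo=timezone.utc).timestamp())


def build_drilldown_search(anomaly, index="main", pad_seconds=300):
    """Build the SPL that pulls raw events around an anomaly for the user and assets involved.

    The window is widened by pad_seconds on each side so the events that led up to and
    followed the anomaly are visible, not only the triggering ones.
    """
    earliest = to_epoch(anomaly["start"]) - pad_seconds
    latest = to_epoch(anomaly["end"]) + pad_seconds
    clauses = [
        f"index={spl_quote(index)}",
        f"earliest={earliest}",
        f"latest={latest}",
        f"user={spl_quote(anomaly['user'])}",
    ]
    assets = anomaly.get("assets") or []
    if assets:
        # An asset may appear as either the source or the destination of an event.
        asset_terms = " OR ".join(
            f"src={spl_quote(a)} OR dest={spl_quote(a)}" for a in assets
        )
        clauses.append(f"({asset_terms})")
    return ("search " + " ".join(clauses)
            + " | sort 0 _time | table _time sourcetype user src dest action")


if __name__ == "__main__":
    print(build_drilldown_search(SAMPLE_ANOMALY))
    hostile = dict(SAMPLE_ANOMALY, user='alice" | delete')
    print(build_drilldown_search(hostile))  # the quote is escaped, the pipe stays inside the literal
```

Two caveats when adapting this: epoch `earliest`/`latest` values avoid the time-zone ambiguity of relative modifiers, and the field names (`user`, `src`, `dest`, `action`) only line up with real events if the sourcetypes are CIM-normalized, which is the same prerequisite UBA's own data ingestion relies on.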

Fine-Grained Access Control
In addition, Splunk UBA 4.1 ensures the separation of duties between UBA admins and analysts by providing fine-grained, role-based access controls. Customers can now create multi-tiered admins and analysts with varying privileges. The new access controls coupled with the existing PII-masking and auditing capabilities of Splunk UBA help customers meet SOC audit and compliance mandates.

Data Availability Validation
Lastly, new in Splunk UBA 4.1 is a Data Availability capability that helps customers identify which data sources are missing for the UBA use cases they want to run. For example, you can view the relationships among the data sources, models and anomalies that make up a specific threat, which lets security teams see exactly where their insider-threat coverage has gaps.

Interested in Learning More?

For more information on the latest enhancements available in Splunk UBA 4.1, please review the Splunk UBA 4.1 Release Notes. Contact us to find out how our customers are detecting insider threats and how you can benefit from a machine learning-driven behavior detection solution.

Patriz Regalado is Director of Product Marketing responsible for developing go-to-market strategies for Splunk cybersecurity solutions. Prior to joining Splunk, Patriz led Product Marketing for Identity and Security solutions at Salesforce. Patriz has held Engineering, Product Marketing, Product Management, and go-to-market roles at leading cybersecurity and technology software companies.