Detect Insider Threats and External Attacks

Modern-day threats are driven either by external attackers or by malicious insiders. The latter are hard to detect because traditional security products don’t focus on behavior, and sophisticated external attacks rely on new techniques and long dormant periods. To address this, next-generation security tools must analyze trillions of events over extended periods of time and adopt a detection philosophy based on behavior modeling and peer group analytics rather than a rule- or signature-driven approach.

Splunk UBA is an out-of-the-box solution built on a big data (Hadoop) platform that helps organizations find known, unknown and hidden threats. It uses a data science driven approach that produces actionable results with risk ratings and supporting evidence so SOC analysts and hunters can quickly respond to and investigate threats.

Splunk User Behavior Analytics:

  • Detects insider threats and external attacks using purpose-built, extensible, out-of-the-box unsupervised machine learning (ML) algorithms
  • Provides context around the threat via ML driven anomaly correlation and visual mapping of stitched anomalies over various phases of the attack lifecycle (Kill-Chain View)
  • Increases SOC efficiency with rank-ordered threats and supporting evidence
  • Supports bi-directional integration with Splunk Enterprise for data ingestion and correlation and with Splunk Enterprise Security for incident scoping, workflow management and automated response

Get Started

  • Product Brief: Splunk User Behavior Analytics
  • Technical Brief: Using Splunk® User Behavior Analytics
  • Splunk UBA Use Case: Insider Threats
  • Splunk UBA Use Case: External Threats
  • Splunk UBA Animation Video: Detect External Attacks and Insider Threats
  • 451 Impact Report: Splunk Brings Machine Learning Into the Machine Data Analytics Fold


Splunk User Behavior Analytics Key Features


Big Data Foundation

Built on a big data foundation (Hadoop), Splunk UBA scales to process billions of events per day and supports analyzing hundreds of thousands of entities within an organization.

Machine Learning

Purpose-built unsupervised machine learning algorithms deliver high-efficacy results in real time for effective incident response and threat hunting, with no training phase and no waiting for user input.

Multi-Dimensional Behavior Baseline

Historical and real-time data assists with the creation of behavior baselines, which can identify outliers and provide visibility into organizational metrics.

Real-Time Threat Detection and Visualization

Self-learning machine learning algorithms can automatically stitch anomalies together into threats and then visualize them over a kill chain for a SOC analyst’s response.
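The behavior baseline and anomaly stitching described in the two features above, as an added toy example that is not Splunk code: each metric is baselined against the user's peer group (median plus MAD), outliers become scored anomalies, and each user's anomalies are stitched along a kill chain into rank-ordered threats with supporting evidence. The peer group, metrics, values, thresholds and scoring are constructed assumptions for this example, not Splunk UBA's algorithms.

```python
import statistics
from collections import defaultdict

KILL_CHAIN = ["reconnaissance", "lateral_movement", "exfiltration"]  # attack order

# Constructed daily metrics for one peer group (illustrative, not Splunk UBA data):
# (user, peer_group, kill_chain_phase, metric, value)
EVENTS = [
    ("alice", "eng", "reconnaissance", "failed_logins", 2),
    ("bob", "eng", "reconnaissance", "failed_logins", 1),
    ("carol", "eng", "reconnaissance", "failed_logins", 60),
    ("dave", "eng", "reconnaissance", "failed_logins", 2),
    ("alice", "eng", "lateral_movement", "hosts_accessed", 3),
    ("bob", "eng", "lateral_movement", "hosts_accessed", 2),
    ("carol", "eng", "lateral_movement", "hosts_accessed", 4),
    ("dave", "eng", "lateral_movement", "hosts_accessed", 41),
    ("alice", "eng", "exfiltration", "bytes_out_mb", 120),
    ("bob", "eng", "exfiltration", "bytes_out_mb", 110),
    ("carol", "eng", "exfiltration", "bytes_out_mb", 130),
    ("dave", "eng", "exfiltration", "bytes_out_mb", 4900),
]

def detect_anomalies(events, threshold=5.0, cap=10.0):
    """Flag values far above the peer-group baseline (median + threshold * MAD)."""
    samples = defaultdict(list)
    for _, group, phase, metric, value in events:
        samples[(group, phase, metric)].append(value)
    found = []
    for user, group, phase, metric, value in events:
        vals = samples[(group, phase, metric)]
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals) or 1.0  # floor for flat peers
        z = (value - med) / mad  # robust z-score against the peer group
        if z > threshold:
            found.append({"user": user, "phase": phase, "metric": metric,
                          "value": value, "baseline": med, "score": min(z, cap)})
    return found

def stitch_threats(anomalies, phase_bonus=10.0):
    """Stitch each user's anomalies along the kill chain into rank-ordered threats."""
    by_user = defaultdict(list)
    for a in anomalies:
        by_user[a["user"]].append(a)
    threats = []
    for user, evidence in by_user.items():
        evidence.sort(key=lambda a: KILL_CHAIN.index(a["phase"]))  # supporting evidence in chain order
        phases = sorted({a["phase"] for a in evidence}, key=KILL_CHAIN.index)
        risk = sum(a["score"] for a in evidence) + phase_bonus * (len(phases) - 1)  # multi-phase bonus
        threats.append({"user": user, "risk": risk, "phases": phases, "evidence": evidence})
    return sorted(threats, key=lambda t: t["risk"], reverse=True)
```

Calling `stitch_threats(detect_anomalies(EVENTS))` ranks dave (anomalous in two phases) above carol (one phase), each with the anomalies that back the rating.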

Bi-Directional Integration with Splunk Enterprise and Splunk Enterprise Security (Splunk ES)

Seamless integrations with Splunk Enterprise for data ingestion along with real-time transfer of anomalies and threats into Splunk ES helps organizations gain visual insights into their security posture and automate workflows.

Splunk UBA Use Cases

Customers use Splunk UBA for the following use cases:

Data Exfiltration

Quickly identify evidence of data exfiltration from assets or users within an organization.

Account Hijacking & Privileged Account Abuse

Quickly detect compromised accounts and gain full visibility into threats associated with privileged accounts.

Cloud Application Compromise

Gain holistic visibility into access and activity for applications (on-premises or in the cloud) across users, and gain insight into misuse or abuse of these applications.

Unusual Behavior: User, Device, & Application

Identify threats and anomalies associated with users and other entities within your organization: User and Entity Behavior Analytics (UEBA).

Malware Detection & Lateral Movement

Detect malware and other threat actors as they move laterally within your network and communicate with internal and external C&C servers.

Available Workflows in Splunk UBA

Splunk® UBA maps threats and anomalies across a kill chain to drive multiple workflows addressing the needs of analysts and hunters.

Anomaly Exploration

A fully automated and customizable anomaly detection framework enables a hunter to explore machine learning outcomes, identify key violations and find suspicious patterns.

Threat Detection

A fully automated and customizable threat detection framework addresses insider threat and external attack use cases such as malware infection, privileged account abuse, data exfiltration, unusual behavior and more.

Why Splunk for User Behavior Analytics?

Splunk UBA augments your existing security team and makes it more productive by finding threats that would otherwise be missed for lack of staff and time. Its powerful machine-learning framework, customization ability, and breadth of use cases help organizations automate the detection of known, unknown, and hidden threats. Splunk UBA addresses the entire lifecycle of an attack, including insider threats and external attacks, and gives customers the ability to detect, respond to and contain threats using Splunk Enterprise Security.

Ask an Expert

Need help with your environment and requirements? Send us your questions and we will get back to you as soon as possible.


Email us at ubainfo@splunk.com.


If you need immediate assistance, check out our community forum, Splunk Answers.
