Continuous Threat Monitoring
Enterprises are constantly under attack from external perpetrators such as hacktivists, cyber-criminals, and nation states. These attacks often come in the form of malware, APTs or zero-day attacks delivered through web content, phishing campaigns or removable media.
By using Splunk UBA for cyberattack detection, you gain:
- Detection of malware and hidden attacks
- Numerous anomaly and threat models focused on external threat detection
- Fully automated and continuous threat monitoring—no rules, no signatures, no human analysis
External attacks succeed because attackers have become sophisticated: malware is polymorphic and programmed to evade common signatures, rules and perimeter-based defense mechanisms. Once within the network, attackers are able to stealthily navigate the network, compromise accounts, find valuable assets, and gradually exfiltrate data. In spite of innovations like next-generation anti-malware solutions, threat intelligence feeds, and collaboration initiatives like FS-ISAC, these “below-the-radar” attack techniques manage to evade even the smartest security tools today.
The common thread across various forms of cyberattacks is the deviation of a compromised user’s or asset’s behavior from its past or its peer groups. This changing behavior of entities provides indicators of compromise (IoC) which can be woven together to distinguish a threat.
Behavior of entities, especially users, devices, system accounts, and privileged accounts, can be mined to reveal anomalies, even when they occur in low frequency and over extended periods of time.
Splunk User Behavior Analytics (Splunk UBA) not only captures the footprint of these threat actors as they traverse enterprise environments, but also runs it through its advanced machine learning algorithms to baseline behavior, detect deviations and find anomalies continuously.
These aberrations are then stitched into a meaningful sequence over time using unsupervised machine learning to reveal the actual kill chain, which is not only comprehensible but also immediately actionable.
A kill chain is a sequence of malicious activities resulting in a breach. Frequently, there are several events in each stage of the sequence that reveal the path and behavior of an attacker. In contrast to alerts corresponding to violations of known thresholds, a behavior-based threat detection approach uses machine learning with extreme context awareness, thereby maximizing the probability of finding true, hidden threats while greatly minimizing the rate of false positives. In short—a kill chain is the true picture of an attack.
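The baselining-and-stitching idea described above, as a small added example that is my own illustration and not Splunk UBA's code or algorithms: constructed daily counters per user are scored against the user's own history and against peers in the same group on the same day, the resulting anomalies are ordered in time per entity, and an entity whose anomalies advance through successive kill-chain stages is reported as a threat. The metrics, the metric-to-stage mapping, the z-score threshold and the sample data are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical mapping from a per-entity metric to the kill-chain stage a spike in it suggests
STAGE_OF = {
    "failed_logins": "account_takeover",
    "hosts_contacted": "lateral_movement",
    "bytes_out": "exfiltration",
}
STAGE_ORDER = ["account_takeover", "lateral_movement", "exfiltration"]
METRICS = list(STAGE_OF)


def make_events():
    """Constructed sample: seven days of daily counters per user in two peer groups,
    with a slow, low-volume attack injected against 'alice' on days 4, 5 and 7."""
    events = []
    for day in range(1, 8):
        for user in ("alice", "bob", "carol"):   # finance peer group
            events.append({"day": day, "user": user, "group": "finance",
                           "failed_logins": 1, "hosts_contacted": 3, "bytes_out": 50})
        for user in ("dave", "erin"):            # engineering peer group
            events.append({"day": day, "user": user, "group": "eng",
                           "failed_logins": 2, "hosts_contacted": 8, "bytes_out": 200})
    injected = {4: ("failed_logins", 40), 5: ("hosts_contacted", 60), 7: ("bytes_out", 5000)}
    for ev in events:
        if ev["user"] == "alice" and ev["day"] in injected:
            metric, value = injected[ev["day"]]
            ev[metric] = value
    return events


def zscore(value, history, floor=1.0):
    """Standard score of value against history. The floor on the spread keeps a
    perfectly flat baseline from flagging every small change (and avoids /0)."""
    if not history:
        return 0.0
    return (value - mean(history)) / max(pstdev(history), floor)


def detect_anomalies(events, threshold=3.0):
    """Score each (day, user, metric) against the user's own past days and against
    peers in the same group on the same day; return the ones that stand out."""
    by_day = defaultdict(list)
    for ev in events:
        by_day[ev["day"]].append(ev)
    own_history = defaultdict(list)        # (user, metric) -> values on earlier days
    anomalies = []
    for day in sorted(by_day):
        for ev in by_day[day]:
            peers = [p for p in by_day[day]
                     if p["group"] == ev["group"] and p["user"] != ev["user"]]
            for metric in METRICS:
                z_self = zscore(ev[metric], own_history[(ev["user"], metric)])
                z_peer = zscore(ev[metric], [p[metric] for p in peers])
                if max(z_self, z_peer) >= threshold:
                    anomalies.append({"day": day, "user": ev["user"], "metric": metric,
                                      "stage": STAGE_OF[metric],
                                      "z_self": round(z_self, 1), "z_peer": round(z_peer, 1)})
        for ev in by_day[day]:             # extend baselines only after the day is scored
            for metric in METRICS:
                own_history[(ev["user"], metric)].append(ev[metric])
    return anomalies


def stitch_kill_chains(anomalies, min_stages=2):
    """Order each entity's anomalies in time and keep those that advance through
    the kill chain; a chain of at least min_stages stages is reported as a threat."""
    per_user = defaultdict(list)
    for a in sorted(anomalies, key=lambda a: a["day"]):
        per_user[a["user"]].append(a["stage"])
    chains = {}
    for user, stages in per_user.items():
        progressed, last = [], -1
        for stage in stages:
            idx = STAGE_ORDER.index(stage)
            if idx > last:                 # only forward movement along the chain counts
                progressed.append(stage)
                last = idx
        if len(progressed) >= min_stages:
            chains[user] = progressed
    return chains


if __name__ == "__main__":
    found = detect_anomalies(make_events())
    for a in found:
        print(a)
    print(stitch_kill_chains(found))
```

Each of the three injected spikes is small in absolute terms and separated by days of normal activity, so a per-event threshold alert would treat them as three unrelated blips; it is the per-entity ordering by kill-chain stage that turns them into one actionable sequence. Scoring against peers as well as against the entity's own history is what catches a spike on the first day an entity is seen, when it has no history of its own.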
“Account takeover is one of the most significant debilitating challenges we face as a major B2C company; the resulting cyber-fraud costs us millions and current security tools are no longer able to keep up with today’s sophisticated attacker. A new, behavior-based paradigm is what we need.”
-CISO, major consumer financial company
Sample Threats Detected
- Account Takeover (ATO) – compromise of privileged and regular accounts by an external, malicious entity
- Lateral Movement – navigation of malware within a network
- Command and Control Activity – periodic beaconing activity by malware to communicate with CnC infrastructure
- Data Exfiltration – the act of stealing private, confidential and sensitive data within an organization by malware or an attacker
- Browser Exploits and Malware Activity – infection discovery of polymorphic attacks
Why Splunk for User Behavior Analytics?
Splunk UBA augments your existing security team and makes them more productive by finding threats that would otherwise be missed due to a lack of staff and time. Its powerful machine-learning framework, customization ability, and breadth of use cases help organizations with the automated detection of known, unknown, and hidden threats. Splunk UBA addresses the entire lifecycle of an attack, including insider threats and external attacks, and provides customers with the ability to detect, respond to and contain threats using Splunk Enterprise Security.