UBA - Turn your security detection up to 11
02/07/19 – Author: Ben Marrable – Certified Splunk Consultant
So you’ve set up your SIEM and have a large collection of detective controls alerting you to misbehaviour in your environment, perhaps even automating the response as well. Great, there’s nothing more you can do, right? Security is turned up to the max?
Wrong! Attackers are relentless and your security strategy should never stand still; you should always look to be proactive and improve. One thing you can do is use machine learning and data science to detect anomalies that do not match any known pattern or signature, the so-called “unknown threats”. This technique is well suited to finding malicious insiders, who already know the environment and potentially how to avoid your security tools while looking like a normal user. It also helps detect the most advanced adversaries, even when they leave only subtle traces of their activity.
So, how do we start using machine learning? Splunk provides two options when it comes to security. The first is the do-it-yourself route, the Splunk Machine Learning Toolkit (MLTK): hugely powerful and full of possibilities, but for security use cases there is no point in reinventing the wheel. The second is Splunk User Behaviour Analytics (UBA), a self-contained behaviour analytics product that works on data from Splunk.

That data is streamed from the Splunk search head and passed through a collection of data models designed to detect anomalies such as Excessive Data Transmission or Unusual Network Activity. Those anomalies and their corresponding events are then fed through a second round of models to detect threats. A threat is a high-fidelity alert built from a collection of events and anomalies, presented across the stages of the kill chain, for example Data Exfiltration by Suspicious User or Device. An anomaly on its own is a weak signal; it is the combination that gives a threat its fidelity. Threats can then be sent back into your SIEM for triage and event management.
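To make the two-stage pipeline concrete, here is a small added example of the same idea in Python. It is not Splunk UBA’s code and does not reproduce UBA’s models: it learns a per-user baseline of daily bytes sent, flags an "Excessive Data Transmission" anomaly when a day’s total is far outside that baseline, flags an "Unusual Network Activity" anomaly when a user talks to a destination never seen in the baseline window, then combines anomalies from different kill-chain stages for the same user and day into a single threat and renders it as a key=value line for a SIEM. The sample events, the kill-chain stage labels, the thresholds, the scoring and the output format are all assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (not real telemetry): (day, user, destination, bytes sent).
EVENTS = [
    # alice: ~70 MB/day to two internal hosts, then a 2 GB day to a never-seen address
    *[(d, "alice", "fileserver.corp", 50_000_000) for d in range(1, 8)],
    *[(d, "alice", "mail.corp", 20_000_000) for d in range(1, 8)],
    (8, "alice", "fileserver.corp", 55_000_000),
    (8, "alice", "203.0.113.7", 2_000_000_000),
    # bob: large but consistent backup traffic every day, including day 8 -> nothing to flag
    *[(d, "bob", "backup.corp", 4_000_000_000) for d in range(1, 9)],
    # carol: a new destination on day 8 but a tiny volume -> one anomaly, not a threat
    *[(d, "carol", "wiki.corp", 5_000_000) for d in range(1, 8)],
    (8, "carol", "wiki.corp", 5_000_000),
    (8, "carol", "198.51.100.9", 100_000),
]

BASELINE_DAYS = range(1, 8)  # assumption: days 1-7 teach "normal", day 8 is scored
SCORE_DAY = 8
Z_THRESHOLD = 3.0            # assumption: flag totals more than 3 sigma above baseline
SIGMA_FLOOR = 0.1            # assumption: sigma never below 10% of the mean, so a
                             # perfectly flat history does not flag trivial jitter
NEW_DEST_SCORE = 3           # assumption: fixed score for a first-seen destination


def daily_bytes(events):
    """{user: {day: total bytes sent}}"""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, _dest, nbytes in events:
        totals[user][day] += nbytes
    return totals


def known_destinations(events, days):
    """{user: set of destinations seen during the baseline window}"""
    seen = defaultdict(set)
    for day, user, dest, _nbytes in events:
        if day in days:
            seen[user].add(dest)
    return seen


def detect_anomalies(events, baseline_days=BASELINE_DAYS, score_day=SCORE_DAY):
    """Stage one: score one day per user against that user's own baseline."""
    anomalies = []
    totals = daily_bytes(events)
    seen = known_destinations(events, baseline_days)
    for user, per_day in totals.items():
        history = [per_day.get(d, 0) for d in baseline_days]
        mu, sigma = mean(history), pstdev(history)
        sigma = max(sigma, SIGMA_FLOOR * mu)
        today = per_day.get(score_day, 0)
        z = (today - mu) / sigma if sigma else 0.0
        if z > Z_THRESHOLD:
            anomalies.append({
                "user": user, "day": score_day,
                "type": "Excessive Data Transmission", "stage": "Exfiltration",
                "score": min(10, round(z)),
                "detail": f"{today} bytes vs baseline mean {mu:.0f} (z={z:.1f})",
            })
    for day, user, dest, nbytes in events:
        if day == score_day and dest not in seen[user]:
            anomalies.append({
                "user": user, "day": day,
                "type": "Unusual Network Activity", "stage": "Command and Control",
                "score": NEW_DEST_SCORE,
                "detail": f"first contact with {dest} ({nbytes} bytes)",
            })
    return anomalies


def build_threats(anomalies):
    """Stage two: a threat needs anomalies from at least two kill-chain stages
    for the same user on the same day (assumed rule for this illustration)."""
    grouped = defaultdict(list)
    for a in anomalies:
        grouped[(a["user"], a["day"])].append(a)
    threats = []
    for (user, day), items in grouped.items():
        if len({a["stage"] for a in items}) >= 2:
            threats.append({
                "name": "Data Exfiltration by Suspicious User", "user": user, "day": day,
                "score": sum(a["score"] for a in items), "anomalies": items,
            })
    return threats


def to_siem_event(threat):
    """Render a threat as one key=value line for ingest back into the SIEM (assumed format)."""
    fields = {
        "threat": threat["name"], "user": threat["user"], "day": threat["day"],
        "score": threat["score"],
        "anomalies": ";".join(a["type"] for a in threat["anomalies"]),
    }
    return " ".join(f'{k}="{v}"' for k, v in fields.items())


if __name__ == "__main__":
    found = detect_anomalies(EVENTS)
    for a in found:
        print("ANOMALY", a["user"], a["type"], a["detail"])
    for t in build_threats(found):
        print("THREAT", to_siem_event(t))
```

Run as-is, it flags two anomalies for alice and one for carol, but only alice becomes a threat: carol’s new destination is a single weak signal, and bob’s 4 GB backups are normal for bob even though they dwarf alice’s spike. That per-entity baseline is the whole point of behaviour analytics and the reason a single anomaly should not page anyone by itself.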