Hidden threats, insider risks, and sophisticated attacks are difficult to detect with traditional security solutions. Splunk UBA (User Behavior Analytics) helps companies control this type of threat using advanced analysis and Machine Learning technologies, together with integration into the Splunk Enterprise Security SIEM system. Early detection of unknown or internal threats is becoming increasingly difficult for companies, due to the growing number of cyber-attacks and the diversification of penetration and propagation methods.

Internal threats, in turn, are also increasing. According to ENISA data, last year 88% of organizations considered “insider threats” a real danger. And 40% said that their critical business data was vulnerable to such types of risks.

The difficulty of detecting threats is also due to the fact that IT departments are struggling with large volumes of false-positive alerts. According to studies, in 2017 a large company received, on average, over 10,000 alerts per month. More than half (52%) of these were false positives, while almost two-thirds (64%) were redundant. For this reason, companies investigated only 56% of daily security alerts, according to the Cisco report from the same year. Four years later, the situation has not improved.


Splunk UBA, the answer to hidden threats


The Datanet solution for these cumulative problems is Splunk Enterprise Security (ES), a SIEM system that helps companies identify, investigate, and quickly respond to threats, attacks, and any abnormal activity that affects their operations. The early detection capability of the SIEM system is enhanced by integration with the Splunk User Behavior Analytics (UBA) application. The UBA solution automatically detects abnormal behavior of users, equipment, applications, and privileged accounts, aggregates these deviations into patterns, and delivers actionable information.

For this, Splunk UBA uses advanced modeling and behavioral analysis methods, as well as Machine Learning (ML) algorithms. Using data aggregated from multiple sources (via Splunk ES), the solution associates user identities with IP addresses and with the discovered patterns in real time. ML algorithms and peer group analysis, which uses categories of users to assess and classify their behavior, ensure that any deviation from established patterns is identified.

Splunk UBA thus ensures the detection of cases of:

  • Abusive use of privileged accounts and improper use of access permissions;
  • Theft of confidential data;
  • Compromise of access data;
  • Abnormal behavior (such as unauthorized access to critical resources, attempts to access unusual connection locations, etc.)

Not every anomaly is a threat


Although the solution detects every deviation from established patterns, it does not deliver a torrent of alerts when it discovers them. The ML technology developed by Splunk uses data correlation, statistical analysis, and learning algorithms to automatically reduce thousands of detected events to several hundred potentially abnormal behaviors. Then, also automatically, with the help of dynamic classification rules and models, those hundreds of anomalies are consolidated into dozens of threats, which are reported to the computer security team.

The Splunk solution can also detect, track, monitor, and correlate over time the various anomalies that may signal a real threat. This feature makes it more effective at identifying "Low and Slow" attacks, which traditional detection methods miss because each individual event looks like legitimate traffic.

Another competitive advantage of the ML technology developed by Splunk is that learning mechanisms do not require human intervention. Thus, SOC teams no longer have to create templates and update and adapt sets of rules and signatures in advance to detect a threat.


The benefits of the integrated approach


Splunk UBA (User Behavior Analytics) assigns a risk score to each identified threat. The security team can thus not only analyze threats but also prioritize them, allocate resources, and take preventive measures according to their severity. In turn, response measures can also be automated, since Splunk ES and UBA integrate with numerous enterprise IT security systems.

Together, Splunk ES and Splunk UBA can quickly address the most sophisticated threats by sharing and correlating data about known anomalies and threats. By ingesting data about detected behavioral deviations, the Splunk SIEM expands its ability to identify unknown threats. Filtering alerts before they reach the SOC team gives the team the time to focus on genuinely urgent, complex threats and to resolve them without needing an army of security specialists.
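As an added illustration, not Splunk's code or algorithm and not part of the original article, the following Python sketch shows the funnel described above on constructed data: leave-one-out peer group analysis turns daily download counts into anomalies, repeated anomalies are correlated over time into a risk-scored threat, and a "low and slow" user who never trips a static per-day limit is still caught by peer comparison. The peer group, thresholds, and scoring formula are illustrative assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real Splunk data): (user, peer group, day, files
# downloaded from the document store that day) for one finance team over a week.
WEEK = range(7)
EVENTS = (
    [("alice", "finance", d, n) for d, n in zip(WEEK, [12, 15, 11, 14, 13, 12, 16])]
    + [("bob", "finance", d, n) for d, n in zip(WEEK, [14, 10, 13, 12, 15, 11, 13])]
    + [("carol", "finance", d, n) for d, n in zip(WEEK, [13, 12, 14, 11, 12, 15, 13])]
    # mallory never exceeds a "big download" limit but sits above peers every day
    + [("mallory", "finance", d, n) for d, n in zip(WEEK, [31, 29, 33, 30, 32, 34, 30])]
)


def static_threshold_alerts(events, limit=50):
    """Signature-style rule: alert only when a single day exceeds a fixed limit."""
    return [(u, d, n) for u, _, d, n in events if n > limit]


def peer_group_anomalies(events, z_threshold=2.0):
    """Leave-one-out peer baseline: compare each user's daily count with the other
    members of the same group on that day; return (user, day, z) for excess use."""
    by_group_day = defaultdict(list)
    for user, group, day, count in events:
        by_group_day[(group, day)].append((user, count))
    anomalies = []
    for (_, day), rows in by_group_day.items():
        for user, count in rows:
            peers = [c for u, c in rows if u != user]
            if len(peers) < 2:                 # no usable baseline without peers
                continue
            sigma = max(pstdev(peers), 1.0)    # floor avoids division by zero
            z = (count - mean(peers)) / sigma
            if z > z_threshold:
                anomalies.append((user, day, round(z, 2)))
    return anomalies


def correlate_threats(anomalies, min_anomalies=3):
    """Aggregate anomalies per user across the window; persistent deviation becomes
    a threat with a 0-100 risk score (persistence plus worst single deviation)."""
    per_user = defaultdict(list)
    for user, _, z in anomalies:
        per_user[user].append(z)
    return {u: min(100, 10 * len(zs) + round(max(zs)))
            for u, zs in per_user.items() if len(zs) >= min_anomalies}


if __name__ == "__main__":
    found = peer_group_anomalies(EVENTS)
    print("static rule alerts:", static_threshold_alerts(EVENTS))
    print(f"{len(EVENTS)} events -> {len(found)} anomalies -> threats {correlate_threats(found)}")
```

On this data the fixed-limit rule raises nothing, while peer comparison flags all seven of mallory's days and correlation escalates them into one threat with a risk score of 88.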

Datanet Systems specialists can help you leverage the capabilities of both Splunk solutions, enabling you to increase the accuracy of early detection, the speed of reaction, and the effectiveness of prevention and remediation measures. For more details about Splunk UBA, the advantages of integration with Splunk ES, and the Datanet commercial offer, contact us at sales@datanets.ro.