Splunk User Behavior Analytics helps organizations find known, unknown and hidden threats using machine learning, behavior baseline, peer group analytics, and advanced correlation to find lurking APTs, malware infections, and insider threats. It focuses the hunter workflows and security analysts, requires minimal administration, and integrates with existing infrastructure to locate hidden threats.
Behavior-Based Threat Detection
- Multi-entity behavior profiling and peer group analytics – devices, users, service accounts and applications
- Anomaly and threat detection with sophisticated kill – chain visualization
- Machine learning – no signatures, no human analysis
Splunk User Behavior Analytics Key Use Cases
- Cyber Attack Detection
- Insider Threats
- On-line Account Takeovers
Data Sources in Splunk User Behavioral Analytics
- Identity and Privileged User Activity: Entity ID and authentication events (Active Directory, single signon, VPN, etc.), and privileged account management applications
- Activity: HTTP transactions, intra-network activities (firewall, web gateway, VMs, proxy, DPL, etc.)
- SIEM: Existing log and SIEM management products (HP/ ArcSight, LogRhythm, IBM/QRadar, etc.)
- Hadoop Ecosystem: Existing Hadoop data repositories like Cloudera, HortonWorks, etc.
- Malware Detection: Existing dynamic or sandbox analysis products (FireEye, Palo Alto Wildfire, etc.)
- External Threat Feeds: External threat feeds like FS-ISAC, Google CIF, etc.
- Cloud, Mobile: Remote application logs, Mobile device events, AWS CloudTrail, Box, etc.
- Endpoint: Application and security logs from desktops, laptops, and servers
Streamlined Threat Workflow
- Splunk User Behavior Analytics reduces billions of raw events to thousands of anomalies, which result in hundreds of threats that the security team can review and resolve quickly
- Powerful security semantics-aware ml algorithms, dynamic statistical methods, and correlations identify hidden threats for review
- Context, location and container aware such that security anomalies are detected and correlated into threats with low rate of false positives
Kill Chain Detection and Attack Vector Discovery
- Automatic identification of abnormal APT/breach activity (CnC, lateral communication, etc.) and suspicious killchains,
e.g. pass-the-hash attacks
- Detection of lateral patterns of malicious or malware insider proliferation
- Real-time flagging of anomalous activity, e.g. suspicious URL activity or land-speed violations of logins
- Behavior-based detection of system or device irregularities, e.g., VM or AWS container threat activity
- Detection of Command-and-Control or botnet activity, e.g., Trojans or polymorphic malware
Threat Review and Exploration
- Threat path sequencing, highlighting abnormal or suspicious paths and frequencies
- Advanced correlations across the models results in critical threat identification
- Self-learning and adaptive algorithms machine learning and statistical
- Interactive threat exploration and the supporting evidence presentation
Splunk User Behavior Analytics Architecture
- Splunk UBA is built as a platform that includes Hadoop ecosystem for scalable, cost-efficient and open data persistence.
- The platform is designed for large-scale and real-time event analysis, includes time-series databases and graph databases for processing and representing security connections within the network.
- The platform provides RESTful APIs for integrating with third-party products to insert data automatically, as well as to drive action for remediation and prevention. The product is proven to scale over hundreds of TBs and billions of events.
- On-premise VM or software
- WS and vCloud Air public cloud
Why Behavioral Analytics from Splunk?
- ML, the statistical profiling and the other detection capabilities needs a foundation.
- A massively scalable and readily available data platform is required to support advanced analytics, one that provides users accessibility, quality and data coverage from a range of security and enterprise systems.
- The entire lifecycle of security operations: prevention, detection, response, mitigation, to the ongoing feedback loop, must be unified by continuous monitoring and advanced analytics to provide context-aware intelligence.
- The threat detection capabilities in Behavioral Analytics extend the search/pattern/expression (rule) based approaches currently in Splunk and
- Splunk Enterprise Security for detecting threats. Splunk can provide the data platform as well as the security analytics capabilities needed to empowers organizations to alert, monitor, analyze, investigate, respond, share, and detect known and unknown threats regardless of organizational size or skillset.
Sample Threats Prevented
- Suspicious login activity
- Privileged account abuse
- Virtual machine and container breach
- Data exfiltration
- Unusual SaaS and remote user behavior
- Rogue mobile device transmitting malware
- Privileged app infiltration, data theft
- AWS and cloud asset compromise
- Malware CnCs or bad IP addresses
- Systems infected with malware
Locus IT has a good knowledge of Splunk User Behavior Analytics and provides Splunk User Behavior Analytics training, Splunk behavior Analytics support and Splunk behavior Analytics Staffing services. For more information please contact us.