Let’s start by taking a closer look at the differences between UEBA and SIEM. UEBA uses advanced analytics to baseline network activity so that malicious behaviour can be identified whether it originates inside or outside an organisation. It does this by automatically learning what is ‘normal’ from typical activity and then, using proprietary algorithms, assigning risk scores to potentially malicious behaviour. Alerts can provide almost 100% accuracy, which means the SOC can operate far more efficiently and proactively and ensures that a business is protected before any potential threat becomes a major issue.
If you’re thinking that SIEM already does this then you’re sadly mistaken. SIEM will only highlight what a security team tells it to. It assumes that the security team is always aware of everything in the continually evolving threat landscape and has configured the product to alert when any one of those threats occurs. In fact, with so many possibilities for what is deemed to be NORMAL, the effort of defining them all can drain resources and end up doing more harm than good for an organisation’s security strategy.
UEBA, on the other hand, is signature-less and doesn't need any human input; instead it learns what normal activity is by taking feeds from all applications (or in some cases, just network traffic) and only flags when something genuinely malicious has occurred. Do not despair, though: your SIEM investment hasn’t been a complete waste of time, as it still serves a huge purpose in centralising security events for monitoring and alerting; it just requires extra assistance to make it more efficient.
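To make the contrast above concrete, here is an added example (not code from the article or from HANDD) that scores a constructed set of per-user daily event counts two ways: a single SIEM-style static threshold applied to everyone, and a UEBA-style per-entity baseline that turns today's count into a z-score risk score. The user names, counts and thresholds are hypothetical.

```python
import statistics

# Constructed sample data (hypothetical, not real telemetry): events per user
# per day over a 14-day learning window, plus today's count for each user.
BASELINE = {
    "alice": [40, 42, 38, 45, 41, 39, 43, 40, 44, 42, 41, 39, 40, 43],
    "bob":   [3, 2, 4, 3, 2, 3, 4, 3, 2, 3, 3, 4, 2, 3],
}
TODAY = {"alice": 46, "bob": 20}

# SIEM-style rule: one hand-written threshold, the same for every entity.
FIXED_THRESHOLD = 25


def siem_rule(today, threshold=FIXED_THRESHOLD):
    """Flag any entity whose count exceeds the static threshold."""
    return {user: count > threshold for user, count in today.items()}


def ueba_score(history, value):
    """Risk score: how many standard deviations today sits above this
    entity's own learned baseline (0.0 if at or below its mean)."""
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history) or 1.0  # guard against a flat history
    return max(0.0, (value - mean) / sd)


def ueba_flags(baseline, today, score_threshold=3.0):
    """Flag an entity only when it deviates from its *own* normal."""
    return {
        user: ueba_score(baseline[user], count) >= score_threshold
        for user, count in today.items()
    }


if __name__ == "__main__":
    # alice is a naturally busy account: the static rule fires on her (noise),
    # while bob's jump from ~3 to 20 stays under the static rule (a miss) but
    # is a large deviation from his personal baseline.
    print("SIEM static rule :", siem_rule(TODAY))
    print("UEBA baseline    :", ueba_flags(BASELINE, TODAY))
    for user, count in TODAY.items():
        print(f"  {user}: risk score {ueba_score(BASELINE[user], count):.1f}")
```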
You could be fooled into thinking that AI spells the end for a skilled IT security workforce, but with one of the biggest concerns among the UK’s leading banks being a lack of skilled resource, that’s highly unlikely. UEBA should be viewed as a smart and reliable tool that frees up skilled security staff to concentrate on the jobs they were employed to do: setting security strategy, applying patches, fixing vulnerabilities, responding to threats, training and skilling up, and so on.
It’s safe to say that security professionals should be greeting AI with open arms and recognising the powerful operational efficiencies that can be achieved when combined with a skilled security team in the war on cyber-crime.
Danny Maher is Chief Technology Officer at information security specialist, HANDD Business Solutions