UBA / User Behavior Analytics

I’m in the process of evaluating behavior analytics tools. UBA and UEBA seem to be the popular acronyms for the product space.

It appears the space has three separate platform styles. You’ve got your add-ons such as CyberArk Privileged Threat Analytics, Microsoft Advanced Threat Analytics, and Rapid7 InsightUBA. You’ve got your ‘independent’ platforms from Exabeam and Gurucul. Finally, there are your network analytics platforms such as Observable Networks and Pwnie Express. My prediction is Microsoft is going to absolutely crush the user competition.

If you’ve already got a heavy Microsoft environment, ATA’s cost is negligible compared to the enormous additional cost of expanding your CyberArk or Rapid7 environments. Those platforms can clearly cover more ground than just Microsoft platforms, but is it worth the additional cost and the proper environment configuration? It’s much easier to blindly stumble upon building a functional Microsoft environment than to properly build a Linux environment. Local account usage seems significantly less common in enterprise Microsoft environments than in enterprise Linux environments from what I’ve seen and heard.

I like the network analytics platforms, but they’ve got a battle against Cisco’s Stealthwatch platform. Cisco has a really weak ability to deliver in the security space, but they’ve got integration benefiting them here. It’s tough to battle against Cisco security products in a Cisco environment. We’ll have to see how the other network analytics products perform.

DBIR – Exfil Time – Explore v Smash & Grab

Anton Chuvakin’s review of the DBIR is my favorite.  It is super concise and to the point.

Document page 10 / PDF 14 has a chart comparing compromise time and exfiltration time.  Compromise time is typically in minutes while 20% of exfiltration is in minutes and 70% is in days.  Both make sense given the data on hand.

If you’re getting in, you’re getting in relatively quickly. The message is delivered or the application vulnerability is found. If you fail, you’re changing tactics and your attack likely won’t be correlated with the previous attack. I’m not aware of many organizations doing any real threat intelligence. My MSSPs and threat data providers can never answer if they’ve seen alerts from fellow customers.

My guess is time for exfiltration is based on the compromise. The shorter compromises are if the target had the data, while the longer exfiltrations are if a pivot was required. If the attacker can pull off a smash and grab, the exfiltration will be quick.

It’s too bad the vulnerability section is so poorly sourced.  Then again, patching and QA typically aren’t given the resources to properly function at most organizations anyway.

Reviewing Splunk For Enterprise Security

I gave a brief presentation on using Splunk for Enterprise Security after having used Splunk for a while.  Here is a summary of my thoughts:

Splunk for Enterprise Security seems to primarily be two things: a ticketing system and an investigation system.

The ticketing system is alright. I’d already had Splunk integrated into an enterprise ticketing system. From the ticketing perspective, Splunk ES is relatively weak. Alerting / notifications and metric tracking leave a lot to be desired.

The investigation system is built on two explorer dashboards, one for identities and one for assets.  If I view an asset for example, Splunk ES can show Windows events, IDS events, and firewall events all in a single dashboard.  It is very polished.  I’d suspect an organization further along in Splunk may already have a home brew version of this.  My previous environment had something in the infant stages of this.

Splunk for Enterprise Security is heavily built on data models.  I’d argue the Knowledge Object course is more useful to a security practitioner than the Using Enterprise Security or Administering Enterprise Security course.  If you’ve already been using Splunk for a while, you likely already have dashboards and alerts with functionality similar to Splunk for Enterprise Security.  The ES training seemed focused on understanding the dashboards more than understanding the underlying Splunk ES architecture.

If you’ve been using Splunk for a few years, Enterprise Security isn’t going to wow you.  You’ve already got plenty of alerts and dashboards to compete with the package out of the box.  It will however allow you to build much better searches going forward.  Having used it for a few months, I have correlations in Splunk ES that I doubt I could have ever written as alerts in Splunk.


My organization is testing Geofiltering controls. I’m generally opposed to Geofiltering, but this is intriguing.

The easiest controls are the ones backed by policy. If your audit department has rules against international remote access, that’s mostly easy. Every modern firewall except for Cisco offers native Geofiltering.  Apply the rules and walk away.  The shortcoming is threat intelligence. If your remote access solutions (Cisco ASA VPN) can’t handle Geofiltering, you’re stuck. In an ideal world, I’d like to use dynamic access policies to block users after authentication.

User / Customer / Shareholder system controls are the interesting ones. You can’t block those people just because they travel overseas. Do you implement captcha technology, email notifications, etc?
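One way to express the split the two paragraphs above describe, as an added example that is not code from the original post: workforce accounts get the policy-backed block after authentication, while customer and shareholder accounts are never blocked on geography alone and instead get a notification or a step-up challenge. The account types, the permitted-country list, the six-hour "rapid hop" window, and the login events are all constructed assumptions for the example.

```python
"""Post-authentication geo-policy evaluation (added example, not from the post).

Assumptions (constructed for this example):
- a successful authentication arrives as a LoginEvent with the country already
  resolved by the VPN / firewall geo lookup (ISO 3166-1 alpha-2 code)
- workforce ("employee") accounts fall under an audit policy that prohibits
  remote access from outside a short list of countries
- customer / shareholder accounts cannot be blocked for travelling; a new
  country triggers an e-mail notification, and a new country reached within a
  short window of a login from a different country triggers a challenge
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Tuple


class Action(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"    # challenge (captcha / second factor) before granting access
    NOTIFY = "notify"      # allow, but e-mail the account owner about the new location
    BLOCK = "block"        # policy-backed deny, only for workforce accounts


@dataclass
class LoginEvent:
    user: str
    account_type: str      # "employee" or "customer" (assumed labels)
    country: str
    ts: datetime


@dataclass
class GeoPolicy:
    employee_allowed: frozenset            # countries permitted by the remote-access policy (assumed)
    rapid_hop: timedelta = timedelta(hours=6)  # window for the customer challenge rule (assumed)


def evaluate(event: LoginEvent, history: List[LoginEvent], policy: GeoPolicy) -> Tuple[Action, str]:
    """Decide what to do with one successful authentication given that user's prior logins."""
    if event.account_type == "employee":
        if event.country in policy.employee_allowed:
            return Action.ALLOW, "workforce login from a permitted country"
        return Action.BLOCK, f"workforce login from {event.country} prohibited by remote-access policy"

    # Customer / shareholder accounts: geography alone is never a reason to block.
    seen = {h.country for h in history}
    if not history or event.country in seen:
        return Action.ALLOW, "country already associated with this account"
    last = max(history, key=lambda h: h.ts)
    if last.country != event.country and event.ts - last.ts <= policy.rapid_hop:
        return Action.STEP_UP, f"new country {event.country} within {policy.rapid_hop} of a login from {last.country}"
    return Action.NOTIFY, f"first login from {event.country}; notify the account owner"


def run(events: List[LoginEvent], policy: GeoPolicy) -> Dict[str, List[Tuple[Action, str]]]:
    """Replay events in time order, building each user's history as decisions are made."""
    history: Dict[str, List[LoginEvent]] = {}
    decisions: Dict[str, List[Tuple[Action, str]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        action, reason = evaluate(ev, history.get(ev.user, []), policy)
        decisions.setdefault(ev.user, []).append((action, reason))
        if action != Action.BLOCK:
            history.setdefault(ev.user, []).append(ev)
    return decisions


# Constructed sample data: one workforce account and one customer account.
POLICY = GeoPolicy(employee_allowed=frozenset({"US", "CA"}))
SAMPLE_EVENTS = [
    LoginEvent("alice", "employee", "US", datetime(2016, 5, 1, 8, 0)),
    LoginEvent("alice", "employee", "RU", datetime(2016, 5, 2, 3, 0)),
    LoginEvent("bob", "customer", "US", datetime(2016, 5, 1, 9, 0)),
    LoginEvent("bob", "customer", "DE", datetime(2016, 5, 10, 10, 0)),   # travelling, first seen in DE
    LoginEvent("bob", "customer", "DE", datetime(2016, 5, 11, 10, 0)),   # DE now known
    LoginEvent("bob", "customer", "BR", datetime(2016, 5, 11, 12, 0)),   # BR two hours after DE
]

if __name__ == "__main__":
    for user, outcomes in run(SAMPLE_EVENTS, POLICY).items():
        for action, reason in outcomes:
            print(f"{user:6} {action.value:8} {reason}")
```

The decision function deliberately returns a reason string alongside the action so the same output can feed a ticket or a SIEM alert; whether "notify" means an e-mail and "step_up" means a captcha is left to the enforcing system, which is the open question the post raises.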

Are Conference Attendees Getting Older?

Are conference attendees getting older on average?  A fellow attendee made the observation at DerbyCon.  ShmooCon is probably combating this with their Shmooze-A-Student program as well as their guarantee of tickets for West Point.  But what about the others?

The theory given was that DerbyCon and ShmooCon are hard to attend.  Tickets sell out extremely quickly.  The tickets are more likely going to people who have already attended and want to return.

Anyone else observe this or have any thoughts?

DerbyCon Review / SIEM Management

DerbyCon was amazing as usual.  I can’t recommend the conference enough.

The most useful talk for me was Ryan Voloch’s talk on SIEM management. I have experience deploying Splunk as a security monitoring solution. Ryan’s talk focused on managing use cases / searches. Prior to the talk, I had a notepad for my ideas and used my employer’s ticket system for external requests. It worked but wasn’t elegant. I’m in the process of deploying a larger Splunk monitoring solution. I’m testing the template.

When do you move on?

I am shifting industries.  The first 6 years of my information security career have been in steel manufacturing.  I’ve accepted a job securing an organization in the medical sector.  This should be interesting.

My current employer has on site medical facilities.  I’m familiar with their demands, though they were primarily Citrix and your basic medical equipment.  It’s been a long time since the operating rooms have been active at the mills, though operating rooms (and morgues) exist at the facilities.

I’m ready for the challenge.