UBA / User Behavior Analytics

I’m in the process of evaluating behavior analytics tools. UBA and UEBA seem to be the popular acronyms for the product space.

It appears the space has three separate platform styles. You've got your add-ons, such as CyberArk Privileged Threat Analytics, Microsoft Advanced Threat Analytics, and Rapid7 InsightUBA. You've got your 'independent' platforms from Exabeam and Gurucul. Finally, there are the network analytics platforms, such as Observable Networks and Pwnie Express. My prediction is Microsoft is going to absolutely crush the user competition.

If you've already got a heavy Microsoft environment, ATA's cost is negligible compared to the enormous additional cost of expanding your CyberArk or Rapid7 environments. Those platforms can clearly cover more ground than just Microsoft platforms, but is it worth the additional cost and the environment configuration that goes with it? It's much easier to stumble into a functional Microsoft environment than to properly build a Linux environment. Local account usage seems significantly less common in enterprise Microsoft environments than in enterprise Linux environments, from what I've seen and heard.

I like the network analytics platforms, but they face a battle against Cisco's Stealthwatch platform. Cisco has a really weak ability to deliver in the security space, but they've got integration benefiting them here. It's tough to battle against Cisco security products in a Cisco environment. We'll have to see how the other network analytics products perform.

Verizon DBIR – Thoughts

Verizon has released their 2015 edition of the Data Breach Investigations Report, covering incidents in 2014. This report is really good.

On pages 6 and 7, the analysis of intelligence feeds is useful. I've wondered about overlap between intelligence feeds. My thought was there would be significant overlap. Their finding of very little overlap is not what I expected.
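The overlap question is easy to measure against your own feeds. The following is an added example, not code from the original post or from the DBIR; the feed names and indicators are constructed for illustration, and the function works on any mapping of feed name to an iterable of indicators (IPs, domains, hashes). It reports the share of indicators that appear in exactly one feed (the DBIR's "little overlap" figure), the pairwise Jaccard similarity, and what you would lose by cancelling a given feed.

```python
"""Measure indicator overlap between threat-intelligence feeds.

Added example, not from the original post or the DBIR. The feed contents
below are constructed for illustration (hypothetical names, invented
indicators drawn from documentation address ranges).
"""
from itertools import combinations

# Constructed sample feeds. Real input would come from your feed downloads.
FEEDS = {
    "feed_a": {"198.51.100.7", "203.0.113.9", "evil.example", "192.0.2.44", "bad.example"},
    "feed_b": {"198.51.100.7", "203.0.113.200", "worse.example", "192.0.2.44"},
    "feed_c": {"203.0.113.9", "other.example", "198.51.100.250"},
}


def normalize(indicator):
    """Lower-case and strip, so the same domain written differently still matches."""
    return indicator.strip().lower()


def _as_sets(feeds):
    return {name: {normalize(i) for i in inds} for name, inds in feeds.items()}


def feed_overlap(feeds):
    """Return (unique_fraction, pairwise_jaccard).

    unique_fraction: share of all distinct indicators seen in exactly one feed
    pairwise_jaccard: {(a, b): |A & B| / |A | B|} for every pair of feeds
    """
    sets = _as_sets(feeds)
    seen_in = {}
    for s in sets.values():
        for ind in s:
            seen_in[ind] = seen_in.get(ind, 0) + 1
    total = len(seen_in)
    unique = sum(1 for count in seen_in.values() if count == 1)
    unique_fraction = unique / total if total else 0.0

    pairwise = {}
    for a, b in combinations(sorted(sets), 2):
        union = sets[a] | sets[b]
        pairwise[(a, b)] = len(sets[a] & sets[b]) / len(union) if union else 0.0
    return unique_fraction, pairwise


def lost_if_dropped(feeds, name):
    """Indicators no other feed supplies: the coverage you lose by cancelling `name`."""
    sets = _as_sets(feeds)
    others = set().union(*(s for n, s in sets.items() if n != name))
    return sets[name] - others


if __name__ == "__main__":
    fraction, jaccard = feed_overlap(FEEDS)
    print(f"{fraction:.0%} of indicators appear in exactly one feed")
    for pair, score in jaccard.items():
        print(f"{pair[0]} vs {pair[1]}: Jaccard {score:.2f}")
    for name in FEEDS:
        print(f"drop {name}: lose {sorted(lost_if_dropped(FEEDS, name))}")
```

On the constructed data two thirds of the indicators are unique to one feed, which is the shape of result the report describes. A low pairwise Jaccard is not by itself a reason to buy more feeds; run `lost_if_dropped` on each one and weigh the unique indicators against what they actually detected in your environment.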

Page 22 indicates "70-90% of malware samples are unique to a single organization. Special snowflakes fall on every yard." Again, this is useful information for reporting incidents to leadership. As others have said, attribution is difficult.

Page 53 indicates that 75% of espionage attacks start with email, with the next 15% coming via web infections. It is crazy how effective email attacks are in business environments. We really need to get better at this stuff.

Having just taken some Six Sigma courses, I found it interesting to see 5 Whys applied to risk mitigation on page 55. I will need to try it out for some risk assessments in the future.

Finally, there are the recommendations of effective controls at the very end. The SANS Top 20 is great, but where do you start? Seeing the recommendation to start with patching / vulnerability management and two-factor authentication is great. It is difficult to build a business case for a specific control when you are deficient in so many.

The compromise statistics and time-to-respond figures aren't interesting. Everyone is terrible at incident response. I question the applicability of cost-per-record loss figures to a given environment.

SANS Effectiveness – Locus Of Control

Everyone has security controls/tools that work and controls/tools that don't work. I'd originally thought a bigger budget would solve a lot of problems. The community likes to say that budgets don't solve everything, but even open source needs hardware (cost) and time (cost) to implement and manage.

My problem seems to be more of a locus of control issue than a budget issue. Even if the budget doubled, I question whether the security posture would improve. A security team can easily implement AV, firewalls, malware detection, etc. The administration and usage are almost entirely the responsibility of the security team. The locus of control is internal to the team.

On the other hand, a penetration test has an external locus of control. There is the budget issue, but even a budget won't solve anything if the problematic systems have admins who won't resolve the findings.

A web-application firewall is another example. A network firewall is pretty simple: port 80 is either open or closed to a web server. A WAF requires cooperation between the security team and the server admin for an effective setup. Once again, the locus of control is external.
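The difference between the two decisions can be shown concretely. The following is an added example, not code from the original post or from any WAF product: a port filter that needs only information the security team already owns, next to a toy WAF rule set whose generic patterns (a script tag, a single quote) produce false positives on legitimate application fields unless the application owner supplies per-parameter exemptions. The request bodies, parameter names (`last`, `body`, `q`) and rule IDs are constructed for illustration.

```python
"""Port filter vs. WAF rule: why one is self-contained and the other is not.

Added example, not from the original post. Requests, parameter names and
rule IDs are constructed; the SQLi rule is deliberately crude to show the
false-positive problem a real deployment runs into.
"""
import re
from urllib.parse import parse_qs

# Network firewall: the decision needs only the 5-tuple, which the security
# team controls. No knowledge of the application behind the port is required.
ALLOWED_PORTS = {80, 443}


def packet_allowed(dst_port):
    """Stateless port filter: the port is either open or closed."""
    return dst_port in ALLOWED_PORTS


# WAF: generic signatures applied to every request parameter.
RULES = [
    ("xss-1", re.compile(r"<\s*script", re.IGNORECASE)),
    ("sqli-1", re.compile(r"'")),  # crude: any single quote in any parameter
]


def waf_decision(body, exemptions=None):
    """Return ("block", rule_id, param) or ("allow", None, None).

    `exemptions` maps parameter name -> set of rule IDs that must not fire on
    it. Only the application owner knows which fields legitimately carry a
    quote (names like O'Brien) or markup (a CMS editor body), so without their
    input the rule set either blocks real traffic or gets switched off.
    """
    exemptions = exemptions or {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for rule_id, pattern in RULES:
            if rule_id in exemptions.get(name, ()):
                continue  # field exempted by the application owner
            if any(pattern.search(v) for v in values):
                return ("block", rule_id, name)
    return ("allow", None, None)


# Constructed requests (URL-encoded form bodies).
LEGIT_SIGNUP = "first=Sean&last=O%27Brien"
LEGIT_EDITOR = "title=Release&body=%3Cscript%20src%3D%22/app.js%22%3E%3C/script%3E"
ATTACK = "q=%3Cscript%3Ealert(1)%3C/script%3E"

# What the server/application admin has to tell the security team for the
# WAF to be usable. The security team cannot derive this on its own.
APP_OWNER_EXEMPTIONS = {"last": {"sqli-1"}, "body": {"xss-1"}}


if __name__ == "__main__":
    print("port 80 allowed:", packet_allowed(80), "| port 22 allowed:", packet_allowed(22))
    for label, req in [("signup", LEGIT_SIGNUP), ("editor", LEGIT_EDITOR), ("attack", ATTACK)]:
        print(f"{label}: without exemptions {waf_decision(req)}, "
              f"with exemptions {waf_decision(req, APP_OWNER_EXEMPTIONS)}")
```

Without the exemptions both legitimate requests are blocked and the WAF ends up in monitor-only mode; with them the real attack on `q` is still blocked. The exemption list is the piece the security team cannot produce alone, which is the external locus of control the post describes.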

Even if the budget keeps increasing, effectiveness won’t increase until external groups buy in.  Fixing that requires more than open source tools, a budget, or security people…