How to use big data analysis to determine UEBA threats in real time

Ross Brewer, VP & MD EMEA, LogRhythm

Organisations of every kind today are using automation, big-data analytics and machine learning to tackle a wide range of challenges. Businesses, for example, are deploying ever-smarter cloud-based systems to improve customer service, supply chains, product development and IT security.

Solutions for faster, easier and more automated security in particular are more important than ever for today’s enterprises. Security professionals are in short supply, while the number and scale of cyberthreats just keep growing. Fortunately, that’s where User and Entity Behaviour Analytics (UEBA) can step in to help.

UEBA automatically monitors how users and devices are acting within an organisation’s systems so that it can stay alert to anomalies and any behaviour that’s out of the ordinary.

Facing such a fast-moving, sophisticated threat landscape, it’s important to quickly identify cyber-threats and act effectively to minimise damage. However, it’s even better to find attacks just as they are starting to happen and prevent damage before it occurs. Whenever problems arise, there are usually data warning signs. But many organisations aren’t watching that data or, if they are, aren’t analysing it in the right ways to enable fast responses.

Managing threats in real time

That’s what UEBA solutions are designed to do, automatically, and in real time. They can monitor vast streams of user and entity data that humans can’t easily handle or understand so businesses can identify threats as they start to happen, rather than afterward.

UEBA lets companies gain deeper insights from the structured and unstructured data they already have but that often goes unnoticed: for example, data about network traffic, endpoints, web crawlers and more. The system then learns the behaviour of users and entities (in other words, devices, servers and other endpoints) by applying scenario-based algorithms that use machine learning, statistical analysis, peer group analytics and other techniques. Once the system has established a baseline of what ‘normal’ user or entity behaviour looks like, it can detect and report anomalies and unusual activities far quicker than manual checks.

For example, if ‘User A’ typically logs in at 09:00, fires up Outlook and glances at Internet Explorer over lunch, then all is well. However, if one morning User A logs in at 03:00 from an overseas location, exports a large amount of data from a company database and logs on to a cloud storage website, some alarm bells will (quite rightly) start to ring.
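The baseline-and-anomaly idea behind the User A scenario above can be shown in a few dozen lines. The following is an added illustration, not LogRhythm's code or any product's algorithm: it builds a per-user baseline (usual login hours and countries) and a peer-group baseline (export volume across a department) from a handful of constructed login events, then scores a new event against both. The event tuples, the department names and the z-score threshold are all assumptions made for the example.

```python
"""Toy UEBA scorer: per-user baselines plus peer-group statistics.

Added example, not the article's or LogRhythm's own code. All events
below are constructed sample data, not real logs.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline events: (user, department, login_hour, country, bytes_exported)
BASELINE_EVENTS = [
    ("user_a", "sales", 9, "GB", 20_000),
    ("user_a", "sales", 9, "GB", 25_000),
    ("user_a", "sales", 10, "GB", 18_000),
    ("user_a", "sales", 9, "GB", 22_000),
    ("user_b", "sales", 8, "GB", 30_000),
    ("user_b", "sales", 9, "GB", 28_000),
    ("user_b", "sales", 9, "GB", 35_000),
    ("user_c", "sales", 10, "GB", 15_000),
    ("user_c", "sales", 9, "GB", 17_000),
]


def build_baselines(events):
    """Learn what 'normal' looks like from historical events.

    Returns (per_user, peer_stats):
      per_user[user]   -> {"hours": set, "countries": set, "dept": str}
      peer_stats[dept] -> (mean_bytes, population_stddev_bytes)
    """
    per_user = defaultdict(lambda: {"hours": set(), "countries": set(), "dept": None})
    peer_bytes = defaultdict(list)
    for user, dept, hour, country, nbytes in events:
        profile = per_user[user]
        profile["hours"].add(hour)
        profile["countries"].add(country)
        profile["dept"] = dept
        peer_bytes[dept].append(nbytes)
    peer_stats = {dept: (mean(v), pstdev(v)) for dept, v in peer_bytes.items()}
    return dict(per_user), peer_stats


def score_event(event, per_user, peer_stats, z_threshold=3.0):
    """Return a list of human-readable reasons the event deviates from baseline.

    An empty list means the event looks normal. Each reason is one
    scenario: unusual hour, unusual location, or export volume far above
    the peer group (z-score above z_threshold standard deviations).
    """
    user, dept, hour, country, nbytes = event
    reasons = []
    profile = per_user.get(user)
    if profile is None:
        return [f"{user}: no baseline exists for this user"]

    if hour not in profile["hours"]:
        reasons.append(f"login at {hour:02d}:00 outside usual hours {sorted(profile['hours'])}")
    if country not in profile["countries"]:
        reasons.append(f"login from {country}, not in baseline countries {sorted(profile['countries'])}")

    mu, sigma = peer_stats.get(dept, (0.0, 0.0))
    if sigma == 0:
        # Degenerate peer group (all identical): flag only if strictly above the mean.
        z = float("inf") if nbytes > mu else 0.0
    else:
        z = (nbytes - mu) / sigma
    if z > z_threshold:
        reasons.append(
            f"exported {nbytes} bytes, {z:.1f} sd above '{dept}' peer mean of {mu:.0f}"
        )
    return reasons


def is_alert(event, per_user, peer_stats, min_reasons=1):
    """Alert when at least min_reasons deviations are present (tunable per policy)."""
    return len(score_event(event, per_user, peer_stats)) >= min_reasons


if __name__ == "__main__":
    users, peers = build_baselines(BASELINE_EVENTS)
    # Constructed 'normal' and 'suspicious' events for User A.
    normal = ("user_a", "sales", 9, "GB", 21_000)
    suspicious = ("user_a", "sales", 3, "US", 2_000_000)
    for ev in (normal, suspicious):
        reasons = score_event(ev, users, peers)
        print(ev, "->", reasons or "normal")
```

Two design points carry over to a real deployment: the per-user baseline is a set here but would be a time-windowed distribution in practice (so a genuinely new office or working pattern ages into the baseline), and the peer-group z-score is what lets a single large export stand out even for a user with no export history of their own.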

This technology not only helps already-stretched-thin IT teams better deal with a “rising tide” of cyber-threats but also allows the development of better, more predictive models for fighting such attacks.

Identifying both internal and external threats

The proliferation and innovation of business-enabling technology, combined with the speed with which today’s advanced hackers adopt and adapt to the latest technology, is making it increasingly difficult – if not impossible – for security teams to evolve their rapid threat detection and response capabilities as quickly as their adversaries. By having the ability to automatically spot deviations from normal behaviour and to monitor the creation, deletion and permission changes of privileged accounts, organisations are able to recognise established patterns and identify both internal and external threats as soon as they appear.

Whilst it’s still crucial to guard the organisation perimeter, it’s clear that security professionals need to adapt to the increase in the number of attacks and respond to the increasingly sophisticated ways in which systems can be breached. With tools such as UEBA, businesses are in a much better position to detect and mitigate threats before they cause any damage.


Ross Brewer, VP & MD EMEA, LogRhythm

As a vice president and managing director of EMEA, Ross Brewer has nearly 30 years of sales and management experience, with more than 20 years in the information security sector. At LogRhythm he leads the EMEA team and has been key in helping deliver consistent, rapid growth in the region. A highly respected thought leader in the UK, he is regularly quoted in top-tier national and trade press, including the BBC, The Times, Infosecurity Magazine and The Register. He is also frequently featured as a cyber security expert on TV and radio, with appearances on BBC News and BBC Radio to discuss breaking news and provide expert insight into cyber security incidents.

Before joining LogRhythm, Ross was a senior executive at LogLogic where he served as vice president and managing director of EMEA. He’s also held key leadership roles in Europe and the South-Pacific region at NetIQ, PentaSafe and Symantec.
