Splunk Lantern

Anomaly detection


While manually written correlation rules can and do detect malicious behavior, they cannot be relied on alone to identify every threat in a given environment. Security teams are so overwhelmed by the sheer volume and sophistication of attacks that many have reached, if not exceeded, their capacity to observe, orient, decide, and act effectively and rapidly. As a result, stealthy, hidden, and unknown threats are missed.

Tools that analyze behavior on your network and use machine learning to find anomalies in that behavior can notify you of potential threats. Where it could take a human days or weeks to find anomalies, machine learning algorithms can find this behavior in near real-time. You can do this by adopting a user and entity behavior analytics (UEBA) platform like Splunk User Behavior Analytics, which can seamlessly integrate with Splunk Enterprise Security. Augmenting your SIEM with UBA deepens your security capabilities by detecting and resolving use cases such as lateral movement, unknown threats, and data exfiltration.

Anomaly detection using Splunk User Behavior Analytics and Splunk Enterprise Security

Splunk User Behavior Analytics (Splunk UBA) uses machine learning and your existing data in Splunk software to find anomalies that may indicate malicious behavior, such as insider threat. Splunk UBA includes a variety of indicators for suspicious or unusual user behavior that can alert your security team to investigate further. Analysts no longer have to sort through mountains of data to find out what a particular user has been up to on the corporate network. They can go to the Splunk UBA dashboard to look up any user and see all that person's behavior across all systems and machines on the network.

Splunk UBA can also augment Splunk Enterprise Security to enhance workflow and simplify investigations by synchronizing threat management across both platforms.

What are the benefits of effective anomaly detection?

Effective anomaly detection processes help you to:

  • Rapidly and effectively detect different types of threats - known, unknown, or insider - across users, devices, and applications.
  • Find anomalous behavior quickly, investigate the root cause and impact, and then quickly respond and remediate.
  • Find known, unknown, and hidden threats using multi-dimensional behavior baselines, dynamic peer group analysis, and unsupervised machine learning.
  • Visualize threats across multiple phases of an attack to give security analysts a comprehensive understanding of the root cause, scope, severity, and timeliness of an attack.

What are anomaly detection best practices?

  • Monitor insider threat/behavior analytics: Identify unusual patterns or deviations from normal behavior within your environment, enabling early detection of potential insider threats by flagging activities that may go unnoticed through traditional monitoring.
  • Detect fraud: Enhance fraud detection by automatically identifying irregularities or suspicious activities in data. This proactive approach allows you to respond swiftly to potential fraudulent behavior, minimizing financial losses and protecting the integrity of your systems.
  • Detect insider threat: Implement real-time monitoring and analysis of user behavior. By establishing baselines and recognizing deviations, you can promptly detect and respond to insider threats, ensuring the security of sensitive information and critical systems.
  • Adopt custom ML models: Tailor anomaly detection to your specific needs. This customization ensures more accurate identification of anomalies in your data, making the anomaly detection process more effective and aligned with the unique requirements of your organization.
  • Integrate data from fraud tools: Integrating data from fraud tools enhances the overall fraud detection process. By consolidating data sources, you can obtain a holistic view of potential fraudulent activities, leading to more robust and comprehensive fraud prevention measures.
  • Implement machine learning (ML) for fraud: ML algorithms can continuously learn and evolve, adapting to changing patterns of fraudulent behavior. This ensures a more resilient and proactive defense against fraud in comparison to static rule-based systems.
  • Perform ML model analysis: Regularly analyzing machine learning models is crucial for maintaining their effectiveness. The capabilities in Splunk security software facilitate the monitoring of model performance over time, allowing you to fine-tune and optimize your ML models for better anomaly detection accuracy and staying ahead of emerging threats.
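The baseline-and-deviation approach from the insider-threat item above, combined with the peer-group baselines mentioned under benefits, as an added illustration. This is not Splunk UBA's algorithm or code; the log format, user names, department groupings and host counts are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (not real data): one line per successful logon,
# "<day> <user> <dept> <host>". Days 1-6 train the baselines; day 7 is scored.
_TRAIN = {  # user: (peer group, distinct hosts touched on each of days 1..6)
    "alice": ("finance", [2, 3, 2, 4, 3, 2]),
    "bob":   ("finance", [3, 2, 3, 3, 2, 4]),
    "carol": ("eng",     [5, 6, 5, 7, 6, 5]),
    "dave":  ("eng",     [6, 5, 7, 6, 5, 6]),
    "erin":  ("eng",     [1, 1, 1, 1, 1, 2]),  # recently onboarded engineer
}
_DAY7 = {"alice": 11, "bob": 3, "carol": 6, "dave": 7, "erin": 6}
SAMPLE_LOGS = [f"{day} {user} {dept} srv{i:02d}"
               for user, (dept, counts) in _TRAIN.items()
               for day, n in list(enumerate(counts, 1)) + [(7, _DAY7[user])]
               for i in range(n)]

def parse(lines):
    """Return ({(day, user): {hosts}}, {user: dept}) from the log lines."""
    hosts, dept_of = defaultdict(set), {}
    for line in lines:
        day, user, dept, host = line.split()
        hosts[(int(day), user)].add(host)
        dept_of[user] = dept
    return hosts, dept_of

def zscore(x, baseline):
    """Standard score of x; a flat baseline treats any change as a large deviation."""
    sd = pstdev(baseline)
    if sd == 0:
        return 0.0 if x == baseline[0] else float("inf")
    return (x - mean(baseline)) / sd

def score_day(lines, train_days, day):
    """Per user: (distinct hosts on `day`, z vs own baseline, z vs peer-group baseline)."""
    hosts, dept_of = parse(lines)
    count = lambda d, u: len(hosts.get((d, u), ()))
    own = {u: [count(d, u) for d in train_days] for u in dept_of}
    peer = defaultdict(list)                 # peer group = same department
    for u, vals in own.items():
        peer[dept_of[u]].extend(vals)
    return {u: (count(day, u), zscore(count(day, u), own[u]),
                zscore(count(day, u), peer[dept_of[u]])) for u in dept_of}

def flag(scores, threshold=3.0):
    """Alert only when both baselines are exceeded, so a new hire ramping up to
    normal team activity (high z_self, low z_peer) is not an alert."""
    return {u: s for u, s in scores.items() if s[1] > threshold and s[2] > threshold}
```

Running `flag(score_day(SAMPLE_LOGS, range(1, 7), 7))` flags only alice, whose 11 hosts exceed both her own and the finance baseline, while erin's jump is normal for her peer group.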

How can Splunk Enterprise Security help with anomaly detection?

Would security capabilities that help you focus attention towards malicious actions improve your detections? Would fewer alerts of more value give your team more time for better response? Would expanding machine learning capabilities give your security operations an advanced edge?

With Splunk Enterprise Security, you can take advantage of advanced capabilities more quickly and easily, rather than needing to build advanced detections from the ground up. These include:

  • Risk-based alerting, which lets your security operation rely on fewer alert sources driven by individual event criteria. This means that you have an advanced, fully operational detection and response framework in less time.
  • A use case library that gives you analytic stories to build content from. Each of these comes with framework mapping to a variety of different kill chains and the MITRE ATT&CK framework.
  • Recommendations for data sources, source types, and data models.
  • The power of machine learning and streaming analytics with behavior analysis. Unsupervised machine learning algorithms analyze data and detect anomalies that deviate from normal behavior. This continuous learning process allows you to better adapt to emerging cyber threats.
  • Visual threat topology that maps risk objects to associated threat objects.
  • Reports that show a variety of threat sources with additional detail all within one place to enrich notable events and give more context.

To learn more, watch the following demo to see how alerting that is better focused on surfacing legitimate threats takes less time and is easier for teams to manage.

What anomaly detection processes can I put in place?