Behavior analysis

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Effective behavior analysis processes use tools that analyze behavior on your network and use machine learning to find anomalies in behavior, which can notify you of potential threats. Where it could take a human days or weeks to find anomalies, machine learning algorithms can find this behavior in near real-time. You can do this by adopting a user and entity behavior analytics (UEBA) platform like Splunk User Behavior Analytics, which can seamlessly integrate with Splunk Enterprise Security. Augmenting your SIEM with UBA deepens your security capabilities by detecting and resolving use cases such as lateral movement, unknown threats, and data exfiltration.

Insider threat detection using Splunk User Behavior Analytics and Splunk Enterprise Security

Splunk User Behavior Analytics uses machine learning and your existing data in Splunk to find anomalies that may indicate malicious behavior, such as insider threat. Splunk User Behavior Analytics includes a variety of indicators for suspicious or unusual user behavior that can alert your security team to investigate further. Analysts no longer have to sort through mountains of data to find out what a particular user has been up to on the corporate network. They can go to the Splunk User Behavior Analytics dashboard to look up any user and see all their behavior across all systems and machines on the network.

Splunk User Behavior Analytics can also augment Splunk Enterprise Security to enhance workflow and simplify investigations by synchronizing threat management across both platforms.

What are the benefits of behavior analysis?

You can benefit from the use of behavior analysis in security analytics through automation and faster correlation of historical data. It would be impossible for any human analyst to pull together correlating events and try to simulate what the machine learning algorithms can do in a matter of seconds.

The algorithms in behavior analytics can lead to:

Better anomaly detection
Predictive analytics
Clustering

What are behavior analysis best practices?

Gathering a baseline of normal activity for entities and users across the network provides you with a clear insight into anomalies when behavior falls out of the norm. This can be a leading indicator of a threat, or some other issue that may need further investigation.

How can Splunk Enterprise Security help with behavior analysis?

Would security capabilities that help you focus attention towards malicious actions improve your detections? Would fewer alerts of more value give your team more time for better response? Would expanding machine learning capabilities give your security operations an advanced edge?

With Splunk Enterprise Security, you can leverage advanced capabilities faster and easier, rather than needing to build advanced detections from the ground up. These include:

Risk-based alerting that allows the security domain to use fewer event criteria driven sources. This means that you have an advanced, fully operational detection and response framework in less time.
A use case library that gives you analytic stories to build content from. Each of these comes with framework mapping to a variety of different kill chains and the MITRE ATT&CK framework.
Recommendations for data sources, source types, and data models.
The power of machine learning and streaming analytics with behavior analysis. Unsupervised machine learning algorithms analyze data and detect anomalies that deviate from normal behavior. This continuous learning process allows you to better adapt to emerging cyber threats.
Visual threat topology that maps risk objects to associated threat objects.
Reports that show a variety of threat sources with additional detail all within one place to enrich notable events and give more context.

To learn more, watch the following demo to see how alerting that is better focused on surfacing legitimate threats takes less time and is easier for teams to manage.

What behavior analysis processes can I put in place?

Detecting cloud federated credential abuse in AWS
This use case contains searches that detect abnormal processes that might indicate the extraction of federated directory objects.
Detecting cloud federated credential abuse in Windows
This use case contains searches that detect abnormal processes that might indicate the extraction of federated directory objects.
Detecting insider threats
User behavior monitoring uses machine learning and your existing data in Splunk to find anomalies that may indicate malicious behavior, such as insider threat.
Detecting privilege escalation in your AWS environment
These searches are designed to uncover potentially malicious events in your AWS environment.
Detecting suspicious activities within AWS cloud instances
These searches help you identify, respond to, and investigate suspicious activities in your cloud compute instances.
Detecting unusual GCP service account usage
How to use Splunk to monitor how GCP usage changes over time, and to set up alerting mechanisms that will notify the security team when unexpected access occurs.