
The Splunk UBA Journey…Q&A

What is UBA?

UBA, or User Behavior Analytics, is a premium product published by Splunk. It is a separate product from Splunk's core software and has its own binaries and configuration. By relying on machine learning, UBA helps protect an organization against insider threats and also provides monitoring and alerting for outsider threats.

What are insider threats?

Any malicious activity that is generated from, or related to, an entity inside the organization. This entity can be an asset or an identity account. Many hacking techniques now rely on compromising company accounts and using them to gain access into the organization. Attackers will always work to find a backdoor through any vulnerability or security weakness in the organization's security systems.

What is UBA capable of?

  • It can automatically detect threats and anomalies from internal users and assets using machine learning and data.
  • Leveraging the prebuilt threat detection models, UBA will constantly monitor the organization's events and identify anomalous entities without human intervention.
  • Correlate anomalies generated by any unusual behaviors into one or multiple threat alerts, so that analysts can trace these anomalies down to any internal or external entity sources.
  • Create dashboards that will help analysts understand their threats and anomalies and investigate them in depth.
  • Provide alerting on newly created threats.
  • Integrate with Splunk ES to enable notable events on threats and anomalies.
  • Provide anomaly action rules, and whitelisting or blacklisting of any entity, to help analysts eliminate false positives caused by legitimate activities within the organization.

How does UBA categorize threats and anomalies?

UBA will categorize threats and anomalies by: users, devices, IPs, and domains. All related subcategories will also be provided by UBA, such as internal vs. external IPs, user account status, and trusted vs. untrusted applications.

Is a Splunk environment required?

For the most part, and for the best performance and results, the answer is YES. UBA will leverage the Splunk platform to collect and ingest data, and also to get CIM-normalized data when possible. UBA will also integrate with many Splunk security products, like Splunk Enterprise Security, to provide a robust security solution for the customer.

What are the essential first steps to have UBA work as expected?

  • Sizing the UBA installation: Splunk PS will first engage to size your deployment by analyzing your environment, including:
    • the log ingestion rate in EPS (events per second);
    • the number of user accounts and devices; and
    • the number of data sources that will feed UBA.

Where can we install UBA?

UBA can be installed on a single server or on a cluster of nodes, depending on the sizing and planning above. UBA can be installed on the following platforms:

Other than data sources, what information do I have to provide?

In order to let UBA learn the organization's operations and log flows properly, and to make it distinguish normal internal activities from anomalies, it is essential that we provide the following information to UBA during the installation:

  • Internal IP ranges of the organization. This includes any internal or external subnets that are owned by the organization.
  • Geo-locations of the associated offices.
  • Default office location, such as the organization's HQ.
  • List of competitors (optional; used by certain threat models only).
  • AD domains in use for all of the organization's devices.
  • The IP addresses of the internal and external vulnerability scanners.

What happens after installation and configuration are completed?

Now it is time to provide the data sources to UBA. The PS engineer will start creating the data sources using scheduled jobs that fetch the data from the Splunk platform and ingest it into UBA. This task may include CIM normalization work on the data sources in Splunk, as we must make sure that all data is ingested cleanly in order to ensure the UBA models work as expected.

Is there a preferred order for ingesting data sources into UBA?

The first data sources we have to ingest into UBA are HR data and assets. After ingesting those data sources, we validate the data and make sure it looks as expected. Make sure the HR data has all the required information, that it is normalized, and that multiple accounts belonging to the same user are bound to a unique Employee ID.
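The HR validation step above, as an added example that is not part of the original post or of Splunk's own tooling: it consolidates a constructed HR export in which several accounts belong to one employee, binds every account to a single Employee ID, and reports the two problems a reviewer would want to catch before ingestion (missing required attributes, and one account claimed by two employees). Column names, the case-insensitive account normalization, and the sample rows are all assumptions.

```python
import csv
import io

# Constructed sample HR export (not real data): one row per account, and
# several rows may belong to the same employee (AD account, admin account...).
HR_EXPORT = """employee_id,account,full_name,department,status
E1001,jsmith,John Smith,Finance,active
E1001,jsmith_adm,John Smith,Finance,active
E1002,adoe,Alice Doe,Engineering,active
E1002,ADOE,Alice Doe,Engineering,active
E1003,bwu,,Sales,active
E1004,cli,Chris Li,Legal,terminated
E1005,jsmith_adm,Jane Smith,HR,active
"""

# Attributes the user-level models need for every employee (assumed set).
REQUIRED = ("full_name", "department", "status")


def normalize_account(name: str) -> str:
    """Assumed normalization: accounts are matched case-insensitively."""
    return name.strip().lower()


def consolidate(hr_csv: str):
    """Bind every account to exactly one employee ID and collect findings.

    Returns (employees, issues): employees maps employee_id -> record with an
    'accounts' set; issues is a list of validation findings in input order.
    """
    employees, owner_of, issues = {}, {}, []
    for row in csv.DictReader(io.StringIO(hr_csv)):
        eid = row["employee_id"].strip()
        acct = normalize_account(row["account"])
        if eid not in employees:
            employees[eid] = {k: row[k].strip() for k in REQUIRED}
            employees[eid]["accounts"] = set()
            # A blank required attribute leaves the user unusable for modelling.
            for field in REQUIRED:
                if not employees[eid][field]:
                    issues.append(f"{eid}: missing {field}")
        employees[eid]["accounts"].add(acct)
        # The same account resolving to two employee IDs breaks the baseline,
        # because both users' activity would be attributed to one identity.
        if acct in owner_of and owner_of[acct] != eid:
            issues.append(f"account {acct} mapped to both {owner_of[acct]} and {eid}")
        owner_of.setdefault(acct, eid)
    return employees, issues
```

Run `consolidate(HR_EXPORT)` to see the merged records and the findings; a clean export is one where the returned issues list is empty.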

After ingesting and validating those data sources, there is no preferred order for ingesting the others.

How will UBA work afterwards?

Once we have ingested all the data sources and validated that all jobs are ingesting properly, we let UBA do its work on its own, meaning that we leave UBA for about 6 weeks to run independently. During that time the jobs run on their schedule, and UBA keeps monitoring user and asset behavior and builds a baseline for these activities. Anything outside this baseline will then be considered an anomaly.

What must the UBA engineer do after the baseline period is completed?

After the baseline period is completed, the engineer will engage again and complete the following steps:

  • Validate that UBA is healthy and has no warnings or errors.
  • Validate that all data sources are still running as expected.
  • Validate that device and HR data are still available and valid.
  • Validate the anomalies created and work with the client to create action rules that will delete the false positive anomalies.
  • Add any whitelisting/blacklisting for domains, users, and IPs.
  • Hold a knowledge transfer session with the client.

About SP6

SP6 is a Splunk consulting firm focused on Splunk professional services including Splunk deployment, ongoing Splunk administration, and Splunk development. SP6 has a separate division that also offers Splunk recruitment and the placement of Splunk professionals into direct-hire (FTE) roles for those companies that may require assistance with acquiring their own full-time staff, given the challenge that currently exists in the market today.