Splunk UBA APP

Splunk User Behavior Analytics (UBA) Software License

Splunk User Behavior Analytics

Splunk UBA APP extends the Splunk platform by creating multidimensional behavior baselines around users, service accounts, devices and applications, and then executing unsupervised machine learning algorithms to generate anomalies and threats.
Splunk UBA works in conjunction with Splunk Enterprise and Splunk Enterprise Security (Splunk ES) to automate the detection of:

  • Malware and insider threats
  • Account compromise and privileged account abuse
  • Lateral movement
  • Suspicious behavior
  • Data exfiltration and IP theft

Specifically, Splunk UBA analyzes events collected in Splunk Enterprise and then performs behavior baselining, peer group analytics, clustering, graph walks and other techniques to find hidden threats by identifying and stitching anomalies together, for example:

  • Remote account takeover
  • Suspicious behavior
  • Malware activity
  • Data exfiltration by compromised account
  • Data exfiltration by malware
  • Lateral movement by insider
  • Compromised account
  • Infected device
  • Fraudulent website activity

Data Sources

Splunk UBA APP provides machine learning driven correlation of anomalies across multiple data sources, which can include security products or services such as firewalls, web gateways, VPN technologies, endpoint solutions, DLP products, cloud applications, networking devices and essentially any infrastructure within the environment that generates machine data.

Examples of Data Sources

Identity and Privileged User Activity: entity ID and authentication events (Active Directory, single sign-on, VPN, etc.), and privileged account management applications

Activity: HTTP transactions, intra-network activities (firewall, web gateway, proxy, DLP, etc.)

SIEM: Splunk ES or third party log management products (HP/ArcSight, LogRhythm, IBM/QRadar, etc.)

Hadoop Ecosystem: existing Hadoop data repositories (Cloudera, Hortonworks, etc.)

Malware Detection: existing sandbox or dynamic analysis products (FireEye, Palo Alto Wildfire, etc.)

External Threat Feeds: FS-ISAC, Collective Intelligence Framework (CIF), etc.

Cloud Applications: AWS CloudTrail, Box, Office 365, etc.

Endpoint: application and security logs from laptops, desktops and servers or third party endpoint solutions

Custom Apps: live event streaming via JavaScript, Java, REST, Syslog

Automated Continuous Threat Monitoring

Splunk UBA visualizes threats along the kill chain and provides supporting evidence so that the security analyst can take immediate action based on a prioritized list of significant threats to investigate. This approach avoids overloading the analyst with alerts and false positives. An analytics-based workflow enables a threat hunter to investigate anomalies and look for policy violations or potential intent to exfiltrate data.

Splunk UBA adds automation to either a standalone Splunk Enterprise deployment or a Splunk Enterprise Security deployment. In an Enterprise Security deployment, it automatically pushes threat information into Splunk ES, where each threat becomes a notable event. Threats discovered by Splunk UBA are taken into account by the risk scoring algorithms within Splunk ES, so Splunk Enterprise Security users can continue to use the Splunk ES Risk Scoring Framework and the Splunk ES Incident Review workflow for threat management. In addition, all Splunk UBA anomalies are fed into Splunk ES for additional insight. This combined solution offers prevention, detection and response capabilities.
