One of the most challenging aspects of running an effective Security Operations Center (SOC) is accounting for the high volume of notable events that present no real risk to the business. These events often include common occurrences like users forgetting their passwords a ridiculous number of times or accessing systems at odd hours for valid reasons. Despite their benign nature, the sheer volume of such potential threats can overwhelm limited staff.
An even greater challenge is detecting unknown threats, such as Advanced Persistent Threats (APTs) and Insider Threats, which are constantly evolving and difficult to detect with traditional rule-based approaches. Splunk User Behavior Analytics (UBA) tackles these challenges using unsupervised machine learning to profile normal behavior for each user and asset. It then identifies unusual behavior patterns across users, devices and applications that go beyond human-designed rules, effectively searching for unknown threats.
Figure 1: Splunk UBA identifies unusual behavior patterns across users, devices and apps
To ensure analysts are able to focus on the most critical threats that pose the greatest risk to the organization, Splunk UBA first identifies anomalies and then applies machine learning a second time, correlating the captured anomalies into the unusual patterns that indicate a high-fidelity threat.
Within Splunk UBA, models are designed to generate threats, anomalies, or indicators of compromise (IoCs). Anomalies, as shown in Figure 2, are notable findings within the data, such as deviations from typical behavior or interesting patterns like beaconing. Anomalies are typically categorized into types such as Exfiltration, Infection, or Expansion.
Figure 2: Anomalies are notable findings that serve as supporting evidence.
A threat is essentially a set of one or more anomalies or IoCs that together form a distinct security use case, as shown in Figure 3. For example, Kill-chain threats analyze all anomalies to identify specific user or device patterns that align with various stages of a kill chain. Such threats may include Data Exfiltration by a suspicious user, device, or a compromised account. In contrast, graph-based threats, such as Public-facing Website Attack or Fraudulent Website Activity, are computed based on groups of similar anomalies, rather than anomalies grouped by user or device.
Figure 3: Threats represent actionable items derived from sets of anomalies and IoCs.
In short, threats in Splunk UBA represent actionable items that users aim to address, while anomalies serve as supporting evidence. Anomalies are typically generated by the streaming models, batch models, and anomaly rules employed within the Splunk UBA framework (See Figure 4).
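To make the two threat types concrete, here is an added illustration in Python; it is not Splunk UBA code and does not reflect how UBA implements its models. The anomaly fields (entity, category, score, target), the seven-day correlation window, the two-stage minimum and the sample anomalies are all constructed for this example. The first function groups anomalies by user or device and looks for progression through kill-chain stages; the second ignores the entity and instead links anomalies that share a target, which is the graph-style grouping the text contrasts it with.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed anomaly record; the field names are assumptions for this example,
# using the page's own categories (Infection, Expansion, Exfiltration).
@dataclass(frozen=True)
class Anomaly:
    ts: datetime
    entity: str        # user or device the anomaly was attributed to
    category: str      # Infection / Expansion / Exfiltration
    score: int         # 1..10
    target: str = ""   # external destination, when one exists


# Kill-chain order used to decide whether an entity's anomalies span stages.
KILL_CHAIN = ("Infection", "Expansion", "Exfiltration")


def kill_chain_threats(anomalies, window=timedelta(days=7), min_stages=2):
    """Entity-based correlation: group anomalies per user/device and raise a
    threat when one entity shows anomalies from at least `min_stages` distinct
    kill-chain stages inside `window`. Returns {entity: (stages, total_score)}."""
    by_entity = defaultdict(list)
    for a in anomalies:
        by_entity[a.entity].append(a)
    threats = {}
    for entity, items in by_entity.items():
        items.sort(key=lambda a: a.ts)
        for i, first in enumerate(items):
            in_window = [a for a in items[i:] if a.ts - first.ts <= window]
            stages = tuple(s for s in KILL_CHAIN
                           if any(a.category == s for a in in_window))
            if len(stages) >= min_stages:
                threats[entity] = (stages, sum(a.score for a in in_window))
                break
    return threats


def graph_threats(anomalies, min_size=3):
    """Graph-based grouping: anomalies are nodes, joined when they share a
    target. Connected components with at least `min_size` anomalies become one
    threat regardless of which entities produced them (union-find)."""
    nodes = [a for a in anomalies if a.target]
    parent = list(range(len(nodes)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_by_target = {}
    for i, a in enumerate(nodes):
        if a.target in first_by_target:
            parent[find(i)] = find(first_by_target[a.target])
        else:
            first_by_target[a.target] = i
    comps = defaultdict(list)
    for i, a in enumerate(nodes):
        comps[find(i)].append(a)
    return {nodes[root].target: sorted({a.entity for a in members})
            for root, members in comps.items() if len(members) >= min_size}


# Constructed sample anomalies (not real data).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Anomaly(T0, "alice", "Infection", 6, "evil.example"),
    Anomaly(T0 + timedelta(days=1), "alice", "Expansion", 5),
    Anomaly(T0 + timedelta(days=3), "alice", "Exfiltration", 8, "drop.example"),
    Anomaly(T0, "bob", "Infection", 4),
    Anomaly(T0 + timedelta(days=20), "bob", "Exfiltration", 7),  # outside the window
    Anomaly(T0, "web-01", "Infection", 3, "evil.example"),
    Anomaly(T0 + timedelta(hours=2), "web-02", "Infection", 3, "evil.example"),
]

if __name__ == "__main__":
    print(kill_chain_threats(SAMPLE))   # alice spans all three stages within 7 days
    print(graph_threats(SAMPLE))        # three entities tied to evil.example
```

Note how the same anomaly set yields different threats under the two groupings: bob's two anomalies are too far apart to correlate, while the three Infection anomalies pointing at one destination become a single graph-based threat even though no individual host looks serious on its own.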
Streaming models are crucial for processing events as they occur, which is particularly important for use cases where the sequence and timing of events are critical. These models analyze incoming data in real time, assessing the impact of these events over a short time window, such as the past 24 hours.
On the other hand, batch models and their corresponding anomaly rules operate on accumulated data stored in the Splunk UBA analytical store. They analyze data over a longer time window, such as the last 30 days (configurable), often running overnight due to the need to process large volumes of data.
Some use cases, like beaconing detection, function in a mixed mode. The streaming component identifies "events of interest," which may subsequently be analyzed further by batch models. For enhanced scalability, Splunk UBA consolidates ingested events and stores them in scalable "analytics" repositories, effectively reducing the volume of raw events. The granularity of aggregation and retention period are configurable. Batch models operate on these aggregated events, enabling re-computation for training and scoring over customized data windows. All Splunk UBA ML models are configurable to accommodate large-scale deployments.
Figure 4: List of Splunk UBA streaming, batch and custom models from the UI.
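The following added Python example is a simplified model of the mixed streaming/batch flow described above for beaconing; it is constructed for this article and is not Splunk UBA's implementation. A streaming stage keeps a sliding 24-hour window per source/destination pair and marks a pair as an "event of interest" once it is busy enough; a batch stage then scores the pair's full retained history for regularity of inter-arrival times. The thresholds (12 connections in 24 hours, 20 intervals before batch scoring, a jitter ratio of 0.2) and the sample connection log are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

STREAM_WINDOW = timedelta(hours=24)   # short window used by the streaming stage
STREAM_MIN_HITS = 12                  # connections per window to become "of interest"
BATCH_MIN_SAMPLES = 20                # intervals needed before batch scoring a pair
BATCH_MAX_JITTER = 0.2                # MAD/median of intervals; lower = more regular


class StreamingStage:
    """Sliding 24h window per (src, dst); records the pair as an event of
    interest once it reaches STREAM_MIN_HITS connections inside the window."""

    def __init__(self):
        self.windows = defaultdict(deque)
        self.of_interest = set()

    def ingest(self, ts, src, dst):
        w = self.windows[(src, dst)]
        w.append(ts)
        while w and ts - w[0] > STREAM_WINDOW:   # expire events older than 24h
            w.popleft()
        if len(w) >= STREAM_MIN_HITS:
            self.of_interest.add((src, dst))


def batch_beacon_score(timestamps):
    """Batch stage: regularity of inter-arrival times for one pair.
    Returns (median_interval_seconds, jitter_ratio) or None if too few samples."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < BATCH_MIN_SAMPLES:
        return None
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    return med, (mad / med if med else float("inf"))


def run_pipeline(events):
    """events: iterable of (ts, src, dst). Streaming selects candidate pairs,
    batch scores their retained history. Returns {pair: (median_gap, jitter)}."""
    stream = StreamingStage()
    history = defaultdict(list)     # stands in for the longer-retention analytics store
    for ts, src, dst in sorted(events):
        stream.ingest(ts, src, dst)
        history[(src, dst)].append(ts)
    verdicts = {}
    for pair in stream.of_interest:
        score = batch_beacon_score(history[pair])
        if score and score[1] <= BATCH_MAX_JITTER:
            verdicts[pair] = score
    return verdicts


# Constructed connection log: one regular 30-minute beacon, one busy but
# irregular browsing pattern, and one low-rate scheduled check-in.
T0 = datetime(2024, 1, 1)


def _constructed_events():
    ev = []
    jitter = [0, 45, -30, 20, -50]               # seconds of wobble around 30 min
    for i in range(96):
        ev.append((T0 + timedelta(minutes=30 * i, seconds=jitter[i % 5]),
                   "ws-17", "c2.example"))
    gaps = [40, 900, 5, 3600, 120, 7200, 10, 60, 2500, 15]   # irregular browsing
    t = T0
    for i in range(60):
        t += timedelta(seconds=gaps[i % 10])
        ev.append((t, "ws-17", "news.example"))
    for i in range(8):                            # every 6h: never 12 in a day
        ev.append((T0 + timedelta(hours=6 * i), "ws-03", "update.example"))
    return ev


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for pair, (gap, jitter) in run_pipeline(SAMPLE_EVENTS).items():
        print(pair, f"median gap {gap:.0f}s, jitter {jitter:.3f}")
```

The split mirrors the text: the streaming stage only needs the last 24 hours in memory and reacts as events arrive, while the batch stage works over whatever the store has retained and can be re-run with different windows or thresholds without replaying the raw feed. The browsing pair is busy enough to become an event of interest but fails the regularity test, so only the 30-minute pattern is reported.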
Splunk UBA goes beyond mere detection models, offering a range of models that can establish a security context and compute security analytics. These models utilize a variety of detection algorithms, including generic algorithms, time series, and various scalable clustering and anomaly detection algorithms. To improve the accuracy of detection models, Splunk UBA provides algorithms for re-scoring anomalies, refining anomaly action and score rules, ranking both internal and external users, and offering more personalized detection through threat rules, watchlists, allow/deny lists, and dashboards (see Figure 5).
Figure 5: Personalized Splunk UBA dashboards for analyzing users and entities.
In Splunk UBA, machine learning models leverage peer groups and entity profiling, as shown in Figure 6. There are four main types of peer groups: Human Resources peer groups, which include Active Directory (AD) groups and management chains; Organizational Unit (OU) groups, which are based on organizational units; Behavioral groups, which cluster behavioral patterns; and Device peer groups, defined by network activity of device groups. Entity profiling encompasses both user and device profiling, achieved through the analysis of user and device properties derived from AD activity.
Figure 6: Splunk UBA peer grouping analysis.
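As an added example (not Splunk's code, and not a description of UBA's internal algorithm), the Python below scores each user's 30-day features against an HR-style peer group built from an AD group. It uses a median/MAD baseline rather than mean/standard deviation so that a single outlier does not shift the baseline it is being compared to, and it handles the case where all peers are identical (MAD of zero). The group memberships, feature values and the 3.5 threshold are constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed 30-day profiles: (peer_group, after_hours_logons, mb_uploaded).
# Names and numbers are made up for this example.
PROFILES = {
    "alice": ("Finance",     2,   120),
    "bob":   ("Finance",     3,   140),
    "carol": ("Finance",     1,   110),
    "dave":  ("Finance",     2,   130),
    "erin":  ("Finance",    40,  9800),   # far from her Finance peers on both features
    "frank": ("Engineering", 25, 4000),
    "grace": ("Engineering", 30, 4500),
    "heidi": ("Engineering", 28, 3900),
    "ivan":  ("Engineering", 27, 4200),
}
FEATURES = ("after_hours_logons", "mb_uploaded")
THRESHOLD = 3.5   # robust z-score above which a feature counts as anomalous


def robust_z(value, peers):
    """Modified z-score built on median and MAD. 1.4826 scales MAD to the
    standard deviation of a normal distribution; when every peer is identical
    (MAD == 0) a floor of 1.0 avoids division by zero."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    scale = 1.4826 * mad if mad else 1.0
    return (value - med) / scale


def peer_group_anomalies(profiles):
    """Compare each feature of each user with the same feature across the
    user's peer group (user included). Returns {user: {feature: z}} holding
    only the features whose robust z exceeds THRESHOLD."""
    groups = defaultdict(list)
    for user, (group, *values) in profiles.items():
        groups[group].append((user, values))
    findings = {}
    for members in groups.values():
        for idx, feature in enumerate(FEATURES):
            peers = [v[idx] for _, v in members]
            for user, values in members:
                z = robust_z(values[idx], peers)
                if z > THRESHOLD:
                    findings.setdefault(user, {})[feature] = round(z, 1)
    return findings


if __name__ == "__main__":
    for user, feats in peer_group_anomalies(PROFILES).items():
        print(user, feats)
```

Engineering users upload far more than Finance users, yet none of them is flagged, because each is compared only with its own peer group; erin stands out only because her numbers are unlike those of other Finance users. The same scoring function can be pointed at a behavioral cluster or a device group instead of an AD group by changing how `PROFILES` is keyed.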
In essence, Splunk UBA offers a complete solution package. Anomaly detection models are primarily based on unsupervised learning techniques. Security analytics models provide personalized detection through features like internal and external ranking, watchlists, allowlists, and deny lists. Context-building models help establish a security context for other models, while threat computation models use anomalies and context information to bridge the semantic gap, leading to threat generation. These models leverage anomaly correlation, graph analysis, application of security rules, and more.
In the rapidly evolving cybersecurity landscape, staying ahead demands tools that can detect and adapt to emerging threats intelligently. Splunk's UBA represents a significant step forward in achieving this goal, offering advanced analytics, machine learning capabilities, and comprehensive threat detection strategies to defend against sophisticated cyber attacks.
Don't let unknown threats compromise your organization's security. Unleash the transformative power of Splunk UBA to revolutionize your approach to cybersecurity, supercharge your SOC's efficiency, and equip you with the critical insight needed to respond to threats with speed and precision. Explore the full potential of Splunk UBA and witness firsthand how our cutting-edge technology can fortify your defenses. Visit the Splunk UBA webpage, take a tour of the product, or speak with a Splunk security expert now.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.