
Bay Dynamics co-founder and CTO Ryan Stolte explains UEBA

By Karen Graham     Sep 20, 2017 in Technology
It's no secret that data breaches are becoming more commonplace. Digital Journal had a chance to chat with Bay Dynamics co-founder and CTO, Ryan Stolte about user and entity behavior analytics as it relates to cybersecurity.
Ryan Stolte is the co-founder and CTO at Bay Dynamics, a cyber risk analytics company that enables enterprises and government agencies to quantify the business impact of cyber risk from both insider and outsider attacks. Stolte has spent more than 20 years of his career solving big data problems with analytics.
Starting in the early days of the Web, his first user behavior analytics (UBA) challenges were to find innovative ways to recommend products to end users and drive sales on e-commerce sites. E-commerce companies like Amazon and video streaming services like Netflix created their own UBA algorithms to recommend products to consumers.
Stolte has a strong base of knowledge around this subject thanks to his background in cybersecurity and the analytics market. He was kind enough to spend some time describing the evolution of UEBA, from where it was born, how it grew up and how it is being used today.
Before the interview, this journalist did some research on UEBA and learned it was born as a method of detecting insider threats by looking at patterns of human behavior, and then applying algorithms and statistical analysis to detect any unusual patterns that could pose a threat. I asked Stolte if this was correct.
"This is correct regarding the definition of user and entity behavior analytics as it relates to cybersecurity, but that’s not how user behavior analytics, in general, was born. Behavior analytics was the first iteration, mainly used in the eCommerce industry. Behavior analytics was meant to give consumers a better experience by providing smart recommendations based on past behaviors."
He uses Amazon as an example of one of the first uses of user behavior analytics (UBA).
"When a consumer goes to Amazon’s web page and clicks on a book to purchase, that click generates a log entry which is full of valuable information about the person."
Using UBA, Amazon gets a better understanding of the customer's likes and dislikes and can recommend additional titles they would probably like.
"Behavior analytics takes the giant mountain of log data, analyzes behavior patterns and produces something of value to the business," says Stolte. "It gives companies like Amazon a competitive advantage because it is providing customers a more tailored, better experience."
A cybersecurity researcher appears to have discovered a "kill switch" that can prevent the spread of the WannaCry ransomware -- for now -- that has caused the cyberattacks wreaking havoc globally
User Behavior Analytics grows up
Stolte points out that ten years later, cybersecurity professionals are running into the same problem with the massive volumes of data. He says the piles of data were being "collected mainly for compliance purposes, and they didn’t know what to do with all of it in order to provide value to the business. So, vendors turned to the methods used outside of security."
"They applied the same smarts of taking large amounts of data about what people are doing, analyzing behavior patterns, and identifying users who were behaving unusually compared to their own typical behaviors, those of their peers and their overall team at large. The security industry coined the term UEBA when it entered into the cyber security picture."
But does this amount of data require a certain amount of artificial intelligence and machine learning?
"Yes. It requires both," says Stolte. "Other security tools such as SIEM and loggers have focused on capturing a giant mountain of event data. The amount of data generated is so large that it is not humanly possible to go through each one and determine which event needs to be mitigated first. UEBA turns those individual events into behaviors and applies machine learning to find patterns of behaviors that cannot be preprogrammed into the data."
He adds, "UEBA applies artificial intelligence to identify and understand the typical behaviors of users and systems so that we can identify when something happens that doesn’t look right. The bottom line is that the volume of data is so enormous that no human can do it by hand. Machine learning and AI programs think like a human. The algorithms are designed to review and analyze the data like a human would, and come to the same conclusion as a human would if a human were to look at the same information."
According to Abby Ross, Bay Dynamics' Director of Marketing and Public Relations, the Target breach was "the first time organizations really woke up to this problem. The digital paper trail was there, Target had all of the data prior to prevent the breach but they missed the red flags because they were buried in endless data."
So what is special about UEBA in how it handles this problem?
Stolte again notes that cybersecurity specialists are quite good at gathering data through SIEM and logger tools and applying simple rules to alert investigators if something specific happened. But using these methods generates too many events.
"UEBA shifts the approach from looking at individual events to looking at behaviors. UEBA creates behavior profiles for users which includes analyzing behaviors and passing judgment on them. The behaviors tell a story, turning the large amount of event data into a small subset of specific things investigators should be concerned about most."
Stolte also gives an excellent analogy: "Without UEBA, investigators are looking at individual pixels on a screen. You cannot see the full picture by looking at one pixel. You don’t even know what you are looking at. UEBA paints a full picture of what’s going on, making it easy to find the things that matter most."
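As an added illustration (not code from Bay Dynamics or Risk Fabric, whose algorithms the article does not describe), the sketch below collapses constructed log events into one daily behavior per user and scores it against the user's own history and against peers, the comparison Stolte outlines. The z-score method, the threshold of 3, the rule that both scores must exceed it, and all names and data are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed events, not real logs: (day, user, peer_group, files_accessed)
EVENTS = [(day, user, "finance", base + day % 3)
          for day in range(1, 8)
          for user, base in (("alice", 10), ("bob", 11), ("carol", 9))
          for _ in range(2)]                      # two events per user per day
OUTLIER = (7, "carol", "finance", 400)            # constructed burst on day 7

def daily_behavior(events):
    """Collapse individual events into one value per (user, day)."""
    totals, groups = defaultdict(int), {}
    for day, user, group, count in events:
        totals[(user, day)] += count
        groups[user] = group
    return totals, groups

def zscore(value, baseline):
    """Standard deviations between value and the baseline mean."""
    if len(baseline) < 2:
        return 0.0                                # too little history to judge
    mu, sd = mean(baseline), pstdev(baseline)
    if sd == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd

def score_day(events, day, threshold=3.0):
    """Return (user, total, z_self, z_peer) where both scores reach threshold."""
    totals, groups = daily_behavior(events)
    findings = []
    for user, group in groups.items():
        today = totals.get((user, day), 0)
        own = [v for (u, d), v in totals.items() if u == user and d < day]
        peers = [v for (u, d), v in totals.items()
                 if u != user and groups[u] == group and d <= day]
        z_self, z_peer = zscore(today, own), zscore(today, peers)
        if z_self >= threshold and z_peer >= threshold:
            findings.append((user, today, round(z_self, 1), round(z_peer, 1)))
    return findings

if __name__ == "__main__":
    print(score_day(EVENTS + [OUTLIER], day=7))
```

The 43 events reduce to a single finding, which is the shift from individual events to a short list of behaviors that the interview describes.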
US state officials say hackers have stolen data from as many as 200,000 voter records, although they told the Chicago Tribune no such record had been deleted or altered
Loic Venance, AFP/File
So then how is Bay Dynamics using UEBA?
"Using UEBA technology and dynamic telemetry from security and IT infrastructure," says Stolte, "our flagship cyber analytics platform, Risk Fabric calculates the risk associated with specific threats and vulnerabilities and prescribes prioritized actions across the organization to reduce the risks that matter most."
He also points out that UEBA is a key component of their flagship program, adding, "Risk Fabric uses UEBA to identify unusual behaviors, combines that information with essential contextual information such as the value of the asset at risk, associated vulnerabilities and impact to the business if the threat were to succeed, and delivers a prioritized list of the top riskiest users investigators should investigate each day."
Bay Dynamics' platform also takes things a step further in qualifying threat alerts before they are sent to investigators in the first place.
"Once Risk Fabric detects an unusual behavior, it sends the alert to the application owner who governs the asset at risk and asks that person to confirm if the behavior is business as usual or indeed unusual. If the application owner confirms the behavior is unusual, the alert is bumped up to investigators as a high priority alert. Risk Fabric dramatically reduces noise and false positives, enabling organizations to use fewer resources and time to chase down insider threats," says Stolte.