The Feeding Frenzy in New Attack Detection Solutions
How to Choose Amongst a Dizzying Array of New Machine Learning Solutions
The cracks in traditional threat prevention infrastructure are clearly exposed. Motivated attackers can always find a way into any given network. As a result of this growing challenge, the market has produced a range of new solutions designed to detect active attacks and close this widening breach detection gap.
As covered in Gartner’s most recent threat detection guide, the Market Guide for User and Entity Behavior Analytics (UEBA), there are literally dozens of vendors that all endeavor to help security teams achieve greater security assurance by detecting the external attackers and rogue insiders that slip through the proverbial security gates. The overwhelming majority of these emerging vendors approach the attack detection problem from one of three technical perspectives: from the network, from system and infrastructure logs, or from the endpoint. How should a prospective customer weigh these different vendor approaches?
Consider 4 Different Questions When Evaluating Attack Detection Solutions
- Can the Solution Detect a Broad Range of Post-Intrusion Activity?
Does the vendor’s solution have the ability to see the full range of network attack behaviors from both external and internal attackers, including internal reconnaissance, command and control, lateral movement and data exfiltration?
- How Early in the Attack Lifecycle Can Anomalies Be Detected?
Does the vendor’s solution have the capacity to see the earliest network attack behaviors, specifically command and control and reconnaissance, so that an active attacker is detected early in the attack lifecycle, before damage is done?
- Does the Vendor Have Broad Data Inputs to Maximize Machine Learning Accuracy?
Does the vendor’s solution employ a broad range of machine learning techniques incorporating network, user and endpoint data inputs to maximize the true positive detection rate, while eliminating potential false positives and wasted triage and research time?
- How Cost Effective Is the Solution?
How easy is a vendor’s solution to deploy? How long does it take? How much policy configuration, rule creation and tuning is required? How much external storage is required? How much ongoing maintenance is required?
In this new UEBA guide, Gartner advocates approaches that address these key questions, saying: “Once the entities and variables are selected, which is done in the vendors’ models, the more information extracted the better in order to help pinpoint ‘bad behaviors’ and increase detection rates. The analysis of other entities (such as endpoints and networks), and correlating that analysis with user behavior informs the analytics engine so that malicious activities can be more easily detected.”*
But don’t trust Gartner, me or any other vendor. Select 2 or 3 vendors and run a head-to-head technical bakeoff in your production environment. Force the vendors to prove their detection chops. Run a “red team” attack simulation to see which vendor best catches attack behavior. May the best vendor win!
Visit us to learn more about our UEBA and our Behavioral Attack Detection solutions.
* Gartner Market Guide for User and Entity Behavior Analytics, Toby Bussa, Avivah Litan, Tricia Phillips; December 8, 2016
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.