Enterprises and their ever-expanding IT systems are more laborious to manage with each passing day. With numerous applications, multi-cloud deployments, Edge computing, and various partner integrations, enterprises are dealing with an expanded attack surface that makes traditional monitoring obsolete.
Observability platforms have made progress in this domain by identifying unexpected risks. These platforms also offer faster, more accurate troubleshooting and debugging systems by providing deep visibility into performance, health, security, and behavior.
For observability platforms to be effective, they must have high-quality input data, but where does that come from?
SASE solutions offer rich data in the form of logs, metrics, and traces, which observability platforms can leverage to address several scenarios. By doing so, observability solutions enhance their capabilities, resulting in improved monitoring, proactive risk detection, and robust system analysis.
There are multiple visibility and monitoring solutions readily available today, such as SIEM, NPM, NDR, APM, and XDR. However, they each have limitations, primarily around behavior-based anomaly detection and limited event correlation, which hinder their ability to provide in-depth visibility and root cause analysis.
To close the gap, adding User and Entity Behavioral Analytics (UEBA) functionality is crucial for these tools. Furthermore, successful observability requires improved correlation capabilities. To do this, relevant data must come from network devices, security devices, identity systems, and application infrastructures. Obtaining this information consistently across devices and systems from different vendors poses a major challenge due to variations in log content, metrics, log schemas, formats, and inconsistent and missing information.
Unified SASE, which unifies multiple network and security functions from a single vendor under a cohesive architecture, can alleviate the burden of these tools related to correlation and behavioral analytics.
UEBA refers to monitoring and analyzing the behavior of users and entities (such as devices, applications, and networks) within an organization’s network to detect anomalous or suspicious activities. UEBA solutions typically use artificial intelligence and machine learning (AI/ML) techniques to establish a baseline of normal behavior for each user and entity. Once a baseline is established, the system continuously compares real-time behavior against a dynamic baseline to detect deviations that may indicate potential security threats.
UEBA aims to identify unusual patterns or behaviors that might go unnoticed by traditional security measures, helping organizations detect insider threats, compromised accounts, unauthorized access, and other suspicious activities. By analyzing behavior, UEBA provides additional context and insights into potential security incidents, allowing security teams to respond promptly and effectively.
Behavior anomaly detection applies to cybersecurity and performance aspects of entities, such as applications and networks. Some industry analysts conclude that a Zero Trust Architecture is only complete if UEBA is included.
Accurate behavioral threat anomaly detection relies on real-time information from threat intelligence providers. While SASE systems perform initial threat detection at the time of traffic, the threat intelligence gathered at that moment may quickly become outdated. Threat intelligence providers continually evaluate the reputation score of IP addresses, domain names, URLs, files, and SaaS services, updating their feeds with the latest information. However, this can result in a time gap between the emergence of actual threats and the update of threat intelligence feeds.
Consequently, any connections or transactions that occur before these feed updates can lead to the data plane missing the correct classification of traffic. To address this, UEBA-based observability platforms proactively examine previous accesses continuously and enhance the data with new threat intelligence. These platforms then inform the IT-threat-hunting teams about the changes in intelligence, empowering threat hunters to delve deeper into potential threats.
The accuracy and breadth of any analytics rely on the quality of logs received by the observability platform. This is where Unified SASE solutions shine.
Traditional observability platforms depend on logs and metrics from various vendor systems, such as firewall appliances, UTM appliances, applications, IDS/IPS systems, and more. However, managing logs from multiple vendors poses challenges, such as insufficient information, different formats and schemas, duplicate information, and excessive computer power required for log correlation.
SASE solutions address these challenges with their integrated approach. However, SASE solutions can be built differently. Single-vendor SASE services, though delivered as a combined offering from one vendor, may be composed of discrete security and networking components from multiple vendors. Thus, logs and metrics from such single-vendor SASE solutions may face similar challenges.
In contrast, Unified SASE solutions are typically delivered as a unified and comprehensive data plane that adheres to the principles of a single pass architecture and run-to-complete architecture. Unified SASE has a holistic view of each session or transaction and the related security functions applied. Therefore, Unified SASE solutions generate only one log for each file, transaction, or session, containing all the necessary information, like start time and end time of the session, 5-tuple information (source IP, destination IP, protocol, source port, destination port) of the underlying transport connection, domain name, URL, request headers, all the policy references of security functions applied, name of the files that are scanned, and the authenticated user information.
Access logs are critical for enabling accurate analytics in observability platforms. However, other logs are of equal importance for observability platforms, and Unified SASE solutions offer them out-of-the-box. These logs – such as user sign-in and sign-in failures – are instrumental in enhancing the platform’s capabilities for comprehensive insights.
Including user authentication-related logs and access logs can provide valuable inputs to observability platforms for effectively identifying behavioral anomalies.
Furthermore, Unified SASE solutions offer logs whenever threats are detected, such as malware, exploits, or suspicious activities. These logs include 5-tuple information, date/time, and known user claims information at the time of the threat detection. This helps correlate the threat with the session or transaction in which it was observed, aiding in incident response and mitigation.
Unified SASE solutions also provide various metrics, including counters, gauges, and histograms. These metrics are invaluable in identifying statistical anomalies and troubleshooting by offering visibility into multiple components of the SASE architecture.
Different types of logs combined with various types of metrics from Unified SASE help observability platforms with descriptive and diagnostic analytics and behavioral/predictive analytics.
Unified SASE stands out by enabling various analytics tools with its rich set of exported data. Unified SASE solutions also encompass a comprehensive observability platform that includes various analytics, notably behavioral analytics. In the initial stages, integrated observability platforms were primarily limited to SASE solutions, with end-to-end observability often relying on observability services and end-to-end threat XDR platforms.
In essence, Unified SASE incorporates its own integrated observability platform while simultaneously providing high-quality logs and metrics to diverse external observability tools.
Traditional monitoring and visibility tools fall short in complex enterprise environments characterized by distributed workforces, multi-cloud/edge application deployments, extensive usage of multiple SaaS services, an ever-expanding threat landscape, and microservices-based application architectures. Reliance on logs and metrics from various networking, security, and application sources hinders these tools’ ability to deliver actionable insights, efficient correlation, and root cause analysis capabilities.
Many traditional analytics vendors have started augmenting their offerings with observability features like UEBA and associated anomaly detection capabilities. However, the effectiveness of these analytics tools depends on the quality of logs and metrics. Unified SASE can overcome challenges related to generating comprehensive, high-quality logs for all types of analytics, including behavioral analytics.
With a unified approach and comprehensive data export, Unified SASE can amplify an organization’s observability capabilities, facilitating proactive threat detection, precise analysis, and better decision-making. Integrating multiple analytics tools and observability features within Unified SASE provides a potent solution for addressing the complexities of modern enterprise environments and fortifying cybersecurity defenses.
Srini Addepalli is the Chief Technology Officer at Aryaka.
Related articles:
NetOps teams, like Spider Man, have great powers and great responsibilities. Increasingly, they are adopting a Zero Trust approach to network operations to help fight their battles.
Senior stakeholders who want to hold on to their CISOs must ensure that they have sufficient incentives and, more importantly, support to cope with the burden of risk that they are carrying.
The most alarming takeaway from Cisco’s new Cybersecurity Readiness Index report is that even after decades of having the importance of cybersecurity driven home, cyber threats are still taken too lightly.
