SC Magazine’s annual cybersecurity awards were announced this year at the 2018 RSA Security Conference. SC Magazine has been an authority on cybersecurity developments for over 25 years, and these coveted awards are judged by a panel of 50 security industry luminaries, including CISOs from a wide range of organisations and vertical segments.

What we want to focus on is Aruba’s award for best threat detection technology – for their IntroSpect User and Entity Behaviour Analytics (UEBA) solution.

'Like a digital Sherlock Holmes'

In making the award, SC Magazine’s panel of industry judges described IntroSpect in this way:

“Like a digital Sherlock Holmes, Aruba's eagle-eyed User and Entity Behaviour Analytics (UEBA) solution, IntroSpect, notices tiny anomalies and deviations in network activity that more conventional technologies might miss. IntroSpect uses machine learning-based analytics to automate the detection of attacks, exploits and breaches… The solution leverages over 100 AI-based models to continuously assess risks associated with each user/guest, system and device, as well as identify and remediate threats including phishing, ransomware, lateral movement, data exfiltration, command-and-control communication, account takeovers, privilege escalation and more.” – SC Magazine

Why is UEBA a security game-changer?

The reason that Aruba IntroSpect UEBA was a clear winner for best threat detection technology of 2018 is that it brings powerful artificial intelligence to an organisation’s network defence arsenal. IntroSpect UEBA uses AI-based machine learning to spot changes in user behaviour that may be indicators of insider attacks which, until now, have evaded perimeter defences. Rather than the old focus on securing the perimeter, IntroSpect UEBA analyses activity and behaviour to identify malicious, compromised or negligent users, systems and devices – cutting off the threat before it does damage.

IntroSpect UEBA builds baselines of normal behaviour for a user, a system or any device with an IP address—known as an “entity”. The baselines are built by machine learning models that operate on key data from logs, NetFlow and packet streams—anything that characterises an entity’s IT behaviour. These baselines are then used to detect abnormal changes in behaviour that, aggregated over time and put into context, indicate a potential attack. Setting automated rules can enable alerts for IT administrators to investigate, and rules for potentially critical threats can instantly revoke network access for the threatening user or entity.

This advanced AI-based machine learning enables pinpoint visualisations and instant forensic insight. Attacks involving malicious, compromised or negligent users, systems and devices can be found and remediated before they damage the operations and reputation of the organisation.

How UEBA augments Aruba's 360 degree security plan

Aruba’s introduction of IntroSpect UEBA raises the obvious question – where does it fit within the broader security framework? The answer is compelling: it is a powerful augmentation of existing security frameworks. This really is a case of breakthrough innovation that adds decisive value.

For example, when IntroSpect UEBA is coupled with ClearPass – Aruba’s leading Network Access Control solution - the combined technologies deliver three key security innovations for true 360° protection: advanced attack detection, accelerated investigation, and automated policy-based enforcement.

How UEBA ties in with other security technologies

The beauty of UEBA is that it integrates across an organisation’s cybersecurity defences.

DATA SOURCES

IntroSpect UEBA processes the broadest range of data sources, including:

  • VPN, FW, IPS/IDS, web proxy and email logs
  • NetFlow, Bro logs
  • Endpoint protection logs
  • DLP logs
  • Packets
  • DNS logs
  • Active Directory logs
  • DHCP logs
  • External threat feeds
  • Alerts from 3rd party security infrastructure

KEY INTEGRATIONS

IntroSpect UEBA brings artificial intelligence integration to:

  • Aruba ClearPass
  • HPE ArcSight
  • IBM QRadar
  • Splunk
  • Intel McAfee Nitro
  • Gigamon
  • Carbon Black
  • Microsoft
  • Palo Alto Networks
  • FireEye
  • Cisco
  • Symantec

Practical examples that make it real

The theory is good, the reality is compelling, but what does it actually look like in practice? If you haven’t already grasped the game-changing nature of UEBA, let’s close with a small selection of the insider-threat scenarios that UEBA machine learning can detect and prevent.

Sarita | Finance – never starts work before 9am but has logged into the accounts payable approval system at 5am. 

John | Sales – just logged into the network from Sydney and Adelaide – at the same time!

Sally | Engineer – logged into the source code repository at 10pm last night and downloaded 500 megabytes of data.

Amit | Marketing – is currently exporting 20,000 interstate customer records from a system he has never accessed before.

Johann | IT – has been accessing the supplier database after normal work hours every evening for the last two weeks.

In each of these scenarios, would you want to know? If you would like to explore how to implement IntroSpect UEBA in your organisation, Matrix CNI is here to help.
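To make the baselining idea from the "Why is UEBA a security game-changer?" section and the scenarios above concrete, here is an added toy example (written for this post, not Aruba's or IntroSpect's code). It builds a per-entity baseline from constructed sample access events and then scores new events for the same kinds of deviation the scenarios describe: off-hours logins, a system the user has never touched, impossible travel between locations, and an unusually large transfer. The thresholds (2 hours, 60 minutes, ten times the historical maximum) and all field names are hypothetical choices for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample history (not real data): (user, ISO timestamp, system, location, bytes moved)
HISTORY = [
    ("sarita", "2018-04-02T09:15", "accounts-payable", "Melbourne", 2_000_000),
    ("sarita", "2018-04-03T10:40", "accounts-payable", "Melbourne", 1_500_000),
    ("john", "2018-04-02T08:30", "crm", "Sydney", 300_000),
    ("sally", "2018-04-02T11:00", "source-repo", "Sydney", 5_000_000),
    ("sally", "2018-04-03T14:30", "source-repo", "Sydney", 7_000_000),
]

def build_baselines(events):
    """Per-entity baseline: hours of activity, systems used, largest transfer seen."""
    base = defaultdict(lambda: {"hours": set(), "systems": set(), "max_bytes": 0})
    for user, ts, system, _loc, nbytes in events:
        b = base[user]
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["systems"].add(system)
        b["max_bytes"] = max(b["max_bytes"], nbytes)
    return base

def score_event(baselines, event, last_seen):
    """Compare one new event with its entity's baseline; return anomaly labels."""
    user, ts, system, loc, nbytes = event
    t = datetime.fromisoformat(ts)
    b = baselines.get(user)
    if b is None:
        return ["unknown-entity"]
    findings = []
    # Off-hours (hypothetical threshold): more than 2 hours from every hour seen before
    if all(abs(t.hour - h) > 2 for h in b["hours"]):
        findings.append("off-hours-login")
    if system not in b["systems"]:
        findings.append("new-system")
    # Impossible travel (hypothetical): a different location within 60 minutes of the previous event
    prev = last_seen.get(user)
    if prev and prev[1] != loc and abs((t - prev[0]).total_seconds()) < 3600:
        findings.append("impossible-travel")
    # Volume (hypothetical): more than ten times anything this user has moved before
    if nbytes > 10 * b["max_bytes"]:
        findings.append("data-volume")
    last_seen[user] = (t, loc)
    return findings

def run(history, new_events):
    """Build baselines from history, then score each new event in arrival order."""
    baselines, last_seen = build_baselines(history), {}
    return [(e[0], e[1], score_event(baselines, e, last_seen)) for e in new_events]
```

A real UEBA product aggregates such findings into a risk score over time and feeds it to enforcement (for example, a NAC policy); this block stops at the per-event labels so the baseline comparison stays visible.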