Unified SASE empowers Observability with Precision

Quoting Wikipedia, “observability” originates from control theory, where it measures how well a system’s state can be determined from its outputs. Similarly, in software, observability refers to how well we can understand a system’s state from the telemetry it produces, including metrics, logs, traces, and profiling.

Current visibility & monitoring lacks behavioral intelligence

Traditional monitoring is commonly employed to visually monitor and identify issues related to applications, networks, and endpoints concerning performance, health, user experience, security, and resilience. Alerts are combined with monitoring to promptly notify teams of critical events through emails, SMS, and dashboards. This conventional monitoring, used by APMs, NPMs, and SIEMs, operates on “known unknowns,” where the risks are known in advance, but the specific occurrence time remains unknown. Such monitoring suffices for simple systems with a limited number of entities, where troubleshooting is straightforward and evident.

However, enterprise systems have grown more complex with the advent of multiple architectures, such as distributed applications, multi-cloud deployments, Edge computing, and collaboration applications with numerous partners. In addition, the expanded attack surface associated with these architectures has made traditional monitoring and simple correlation inadequate. Addressing “known unknowns” alone is insufficient.

Observability platforms take a leap forward by identifying unexpected risks that were not previously considered. These platforms are designed to handle “unknown unknowns” and offer faster and more accurate troubleshooting and debugging systems by providing deep visibility into their performance, health, security, and behavior.

This post focuses on observability optimally achieved through inputs gathered from SASE (Secure Access Service Edge) networking and security components. Specifically, we explore observability use cases related to behavioral anomalies to identify anomalous behavior of users, networks, application entities, and internet access.

Observability platforms heavily rely on the quality of input data they receive. In this context, we delve into how SASE solutions offer rich data in the form of logs, metrics, and traces and how observability systems can leverage this data to address various use cases. By harnessing insights from SASE solutions, observability solutions can enhance their capabilities, resulting in improved monitoring, proactive risk detection, and robust system analysis. Combining SASE and observability provides a powerful framework to monitor and secure modern enterprise systems effectively.

SIEM, NPM, NDR, APM, XDR – Anomaly Detection is Limited

In today’s landscape, numerous visibility and monitoring tools are available, each proficient in their respective functionalities. However, they have certain limitations, primarily around behavior-based anomaly detection and limited event correlation, which hinder their ability to provide in-depth visibility and root cause analysis. Our perspective is that these tools should eventually encompass behavioral analytics/predictive analytics, and deeper visibility, fulfilling the requirements of performance, security, and resilience systems.

To achieve completeness, adding User and Entity Behavioral Analytics (UEBA) functionality becomes crucial for these tools. Furthermore, we strongly believe that successful observability necessitates improved correlation capabilities. To achieve better correlation, relevant data is required from network devices, security devices, Identity systems, and application infrastructures. Nevertheless, obtaining this information consistently across devices and systems from different vendors poses a challenge due to variations in log content, metrics, and log schemas and formats. The biggest challenge is the inconsistent and missing information required for comprehensive analytics.

Unified SASE, which unifies multiple network and security functions from a single vendor under a cohesive architecture, can alleviate the burden of these tools concerning correlation and behavioral analytics—more on this in later sections.

Let us delve deeper into UEBA and explore the type of logs and metrics expected from the data plane of unified SASE.

User and Entity Behavioral Analytics

The cybersecurity industry coined the term “User and Entity Behavior Analytics” (UEBA). It refers to monitoring and analyzing the behavior of users (such as employees, contractors, and partners) and entities (such as devices, applications, and networks) within an organization’s network to detect anomalous or suspicious activities.

UEBA solutions typically use advanced analytics and machine learning (AI/ML) techniques to establish a baseline of normal behavior for each user and entity. Once the baseline is established, the system continuously compares real-time behavior against this baseline to detect deviations or anomalies that may indicate potential security threats or abnormal activities. It is also important to note that the baseline keeps changing with time, hence the need for updating the baseline and corresponding continuous model training.

UEBA aims to identify unusual patterns or behaviors that might go unnoticed by traditional security measures, helping organizations detect insider threats, compromised accounts, unauthorized access, and other suspicious activities. By analyzing behavior, UEBA provides additional context and insights into potential security incidents, allowing security teams to respond promptly and effectively.

Even though UEBA is defined in the context of cyber security, behavior anomaly detection is not limited to cyber security but applies to performance aspects of entities such as applications and networks.

Some in the industry say, and I concur, that Zero Trust Architecture (ZTA) realization, either with service mesh or SASE technologies, is only complete if they include UEBA in their offering.

Since UEBA talks about anomalies, let us first understand the term ‘anomaly detection,’ different types of anomalies, and techniques used to detect anomalies.

Anomaly Detection for Cyber Security

The blog post “What Is Anomaly Detection?” provides an excellent overview of anomaly detection. In simple terms, anomaly detection involves identifying unusual points or patterns within a dataset. Anything deviating from an established baseline by more than a predefined tolerance is considered an anomaly. While anomalies can be benign or concerning, detecting malicious anomalies is paramount in the cybersecurity industry.

Unsupervised anomaly detection is particularly crucial for cybersecurity as it helps identify previously unseen events without relying on prior knowledge. In other words, this unsupervised approach is essential for detecting “unknown unknowns” in the context of security threats.

Anomaly detection can be approached using various techniques, sometimes leveraging statistical tools and other times requiring machine learning algorithms. Two popular types of machine learning algorithms used for anomaly detection are:

  • Clustering: Clustering is a technique that groups data points based on their similarity or distance. Anomalies can be identified in clustering by detecting data points that do not belong to any cluster or are significantly distant from their nearest cluster center. Examples of clustering algorithms include K-means.
  • Density estimation: Density estimation is a technique that estimates the probability distribution of the data. Anomalies can be detected using density estimation by finding data points with low probability density or residing in low-density regions. Common density estimation algorithms include Isolation Forest, Kernel Density Estimation, and more.

We will not cover descriptive analytics here as many monitoring systems already support them. The main focus here is behavior analytics, a branch of predictive analytics. As mentioned, anomaly detection is relevant for cybersecurity, and thus, we will cover anomaly detections here.

A few examples of anomaly detections can help in understanding the type of information expected from SASE solutions, particularly User and Entity Behavior Analytics (UEBA) and observability in general. In the following sections, we will provide anomaly detections that are required for the cybersecurity and networking industry.

As mentioned before, it is also important to have a generic anomaly detection system with multiple features to identify any detection types that are not known beforehand. An important consideration for identifying unknown detection types is that the input logs and metrics data shall be comprehensive.

Here are a few examples of anomaly detections:

User Behavior Anomalies:

  • Users accessing Internet, SaaS, and Enterprise applications from locations different than their normal patterns.
  • Users accessing services at unusual times compared to their regular usage patterns.
  • Users accessing applications from multiple locations in a short amount of time, which seems implausible.
  • Users accessing services through anonymous proxies, raising security concerns.
  • Users accessing services from suspicious IP addresses that might be associated with malicious activity.
  • Users accessing suspicious domains or URLs, indicating potential security threats.
  • Users displaying unusual download/upload behavior with files, warranting attention.
  • Users exhibiting atypical access to applications, Internet sites, or SaaS applications.
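The "multiple locations in a short amount of time" check from the list above can be expressed as an implied-speed test between consecutive sign-ins. The following is an added example, not code from the original post or from any SASE product; the event layout, the 900 km/h speed limit and the 100 km minimum distance are assumptions, and the sign-in data is constructed.

```python
import math
from datetime import datetime

# Constructed sign-in events: (user, ISO time, latitude, longitude).
# The tuple layout is an assumption, not a vendor log schema.
SIGNINS = [
    ("alice@example.com", "2024-03-01T08:00:00", 37.7749, -122.4194),  # San Francisco
    ("alice@example.com", "2024-03-01T09:30:00", 37.3382, -121.8863),  # San Jose
    ("alice@example.com", "2024-03-01T10:15:00", 51.5074, -0.1278),    # London
    ("bob@example.com", "2024-03-01T08:00:00", 40.7128, -74.0060),     # New York
    ("bob@example.com", "2024-03-01T20:00:00", 51.5074, -0.1278),      # London
]

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0    # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0  # assumption: ignore hops within IP-geolocation error


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implausible_travel(events, max_speed_kmh=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive sign-ins by one user whose implied speed is too high."""
    findings = []
    last_seen = {}
    # ISO-8601 strings in one timezone sort chronologically as text.
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        last_seen[user] = (when, lat, lon)
        if prev is None:
            continue  # first sign-in seen for this user
        prev_when, prev_lat, prev_lon = prev
        km = haversine_km(prev_lat, prev_lon, lat, lon)
        if km < min_km:
            continue  # same metro area: not evidence of travel
        hours = (when - prev_when).total_seconds() / 3600.0
        # Simultaneous sign-ins from distant places imply infinite speed.
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > max_speed_kmh:
            findings.append({"user": user, "from": prev_when, "to": when,
                             "km": km, "kmh": kmh})
    return findings


if __name__ == "__main__":
    for f in implausible_travel(SIGNINS):
        print(f"{f['user']}: {f['km']:.0f} km in "
              f"{(f['to'] - f['from']).total_seconds() / 60:.0f} min")
```

Sign-ins through a corporate VPN or a SASE point of presence geolocate to the egress point rather than the user, so such egress addresses need to be excluded or mapped before this check is useful.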

Unusual User Activity:

  • Unusual number of sign-ins by a user, which could indicate compromised credentials or unauthorized access attempts.
  • Unusual number of sign-in failures, suggesting potential brute-force attacks or authentication issues.
  • Unusual access to various application URIs that may require further investigation.
  • Unusual number of remote access VPN tunnels from a given user or globally across users.

Application Access Anomalies:

  • Application access by unfamiliar users, necessitating verification of their legitimacy.
  • Unusual access to different sections or spaces within the applications by users.
  • Unusual downloads/uploads of data by users, potentially indicating data exfiltration or unauthorized data transfers.
  • Unusual access from locations not previously seen, which could raise security concerns.
  • Unusual access of applications at unexpected times by users or specific users, warranting investigation.
  • Unusual access from ISPs not seen before, which may be indicative of suspicious activities.
  • Detection of unusual HTTP request headers while accessing application resources.
  • Detection of abnormal URI lengths when accessing application resources.
  • Unusual usage of different user agents that might be linked to malicious intent.
  • Unusual latency of HTTP-level transactions.

Network Anomalies: Note that the Internet is considered one of the networks.

  • Anomalies in the amount of incoming traffic, outgoing traffic, or their combined values for a given network.
  • Anomalies in the amount of traffic for different sets of protocols.
  • Anomalies in the number of connections to resources in the network.
  • Anomalies in the number of transactions to resources in the network.
  • Anomalies in the number of transactions on a per-connection basis.
  • Anomalies in latency while accessing resources in the network.
  • Anomalies in the traffic among the networks.

Threat Anomalies:

  • Anomalies in the number of sessions to suspicious IP addresses, indicating potential attempts to communicate with malicious entities.
  • Anomalies in the number of sessions to suspicious domain names, which may signify contact with untrustworthy or compromised domains.
  • Anomalies in the number of sessions to suspicious URLs, pointing to potential threats in web traffic.
  • Anomalies in the number of downloads/uploads of malware-infected files, highlighting potential cyberattacks.
  • Anomalies in the number of sessions to unauthorized or malicious SaaS and Cloud services.
  • Anomalies in the number of sessions that were denied, potentially indicating security measures at work.
  • Anomalies in the number of transactions that were denied, suggesting possible security threats or fraudulent activities.

Observability platforms with UEBA tend to provide the above detections. A generic clustering model can be employed for unknown risks to detect any new abnormalities that should be monitored. This generic model should incorporate multiple features.

Since most of the anomalies listed above require baseline data to identify abnormalities accurately, it is crucial for observability platforms to enable learning mode. Sometimes, the learning can be dynamic, allowing configuration to check for current-day anomalies based on the last X number of days of data.
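As an added illustration of the learning mode and "last X days" baseline described above (not code from the original post or any vendor), the sketch below scores today's sign-in failure count per user against a rolling window using the median and median absolute deviation. The window length, minimum history, threshold and the constructed daily counts are all assumptions.

```python
from statistics import median

# Constructed daily sign-in failure counts per user, oldest first;
# the last element of each list is "today".
DAILY_FAILURES = {
    "alice@example.com": [1, 0, 2, 1, 0, 1, 1, 2, 0, 1, 1, 0, 2, 1, 37],
    "bob@example.com": [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],
    "carol@example.com": [3, 2, 4],  # new user: too little history
    "dave@example.com": [5, 6, 4, 5, 7, 5, 6, 4, 5, 6, 5, 7, 6, 5, 6],
}


def score_today(series, window_days=14, min_history=7, threshold=3.5):
    """Compare the last value of `series` with a rolling baseline.

    Returns a dict with status 'learning', 'normal' or 'anomaly'.
    Only upward deviations (spikes) are reported.
    """
    today = series[-1]
    history = series[:-1][-window_days:]  # last X days before today
    if len(history) < min_history:
        # Learning mode: not enough data to call anything abnormal yet.
        return {"status": "learning", "baseline": None, "score": None}
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # 1.4826 * MAD approximates the standard deviation for normal data.
    # The floor of 1.0 keeps a completely flat baseline (MAD == 0) from
    # turning a single extra event into an enormous score.
    scale = max(1.4826 * mad, 1.0)
    score = (today - med) / scale
    status = "anomaly" if score > threshold else "normal"
    return {"status": status, "baseline": med, "score": score}


def score_all(daily_counts, **kwargs):
    """Score every user; the baseline moves forward as new days are appended."""
    return {user: score_today(series, **kwargs)
            for user, series in daily_counts.items()}


if __name__ == "__main__":
    for user, result in score_all(DAILY_FAILURES).items():
        print(user, result)
```

Because the window slides with each new day, the baseline follows gradual changes in behavior, which is the continuous retraining the UEBA section calls for in its simplest statistical form.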

Given that multiple models may be necessary, observability platforms need to be scalable and capable of handling the load to train and accommodate multiple models.

Threat Intelligence with Accuracy

Accurate behavioral threat anomaly detection relies on up-to-date information from threat intelligence providers. While SASE systems perform initial threat detection at the time of traffic, the threat intelligence gathered at that moment may become outdated. Threat intelligence providers continually evaluate the reputation score of IP addresses, domain names, URLs, files, SaaS services and update their feeds with the latest information. However, this can result in a time gap between the emergence of actual threats and the update of threat intelligence feeds.

Consequently, any connections or transactions that occur before these feed updates can lead to the data plane missing the correct classification of traffic. To address this challenge, UEBA-based observability platforms proactively examine previous accesses continuously and enhance the data with new threat intelligence. These platforms then inform the IT-threat-hunting teams about the changes in intelligence, empowering threat hunters to delve deeper into potential threats.
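The retroactive check described above can be sketched as a re-scan of stored access logs against the latest feed. This is an added example, not the original post's or any vendor's implementation; the log field names, the 0-100 score scale with a malicious cutoff of 20, and all log and feed entries are constructed assumptions.

```python
from datetime import datetime, timedelta

BAD_BELOW = 20  # assumption: scores run 0-100, below 20 is malicious

# Constructed access logs carrying the reputation scores recorded at the
# time of traffic. Field names are illustrative, not a vendor schema.
ACCESS_LOGS = [
    {"session_id": "s-1001", "end_time": "2024-03-01T09:12:00",
     "user": "alice@example.com", "action": "allow",
     "domain": "updates.example.net", "domain_score": 85,
     "dst_ip": "203.0.113.10", "ip_score": 80},
    {"session_id": "s-1002", "end_time": "2024-03-02T14:40:00",
     "user": "bob@example.com", "action": "allow",
     "domain": "files.example.org", "domain_score": 90,
     "dst_ip": "198.51.100.7", "ip_score": 70},
    {"session_id": "s-1003", "end_time": "2024-03-03T11:05:00",
     "user": "carol@example.com", "action": "deny",
     "domain": "updates.example.net", "domain_score": 5,
     "dst_ip": "203.0.113.10", "ip_score": 80},
    {"session_id": "s-0900", "end_time": "2024-01-10T08:00:00",
     "user": "dave@example.com", "action": "allow",
     "domain": "updates.example.net", "domain_score": 85,
     "dst_ip": "203.0.113.10", "ip_score": 80},
]

# Constructed latest feed, keyed by (log field, indicator value).
LATEST_FEED = {
    ("domain", "updates.example.net"): {"score": 5, "category": "malware"},
    ("dst_ip", "198.51.100.7"): {"score": 10, "category": "botnet"},
    ("domain", "files.example.org"): {"score": 92, "category": "file-sharing"},
}

# (indicator field, field holding the score seen at traffic time)
INDICATOR_FIELDS = (("domain", "domain_score"), ("dst_ip", "ip_score"))


def reevaluate(logs, feed, now, lookback_days=30, bad_below=BAD_BELOW):
    """Return allowed sessions whose indicator has since turned malicious."""
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for rec in logs:
        if datetime.fromisoformat(rec["end_time"]) < cutoff:
            continue  # outside the retention / lookback window
        if rec["action"] != "allow":
            continue  # the data plane already blocked this session
        for field, score_field in INDICATOR_FIELDS:
            current = feed.get((field, rec[field]))
            if current is None:
                continue  # the feed has no opinion on this indicator
            # Acceptable at traffic time, malicious in the latest feed.
            if rec[score_field] >= bad_below > current["score"]:
                findings.append({
                    "session_id": rec["session_id"], "user": rec["user"],
                    "indicator": field, "value": rec[field],
                    "score_then": rec[score_field],
                    "score_now": current["score"],
                    "category": current["category"],
                })
    return findings


if __name__ == "__main__":
    for finding in reevaluate(ACCESS_LOGS, LATEST_FEED, datetime(2024, 3, 5)):
        print(finding)
```

Each finding keeps the session identifier and user from the original log, so a threat hunter can pivot straight to the affected session instead of searching by indicator alone.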

Unified SASE aggregates logs, metrics, and traces with precision

The comprehensiveness and accuracy of any analytics, including descriptive, predictive, diagnostic, and prescriptive, heavily rely on the quality of logs received by the observability platform. This is where Unified SASE solutions truly excel.

Traditional observability platforms depend on logs and metrics from various vendor systems, such as firewall appliances, UTM appliances, applications, identity services, web application firewalls, IDS/IPS systems, DNS security systems, and more. However, managing logs from multiple vendors poses several challenges:

  • Insufficient information in the logs.
  • Different log formats/schemas.
  • Constant changes of log messages and format by vendors.
  • Difficulty in correlating logs from networking/security devices to specific traffic sessions, users, or applications consistently.
  • A large number of logs with duplicate information, leading to log bombs and log drops.
  • Excessive compute power required for log correlation and handling the high volume of logs.

SASE solutions effectively address these challenges through their integrated approach. SASE combines multiple network and network-security functions into a single service, delivered as a comprehensive solution. However, being cautious is essential since SASE solutions can be built in multiple ways. Single vendor SASE services, though delivered as a combined offering from one vendor, may be composed of discrete security and networking components from multiple component vendors. Consequently, logs and metrics from such single vendor SASE solutions may face similar challenges.

In contrast, Unified SASE solutions are typically delivered as a unified and comprehensive data plane that adheres to the principles of single pass architecture and run-to-complete architecture. This means Unified SASE has a holistic view of each session or transaction and the related security functions applied. As a result, Unified SASE solutions generate only one log for each file, transaction, or session, containing all the necessary information. For example, Unified SASE access logs include comprehensive details such as:

  • 5-tuple information (source IP, destination IP, protocol, source port, and destination port)
  • Start time and end time of the session/transaction
  • Domain name in case of TLS connections
  • Host header value and URL path in case of HTTP transactions
  • Whether or not the connection is secure (TLS)
  • HTTP method (GET/POST/DELETE/PUT), URI query parameters and HTTP request & response headers & values, mainly headers that start with X-
  • File hash (if multiple files are sent in one HTTP transaction, there could be multiple access logs)
  • Number of bytes sent from client to server and vice versa
  • Access policies and security policies applied, along with policy details and matched values from the traffic session, such as user claims (principal name, group, role, authentication service, issuer), IP reputation category and score, domain category and reputation score, URI category and reputation score, SaaS service category and reputation score, and the action taken. It is important to note that multiple security engines provide consent for access to any session or transaction. These security engines encompass the IP reputation engine, domain reputation engine, URL reputation engine, SaaS reputation engines, access control engines, anti-malware engine, IDPS engine, and more. Each security engine applies its own set of policies and takes appropriate actions based on the results. Because each engine has its own policy table and its own set of matched values from traffic or traffic enrichments, it is necessary to record the matching policy name and the parameters that led to the policy match.

Access logs play a critical role in observability platforms, enabling accurate analytics. However, other logs are of equal importance for observability platforms, and “Unified SASE” solutions offer them out of the box. These logs are instrumental in enhancing the platform’s capabilities for comprehensive insights. Some of the essential logs provided by Unified SASE solutions include:

  • Logs related to user sign-in and sign-out through its identity broker function.
  • Logs related to user sign-in failures, which help monitor potential security threats.
  • Logs related to user sign-in, enriched with comprehensive user claims information, including:
    • User email address
    • Issuer (identity provider)
    • Multiple groups and roles the user belongs to
    • The authentication service that authenticated the user
    • Whether Multi-Factor Authentication (MFA) was applied or not
    • Source IP from which the user signed in
    • Authentication protocol used by the user application
    • Location from which the user signed in

Including user authentication-related logs and access logs can provide valuable inputs to the observability platform for effectively identifying behavioral anomalies.

Furthermore, Unified SASE solutions offer logs whenever any threat is detected, such as Malware, Exploits, or Suspicious activities. These logs include 5-tuple information (source IP, destination IP, protocol, source port, destination port), date/time, and known user claims information at the time of the threat detection. This helps correlate the threat with the session or transaction in which it was observed, aiding in incident response and mitigation.

Though we are not covering them here, many other logs related to the SASE system’s kernel, processes, containers, and hardware help in diagnostic analytics.

In addition to generating logs, Unified SASE solutions also provide various metrics, including counters, gauges, and histograms. These metrics are invaluable in identifying statistical anomalies and troubleshooting by offering visibility into different components of the SASE architecture.

Overall, different types of logs, including access logs, authentication-related logs, threat logs, and diagnostic logs with various types of metrics that Unified SASE provides, help observability platforms to provide not only descriptive & diagnostic analytics but also behavioral/predictive analytics.

Unified SASE and Integrated Observability are joined at the hip.

As discussed thus far, Unified SASE stands out by enabling various analytics tools with its rich set of exported data.

We also recognize that Unified SASE solutions will encompass a comprehensive observability platform that includes various analytics, notably behavioral analytics, as described earlier. In the initial stages, integrated observability platforms were primarily limited to SASE solutions, with end-to-end observability often relying on observability services from Splunk, Datadog, Elastic, New Relic, and end-to-end threat XDR platforms.

In essence, Unified SASE incorporates its own integrated observability platform while simultaneously providing high-quality logs and metrics to diverse external observability tools.

Unified SASE is key to boosting observability capabilities.

Traditional monitoring and visibility tools fall short in complex enterprise environments characterized by distributed workforces, multi-cloud/edge application deployments, extensive usage of multiple SaaS services, an ever-expanding threat landscape, and microservices-based application architectures. Reliance on logs and metrics from various networking, security, and application sources often hinders these tools’ ability to deliver actionable insights and efficient correlation and root cause analysis capabilities. The need of the hour is “observability.”

Many traditional analytics vendors have started augmenting their offerings with observability features like UEBA and associated anomaly detection capabilities. However, the effectiveness of these analytics tools heavily relies on the quality of logs and metrics they receive. Unified SASE holds the potential to overcome challenges related to generating comprehensive and high-quality logs for all types of analytics, including behavioral analytics.

By offering a unified approach and comprehensive data export, Unified SASE can significantly enhance the observability capabilities of organizations, facilitating proactive threat detection, precise analysis, and better decision-making. The integration of multiple analytics tools and observability features within Unified SASE provides a powerful solution for addressing the complexities of modern enterprise environments and bolstering cybersecurity defenses.


About the author

Srini Addepalli
Srini Addepalli is a security and Edge computing expert with 25+ years of experience. Srini has multiple patents in networking and security technologies. He holds a BE (Hons) degree in Electrical and Electronics Engineering from BITS, Pilani in India.