Last Updated: 9th October, 2019
User and Entity Behavior Analytics (UEBA): Groups and organizations need to get a more in-depth security approach to properly address cybersecurity threats by employing both User and Entity Behavior Analytics (UEBA) and Machine Learning (ML). This approach leverages layered security that provides prevention, detection and response capabilities. Yet organizations invest a lot of time and resources into preventative controls. Advanced adversaries are prepared to bypass defenses by blending in as a normal user in the environment and laterally move across the enterprise.
The challenge with layered security is each control point generates hundreds, if not thousands of logs per second. Securities operation centers are inundated with noise and false alerts, which makes it difficult to detect an adversary in the network.
What Is User And Entity Behavior Analytics (UEBA)?
Gartner defines the user and entity behavior analytics (UEBA) as a solution that uses analytics to build the standard profiles and behaviors of users and entities across time and peer group horizon. An activity that is anomalous to these standard baselines is presented as suspicious and packaged analytics applied to these anomalies can help discover threats and potential incidents.
User and entity behavior analytics (UEBA) solutions build baselines for the user and entity profiles to identify normal activity. The solution also leverages machine learning (ML) for descriptive and predictive models. Descriptive models look into the past to answer, “What happened?” Predictive models understand the future and answer, “What could happen?”
Machine Learning (ML) is an important component of the user and entity behavior analytics (UEBA) as it automatically builds models, learns from historical data, and identify deviations of normal behavior. To take advantage of the more advanced form of ML is known as deep learning (DL), you can use a deep learning platform, which may help you run your UEBA model more efficiently.
As a previous incident handler, I recall working through several incidents where I had to manually analyze and conclude normal behavior for a user. For example, if a user established two concurrent VPN sessions from two different locations and accessed several servers during that session, I would go back three to six months and begin to manually analyze the data set.
Based on the professional experience of the analysts, due to the manual essential nature of the exercise, that it is more probable that each analyst could provide a different conclusion.
Through ML, UEBA can help you gain an understanding of how users (humans and service accounts) and entities (machines) normally behave within your environment. A user and entity behavior analytics (UEBA) platform prioritize the highest–risk users and entities in an environment to make the best use of an analysts’ time. The challenge with the legacy SIEMs is that static correlation rules generates a large number of false positives and are single – dimensional.
The difference with a user and entity behavior analytics (UEBA) tool is the platform’s detection engine is multi-dimensional as it aggregates the anomalies per user and entity when it deviates from its normal behavior. Once the user and entity exceed a threshold established by your organization, the user and/or entity to become notable for the analyst to prioritize.
Prioritizing users and entities address the concerns CISOs and SOC Mangers have about alert fatigue – this is where analysts become desensitized to a large amount of alert and may miss the important ones.
A legitimate user activity may be classified as suspicious during initial deployment, which could occur frequently during initial learning phases, and the analysts can classify the event as normal behavior. Subsequently, the UEBA system machine learning integrates that data to reduce similar false positives.
The integration of the precise user behavioral data along with machine learning enables analysts to screen users and groups more effectively while offering profound insight in their specific activities. Here are a few examples demonstrating this user and entity behavior analytics (UEBA) ability:
- Abnormal Data Downloads – A user regularly downloads a maximum of 100 MB of data every day. One day, the user suddenly downloads gigabytes of data. The system will detect this anomaly and add points to the user’s profile.
- Stolen Credentials – An adversary compromised an employee’s username and password and used the credentials to access an executive’s system; however, the adversary’s behavior deviates from the normal behavior of the owner of the credentials. For instance, if during certain times and from certain devices, the compromised credentials are consistently used within a certain zone, the behavior of the assailant will break away all through the entire chain of attack. The adversary will attempt to lateral move within the environment, an activity, the UEBA platform will detect.
- Abnormal Transactions – The user and entity behavior analytics (UEBA) system used by a financial institution can detect a situation in which a bank clerk is conducting fraud by initiating and approving a large number of transfers. The system will recognize that the typical transaction patterns of that clerk (the insider user) are different from a baseline of normal behavior and will flag the activity for a supervisor to investigate.
Top 5 User And Entity Behavior Analytics (UEBA) And Machine Learning (ML) Strengths
Using machine learning with the user and entity behavior analytics (UEBA) provides the ability to learn a behavior and integrate it into the detection engine which saves analysts an enormous amount of time from writing and modifying complex correlation rules. Correlation rules are static which require analysts to create multiple iterations of the same rule to account for every possible scenario – this leads to many false positives.
UEBA dynamically adapts to an environment and can detect subtle changes in behavior that is difficult to do with static correlation rules. The dynamic nature and detection capabilities of the user and entity behavior analytics (UEBA) benefit your cybersecurity in many ways including:
- Identify Breach Of Encrypted Data – While you have encrypted data, retaining it secure is just not enough. Whenever a user retrieves this data you will know if he or she has no legitimate business logical explanation to access it. The UEBA system will detect this situation and alert you when it happens.
- Detect Insider Threats – An employee could go rogue, stealing data and information by using their access. UEBA can help you detect data breaches, sabotage, privilege abuse, and policy violations made by your staff. For example, if an adversary compromised a system administrator’s credentials, the adversary could potentially move data within the environment, including offline storage (OST) files, documents and presentations containing sensitive or proprietary data. Perhaps we would consider one or two true positive DLP instances out of another 100 or more warnings probably as a result of working in a security operations center. User and entity behavior analytics (UEBA) help reduce that number to identify true insider threats.
- Flag Changes In Permissions And Creation Of Privileged Users – Some attacks involve the use of privileged users. UEBA alerts you when privileged users are created, or if there are accounts that were granted unnecessary permissions. According to the MITRE ATT&CK framework, one of the tactics, techniques, and procedures (TTPs) leveraged by adversaries is to establish persistence through the technique Create Account (T1136). UEBA helps identify abnormal account creations based on the user’s baseline. For example, if a system administrator’s account is regularly used to create accounts from 9 a.m. – 6 p.m. ET when an adversary compromise the admin account and begins to create accounts outside that time frame, a UEBA tool will identify the activity. The user and entity behavior analytics (UEBA) tool can also identify other anomalies such as the privileges it is granted, which system the privileges were granted by, the network zone of the system and other factors.
- Detect Brute Force Attacks – Often cyber threats hit the cloud-based services along with authentication frameworks from third parties. With the user and entity behavior analytics (UEBA), you can detect brute force attempts, allowing you to block access to these entities. For organizations that regularly monitor failed logins, there is not enough time in the day to look through a list of 200 accounts that generated a failed login and identify which ones are potentially malicious. A UEBA tool can help prioritize the accounts that generated an abnormal number of failed logins based on the account profile and provide the contextual information to make a decision.
- Reduce False Positives – The user and entity behavior analytics (UEBA) system is constantly learning how to be more accurate and avoid false alarms. This approach reduces false positives because multiple abnormalities must occur before an analyst is alerted. Machine learning and UEBA prevent getting a mass of false positive alerts.
User and entity behavior analytics (UEBA) employ machine learning and algorithms to maximize cybersecurity by surveying users and other various entities, identifying changes in behavioral patterns which could clearly indicate a threat.
By taking a more proactive approach to security and gaining more visibility into the user and entity behavior, you can build a stronger security position and more effectively mitigate threats and prevent security breaches.