What is UEBA and How Does It Work?

User and Entity Behavior Analytics (UEBA) is a cybersecurity solution that analyzes the behavior of users and machine entities using machine learning and mathematical algorithms to detect anomalies that may indicate risk to the organization. Read this blog for details on how the technology works and why companies need this solution.

Table of Contents

UEBA Overview

Why Companies Need a UEBA Solution

The Three Pillars of UEBA

– Identity

– Access

– Activity

How User and Entity Behavior Analytics Works

The Benefits of User and Entity Behavior Analytics

– Address a Wide Range of Cyber-Attacks

– Reduce Alert Fatigue in an Overworked Staff

– Lower Risk to the Organization

UEBA in SIEM

The Differences Between UEBA and NTA

UEBA with Gurucul

– Insider Risk and Threat Monitoring

– Host / Device Compromise Detection

– Anomalous Activity Monitoring

– Lateral Movement Detection

Conclusion


UEBA Overview

UEBA is the scientific process of transforming behavior data from human users and entities such as servers, routers, endpoints, and IoT devices into risk-prioritized intelligence, for the purpose of driving business action. It’s the application of data science to create user and entity behavior baselines from months of historical access and activity. Once behavior baselines are established, analytics is used to monitor user and entity behavior in real-time, for the purposes of predicting and detecting anomalous activity. Real-time is the key here: analytics ingests massive amounts of data and provides insight into what’s actually going on with users and entities in your organization, as it’s happening. The output of security analytics is a single risk score for every user and entity. The risk score provides actionable intelligence on potential risky situations in real-time so organizations can take corrective action.

Why Companies Need a UEBA Solution

Cyber threats have become so pervasive that organizations must regard prevention of successful attacks as a failing strategy. Instead, they must assume their computing environment – from the endpoints, to the datacenter, to the cloud – to be already compromised in some way. Traditional rules-based cybersecurity solutions such as firewalls, anti-virus and anti-malware, and intrusion prevention tools can no longer provide full protection against bad actor intrusion.

Consider, too, that many more entities have access to resources in an organization’s computing environment these days. Among them are routers, switches, printers, surveillance cameras, badge systems, and industry-specific devices like medical equipment, hospital beds, machine interface devices, HVAC controllers, and more. In many cases, it’s difficult to secure network access to these devices, which makes them vulnerable to compromise.

Account takeover, often through the use of phishing and social engineering, is also a growing concern. When a bad actor uses a legitimate user’s credentials, they have the same access privileges as the real user, and their movements and activities can be hard to detect unless the organization is closely watching for anomalous activity that is out of place or uncharacteristic of the real user.

Account abuse occurs with insiders as well—people like employees, contractors, and vendors who have been assigned credentials and access rights. The abuse can be accidental or intentional. Either way, the only way to know that someone is doing something inappropriate is to monitor their behavior and compare it to a known baseline and to peer group behavior.

Unusual behavior – whether it’s coming from a human user or a machine entity – is a leading threat indicator. Observing behavior in real-time, making predictions about future behavior, and understanding if it poses a risk, are key to preventing harm from threats.

The Three Pillars of UEBA

The cybersecurity industry is moving towards behavior as the leading threat indicator. A user account can be taken over, but the threat actor doesn’t know what typical behavior for the legitimate account owner is. When behavior appears to be unusual, it can quickly be identified as anomalous—but is it really risky?

Consider that someone logs into the enterprise network from a new IP address. Is that person working remotely, or has someone stolen the credentials and logged in from a strange location? The single most critical factor in differentiating merely anomalous behavior from risky behavior is context. That context comes from the three pillars of behavior: identity, access, and activity. Detecting and stopping insider threats and cybercriminals involves monitoring and linking all three.

Identity

Every human user and machine entity is going to have an identity within an organization’s computing systems. Identities may be kept in a directory service or an identity and access management (IAM) system. Every data record or log entry will be associated in some way with a specific identity. This helps to build a baseline of behavior and activity for that identity. Different accounts – for example, an email account or a SaaS app account – are associated with an identity. Being able to link numerous accounts to a single identity is key to building a 360-degree view of a user.

Roles may also be associated with an identity. The person could have any sort of role — a customer, an employee, a customer service representative, a cashier, a medical billing agent, an investment broker, etc. Roles help to establish an expectation of what activity is acceptable for an identity. For example, you wouldn’t expect a customer to be able to access your financial systems, but that access is both acceptable and expected for an employee in a business accounting role.

Access

The next building block of context is access. Understanding what users are doing with their access rights is critical. A core component of behavior is the ability to understand access rights at the entitlement level.

Access is a great tool for building peer groups. And while most in the industry use HR profiles like Title and Manager for peer grouping, using access peer groups can often produce more accurate results. Suppose HR decides to make a generic job description in IT called Analyst, and puts everyone in job titles like analyst level one, analyst level two, and so on. Now when you look for risky behaviors within the analyst peer group, you have to ask: are these security analysts, systems analysts, or perhaps business analysts? Using access profiles can eliminate that issue. A security analyst is going to have different access than a business analyst, and a business analyst will have different access than a programming analyst. Even within security, a SOC security analyst will likely have different access than an identity and access management team member. So even if you have somewhat generic job descriptions, access profiles will help you solve that problem.

Another benefit of collecting access for peer grouping is that it can be combined with activity to identify dormant accounts and unused access. By removing that unneeded or unused access, you can then reduce risk to your organization.
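As an added example (not Gurucul's code, and not code from the post), the following Python builds peer groups from the entitlements each identity actually holds rather than from HR titles, and then combines access with activity to report dormant accounts and entitlements that have gone unused within a lookback window. The identities, entitlements, activity records, the 0.6 similarity threshold and the 90-day window are all constructed for illustration.

```python
"""Access-profile peer grouping and dormant-entitlement detection.

Added example, not Gurucul's code. Peer groups are formed by comparing
entitlement sets (Jaccard similarity); an entitlement that an identity has
not exercised within the lookback window is reported as unused, and an
identity with no activity at all is reported as a dormant account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access repository: identity -> entitlements held.
ENTITLEMENTS = {
    "alice": {"siem:read", "edr:isolate", "ticketing:write"},
    "bob":   {"siem:read", "edr:isolate", "ticketing:write"},
    "carol": {"erp:reports", "crm:read", "ticketing:write"},
    "dave":  {"erp:reports", "crm:read", "ticketing:write"},
    "erin":  {"siem:read", "edr:isolate", "ticketing:write", "iam:admin"},
}

# Constructed activity log: (identity, entitlement exercised, timestamp).
ACTIVITY = [
    ("alice", "siem:read",       "2024-03-01T09:12:00"),
    ("alice", "edr:isolate",     "2024-03-05T14:40:00"),
    ("alice", "ticketing:write", "2024-03-20T16:02:00"),
    ("bob",   "siem:read",       "2024-03-02T08:55:00"),
    ("bob",   "ticketing:write", "2024-03-02T09:10:00"),
    ("carol", "erp:reports",     "2024-03-10T10:00:00"),
    ("carol", "crm:read",        "2024-03-11T11:30:00"),
    ("carol", "ticketing:write", "2024-03-12T12:00:00"),
    ("erin",  "siem:read",       "2024-03-15T09:00:00"),
    ("erin",  "edr:isolate",     "2024-03-15T09:05:00"),
    ("erin",  "ticketing:write", "2024-03-16T13:00:00"),
    ("erin",  "iam:admin",       "2023-11-20T17:45:00"),  # last use is months ago
]


def jaccard(a, b):
    """Similarity of two entitlement sets, 0.0 (disjoint) to 1.0 (identical)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def build_peer_groups(entitlements, threshold=0.6):
    """Greedy clustering by access profile.

    An identity joins the first group whose seed member's entitlements are at
    least `threshold` similar to its own; otherwise it seeds a new group.
    Returns a list of sorted member lists, in seed order.
    """
    groups = []  # (seed identity, members)
    for ident in sorted(entitlements):
        for seed, members in groups:
            if jaccard(entitlements[ident], entitlements[seed]) >= threshold:
                members.append(ident)
                break
        else:
            groups.append((ident, [ident]))
    return [sorted(members) for _, members in groups]


def find_dormant(entitlements, activity, now_iso, lookback_days=90):
    """Return (dormant accounts, {identity: unused entitlements}) for the window."""
    since = datetime.fromisoformat(now_iso) - timedelta(days=lookback_days)
    used = defaultdict(set)
    for ident, entitlement, ts in activity:
        if datetime.fromisoformat(ts) >= since:
            used[ident].add(entitlement)
    dormant_accounts = sorted(i for i in entitlements if not used[i])
    unused_access = {}
    for ident, held in entitlements.items():
        unused = sorted(held - used[ident])
        if unused:
            unused_access[ident] = unused
    return dormant_accounts, unused_access


if __name__ == "__main__":
    print("peer groups:", build_peer_groups(ENTITLEMENTS))
    print("dormant, unused:", find_dormant(ENTITLEMENTS, ACTIVITY, "2024-03-31T00:00:00"))
```

With the constructed data, alice, bob and erin land in one group even though erin holds one extra entitlement, carol and dave form a second group, dave is reported as a dormant account, and bob's never-used edr:isolate and erin's stale iam:admin show up as removal candidates.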

Activity

Every type of activity in a computing environment is logged somewhere. Activity logs can answer the questions of what users and entities are doing, when they are doing it, and where they are doing it. But activity alone fails to provide enough context and visibility. The gap with access must be closed to evaluate risk. Analyzing the access and activity of a user for their accounts and entitlements is ground zero for predictive risk scoring. Identity helps tie all of this together. Without identity, there’s no link between accounts, entitlements, or activities. Without that link, it’s nearly impossible to identify risk behaviors in order to remediate them.

  • Watch the webinar The Three Pillars of Behavior | Gurucul Webinar

How User and Entity Behavior Analytics Works

The UEBA process starts with ingestion of massive amounts of activity and other data from sources spanning the enterprise. This would include, but not necessarily be limited to:

  • Security data and intelligence from firewall, IDS/IPS, anti-virus, threat intelligence feeds, and more
  • Infrastructure logs from gateways, servers, DNS, and so on
  • Application audit logs
  • Network logs, including NetFlow and packet capture
  • Device attributes and configuration details
  • Cloud services

All this data goes into a big data lake, where it is normalized for consistency and correlated according to identity and access groups in order to build behavioral baselines and a picture of expected behavior patterns for every user and entity. As new data comes in – as it does continuously – it is fed into an engine where machine learning models analyze the data in near-real time. An individual identity’s data is compared to its own baseline, as well as to its peer group baseline, to look for anomalies.

When an anomaly is found, it is put into context with more data and a risk score is calculated. When a risk score reaches a predetermined threshold, an alert is raised for an analyst to investigate further. If the UEBA system is integrated with a SOAR (Security Orchestration, Automation, and Response) solution, an automated response may be issued.
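Added example, not code from the post or from Gurucul: a compact Python sketch of the pipeline just described. It builds baselines per identity and per peer group from a constructed event history, compares each new event with both, and combines the deviations into a 0-100 risk score with an assumed alert threshold of 50. It also answers the new-IP-address question raised under The Three Pillars: a login from a country the user has never used scores lower when peers in the same group already work from there. Peer-group membership, the feature weights and the sample data are all assumptions.

```python
"""Behavior baselines and risk scoring, as a UEBA engine might do it.

Added example, not Gurucul's code. Baselines are built per identity and per
peer group from a constructed event history; each new event is compared with
both and the deviations are combined into a 0-100 risk score.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

ALERT_THRESHOLD = 50  # assumed; a real deployment tunes this per environment

# Constructed history: (identity, timestamp, source country, bytes uploaded).
# A real baseline would be built from months of such records.
HISTORY = [
    ("alice", "2024-02-05T09:10:00", "US", 120_000),
    ("alice", "2024-02-06T10:30:00", "US", 150_000),
    ("alice", "2024-02-07T14:05:00", "US", 130_000),
    ("alice", "2024-02-08T16:45:00", "US", 140_000),
    ("bob",   "2024-02-05T08:50:00", "US",  90_000),
    ("bob",   "2024-02-06T09:40:00", "GB", 110_000),  # bob sometimes works from GB
    ("bob",   "2024-02-07T11:20:00", "US", 100_000),
    ("bob",   "2024-02-08T15:00:00", "US",  95_000),
]
# Assumed peer grouping (in practice derived from an access or HR profile).
PEER_GROUP = {"alice": "soc-analyst", "bob": "soc-analyst"}


def _profile(records):
    """Summarize (hour, country, bytes) records into a baseline profile."""
    sizes = [b for _, _, b in records]
    return {
        "hours": {h for h, _, _ in records},
        "countries": {c for _, c, _ in records},
        "bytes_mean": mean(sizes),
        "bytes_std": max(pstdev(sizes), 1.0),  # floor avoids division by zero
    }


def build_baselines(history, peer_group):
    """Return (per-identity profiles, per-peer-group profiles)."""
    by_identity, by_peer = defaultdict(list), defaultdict(list)
    for ident, ts, country, nbytes in history:
        rec = (datetime.fromisoformat(ts).hour, country, nbytes)
        by_identity[ident].append(rec)
        by_peer[peer_group[ident]].append(rec)
    return ({i: _profile(r) for i, r in by_identity.items()},
            {p: _profile(r) for p, r in by_peer.items()})


def _hour_seen(hour, hours):
    """True if the hour is within one hour of any hour in the baseline."""
    return any(abs(hour - h) <= 1 for h in hours)


def score_event(identity_baselines, peer_baselines, peer_group, event):
    """Compare one event with its own and its peers' baselines.

    Returns (risk score, alert flag, reasons). A deviation the peer group
    also shows is weighted lower: anomalous is not the same as risky.
    """
    ident, ts, country, nbytes = event
    own = identity_baselines[ident]
    peers = peer_baselines[peer_group[ident]]
    hour = datetime.fromisoformat(ts).hour
    score, reasons = 0, []
    if country not in own["countries"]:
        if country in peers["countries"]:
            score += 15
            reasons.append(f"new country {country}, but used by peers")
        else:
            score += 40
            reasons.append(f"new country {country}, unseen in peer group")
    if not _hour_seen(hour, own["hours"]):
        if _hour_seen(hour, peers["hours"]):
            score += 10
            reasons.append(f"unusual hour {hour:02d}h for this user, normal for peers")
        else:
            score += 20
            reasons.append(f"unusual hour {hour:02d}h for user and peers")
    z = (nbytes - own["bytes_mean"]) / own["bytes_std"]
    if z >= 3:
        score += 40
        reasons.append(f"upload volume {z:.1f} sigma above own baseline")
    elif z >= 2:
        score += 20
        reasons.append(f"upload volume {z:.1f} sigma above own baseline")
    score = min(score, 100)
    return score, score >= ALERT_THRESHOLD, reasons


if __name__ == "__main__":
    ident_bl, peer_bl = build_baselines(HISTORY, PEER_GROUP)
    for ev in [("alice", "2024-03-01T10:00:00", "GB", 140_000),
               ("alice", "2024-03-02T03:00:00", "RU", 900_000),
               ("bob",   "2024-03-01T09:00:00", "US", 200_000)]:
        print(ev[0], score_event(ident_bl, peer_bl, PEER_GROUP, ev))
```

Run against the three constructed events: alice's first login from GB scores 15 (anomalous for her, routine for her peer group, no alert); her 3 a.m. login from an unseen country with a 900 KB upload scores the capped 100 and raises an alert; bob's large upload during normal hours from a normal location scores 40, below the threshold, so it is recorded but not escalated. In a production engine the baselines would also be refreshed as new events arrive rather than built once.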

The Benefits of User and Entity Behavior Analytics

UEBA provides both technical and business benefits, such as:

Address a Wide Range of Cyber-Attacks

Because UEBA works on subtle changes in behavior of both human users and machine entities, it is able to detect a variety of cyber-attacks, including insider threats, account takeovers, ransomware attacks, brute force attacks, DDoS attacks, compromised devices, and more. UEBA is a broad-based cybersecurity solution that uncovers risk from known as well as unknown threats.

Reduce Alert Fatigue in an Overworked Staff

Security teams are often overwhelmed with too many alerts requiring follow-on investigation or some sort of response. UEBA reduces false positives and prioritizes alerts so that only the most important events demand attention. This makes it possible for your security experts to focus on the most credible, high-risk alerts, and may even reduce the need for additional technical staff.

Lower Risk to the Organization

As potentially risky anomalies are discovered earlier in the kill chain, the organization has a chance to respond to minimize the potential of damage. The longer an undetected infection lives in the enterprise environment, the more damage it can do. Take, for example, a ransomware attack. If UEBA can detect it in the earliest stages, and an early response is executed, the organization can avoid loss of data, business disruption, and a potential large ransom payout. Without detection and response, the damage could easily cost millions of dollars due to loss of business and restoration of files.

UEBA in SIEM

Security information and event management (SIEM) is a solution that ingests, interprets, and extracts security metadata from any device, application, and on-premise or multi-cloud environment. The SIEM tool attempts to identify threats by correlating all the information it gathers from logs and other sources. Correlation is enabled by taking the disparate types of log and event data, parsing it, and storing it in a format that is useful for analysis. Correlation rules are combined with real-time analysis of events to help detect threats in a SIEM system. The analytics in next-generation SIEM tools is machine learning-based rather than rules-based, as it is in legacy systems.

Sounds very similar to how we just described UEBA, no? While SIEM tends to be more focused on log and event information related to suspicious network behavior, UEBA software emphasizes user and entity behavior. While there are some areas of overlap, UEBA is a complementary extension of SIEM applied to a different aspect of information security.

  • Learn about Gurucul’s SIEM solution at Automate Threat Detection & Remediation with Next-Gen SIEM

The Differences Between UEBA and NTA

Network Traffic Analysis (NTA) is the discipline of monitoring all traffic flows across on-premise, edge, and cloud infrastructures, providing a holistic overview of network traffic communications. While such monitoring can have cybersecurity applications, NTA is also used for network performance monitoring, capacity planning, troubleshooting, availability monitoring, and SLA compliance enforcement.

Similar to UEBA, NTA uses analytics to discover network communication patterns, build a baseline of normal traffic patterns, and monitor for potential threats. For example, a device on the network that has recently been infected with malware might be observed suddenly communicating with an external IP address that is known to be a malicious site (a command & control site, or C2). This anomalous behavior can trigger an alert for a security analyst to investigate.

Here are some ways that NTA can be applied toward cybersecurity:

  • Detect traffic to/from unusual geo locations that may be indicative of account sharing, account takeover, or improper use of a VPN.
  • Expose DNS tunneling to detect traffic to unusual DNS servers and surges in outbound DNS queries.
  • Identify unknown IoT devices on the network.
  • Monitor complex cloud, hybrid or on-premise architectures: east-west network traffic can reveal attacker lateral movement and the spread of an infection across resources, while north-south traffic can reveal command and control activity to external malicious hosts (downloading more malware, exchanging encryption keys for ransomware, or reporting ransomware status) and data exfiltration.

But unlike UEBA, NTA does not create baselines for user and entity behavior or compare such behavior to that of peer groups. Observations of network traffic patterns are far different from observations of what humans and machines actually do on a network. The two solutions – NTA and UEBA – are distinct in what they observe and measure, but they can be complementary security solutions in a large enterprise environment.
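The following Python is an added example (not Gurucul's code) of the network-side observations this section contrasts with UEBA. It runs three of the NTA checks listed above over constructed NetFlow-style records: a per-host hourly DNS query-rate baseline to expose surges, DNS queries sent to resolvers outside the sanctioned set, and connections to destinations on a threat-intelligence denylist; a host with no baseline at all is reported as a new device. Note that every finding is keyed by host, not by identity, which is exactly the gap UEBA fills. The resolver address, the denylisted address and all flows are constructed, using RFC 5737 documentation ranges.

```python
"""Network Traffic Analysis checks over flow records.

Added example, not Gurucul's code. Applies three NTA checks to constructed
NetFlow-style records: per-host DNS query-rate baselines (surges are a DNS
tunneling indicator), queries to unsanctioned resolvers, and connections to
denylisted destinations. Hosts without a baseline are reported as new.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

SANCTIONED_RESOLVERS = {"10.0.0.53"}   # assumed enterprise resolver
DENYLIST = {"203.0.113.77"}            # constructed C2 indicator (RFC 5737 range)


def flow(ts, src, dst, dport, nbytes=200):
    """Flow record as a dict; the fields mirror a NetFlow v5 subset."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "bytes": nbytes}


# Constructed baseline window: ws-17 issues 12, 15, 10 and 13 DNS queries
# in four consecutive hours, all to the sanctioned resolver.
BASELINE_FLOWS = [
    flow(f"2024-02-26T{hour:02d}:{i:02d}:00", "ws-17", "10.0.0.53", 53)
    for hour, n in zip((9, 10, 11, 12), (12, 15, 10, 13))
    for i in range(n)
]

# Constructed current window: ws-17 suddenly issues 40 queries in one hour;
# a previously unseen host ws-22 queries an unknown resolver and then opens
# an HTTPS connection to a denylisted address.
CURRENT_FLOWS = (
    [flow(f"2024-03-01T09:{i:02d}:00", "ws-17", "10.0.0.53", 53) for i in range(40)]
    + [flow(f"2024-03-01T09:{i:02d}:00", "ws-22", "198.51.100.9", 53) for i in range(8)]
    + [flow("2024-03-01T09:30:00", "ws-22", "203.0.113.77", 443, 4096)]
)


def hourly_dns_counts(flows):
    """host -> {'YYYY-MM-DDTHH': number of DNS queries in that hour}."""
    counts = defaultdict(Counter)
    for f in flows:
        if f["dport"] == 53:
            counts[f["src"]][f["ts"][:13]] += 1
    return counts


def build_dns_baseline(flows):
    """host -> (mean, std) of hourly DNS query counts; std floored at 1."""
    baseline = {}
    for host, per_hour in hourly_dns_counts(flows).items():
        values = list(per_hour.values())
        baseline[host] = (mean(values), max(pstdev(values), 1.0))
    return baseline


def analyze(flows, baseline, resolvers=SANCTIONED_RESOLVERS, denylist=DENYLIST):
    """Return sorted (host, finding type, detail) tuples for a window of flows."""
    findings = set()
    for f in flows:
        if f["dst"] in denylist:
            findings.add((f["src"], "denylisted_destination", f["dst"]))
        if f["dport"] == 53 and f["dst"] not in resolvers:
            findings.add((f["src"], "unknown_resolver", f["dst"]))
        if f["src"] not in baseline:
            findings.add((f["src"], "new_host", "no traffic baseline"))
    for host, per_hour in hourly_dns_counts(flows).items():
        if host not in baseline:
            continue  # already reported as new_host; nothing to compare against
        mu, sigma = baseline[host]
        for hour, n in per_hour.items():
            if n > mu + 3 * sigma:
                findings.add((host, "dns_surge",
                              f"{n} queries in {hour} (baseline {mu:.1f} +/- {sigma:.1f})"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(CURRENT_FLOWS, build_dns_baseline(BASELINE_FLOWS)):
        print(*finding)
```

Replaying the baseline window against its own baseline produces no findings; the current window produces a DNS surge for ws-17 (40 queries against a baseline of 12.5 with standard deviation 1.8) and three findings for ws-22. None of them say who was logged into ws-22 or whether that person's behavior is typical for their peers, which is the context the UEBA examples earlier on this page add.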

  • Learn about Gurucul’s NTA solution at Network Traffic Analysis | Insights for Security Teams | Gurucul

UEBA with Gurucul

Gurucul leads the market in demonstrating UEBA results where others cannot. The product consumes the most data sources out-of-the-box and leverages the largest machine learning library. Using big data, Gurucul provides user and entity behavior analytics delivering actionable intelligence for security teams with low false positives.

Gurucul UEBA delivers a single unified prioritized risk score per user and entity. This risk score is the key indicator used to drive downstream automated security controls and processes. Find threats, including unknown unknowns, quickly with no manual threat hunting and no configuration. Get immediate results without writing queries, rules, or signatures.

  • Learn more about Gurucul’s UEBA solution at User & Entity Behavior Analytics UEBA | Gurucul

Some common use cases for Gurucul UEBA include:

Insider Risk and Threat Monitoring

Identify high-risk profiles with risk-based user and entity behavior analytics, data mining, anomaly, and behavior detection. Help security teams by creating a baseline using profiling attributes from HR records, events, access repository, log management solutions and more.

Host / Device Compromise Detection

Detect advanced persistent threat (APT) attacks and attack vectors and predict data exfiltration by performing entity-centric anomaly detection with our UEBA solution. Correlate a wide range of parameters including endpoint security alerts, vulnerability scan results, risk levels of users and accounts used, targets accessed, packet level inspection of the requested payloads, and more.

Anomalous Activity Monitoring

The Gurucul UEBA solution detects attacks using ML algorithms tuned to inspect various parameters like timestamp, location, IP address, device, transaction patterns, high-risk event codes and network packets. Identify any deviation from the normal behavior that may be indicative of a threat.

Lateral Movement Detection

Gurucul UEBA can detect techniques used by threat actors as part of an attack campaign. Identify unusual activity and suspicious access as threat actors attempt to traverse the network in search of better vantage points to download additional malware, communicate to external servers, and eventually find the location of sensitive data.

  • Read more about use cases at User and Entity Behavior Analytics Use Cases – Gurucul.

Conclusion

UEBA transforms behavior data into risk-prioritized insight that enables security teams to respond to threats in the environment. UEBA is an important layer of cybersecurity that is especially adept at detecting a variety of attacks, including malicious insider activity, account compromise/takeover, social engineering attacks, ransomware attacks, compromised devices, and more. Using true machine learning to detect unusual behavior of users and machine entities, UEBA can detect risky behavior in its earliest stages, helping to minimize potential damage.

UEBA is complementary to other cybersecurity solutions such as SIEM, NTA, and SOAR (security orchestration, automation, and response). There are numerous use cases for and benefits of UEBA.

Learn more with these resources:

  • Watch the webinar How Mature Behavior Analytics Accelerates Detection of Persistent Threats
  • Watch the webinar UEBA Explained: Using User & Entity Behavior Analytics to Stop Advanced Threats

ABOUT THE AUTHOR:

Nilesh Dherange, Chief Technology Officer, Gurucul

Nilesh Dherange is responsible for development and execution of Gurucul’s technology vision. Nilesh brings a wealth of experience in inventing, designing, and building software from inception to release. Nilesh has been a technologist and leader at three startups and at one of the largest software development companies in the world. Prior to founding Gurucul, Nilesh was an integral member of a company that built a Roles and Compliance product acquired by Sun Microsystems. Nilesh was also a co-founder and VP of Engineering for BON Marketing Group where he conceptualized and created BON Ticker — an innovative patented bid management system which used predictive analytics to determine advertising bids for PPC marketing campaigns on search engines like Google, Yahoo, MSN etc. Nilesh holds a B.A in Social Science, B.E in Computer Engineering from University of Mumbai and M.S in Computer Science from University of Southern California.

The post What is UEBA and How Does It Work? appeared first on Gurucul.


