What is UEBA?
UEBA stands for User and Entity Behavior Analytics, and is a security process focusing on monitoring suspicious behaviour. Both user behavior and behavior in other entities such as cloud, mobile or on-premise applications, endpoints, networks, and external threats. Utilizing Machine Learning, UEBA builds baselines for every entity in the network, and actions are evaluated against these baselines.
Behavioral analytics allows analysts to answer the question: What is normal and what is abnormal? Which relieves analysts from creating complicated predefined rules to define what is permitted. Thereby enabling them to achieve situational awareness before, during, and after responding to breaches. Simply put, with UEBA you track all users and entities while helping analysts determine what to look for.
What’s the difference between UEBA and UBA?
Previously, the term User Behavior Analytics (UBA) described the process of tracking, collecting, and assessing user data and activities within the IT infrastructure. But in 2015, the analyst firm Gartner published a market guide defining the term User and Entity Behavior Analytics. UEBA has the same capabilities as UBA, with the addition of being able to track user activity and the activity of devices, applications, servers, and data. Instead of analyzing user behavior data, UEBA combines user behavior with behavior from entities.
Benefits of a UEBA solution
UEBA integrated with a SIEM solution can cover multiple security use cases with a single platform. In particular, User and Entity Behavior Analytics provides insider threat detection. Which can uncover either outside attacks that have penetrated an organization’s perimeter or behaviors that may be threatening to company operations from within. UEBA also improves the effectiveness of existing security tools, supports entity monitoring, and helps organizations comply with industry regulations.
Key benefits of a UEBA solution include:
- Automated Threat Detection: Utilizing machine learning and behavioral analytics, enterprises can counter the shortage of experienced cybersecurity analysts and optimize existing resources in performing threat detection.
- Reduced Risk: Compromised user accounts are the keys to the kingdom, resulting in the most damage from a breach. Early detection of compromised credentials is essential in mitigating risk and data loss.
- Reduced Mean Time To Respond (MMtR): User and Entity Behavior Analytics has high fidelity risk scoring and reduces the time to respond to attacks, giving time back to the security team.
- Reduced noise: Behavioral analytics help eliminate false positives, so security teams can focus on uncovering activities carrying the real risk, and prioritize response to the most critical incidents in the organization.
UEBA vs. SIEM
In the early days of UEBA, machine learning analytics was often employed on single sources of data. However, it quickly became apparent that a UEBA solution’s results were entirely dependent on the quality of data and the correlation of data from multiple data sources. Combining the SIEM that contains all of the enterprise security data and applying advanced User and Entity Behavior Analytics has emerged as the ideal solution. Consequently, it’s not UEBA vs. SIEM anymore, but rather SIEM augmented with UEBA. The rules- and thresholds-based approach of traditional SIEMs and other existing security tools produce many false positives and a flood of alerts. When the SIEM is augmented with UEBA, it supports analysts in threat hunting, reduces time spent on false positives, and empowers security teams to focus on critical threats.
User and Entity Behavior Analytics reduces time-to-value
Having SIEM as a data source for UEBA not only provides a pool of valuable log data, it also enables your SOC to work smarter by cutting the response time. As a result, there is no need to do any mapping or customization. Which lowers time to value dramatically. The deployment architecture is easily scalable for increasing the number of entities and data volume. UEBA builds baselines for every entity in the network by leveraging machine learning and big-data analytics capabilities. Actions are then evaluated against these baselines. Consequently, it becomes less critical to define the right rules and thresholds in the SIEM, saving your analysts time.
UEBA risk scores
The ultimate difference of a SIEM augmented with UEBA will unfold once you start viewing the information presented by UEBA. Which provides a risk score for users and entities. The output from the UEBA can be correlated with SIEM events. This provides more insight into the context of incidents. Using a modern SIEM with UEBA, you can enrich the original log data using the machine learning algorithms’ information and better discover suspicious user behavior in the SIEM itself. The high-risk activities and contextual information are then presented to the analyst for further investigation. Enabling faster and more informed decisions. The advanced behavioral analytics allows your cybersecurity team to work smarter by accelerating detection and response to threats, without increasing your team’s workload.
UEBA and the insider threat
Detecting insider threats before they have the potential to succeed in compromising an organization remains a significant challenge for enterprises today. The 2020 Insider Threat Report by Cybersecurity-Insiders found that 68% of organizations observed that insider threats have become more frequent in the past 12 months. According to the 2020 Verizon Data breach report, more than 25% percent of breaches took months or longer to discover. Meaning, by the time breaches were detected, the damage had already occurred. Finding the indicators of compromise (IOCs) quickly is critical. Once credentials are compromised, and the attacker controls the account, classic controls are no longer sufficient. Once an attacker has credentials, effective detection is to monitor abnormal behavior in the infrastructure using UEBA.
This has proven useful to counteract the three most common types of insider threats:
Potential Account Compromise:
With UEBA, detecting suspicious behaviors and compromised accounts become increasingly useful and intuitive. Once the UEBA detects suspicious activity indicators in a network, it will connect the anomalies to give analysts a complete overview of activities, geography, authentication, and the users or entities involved.
Another common approach for advanced persistent threats (APTs), prolonged attacks, and more complex breaches is when machines are compromised and act as staging platforms for further attacks. UEBA typically uses endpoint and network data to build baselines and detect anomalous activity. It also applies analytics to detect traffic that originates from machines.
Internal Attacks and Lateral Movement:
Once a foothold is established, the attacker attempts to understand the network and search for valuable data. Attackers will use scanning applications or operating system commands to understand better how to move around and access targeted data within a network. UEBA will use a mix of endpoint, Active Directory, and other data repositories to watch for behaviors that differ from normal baselines. These include; unusual activity by day of week or time of day, unusual access to servers, file shares, applications or other resources, an unusually high amount of access to specific resources, abnormal application usage, and anomalous access patterns to storage.
Best practices for UEBA
- Define Use Cases: When considering deploying a User and Entity Behavior Analytics solution, you should clearly define the use cases that need to be addressed. It would help if you also described the desired output from the UEBA solution for each of these cases. This will ensure that it’s delivering value against crucial pain points.
- Consider data sources: You should make sure that the User and Entity Behavior Analytics solution can support your priority use cases’ necessary data sources. Check if these use cases can be implemented out-of-the-box with prepackaged analytics and determine the expected effort level for custom use cases.
- Proof of Concept: You could include a proof of concept (POC) phase in your process. In this regard, it’s important to remember that a UEBA POC can last 30 days to give the machine learning algorithms time to learn your organization’s data and construct baselines using live or historical data.