Security breaches have become increasingly common in the digital world. UEBA helps organizations detect and respond to these incidents.
User and Entity Behavior Analytics (UEBA) was previously known as User Behavior Analytics (UBA). It is a cybersecurity solution that uses analytics to gain an understanding of how users (humans) and entities (networked devices and servers) in an organization typically behave to detect and respond to anomalous activity in real-time.
UEBA can identify and alert security analysts on risky variations and suspicious behavior that could indicate:
- Lateral movement
- Privileged account abuse
- Privilege escalation
- Credential compromise or
- Insider threats
UEBA also further assesses the threat level and provides a risk score that can help establish an appropriate response.
Read on to learn about how UEBA works, why organizations are shifting to UEBA, the major components of UEBA, the role of UEBA in incident response, and UEBA best practices.
How does User and Entity Behavior Analytics work?
User and entity behavior analytics first collect information on the expected behavior of the people and machines in your organization from data repositories such as a data lake, a data warehouse, or through SIEM.
UEBA then uses advanced analytics approaches to process this information to determine and further define a baseline of behavior patterns: where an employee logs in from, their privilege level, files, servers they often access, time and frequency of access, and devices they use for access.
UEBA then continuously monitors user and entity activities, compares them to baseline behavior, and decides what actions could result in an attack.
UEBA can know when a user is going about their normal activities and when an attack is happening. Though a hacker may be able to access an employee’s login details, they will not be able to mimic their regular activities and behavior.
A UEBA solution has three main components:
Data analytics: UEBA collects and organizes data of users and entities to build a standard profile of how each user acts typically. Statistical models are then formulated and applied to detect anomalous activity and alert the security team.
Data integration: To make the system more resilient, UEBA compares data obtained from various sources – such as system logs, packet capture data, and other datasets – with data collected from existing security systems.
Data presentation: Process through which the UEBA system communicates its findings and the appropriate response. This process typically involves issuing a request for the security analysts to investigate unusual behavior.
The role of UEBA in incident response
User and entity behavior analytics use machine learning and deep learning to monitor and analyze the usual behavior of humans and machines in your organization.
If there is a deviation from the regular pattern, the UEBA system detects it and performs an analysis that determines whether the unusual behavior poses a real threat or not.
UEBA ingests data from different log sources such as a database, Windows AD, VPN, proxy, badge, files, and endpoints to perform this analysis. Using these inputs and learned behavior, UEBA can fuse the information to make up a final score for risk ranking and send a detailed report to the security analysts.
For example, UEBA can look at an employee coming in over VPN from Africa for the first time. Just because the employee’s behavior is abnormal doesn’t mean it’s a threat; the user may simply be traveling. However, if the same employee in the human resource department suddenly accesses the finance subnet, UEBA would recognize the employee’s activities as suspicious and alert the security team.
Here is another relatable scenario.
Harry, an employee at Mount Sinai Hospital in New York, is desperate for money. On this particular day, Harry waits for everyone to leave the office then downloads patients’ sensitive information to a USB device at 7 pm. He intends to sell the stolen data on the black market for a high dollar.
Luckily, Mount Sinai Hospital utilizes a UEBA solution, which monitors the behavior of every user and entity within the hospital network.
Although Harry has permission to access patient information, the UEBA system increases his risk score when it detects a deviation from his usual activities, which typically involve viewing, creating, and editing patient records between 9 am and 5 pm.
When Harry tries to access the information at 7 p.m, the system identifies pattern and timing irregularities and assigns a risk score.
You can set up your UEBA system to simply create an alert for the security team to suggest further investigation, or you can set it up to take immediate action like automatically shutting off network connectivity for that employee due to the suspected cyberattack.
Do I need a UEBA solution?
A UEBA solution is essential for organizations because hackers are carrying out more sophisticated attacks that are becoming more and more difficult to detect. This is especially true in cases where the threat is coming from within.
According to recent cybersecurity statistics, more than 34% of companies are affected by insider threats worldwide. And in addition, 85% of businesses say it’s difficult to quantify the actual cost of an insider attack.
As a result, security teams are shifting towards newer detection, and incident response (IR) approaches. To balance and boost their security systems, security analysts are merging technologies like user and entity behavior analytics (UEBA) with conventional SIEMs and other legacy prevention systems.
UEBA provides you a more powerful insider threat detection system compared to other traditional security solutions. It monitors not only anomalous human behavior but also suspicious lateral movements. UEBA also tracks activities on your cloud services, mobile devices, and Internet of Things devices.
A sophisticated UEBA system ingests data from all the different log sources and builds a detailed report of the attack for your security analysts. This saves your security team the time spent going through countless logs to determine the actual damage due to an attack.
Here are some of the many use cases of UEBA.
Top 6 UEBA Use Cases
#1. UEBA detects insider privilege abuse when users perform risky activities outside of the established normal behavior.
#2. UEBA fuses suspicious information from different sources to create a risk score for risk ranking.
#3. UEBA performs incident prioritization by reducing false positives. It eliminates alert fatigue and makes it possible for security teams to focus on high-risk alerts.
#4. UEBA prevents data loss and data exfiltration because the system sends alerts when it detects sensitive data being moved within the network or transferred out of the network.
#5. UEBA helps detect lateral movement of hackers within the network who may have stolen employee login credentials.
#6. UEBA also provides automated incident responses, enabling security teams to respond to security incidents in real-time.
How UEBA improves UBA and legacy security systems like SIEM
UEBA does not replace other security systems but represents a significant improvement used alongside other solutions for more effective cybersecurity. UEBA differs from user behavior analytics (UBA) in that UEBA includes “Entities” and “Events” such as servers, routers, and endpoints.
A UEBA solution is more comprehensive than UBA because it monitors nonhuman processes and machine entities to more accurately identify threats.
SIEM stands for security information and event management. Traditional legacy SIEM may not be able to detect sophisticated threats by itself because it is not designed to monitor threats in real-time. And considering that hackers often avoid simple one-off attacks and instead engage in a chain of sophisticated attacks, they can go undetected by traditional threat detection tools like SIEM for weeks or even months.
A sophisticated UEBA solution addresses this limitation. UEBA systems analyze data stored by SIEM and work together to monitor threats in real-time, allowing you to respond to breaches quickly and effortlessly.
Therefore, by merging UEBA and SIEM tools, organizations can be much more effective at threat detection and analysis, address vulnerabilities quickly, and avoid attacks.
User and Entity Behaviour Analytics best practices
Here are five best practices for user behavior analytics that give insight on things to do when building a baseline for user behavior.
#1. Define use cases
Define the use cases you want your UEBA solution to identify. These can be the detection of privileged account abuse, credential compromise, or insider threats. Defining use cases helps you determine what data to collect for monitoring.
#2. Define data sources
The more data types your UEBA systems can handle, the more precise the baselining will be. Some data sources include system logs or human resource data such as employee performance history.
#3. Define behaviors about which data will be collected
This could include employee’s working hours, applications and devices they frequently access, and typing rhythms. With this data in place, you can better understand possible reasons for false positives.
#4. Set a duration for establishing the baseline
When determining the duration of your baselining period, it is essential to consider the security goals of your business and the activities of the users.
The baselining period should not be too short or too long. This is because you may not be able to collect the correct information if you end the baseline duration too fast, resulting in a high rate of false positives. On the other hand, some malicious activities may be passed as normal if you take too long to collect the baselining information.
#5. Update your baseline data regularly
You may need to rebuild your baseline data regularly because user and entity activities change all the time. An employee may get promoted and change their tasks and projects, level of privilege and activities. UEBA systems can be automatically set to collect data and adjust the baseline data when changes happen.
As we become increasingly reliant on technology, cybersecurity threats are becoming more complex. A large enterprise must secure its systems that hold sensitive data of its own and its clients to avoid large-scale security breaches. UEBA offers a real-time incident response system that can prevent attacks.