Organizations need to approach cybersecurity threats with a defense-in-depth methodology: layered security that provides prevention, detection, and response capabilities. Yet organizations invest a lot of time and resources in preventative controls alone. Advanced adversaries are prepared to bypass those defenses by blending in as a normal user in the environment and moving laterally across the enterprise. The challenge with layered security is that each control point generates hundreds, if not thousands, of logs per second. Security operations centers are inundated with noise and false alerts, which makes it difficult to detect an adversary in the network.
What is UEBA?
Gartner defines user and entity behavior analytics (UEBA) as a solution that uses analytics to build the standard profiles and behaviors of users and entities across time and peer group horizon. Activity that is anomalous to these standard baselines is presented as suspicious and packaged analytics applied to these anomalies can help discover threats and potential incidents.
UEBA solutions build baselines for user and entity profiles to identify normal activity. The solution also leverages machine learning (ML) for descriptive and predictive models. Descriptive models look into the past to answer, “What happened?” Predictive models look ahead to answer, “What could happen?” ML is an important component of UEBA because it automatically builds models, learns from historical data, and identifies deviations from normal behavior. To take advantage of the more advanced form of ML known as deep learning (DL), you can use a deep learning platform, which may help you run your UEBA models more efficiently.
As a previous incident handler, I recall working through several incidents where I had to manually analyze and conclude normal behavior for a user. For example, if a user established two concurrent VPN sessions from two different locations and accessed several servers during that session, I would go back three to six months and begin to manually analyze the data set. Depending on the analyst’s experience, it is more likely that each analyst would provide a different conclusion due to the manual nature of the exercise.
Through ML, UEBA can help you understand how users (humans and service accounts) and entities (machines) normally behave within your environment. A UEBA platform prioritizes the highest-risk users and entities in an environment to make the best use of an analyst’s time. The challenge with legacy SIEMs is that static correlation rules generate a large number of false positives and are single-dimensional. The difference with a UEBA tool is that the platform’s detection engine is multi-dimensional: it aggregates the anomalies per user and entity as each deviates from its normal behavior. Once a user or entity exceeds a threshold established by your organization, that user or entity becomes notable for the analyst to prioritize. Prioritizing users and entities addresses the concern CISOs and SOC managers have about alert fatigue, where analysts become desensitized to a large number of alerts and may miss the important ones.
During initial deployment, legitimate user activity may be flagged as abnormal; this happens frequently during the initial learning stages, and your analysts can tag the activity as normal behavior. The UEBA system’s machine learning then integrates that feedback to reduce similar false positives.
Combining accurate user behavioral data with machine learning allows analysts to more accurately monitor users and entities while providing deep visibility into their respective activities. Here are a few examples demonstrating this UEBA ability:
- Abnormal data downloads—a user regularly downloads a maximum of 100 MB of data every day. One day, the user suddenly downloads gigabytes of data. The system will detect this anomaly and add points to the user’s profile.
- Stolen credentials—an adversary compromised an employee’s username and password and used the credentials to access an executive’s system; however, the adversary’s behavior deviates from the normal behavior of the owner of the credentials. For example, if the compromised credentials are regularly used within a certain region during certain times and from specific machines, the adversary’s behavior will deviate throughout the entire attack chain. The adversary will attempt to laterally move within the environment, an activity the UEBA platform will detect.
- Abnormal transactions—the UEBA system used by a financial institution can detect a situation in which a bank clerk is conducting fraud by initiating and approving a large number of transfers. The system will recognize that the transaction patterns of that clerk (the insider user) differ from the baseline of normal behavior and will flag the activity for a supervisor to investigate.
- Advanced persistent threats (APT)—APT attacks are conducted by groups of skilled hackers who infiltrate an organization through a target such as a website and move laterally through it over a period of months, while carefully avoiding detection. While each of those steps may evade traditional detection techniques, together they create an anomalous picture. UEBA solutions can identify anomalous behavior of a subset of users or entities within a group and alert analysts to coordinated malicious activity.
Benefits of UEBA and machine learning
Using machine learning with UEBA provides the ability to learn a behavior and integrate it into the detection engine, which saves analysts an enormous amount of time otherwise spent writing and modifying complex correlation rules. Correlation rules are static, which requires analysts to create multiple iterations of the same rule to account for every possible scenario; this leads to many false positives. UEBA dynamically adapts to an environment and can detect subtle changes in behavior that are difficult to catch with static correlation rules. The dynamic nature and detection capabilities of UEBA benefit your cybersecurity in many ways, including:
- Detect breach of protected data—if you have protected data, it is not enough to just keep it secure. You should know when a user accesses this data when he or she does not have any legitimate business reason to access it. The UEBA system will detect this situation and alert you when it happens.
- Detect insider threats—an employee could go rogue, stealing data and information by using their access. UEBA can help you detect data breaches, sabotage, privilege abuse, and policy violations made by your staff. For example, if an adversary compromised a system administrator’s credentials, the adversary could potentially move data within the environment including offline storage (OST) files, documents, and presentations containing sensitive or proprietary data. Through my years of working in a security operations center, I would find one or two true positive DLP incidents out of 100 or more alerts. UEBA helps reduce that number to identify true insider threats.
- Flag changes in permissions and creation of privileged users—some attacks involve the use of privileged users. UEBA alerts you when privileged users are created or when accounts are granted unnecessary permissions. According to the MITRE ATT&CK framework, one of the tactics, techniques, and procedures (TTPs) adversaries use is to establish persistence through the technique Create Account (T1136). UEBA helps identify abnormal account creation based on the user’s baseline. For example, if a system administrator’s account is regularly used to create accounts between 9 a.m. and 6 p.m. ET, and an adversary compromises the admin account and begins creating accounts outside that time frame, a UEBA tool will identify the activity. The UEBA tool can also identify other anomalies, such as the privileges granted, the system the privileges were granted from, the network zone of that system, and other factors.
- Detect brute force attacks—cyberattacks sometimes target your cloud-based entities as well as third-party authentication systems. With UEBA, you can detect brute force attempts, allowing you to block access to these entities. For organizations that regularly monitor failed logins, there is not enough time in the day to look through a list of 200 accounts that generated failed logins and identify which ones are potentially malicious. A UEBA tool can help prioritize the accounts that generated an abnormal number of failed logins relative to each account’s profile and provide the contextual information needed to make a decision.
- Reduce false positives—the UEBA system is constantly learning how to be more accurate and avoid false alarms. This approach reduces false positives because multiple abnormalities must occur before an analyst is alerted. Machine learning and UEBA prevent a flood of false positive alerts.
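The scoring engine this post describes (a per-user baseline, anomaly points aggregated per user, and a user becoming notable only once the total crosses an organization-defined threshold) as a small added illustration covering the abnormal-download, off-hours account-creation and abnormal-failed-login examples above. This is example code written for this page, not code from the original post or from any UEBA product; the user names, records, point values and the threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (user, ISO timestamp, event, value); not real logs.
HISTORY = [  # learning period: what each hypothetical user normally does
    ("alice", "2024-03-01T10:00", "download_mb", 80),
    ("alice", "2024-03-02T11:00", "download_mb", 100),
    ("alice", "2024-03-01T09:15", "failed_login", 1),
    ("alice", "2024-03-02T09:05", "failed_login", 2),
    ("alice", "2024-03-03T09:10", "failed_login", 1),
    ("admin", "2024-03-01T10:00", "create_account", 1),
    ("admin", "2024-03-02T15:00", "create_account", 1),
    ("admin", "2024-03-03T17:30", "create_account", 1),
]
TODAY = [  # events to score against the baselines
    ("alice", "2024-03-04T10:30", "download_mb", 4000),  # gigabytes vs ~100 MB norm
    ("alice", "2024-03-04T09:20", "failed_login", 12),   # far above her usual 1-2
    ("bob", "2024-03-04T09:00", "failed_login", 6),      # single anomaly, no baseline
    ("admin", "2024-03-04T02:10", "create_account", 1),  # outside the 10:00-17:00 window
    ("admin", "2024-03-04T02:40", "create_account", 1),
]
POINTS = {"download_mb": 40, "failed_login": 30, "create_account": 50}
NOTABLE_THRESHOLD = 60  # assumed organization-specific threshold

def build_baselines(events):
    """Per (user, event): values seen and hours of day seen in the history."""
    base = defaultdict(lambda: {"values": [], "hours": []})
    for user, ts, event, value in events:
        base[(user, event)]["values"].append(value)
        base[(user, event)]["hours"].append(datetime.fromisoformat(ts).hour)
    return base

def score_event(baselines, user, ts, event, value):
    """Points for one event; 0 when it fits the user's own baseline."""
    b = baselines.get((user, event))
    if b is None:  # activity never seen for this user is itself a deviation
        return POINTS[event]
    vals, hours = b["values"], b["hours"]
    limit = mean(vals) + 3 * pstdev(vals)  # value ceiling: mean + 3 sigma
    hour = datetime.fromisoformat(ts).hour
    off_hours = not (min(hours) <= hour <= max(hours))  # crude working-hours window
    return POINTS[event] if value > limit or off_hours else 0

def notable_users(baselines, events, threshold=NOTABLE_THRESHOLD):
    """Aggregate points per user; only users over the threshold surface."""
    totals = defaultdict(int)
    for user, ts, event, value in events:
        totals[user] += score_event(baselines, user, ts, event, value)
    return {u: s for u, s in totals.items() if s >= threshold}
```

Running `notable_users(build_baselines(HISTORY), TODAY)` surfaces alice (70 points) and admin (100 points) but not bob, whose single anomaly stays below the threshold.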
UEBA uses machine learning and algorithms to strengthen security by monitoring users and other entities, detecting anomalies in behavior patterns that could be indicative of a threat. By taking a more proactive approach to security and gaining more visibility into user and entity behavior, you can build a stronger security position and more effectively mitigate threats and prevent security breaches.