Until recently, security systems could only defend against what they knew. Security teams would painstakingly define correlation rules to specify what constitutes suspicious activity, or systems would scan software or traffic patterns, searching for previously known attack signatures. In today’s threat landscape, this approach is still important but is not enough to defend against sophisticated attackers with an increasingly advanced attack toolset.
Behavioral profiling is the foundation of many security tools and approaches, which attempt to identify attacks or behavior that is not known, and does not match any predetermined pattern, but nevertheless deviates from the norm. Just like a human security guard who notices “something strange” and decides to take a look, behavioral profiling and analysis help automated security systems identify that something is not right with a user account, a machine or a network, and help security teams investigate and respond to the incident.
In this post you will learn:
- What is behavioral profiling
- Types of anomalies
- What is user and entity behavior analytics (UEBA)
- UEBA security use cases
- How UEBA and SIEM improve modern security workflows
What is behavioral profiling?
Behavioral profiling is the use of machine learning and advanced analytics to analyze security data and define profiles of typical behavior for users or computing systems. This makes it possible to identify anomalies in behavior, which may be malicious activity by attackers.
The need for behavioral profiling arises because attackers are becoming more sophisticated. It is no longer possible to easily identify all attacks using signatures (for example, a binary file known to be malware) or rules (for example, blocking a user if they try to log in more than five times in one hour). Attackers may use tactics, techniques and procedures (TTP) that are unknown to the organization’s security defenses. But the common denominator of all attacker activity is that it deviates from normal behavior.
Behavior analysis identifies trends and patterns that deviate from the norm and brings them to the attention of security staff. This can help:
- Identify attacks early on when attackers are taking their first steps.
- Stop attackers that are already inside and covertly manipulating an organization’s systems.
- Find the root cause of security incidents and help defend against similar incidents in the future.
Types of anomalies in behavioral analysis
Behavioral analysis typically focuses on one of the following dimensions of user or system behavior to detect anomalies:
- Schedules—most employees have a predictable work schedule. Servers or applications may also run certain tasks or workloads at predetermined times. A user login or system process occurring outside the regular times represents an anomaly.
- Applications and ports—employees signing in to an application they have never used before, or a server connecting to a port or system (internal or external) that it does not typically connect to, should raise suspicion, especially if the application or port can be used to transfer data outside the organization.
- Regions and IP addresses—employees logging in from an unusual IP address, or from an unexpected geographical location, represents an anomaly.
- Devices—a user logging in from an unknown device represents an anomaly. The login could be an attacker using compromised credentials, or a legitimate user on an unsecured device such as a public computer.
- Device usage—behavioral analysis can identify that a user is operating their device differently than usual, for example, typing at different speeds, moving the mouse in different patterns, or using different applications than usual at different times. A server or application could be generating different traffic or I/O signal patterns compared to normal operations.
- Network traffic—behavioral analysis can create a profile for normal network traffic, flowing on specific ports or within specific network segments. Any part of the network that sends or receives traffic at unusual volumes, using different patterns or with unfamiliar payloads, could represent an anomaly.
What is UEBA?
User and entity behavior analytics (UEBA) is a security solution that has behavioral profiling and analysis at its heart. It uses automated detection of anomalies to alert security teams about suspicious behavior, by comparing users to their normal behavior or the behavior of their peers (e.g. individuals in the same department), or by comparing IT systems and networks to their normal behavior.
An important part of UEBA systems is the use of thresholds to identify when an anomaly is considered a security threat. For example, if a user always starts work at 8 a.m., and one day logs in at 7 a.m., this is an anomaly but is not unusual enough to warrant investigation. A UEBA tool computes risk scores that measure the extent to which events are out of the ordinary. For example, a login at 4 or 5 a.m., combined with other unusual characteristics such as the user’s location, the device used and other activities could push the risk score high enough to create an alert.
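To make the baseline-and-threshold idea concrete, here is an added example in Python; it is not Exabeam's code or code from this article. It builds a profile for one user from constructed login records and scores each new login along the schedule, region and device dimensions listed above. The per-dimension weights, the alert threshold, and the rule that a login four hours away from any baseline hour earns the full schedule weight are assumptions chosen so that the 7 a.m. versus 4 a.m. scenario above works out.

```python
"""
Per-user behavioral profile with a weighted risk score (added example,
not Exabeam's code).  The baseline is built from constructed login
records; the per-dimension weights and the alert threshold are assumed.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed login history: (user, ISO timestamp, source country, device id)
HISTORY: List[Tuple[str, str, str, str]] = [
    ("alice", "2024-03-04T08:02:00", "US", "laptop-01"),
    ("alice", "2024-03-05T08:10:00", "US", "laptop-01"),
    ("alice", "2024-03-06T08:25:00", "US", "laptop-01"),
    ("alice", "2024-03-07T09:00:00", "US", "laptop-01"),
    ("alice", "2024-03-08T08:05:00", "US", "laptop-01"),
    ("alice", "2024-03-11T08:00:00", "US", "laptop-01"),
    ("alice", "2024-03-12T08:15:00", "US", "laptop-01"),
    ("alice", "2024-03-13T08:40:00", "US", "laptop-01"),
]


@dataclass
class Profile:
    """Counts of what a user has been observed doing: the baseline."""
    hours: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)


def build_profiles(events) -> Dict[str, Profile]:
    """Aggregate login records into one Profile per user."""
    profiles: Dict[str, Profile] = {}
    for user, ts, country, device in events:
        p = profiles.setdefault(user, Profile())
        p.hours[datetime.fromisoformat(ts).hour] += 1
        p.countries[country] += 1
        p.devices[device] += 1
    return profiles


# Assumed weights: contribution of each anomalous dimension to the risk score.
WEIGHTS = {"schedule": 30, "region": 40, "device": 35}
ALERT_THRESHOLD = 60   # assumed: a score at or above this raises an alert
FULL_RISK_HOURS = 4    # assumed: this far from any baseline hour = full weight


def schedule_score(p: Profile, hour: int) -> float:
    """0 for an hour already in the baseline; otherwise grows linearly with
    the circular distance to the nearest baseline hour, capped at the weight."""
    if p.hours[hour]:
        return 0.0
    dist = min(min(abs(hour - h), 24 - abs(hour - h)) for h in p.hours)
    return min(WEIGHTS["schedule"], WEIGHTS["schedule"] * dist / FULL_RISK_HOURS)


def score_login(profiles: Dict[str, Profile], user: str, ts: str,
                country: str, device: str) -> dict:
    """Combine per-dimension anomaly scores into a single risk score."""
    p = profiles.get(user)
    if p is None:
        # No baseline at all: nothing to compare against, so treat as maximum risk.
        total = float(sum(WEIGHTS.values()))
        return {"score": total, "alert": True, "reasons": ["no baseline for user"]}
    hour = datetime.fromisoformat(ts).hour
    score, reasons = 0.0, []
    s = schedule_score(p, hour)
    if s:
        score += s
        reasons.append(f"login at {hour:02d}:00 outside usual hours")
    if not p.countries[country]:
        score += WEIGHTS["region"]
        reasons.append(f"first login from {country}")
    if not p.devices[device]:
        score += WEIGHTS["device"]
        reasons.append(f"first login from device {device}")
    return {"score": round(score, 1), "alert": score >= ALERT_THRESHOLD, "reasons": reasons}


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for ts, country, device in [
        ("2024-03-14T07:05:00", "US", "laptop-01"),   # slightly early: small score
        ("2024-03-14T04:10:00", "US", "laptop-01"),   # 4 a.m. alone: anomaly, no alert
        ("2024-03-14T04:10:00", "RO", "laptop-01"),   # 4 a.m. plus new country: alert
    ]:
        print(ts, country, device, score_login(profiles, "alice", ts, country, device))
```

With this baseline (all logins between 8 and 9 a.m.), the 7 a.m. login scores 7.5 and is ignored, the 4 a.m. login scores 30 and is still below the threshold, and the 4 a.m. login from a never-seen country scores 70 and raises an alert. The weights are the tuning knob: a real deployment would derive them from observed false-positive rates rather than picking them by hand.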
Learn more in our in-depth guide to user and entity behavior analytics.
UEBA security use cases
Which security scenarios can behavioral profiling and UEBA systems help with? Here are a few common threats that traditional security solutions can often miss, but UEBA can identify and stop.
- Compromised credentials—if an attacker obtains the credentials of a legitimate user, their activity can appear identical to that of the legitimate user. Only UEBA systems can identify that the user account exhibits anomalous behavior.
- Executive accounts and devices—sophisticated attackers can directly attack endpoints in use by CEOs, CFOs and other senior executives. UEBA can help identify when an executive asset has been compromised and is behaving anomalously.
- Compromised system or host—when attackers take control of a server or other machine within a corporate network, they can remain undetected for years. UEBA can help identify that the system’s behavior changed at some point and help investigate if malicious activity is taking place.
- Insider threats—malicious insiders are a growing security concern and are virtually undetectable by traditional security methods. UEBA solutions can detect when a user is performing risky or unusual activities, such as data transfer, escalation of privileges, or accessing unusual applications or systems, which may signal malicious behavior.
- Lateral movement—attackers start by penetrating one endpoint or system, and then move laterally to gain access to more systems and user accounts. UEBA can view multiple systems as a whole and identify the anomalous activity as it moves laterally across the network.
- Data exfiltration—when data is transferred outside an organization, it could be a user connecting to a legitimate external service, an attacker transferring stolen data, or malware communicating with a command and control center. UEBA systems analyze data transfer and identify if the destination is legitimate and if the data transferred makes sense for the current user and context.
Learn more in our article on UEBA use cases.
Using UEBA and SIEM to improve modern security workflows
Gartner has added UEBA to its vision for next-generation security information and event management (SIEM) technology. A next-gen SIEM should incorporate UEBA to help organizations make sense of security events, identify anomalies and respond to incidents more effectively.
Exabeam is a SIEM platform with an integrated UEBA engine that performs detection and automated investigation of security incidents.
Exabeam not only identifies indicators of compromise, but also identifies attacker tactics, techniques and procedures (TTP), and enables threat hunting capabilities powered by behavior analysis, letting security analysts take a proactive approach to threat prevention.
Exabeam’s UEBA capabilities include:
- Rule and signature-free incident detection—identifies abnormal and risky activity without requiring operators to define manual correlation rules, and without relying on known threat patterns.
- Automatic timelines for security incidents—stitches together security events into a timeline that shows an entire security incident, which may span multiple users and entities on the network.
- Peer groupings—identifies groups of similar users, machines, or other entities, and analyzes their behavior collectively, to see when an individual exhibits unusual or risky behavior.
- Lateral movement—detects attackers as they switch between IP addresses, user accounts and machines, to gain access to more sensitive assets. UEBA can help identify the unusual activity as it is moving across the network, and reveal the attacker’s journey.
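The peer-grouping idea above, together with the data exfiltration check from the use cases section (does the volume transferred make sense for this user and context?), can be shown with an added example in Python that is not Exabeam's code. Each user's outbound transfer for a day is compared by z-score with their own history, with their department peers, and with the whole company, which shows why comparing against peers rather than a global average matters. The sample volumes, department membership, the z-score threshold and the per-department list of known destinations are all constructed for the illustration.

```python
"""
Peer-group comparison of outbound data volume (added example, not
Exabeam's code).  A day's transfer is judged against the user's own
history, against same-department peers, and against the whole company.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List

# Constructed daily outbound volume in megabytes: (user, department, day, MB)
DAILY = [
    ("alice", "finance", 1, 120), ("alice", "finance", 2, 95),  ("alice", "finance", 3, 130),
    ("bob",   "finance", 1, 80),  ("bob",   "finance", 2, 110), ("bob",   "finance", 3, 100),
    ("carol", "finance", 1, 140), ("carol", "finance", 2, 125), ("carol", "finance", 3, 115),
    ("dave",  "engineering", 1, 2000), ("dave", "engineering", 2, 2400), ("dave", "engineering", 3, 2100),
    ("erin",  "engineering", 1, 1800), ("erin", "engineering", 2, 2200), ("erin", "engineering", 3, 1900),
]
# Assumed: destinations each department normally sends data to.
KNOWN_DESTINATIONS = {
    "finance": {"erp.example", "sharepoint.example"},
    "engineering": {"artifacts.example", "git.example"},
}
Z_THRESHOLD = 3.0  # assumed: standard deviations above the mean that count as anomalous


def build_peer_groups(rows) -> Dict[str, Dict[str, List[float]]]:
    """Return {department: {user: [daily volumes]}} from the raw rows."""
    groups: Dict[str, Dict[str, List[float]]] = defaultdict(lambda: defaultdict(list))
    for user, dept, _day, mb in rows:
        groups[dept][user].append(float(mb))
    return groups


def zscore(value: float, samples: List[float]) -> float:
    """Population z-score; an empty or constant sample is handled explicitly."""
    if not samples:
        return float("inf")
    sd = pstdev(samples)
    if sd == 0.0:
        return 0.0 if value == mean(samples) else float("inf")
    return (value - mean(samples)) / sd


def assess_transfer(groups, user: str, dept: str, mb: float, dest: str) -> dict:
    """Score one day's outbound volume for a user against three baselines."""
    own = groups[dept][user]
    peers = [v for u, vols in groups[dept].items() if u != user for v in vols]
    company = [v for users in groups.values() for vols in users.values() for v in vols]
    z_self, z_peer, z_company = zscore(mb, own), zscore(mb, peers), zscore(mb, company)
    # A volume anomaly requires both the self and the peer comparison to agree.
    anomalous = z_self > Z_THRESHOLD and z_peer > Z_THRESHOLD
    reasons = []
    if anomalous:
        reasons.append(f"{mb:.0f} MB is {z_peer:.1f} sd above {dept} peers")
    if dest not in KNOWN_DESTINATIONS.get(dept, set()):
        # Recorded as context for the analyst, not as an alert on its own.
        reasons.append(f"destination {dest} not previously used by {dept}")
    return {
        "z_self": round(z_self, 2), "z_peer": round(z_peer, 2),
        "z_company": round(z_company, 2), "anomalous": anomalous, "reasons": reasons,
    }


if __name__ == "__main__":
    groups = build_peer_groups(DAILY)
    print("alice 900 MB:", assess_transfer(groups, "alice", "finance", 900, "sharepoint.example"))
    print("dave 2500 MB:", assess_transfer(groups, "dave", "engineering", 2500, "artifacts.example"))
```

Alice sending 900 MB is roughly 40 standard deviations above her finance peers and is flagged, yet against the company-wide distribution (dominated by engineering's multi-gigabyte days) her z-score is near zero and a global baseline would miss it. Dave's 2,500 MB day is unremarkable for him and only mildly high for engineering, so it is not flagged. That asymmetry is the reason UEBA tools compare entities to peers rather than to a single population average.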
Learn more about Exabeam’s UEBA-integrated SIEM platform.