Guide to Evaluating UEBA: Top 10 Criteria
Many vendors claim to offer user and entity behavior analytics (UEBA) capabilities, but a variety of implementations make comparative evaluations difficult. Find out the top 10 criteria for evaluating an effective UEBA technology to guide the selection of the right solution for your business.
User and entity behavior analytics (UEBA) solutions use artificial intelligence and machine learning, advanced analytics, data enrichment, and data science to effectively combat advanced threats. The UEBA solution combines all the data sources together for analysis and automatically synthesizes results. Analysts get a lower volume but higher fidelity feed instead of drowning in alerts. UEBA is valuable to the enterprise because it has a low maintenance overhead. The ML system tunes itself via behavioral modeling. The organization gets a future-proof solution for unknown attacks that look for abnormalities instead of a limited, pre-determined set of activities.
Many vendors claim to offer UEBA capabilities, but a variety of implementations make comparative evaluations difficult. The below list can be used by your organization to guide the selection of an effective UEBA technology.
Shows normal activity as well as anomalies
“Normal” activity is the typical behavior for a given user and that user’s peers, and it is required to show context. For example, does this user normally access a particular server, or that sensitive database? Does this user normally access the network via a VPN from Ukraine? Does this user normally upload large files to Dropbox? Also, do the user’s peers normally do the same things? The UEBA should demonstrate the ability to show both normal and anomalous activity within a user session timeline. This lets investigators understand the situation in a broader context, which significantly reduces the amount of time spent on data gathering, validation, and subsequent investigation.
Normal behavior is also proof that the detection results aren’t from a static correlation rule because rules only fire when the bad condition is met. There would be nothing to show under non-malicious conditions.
Connects a host to IP-to-user for establishing identity automatically
Hostnames are numerous and typically don’t provide much useful identifying information. IP addresses are reassigned continuously, and account credentials are often shared (especially administrative accounts). Host to IP-to-user mapping positively attributes activity on a specific host to a specific person using a specific IP address, at a particular time. The UEBA should demonstrate the ability to positively and automatically link a host to an IP and an identity, even when shared accounts are used. This makes threat detection much more effective. Connecting these dots manually can take hours of work, so performing it automatically drastically reduces the amount of time to investigate and take remedial action.
Detects lateral movement
A key indicator of a compromised account is lateral movement. During reconnaissance, a hacker will move throughout the network to hunt for valuable information, hopping between user credentials and devices to obscure their movements and avoid detection. The UEBA should demonstrate the ability to track lateral movement even as the user changes accounts, machines, or IP addresses. This capability ensures both effective detection and more accurate incident investigations.
Creates timelines of all incidents automatically
Activity data is produced in the form of events, but detection and response require timelines. Stitching events into coherent timelines typically requires significant manual effort, taking hours or days. A full timeline should include every activity by the user and any other entities interacted with during a session from log-on to log-off, using data from all related endpoint, network, security, and other systems. The UEBA should demonstrate the ability to produce coherent timelines of user activity, quickly and automatically. Many UEBA tools do not provide a timeline for incident investigation; some provide a partial one at best. A machine-built timeline offers a better interface that’s easily used by a junior analyst. Instead of presenting discrete events, a machine-built timeline presents the results with context and risk scoring to help rapidly distill the essence of a threat – and how to fix it if needed.
Deploys and shows value quickly
As your organization considers UEBA options, look for deployment capabilities that can be stood up in a day or less; does not require professional services for configuration and deployment, and provides built-in use cases without requiring everything to be customized from the ground up. The UEBA should demonstrate design and ability to deploy and begin operating in less than 48 hours and show clear value within one week.
Evolves to meet future needs easily and without additional costs
The UEBA should demonstrate an ability to be scaled and extended to new functionality without professional services or new engineering builds from the vendor. Vendors requiring lots of services to set up and tune their deployment will often require the same level of effort at requisite cost when customers change their environment, add new data sources, or try to tackle new use cases. Customers shouldn’t be penalized for evolving business initiatives. An effective UEBA makes it easy to show value as needs change over time.
Deploys without giving VPN access to the vendor
Many UEBA solutions require extensive service and heavy customization during deployment and after production cutover. This work is usually performed by offsite or offshore engineers and requires VPN access to your network. For many firms in regulated industries, this is a problem. The UEBA should demonstrate the ability to be deployed and supported without external VPN vendor access. The UEBA shouldn’t introduce new security risks, it should minimize them.
Moreover, you want the evaluation to mirror those you’ll have in your production environment (i.e. without vendor VPN access) so you know what you’re getting into.
Does not require agents or network taps to be deployed
Some UEBA solutions require additional infrastructure to be deployed to collect required data, typically either endpoint agents (installed on every device) or network taps. This imposes a dependency that can extend the pilot by months. The UEBA needs to demonstrate the ability to operate without installing external agents or taps. While taps and agents can provide useful additional information, there are UEBA solutions, such as those that analyze log data, that provide value without requiring the deployment of additional infrastructure.
Provides proactive threat hunting capabilities
Threat hunting with a UEBA solution entails performing simple and complex searches of collected security data. It should not require an in-depth understanding of a proprietary query language, rigorous attention to syntax, or the need to stitch together results from multiple, simpler searches. Nor should it take hours to return a result. Threat hunting capability driven by machine-built timelines with an extensive set of dropdowns cover a wide variety of potential arguments, operate on sessionized (i.e., highly indexed) data, and return complete incident timelines – instead of providing one more set of seemingly unrelated event records.
Integrates with SOAR for automation
Security orchestration automation and response (SOAR) is a big topic in the context of UEBA. After detecting a threat, a typical SOC analyst’s workflows often require multiple products with multiple interfaces and credentials. This wall of glass panes actually reduces visibility, speed and productivity with a flurry of manual actions sometimes referred to as “swivel chair incident response.” SOAR is an additional capability that augments a UEBA solution with a centralized approach and single console to pull in data and push actions to other systems. Essentially, the integration of UEBA technology with SOAR tools automates incident response. Look for a UEBA solution with semi-automated or fully automated incident playbook actions. It will help your SOC analysts to experience higher productivity and accelerate incident response for better enterprise security.
Evaluating the variations of vendor implementations of UEBA can be challenging, but our guide of the top 10 criteria gives you a clear path to make the comparison process easier. To read more about evaluating UEBA products across common use cases, check out our white paper: “Top 10 Use Cases for User and Entity Behavior Analytics.”