Top 10 UEBA Security Use Cases

Top 10 UEBA Security Use Cases: Compromised User Credentials, Executive Assets Monitoring, Data Exfiltration Detection

April 25, 2019

Orion Cassetto

UEBA solutions use artificial intelligence and machine learning, advanced analytics, data enrichment, and data science to effectively combat advanced threats. A UEBA solution combines all the data sources for analysis and automatically synthesizes results so analysts get a lower volume but higher fidelity feed instead of drowning in alerts.

User and entity behavior analytics (UEBA) is one of the fastest-growing areas within enterprise security, growing at a compound annual growth rate of 48 percent, according to Gartner. Modern enterprise IT security solutions use this technology to detect and remediate advanced threats that legacy solutions are unable to address.

UEBA solutions take a different approach, combining artificial intelligence and machine learning, advanced analytics, data enrichment, and data science to effectively combat advanced threats. The UEBA solution combines all the data sources for analysis and automatically synthesizes the results, so analysts get a lower-volume but higher-fidelity feed instead of drowning in alerts.

UEBA is valuable to the enterprise because it has a low maintenance overhead. The ML system tunes itself via behavioral modeling. Because it looks for abnormalities instead of a limited, pre-determined set of activities, the organization gets a future-proof solution for unknown attacks. UEBA is the only way to effectively address all of the top 10 security use cases described below.

1. Compromised User Credentials

User account credentials are keys to legitimate access, and stolen credentials are the number one vector for data breaches, according to the Verizon 2018 Data Breach Investigations Report (p. 8). Legacy security tools are unable to detect and identify unauthorized access, allowing the attacker to reach sensitive data or internal resources.

2. Privileged-user Compromise

A privileged user has authorized access to high-value resources, such as a sensitive database, a user-rights management system, or an authentication system. When a hacker obtains privileged-user credentials, the attack can proceed directly to those high-value assets with impunity. The UEBA solution should monitor suspicious activity by departed employees or contractors, and identify human errors in handling sensitive data or overexposure of it.

3. Executive Assets Monitoring

Hundreds of millions of dollars are stolen each year via wire transfers driven by webmail schemes that trick company executives into approving these transfers. Getting access to executive computing assets such as the CEO’s or CFO’s laptop may give hackers data about sensitive earnings, mergers and acquisitions, budget planning, product and services planning, or competitive information. An effective UEBA solution must be able to automatically build asset and behavior models that identify executive systems and monitor them for unusual access and usage.

4. Compromised System/Host/Device Detection

It is very common for attackers to take control of systems, hosts or devices within an organizational network and carry out attacks stealthily for months or years. The UEBA solution should monitor several vectors, including user accounts; servers; network devices; non-trusted communication sources, insecure protocols, and other signs of malicious behavior; and anti-virus/anti-malware status, to detect protection being disabled or removed, or threat updates falling behind.

5. Insider Access Abuse

Insider threat detection is challenging because “trusted” behavior doesn’t set off alerts in most security tools; the threat actor appears to be a legitimate user. The UEBA solution must be able to detect when a user (privileged or not) is performing risky activities that are outside of their normal baseline. Some of the techniques used by UEBA include detecting logins at unusual hours or at an unusual frequency, or access to unusual data or systems; detecting changes or escalation of privileges on critical systems; correlating network traffic with threat intelligence to discover malware communicating with external attackers; and discovering data exfiltration.

6. Lateral Movement Detection

The process of lateral movement entails systematically moving through a network in search of sensitive data and assets. Perhaps the attack began by compromising a low-level employee account. Once inside, the hacker probes other assets for vulnerabilities in order to switch accounts, machines and IP addresses. Opportunity knocks once the attacker secures administrative privileges. Lateral movement is extremely difficult to detect by legacy security tools because parts of the attack are scattered across the IT environment, spread among different credentials, IP addresses and machines. The seemingly unrelated events all appear to be normal. The UEBA solution uses behavioral analysis to connect the dots between “unrelated” activity and stops these attacks before damage occurs.

7. Data Exfiltration Detection

Data exfiltration happens when sensitive data is illicitly transferred outside an organization. It can happen manually, when a user transfers data over the internet or copies it to a physical device and moves it off the premises. Exfiltration may also be automatic, which often occurs as the result of malware infecting local systems. In this use case, the UEBA solution detects network traffic to command and control servers and identifies infected systems transmitting data to unauthorized parties. UEBA monitors for unusual amounts of network traffic over protocols that facilitate large data transfers, compared with the baseline of the user or machine transferring the data.
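As an added illustration of the baselining idea behind use cases 5 and 7 above (activity at unusual hours, and egress volume judged against the user's own history), here is a toy per-user baseline scorer. It is not Exabeam's code; the log tuples, the z-score threshold and the sigma floor are constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (user, local hour the session started, bytes sent out).
# A real UEBA product would derive these from proxy, firewall or DLP logs.
BASELINE_LOG = [
    ("alice", 9, 20_000), ("alice", 10, 24_000), ("alice", 11, 18_000),
    ("alice", 14, 22_000), ("alice", 15, 26_000), ("alice", 16, 21_000),
    ("svc_backup", 2, 5_000_000), ("svc_backup", 2, 5_200_000),
    ("svc_backup", 2, 4_900_000), ("svc_backup", 2, 5_100_000),
]


class UserBaseline:
    """Per-user profile: hours of activity plus egress-volume statistics."""

    def __init__(self, z_threshold=3.0):
        self.z_threshold = z_threshold          # assumed cut-off, tune per environment
        self.hours = defaultdict(set)           # user -> hours seen while learning
        self.volumes = defaultdict(list)        # user -> bytes_out observations

    def learn(self, events):
        """Build the baseline from historical, presumed-benign events."""
        for user, hour, nbytes in events:
            self.hours[user].add(hour)
            self.volumes[user].append(nbytes)

    def score(self, user, hour, nbytes):
        """Return the anomaly reasons for one new event ([] means within baseline)."""
        if user not in self.volumes:
            return ["no baseline for user"]     # unknown identity: surface for review
        reasons = []
        if hour not in self.hours[user]:
            reasons.append(f"activity at hour {hour:02d} outside baseline hours")
        vols = self.volumes[user]
        mu, sigma = mean(vols), pstdev(vols)
        # Floor sigma so a very regular baseline (e.g. a service account that always
        # moves the same amount) still lets a genuinely large jump stand out.
        sigma = max(sigma, 0.05 * mu)
        z = (nbytes - mu) / sigma
        if z > self.z_threshold:
            reasons.append(f"egress {nbytes} B is {z:.1f} sd above baseline mean {mu:.0f} B")
        return reasons


def flag_events(baseline, events):
    """Score a batch of new events; return only those with at least one reason."""
    return [(u, h, b, r) for u, h, b in events if (r := baseline.score(u, h, b))]
```

Note that the service account's 5 MB nightly transfer is normal for it and not flagged, while the same volume from an interactive user would be, which is the point of per-entity rather than global thresholds.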

8. Account Lockouts

An account lockout disallows access to a user. This security feature aims to protect an account from anyone or anything trying to guess the username and password. A lockout occurs once the number of failed logins exceeds a configured limit of permitted attempts. In some cases, the user must appeal to an administrator to be re-granted the right to log into the account. Reacting to each request can consume hours of administrative research time. This UEBA use case helps to automate the risk assessment process and quickly render a verdict on account risk. Done effectively, the UEBA solution could save up to a full headcount annually at a larger organization.

9. Service Account Misuse

A service account is used in lieu of a normal system account to run specific application services. Service accounts are supposed to improve security: if one is compromised, losses should be limited compared with the compromise of a general system account. But typical security tools provide limited or no visibility into service accounts. This limitation is bizarre because service accounts have high privileges – and are high-value targets for attackers. For example, the SAP “Firefighter” account often has significant privileges within that critical application. Service account misuse is a valuable use case for UEBA. By employing its behavioral analytics capabilities, the UEBA solution will automatically identify service accounts and flag any abnormal behavior within them.

10. Security Alert Investigation

Security alert investigation using legacy security tools is an onerous process. Alerts typically consist of arcane data in raw log files that defy comprehension, even for seasoned security analysts. Alerts may scream “time is of the essence!” but the investigation itself demands manual correlation of various log files, interpreting their meaning, manually culling ancillary data sources for clues, and spending considerable time trying to determine the root cause of an alert incident. UEBA, in conjunction with a modern security information and event management solution, can dramatically improve the productivity of SOC analysts. It uses machine-built timelines to offer a better interface for threat hunting, even for a junior analyst.

The detection capability and advance notice of attacks provided by UEBA use cases is a huge, incalculable benefit to organizations because it enables security teams to stay in front of danger and quickly remediate active threats. The UEBA capabilities in the Exabeam Security Management Platform address all of the top 10 security use cases described above. If these benefits are attractive to your organization, we invite you to learn more by reading the details in our white paper, Top 10 Use Cases for UEBA.
