What is UEBA

There are many ways of keeping a network secure. The best methods usually involve software solutions that fight malicious code or keep an eye out for unauthorized access attempts from the outside. However, one aspect often taken lightly or even ignored is attacks from within the network – by users behind the firewall.

These sorts of attacks can be curbed using UEBA tools.

Well, what is UEBA?

User and Entity Behavior Analytics (UEBA) is a cyber security process that involves:

  • Monitoring the normal usage and behavior data of users and entities.
  • Setting a baseline from this data.
  • Tracking their current activities in real time to spot any deviations from the baseline.

These deviations are then analyzed to find any indications of malicious activity by a user or entity.

UEBA leverages network events – usually large datasets stored as logs and audit trails – to model the typical and atypical behaviors of users and devices on the network.

The process applies machine learning, algorithms, statistics, and analysis of threat signatures to past data. It then compares the resulting model with the current day-to-day activities of users, which are classified as “normal” or as potentially real “threats”.

As an example, let’s assume that a user typically downloads 15MB of data every day. If they were to start downloading gigabytes of data suddenly, it would be out of the norm and classified as a deviation that would require attention.
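The baseline-and-deviation idea in the download example, as an added illustration that is not code from the original article: a per-user daily download baseline is learned from a few constructed log lines, and later days are scored with a robust z-score (median and MAD, so a single spike cannot inflate the baseline it is measured against). The log format, user names, and byte counts are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample logs (not real data): "<date> user=<name> bytes_out=<n>".
# alice moves ~15 MB/day, then one day pulls 4 GB; bob is a heavier but steady user.
SAMPLE_LOGS = """\
2024-03-01 user=alice bytes_out=15728640
2024-03-02 user=alice bytes_out=14680064
2024-03-03 user=alice bytes_out=16252928
2024-03-04 user=alice bytes_out=15204352
2024-03-05 user=alice bytes_out=15728640
2024-03-06 user=alice bytes_out=4294967296
2024-03-01 user=bob bytes_out=524288000
2024-03-02 user=bob bytes_out=536870912
2024-03-03 user=bob bytes_out=513802240
"""

LINE_RE = re.compile(r"(\S+) user=(\S+) bytes_out=(\d+)")

def parse_logs(text):
    """Return {user: [(date, bytes_out), ...]} in log order."""
    per_user = defaultdict(list)
    for m in LINE_RE.finditer(text):
        per_user[m.group(2)].append((m.group(1), int(m.group(3))))
    return per_user

def baseline(values):
    """Median and MAD of the learning window; MAD floors at 1 so flat data cannot divide by zero."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    return med, mad

def deviation_score(value, med, mad):
    """Robust z-score: 0.6745 rescales the MAD to a standard deviation."""
    return 0.6745 * (value - med) / mad

def flag_deviations(per_user, learn_days=5, threshold=3.5):
    """Learn from each user's first `learn_days` entries, score the rest against that baseline."""
    alerts = []
    for user, rows in per_user.items():
        history = [b for _, b in rows[:learn_days]]
        med, mad = baseline(history)
        for date, b in rows[learn_days:]:
            score = deviation_score(b, med, mad)
            if abs(score) > threshold:
                alerts.append((user, date, b, round(score, 1)))
    return alerts
```

Note that bob's 500 MB days are never flagged: the baseline is per user, so "a lot" is always relative to that user's own history rather than to a global threshold.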

Some activities that could be detected using this method include compromised credentials, lateral movements, and other malicious activities.

A critical point to understand here would be that UEBA doesn’t track security events or monitor devices. Instead, it focuses on the network activities of users and devices as they go about their business. Therefore, it can be said that this is a tool that keeps an eye on insiders – usually employees – who have had their credentials stolen or have intentionally gone rogue. In addition, it is used to stop account holders who already have access to the network and its connected assets from carrying out targeted attacks or attempting to commit fraud. Finally, it also tracks applications, devices, and servers to ensure these malicious users aren’t exploiting them.

Difference between UBA and UEBA

Before UEBA, we had UBA – User Behavior Analytics. This process only focused on the human aspect; it kept track of users and nothing else.

Now, UEBA extends UBA to include entities like routers, endpoints, and servers. This created a more robust security tool to detect complex attacks by correlating user, device, and IP address inputs.

This extension became a necessity once it was recognized that, in case of a threat, the entities could also serve as sources of information and help administrators pinpoint the sources of threats accurately.

This is even more important today as we see the rise of every kind of connected device that makes up what we now call “The Internet of Things” or IoT. As the number of these devices grows, so does the number of potential entry points of attack.

How does UEBA work?

The UEBA process involves connecting network activities to specific users instead of hardware or their IP addresses.

The data source is usually general data repositories – such as logs and audit trails – that are stored in data lakes or data warehouses. The source data can also come from Security Information and Event Management (SIEM) tools.

Note: UEBA integrates information in logs, packet captures, and similar cross-organizational datasets that are usually captured by SIEM tools. This is why UEBA and SIEM are often implemented together.

This unique approach of monitoring human and entity behaviors paints a clear picture of any unusual activities that may not even be noticed, let alone flagged, by traditional perimeter monitoring tools. Moreover, even the slightest deviations can be configured to trigger threat alerts, allowing administrators to judge if it is indeed an early indication of a threat.

Data that is used for the analysis contains information like:

  • Where a user logs in from
  • The files, applications, and servers they regularly use
  • The roles and privileges they have been assigned
  • The location, frequency, and time of access
  • The connectivity or IoT devices used for access

UEBA uses these inputs to identify non-malware-based attacks, assess threat levels, create risk scores, and decide whether or not it should be brought to the attention of administrators. The tool can even help guide them towards the appropriate response.

Using this data, UEBA can catch a culprit who, for example, has gained access to a user’s account because they won’t be able to emulate their victims’ activities exactly.
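The point that an account thief cannot reproduce the victim's habits, as an added example that is not code from the original article: a per-user profile of the attributes listed above (login country, device, hour of access, application) is learned from constructed session records, and a new session is given a risk score from how many attributes fall outside that profile. The attribute weights, the one-hour slack, and all session values are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed learning-window sessions for one user (all values invented).
HISTORY = [
    {"user": "alice", "country": "DE", "device": "lt-alice", "hour": 9,  "app": "erp"},
    {"user": "alice", "country": "DE", "device": "lt-alice", "hour": 10, "app": "mail"},
    {"user": "alice", "country": "DE", "device": "lt-alice", "hour": 14, "app": "erp"},
    {"user": "alice", "country": "DE", "device": "lt-alice", "hour": 17, "app": "fileshare"},
]

# Assumed weights: a new country or device says more than a new application.
WEIGHTS = {"country": 40, "device": 30, "hour": 15, "app": 15}

def build_profiles(sessions):
    """Return {user: {attribute: set of values seen during the learning window}}."""
    profiles = defaultdict(lambda: defaultdict(set))
    for s in sessions:
        for attr in WEIGHTS:
            profiles[s["user"]][attr].add(s[attr])
    return profiles

def hour_in_baseline(hour, seen_hours, slack=1):
    """An hour is normal if it is within `slack` hours of any hour the user has worked before."""
    return any(abs(hour - h) <= slack for h in seen_hours)

def score_session(session, profiles):
    """Return (risk score 0-100, attributes that deviated from the user's profile)."""
    profile = profiles.get(session["user"])
    if profile is None:                      # never-seen account: everything is new
        return 100, list(WEIGHTS)
    deviated = []
    for attr in WEIGHTS:
        if attr == "hour":
            normal = hour_in_baseline(session["hour"], profile["hour"])
        else:
            normal = session[attr] in profile[attr]
        if not normal:
            deviated.append(attr)
    return sum(WEIGHTS[a] for a in deviated), deviated

def risk_level(score):
    """Bucket the score so an analyst sees a level, not a raw number."""
    return "high" if score >= 50 else "medium" if score >= 20 else "low"
```

A real deployment would learn the weights from history rather than hard-code them, but the shape is the same: the session is scored against the account owner's own past, not against a global rule.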

What is the scope of UEBA? Or, what can it protect?

Apart from attacks from within an organization’s network, UEBA can also monitor cloud assets that are provisioned dynamically or accessed remotely – something that would be hard to do using traditional security tools, primarily if they have been implemented on-premises, within the local network.

What attributes does UEBA look into?

A good UEBA tool will monitor several attributes to help it spot and alert on suspicious activities quickly and accurately. In addition, the combination of features will allow for a more inclusive baseline that covers multiple human characteristics, which will make it harder to fool.

Some essential attributes to monitor include:

  • Communication – keeping track of email, chat, and VoIP data to track the people with whom users are interacting.
  • System – their digital footprints and how they behave when connected are a valuable source of information that can be extracted from endpoints, browsers, shared files, and log-in habits; this data can also be retrieved from SIEMs.
  • Human Resources – the motivation behind a suspicious activity, and why it may be a malicious attempt, can be extracted from HR employee performance reviews and Active Directory (AD).
  • Physical location data – tracking physical movements around the premises can provide valuable information; this can be extracted by monitoring badge data, login locations, and travel histories.

As we can see, bringing all these datasets together can paint a clear picture about a user, their activities, and – if applicable – their malicious intentions.

How is a baseline built?

One question that needs to be asked here is how to go about building the baseline that will help keep track of a user. Well, there are a few steps to go through:

  • Defining use cases – it should be clear, right from the outset, what is going to be tracked. Examples would be spotting malicious users, compromised accounts, known security threats, or a combination of all.
  • Defining data sources – here is where the origins of the data are determined to build the behavioral profiles of each user. Examples of sources include logs, emails, social media platforms, HR review reports, network data packet flows, and SIEMs.
  • Defining the behaviors to monitor – a UEBA solution should cover as many attributes as possible. It is at this point that the details are described. These could be office hours, typing speeds, corporate applications and data accessed, websites visited, mouse dynamics, and non-IT data like HR inputs about employee job satisfaction levels.
  • Defining the baseline establishment time – although employees usually act the same day-in and day-out, external factors like payroll days, budget closing weeks, or flu season could create habit changes in the working day. These factors should be taken into consideration and avoided as the baseline schedule is being planned. The data collection can take anywhere from a week to 90 days, during which the UEBA “learns” about the users and establishes a baseline. Administrators should also have enough time to make sure the baselines are indeed sensible.
  • Defining policies and providing training – once the UEBA solution is ready to go, security policies should be implemented, and the users must be made aware of them. Where required, training should be given to ensure everyone knows what and how to access the information they are only authorized to be privy to. Finally, everyone should be brought onboard – HR, legal departments, administrators, security teams, and the users themselves.
  • A trial period – any system should undergo a trial period before it is introduced into production. The same applies to UEBA. During the trial period, bugs and discrepancies can be observed and ironed out.
  • Go-live and monitoring – once the UEBA is live, close monitoring is required to ensure all systems perform as expected. Tweaks and corrections may be necessary during the first few months. Overall, the baseline should be adjusted to cater to any new attributes introduced into the organization like new schedules, security system upgrades, and employee transfers.

Three Pillars of UEBA

Based on the information we have seen so far, we can now define the three pillars of UEBA. These pillars stipulate what a UEBA does, how it does it, and the result.

Therefore, according to Gartner, UEBA solutions are defined across three dimensions:

  • Use cases – UEBA solutions monitor, detect and report malicious activities by users and entities on a corporate network. They should also remain relevant in the analysis of trusted host monitoring, fraud detection, and employee monitoring, for example.
  • Data sources – a UEBA solution should not be deployed directly on the network or even in the IT environment for it to be able to collect data. Instead, it should extract the data from data repositories like data lakes, data warehouses, or through a SIEM.
  • Analytics – UEBA solutions should detect anomalies using various analytics approaches that include machine learning, rules, statistical models, threat signatures, and more.

What are the advantages of UEBA?

Now that we have defined and seen what a UEBA solution can do, let’s have a look at the advantages it brings to the table:

  • It is primarily a tool that can help stop many insider cyber attacks like compromised accounts, brute-force attacks, unauthorized creation of new accounts, and data breaches.
  • It covers a scope that most organizations usually ignore and cannot be tracked by traditional tools like anti-viruses or antimalware solutions – the insider threat.
  • Deploying UEBA cuts the number of security analysts needed to keep a corporate network safe; these solutions are automatic, work round the clock, and send out alerts in real time.
  • A UEBA solution can reduce the budget and overhead required for an organization’s cyber security upkeep.
  • Human error, caused by administrators having to sift through vast amounts of activity data manually, can be avoided; threat analysis and mitigation can be performed in minutes, in real-time, and accurately.
  • UEBA is a unique security approach in that it involves adopting multiple systems and data sources and not conforming to tracking predefined correlation rules or attack patterns; the AI is always learning.

Are there any disadvantages to using UEBA?

It would be unfair to say that there are no disadvantages to implementing UEBA. And so, here they are:

  • UEBA generates data that is more complex than the average, traditional security solution. Therefore, it requires a trained professional to implement, run, and monitor the system. The analytics also requires a learned eye to avoid jumping to conclusions due to false-positive results.
  • Although it is a security system, it is not enough to protect a system entirely on its own. Remember, it only tracks human and entity behaviors and nothing more. Some organizations might see this as a shortcoming, especially when they consider the need for additional security software – but it isn’t. It’s just not purposed for stopping attacks – only for alerting on malicious internal users.

UEBA implementation best practices

Here are a few points to consider when aiming for a successful UEBA implementation:

  • Always consider threats from both within and outside the network – all policies, rules, and baselines should consider users located anywhere.
  • All accounts should be considered – remember, hackers can always upgrade their privileges to increase their access capabilities.
  • UEBA alerts should be sent to the appropriate security team members – not back to the users themselves or to other unauthorized personnel, for example.
  • As we have seen above, the UEBA scope is limited – administrators shouldn’t take their focus off the other traditional security tools.
  • Train all users to minimize false positives or unintentionally triggered alerts.
  • Also, train security staff to read analyses correctly to avoid jumping to erroneous conclusions.

UEBA is a necessity

In conclusion, we need to say that adopting a UEBA solution is a necessity in today’s world of intellectual property theft, technology leaks, hacks, and data breaches – all done from the inside. It has always been said that users were the weakest link in cyber security. Combining that information with employees harboring malicious intent makes it easy to see why we need these types of solutions.

It, therefore, makes sense to keep corporate data safe with the help of UEBA solutions. What do you think? Let us know; leave us a comment.