User and Entity Behavioral Analytics (UEBA) Overview
The human factor is one of the key issues of information security. On the one hand, humans are common sources of various threats to information security, and on the other hand, monitoring the behavior of legitimate users in the information system allows us to identify possible malicious activities. For example, in the case of a big change in the user’s behavior, we can conclude that his credentials can be compromised and somebody else uses the network on his behalf. Sudden changes in behavior may also indicate violations related to the deliberate actions of the employee.
It is the ability to profile and analyze the activity of users and IT infrastructure objects that are implemented in a relatively new segment of the IT security market, which is called UEBA – User and Entity Behavioral Analytics.
A place for analytics
From an architectural point of view, UEBA systems are like solutions designed to monitor information security alerts and events – SIEM, and some vendors call them NGSIEM – Next Generation SIEM.
UEBA systems consist of:
- Agents that collect information about users’ activities
- Central storage where all information is collected from all sources
- An analysis module that performs event analysis (often in real time) and responds to the most dangerous actions using predefined rules
Sometimes, third-party systems such as DLP, IDM, SIEM can act as agents or a repository of information about users’ activities. Very often an analysis module uses the infrastructure of another application to receive data and provides signals about identified suspicious activity.
The methods for detecting suspicious behavior are actively developing thanks to the emergence of accessible machine learning and artificial intelligence technologies. They can detect anomalous behavior of users and a drastic change in the style of their work without preliminary training.
Nevertheless, in some cases, the results of such an analysis require a manual check by the analyst to confirm or refute suspicionshypothesis triggered by the UEBA system. It is great for SOC (security operations center) to have a similar module that would give its operators additional information about suspicious activities of users and draw their attention to certain chains of events.
UEBA solutions can be implemented as separate products or as extensions to already existing systems, for example, SIEM, DLP or PAM (Privileged Access Management), etc.
From a practical point of view, the information security departments can solve the following tasks using the UEBA toolkit:
- Identification of compromised accounts. An analysis of users’ behavior can help determine at what point the user begins to behave suspiciously, showing activity in those areas that were not previously inherent in him. Unfortunately, the UEBA system will not be able to answer the question of what caused the unusual behavior – be it the leakage of account credentials, the Trojan program, or simply the change of job privileges. IT security managers should answer these questions, but UEBA system can draw their attention (promptly) to suspicious activity. First, the main objects of control here are the accounts of privileged users, as well as those employees who have access to critical business data.
- Identification of internal threat actors. This part of the UEBA complements the DLP solutions, which are now the main ones for searching for so-called insider threats. Of course, it is quite difficult to distinguish a malicious insider from a Trojan program infiltrating a computer, which is why classic DLPs cannot always solve such a problem. However, it is analytics of user behavior that can more accurately identify an employee who installed a Trojan program by mistake from a real attacker who obtained login credentials and is trying to get to the valuable information.
- Monitoring of employee access rights. One of the most difficult tasks of ensuring security is restricting the rights of users. On the one hand, they must have enough rights and have access to all necessary information systems, on the other hand, they should be blocked from accessing all other systems and services. It is often difficult to achieve such an ideal balance – users always have some redundant access rights. The user behavior analysis system can help identify necessary rights and clean out redundant ones.
- Detection of targeted attacks. In this case, it is the unusual behavior of users or applications that they install that will allow revealing hackers’ who use malicious programs or compromised login credentials using already installed applications.
Modern technologies used by UEBA
To solve all the above problems, modern UEBA tools use big data analysis technologies and various artificial intelligence mechanisms that are designed to search for anomalies, profile user activities and detect abuse of access rights.
To do this, they collect and identify users’ behavior patterns, organize users into groups, and compare them to the standard ones to identify deviations and violations. The larger the array of data on user behavior is, the more accurately the behavior model will be built, which will, in turn, allow more accurately predict slight deviations from the norm and reveal the suspicious users’ behavior.
At the same time, UEBA solutions allow building profiles not only of users but also IT infrastructure objects like telecommunications equipment, servers, applications, network traffic, etc. This allows detecting attacks not only based on anomalies in users’ work but also in IT systems.
For each anomalous behavior of the user, the UEBA solution increases the risk value for it, and when it reaches a certain threshold, it starts signaling to the security administrator about the suspicious users. This approach allows, on the one hand, to create use cases for the most common violations, and on the other hand to minimize the number of false positives.
Unfortunately, UEBA systems are not out-of-the-box solutions. It is necessary to do a lot of work to configure these tools.
UEBA modules have already appeared in SIEM solutions, such as IBM QRadar, ArcSight, and Splunk. However, there are some solutions where the analysis of user behavior is the main competitive advantage, such as the Exabeam.
There are a lot of information security threats that can be identified only through behavioral analysis of events recorded in the local network of the company. Using UEBA solutions for these tasks will provide security administrators with an effective additional tool for detecting advanced attacks.