Definition
User and entity behavior analytics (UEBA) is a method for detecting potential threats from network inconsistencies. UEBA tools employ machine learning and AI to establish a baseline for device and user behavior on a network and monitor it for suspicious anomalies.
UEBA Benefits
- Flags suspicious activity early to prevent cyber-attacks.
- Protects from unknown threats since it detects suspicious behavior.
- Covers a wide range of attacks by monitoring both machine and user behavior.
How UEBA Works
UEBA offers security insights by using machine learning and data analytics to analyze large volumes of data from different sources. This establishes a baseline of normal user behavior, which UEBA monitors to detect any deviations from the norm.
Data is sourced from security tools, threat intelligence feeds, authentication databases, network equipment, and ERP/HR systems. Behavior deviations are scored on a risk level to rank the severity of threats. The scoring metrics help avoid false positives, identify threats, and propose solutions.
UEBA Use Cases
UEBA use cases are divided into two; tactical and strategic use cases.
Tactical Use Cases
- Malicious insiders: These individuals with authorized access can evade detection by traditional security measures, but UEBA can analyze user behavior to identify suspicious activity, such as policy violations.
- Compromised insiders: Attackers who obtain legitimate credentials through phishing or other means can move laterally across the network. UEBA detects abnormal behavior, even with valid credentials, to stop unauthorized access.
- Compromised entities: Organizations using IoT devices with inadequate security measures are vulnerable to attacks. UEBA identifies abnormal behaviors in these connected devices, helping prevent data breaches or disruptions.
- Data exfiltration: Both insider threats and external attackers aim to steal sensitive data. UEBA monitors real-time data access patterns, detecting abnormal activities like unusual downloads or access attempts.
Strategic Use Cases
- Implementing zero trust security: Zero trust security verifies all users and entities, inside or outside the network, before granting access to applications and data, requiring continuous authentication and authorization throughout a session.
- Maximum visibility: A robust zero-trust architecture requires visibility into all network users, devices, and activities. UEBA provides real-time insights into end-user and entity behavior, facilitating proactive threat detection.
- GDPR compliance: UEBA tools aid organizations in complying with GDPR by monitoring user behavior and tracking access to sensitive data, ensuring compliance with data protection requirements.
UEBA vs. UBA
UEBA and UBA differ because UEBA is more advanced and includes entities (E) for monitoring nonhuman activities and machine models such as servers. Both entity and user activity are interconnected since they’re linked to machine entities such as routers. The E was introduced to achieve a more sophisticated and holistic approach to threat identification.
UEBA Analytics Methods
Some UEBA solutions use traditional methods to detect abnormalities. Such methods include known attack patterns, manually-defined rules, and relationships between security events. Traditional methods are deterministic and cannot identify new types of threats hence, modern techniques are helpful:
- Supervised machine learning: It uses known behaviors to analyze new behaviors and determine similarities.
- Bayesian networks: It create behavioral profiles by combining supervised machine learning and rules.
- Unsupervised learning: It detects abnormal behavior based on learned normal behavior without discerning if it’s good or bad.
- Reinforced/semi-supervised machine learning: It combines unsupervised learning with feedback for model fine-tuning and noise reduction.
- Deep learning: It predicts outcomes for new security alerts by training on data sets and performing self-identification of features.