What is User and Entity Behavior Analytics and why does it matter?
By Dr. Christine Izuakor - April 22, 2019
A lot could happen within 100 days. One could start a new company, travel around the world or train for a marathon. One hundred days is also around the average time that attackers spend frolicking around compromised networks before being detected. For countries in Europe, Middle East, and Africa the number goes up to 175, or almost half of a year. To make matters worse, the longer a breach remains undetected the more expensive it becomes. Anything detected beyond 100 days increases the average breach price tag by $3 million. For the companies that survive these setbacks, the light at the end of the tunnel may not be as close at it seems. These reports also show that almost 50% of companies who experience one significant attack, end up getting successfully attacked again within a year.
All hope is not lost. Being able to detect when something strange is happening within the network and take action quickly can help reduce all of these risks, and leading-edge user and entity behavior analytics (UEBA) can help.
What is UEBA?
The concept of behavior analytics gained popularity in the early 2000s. Businesses sought to monitor and track consumer behavior for better marketing and product sales in the e-commerce industry. Over time, impactful applications of behavior analytics surfaced in other industries such as gaming, social media, and even information security. Across each of these disciplines, researchers and innovators realized that tons of data already being collected through existing channels could be analyzed using artificial intelligence algorithms to break down and better understand behavior. UEBA became critical to cyber security as people realized the value of creating these kinds of algorithms to assess user activity logs and evaluate cyber risk in near real-time.
How does UEBA work?
The fundamental operating principle of UEBA is to create a picture of what normal user and organizational behavior looks like, in order to know what can be considered abnormal behavior. Once you have a baseline to compare against, you can begin to alert on suspicious user behavior.
Creating a baseline of normal behavior can be accomplished by collecting various data points such as account and document access, data uploads, App usage, and more. This is overlaid with information regarding actions completed by the user such as transaction type, session duration, time of day, geographical location, and more. Using this information, for example, if a user profile shows a registered location of New York but there is activity happening in London the transaction may be considered as anomalous behavior.
Abnormal does not always mean malicious. In the prior example, the user could have travelled to London for business and while the activity appears abnormal it’s not malicious. Without intelligent context, traditional anomaly-based tools were often flooded with false positives. This limited the trust many security professionals had in using static rule-based tools to trigger autonomous actions and prevent attacks - which is the ultimate goal of the technology to begin with. Modern UEBA has advanced ways of overcoming this age-old challenge to more accurately identify when abnormal behavior is likely malicious. The machine learning technology does this by not only analyzing and correlating big data, but by also adding context such as 3rd party threat data and situational information to make more conscious conclusions regarding risk resulting in higher levels of accuracy. In other words, say goodbye to never ending false positives that once plagued traditional tools.
How can companies benefit from UEBA technology?
UEBA can significantly reduce breach detection times. There are quite a few tell-tale signs that can suggest a company may have been compromised. Common examples include a single device using multiple different use credentials across the network, detection of aggressive port scanning, elevations in access for normal users, and more. While these are still relevant things to watch out for, attackers are getting creative in how they mask their activity so as not to trigger alarms. If your company’s detection capability is limited to the obvious signs, you may as well start imagining all of the things your new undetected resident is doing in their first 100 days on your network. Instead, UEBA technology can intelligently overlay relevant context to accurately escalate risky behavior.
UEBA focuses on the entire user and entity environment instead of just zeroing in on systems. Behind every attack, there is a human being. These people can be unaffiliated malicious attackers, malicious insiders, or error prone users. By focusing on individual user activity, no matter which group a user falls within, companies gain more useful insight into activities on their network. Traditional focus on networks, while still a valuable approach, can leave helpful red flags hidden in the noise of endless transactions over large complex networks. Furthermore, by shifting from a simple comparison of normal vs abnormal to focusing on a holistic view of risks associated with transactions, false positives and false negatives are reduced. The relevant question becomes, using all of the data and context available how risky is this transaction for this user or resource?
Insight from the technology can also indirectly expose system vulnerabilities and errors. While all detections may not be malicious, UEBA can help improve overall security posture through identifying gaps and errors in processes. For example, let’s say an existing employee took on a new role in the company. Her prior role required elevated access, but her current role does not. If based on her new group and the patterns in access levels of her peers, UEBA determines it’s strange for her to have elevated access, it then triggers alerts. The company then realizes that their processes for updating access levels during job changes is broken. While the user wasn’t malicious, the UEBA technology exposed a gap in the account management and access provisioning process that the company could then work to close.
UEBA enables companies to advance beyond traditional rules-based anomaly detection to intelligently respond to incidents from a variety of threat actors. With the help of artificial intelligence and machine learning algorithms, UEBA technology is rejuvenating the trust the industry lost in rules-based detection systems.
What will you allow to happen on your network for the next 100 days?