What is UEBA?
UEBA stands for User and Entity Behavior Analytics.
USER + Entity
Modern cybersecurity solutions strive hard to monitor the behavior of human users (your employees, customers, partners' employees, etc.). They go even further and monitor the behavior of non-human 'ENTITIES' too, which means they are capable of monitoring 'machines' as well.
For example, if one day a given branch office of your company suddenly starts receiving thousands more requests than usual, there is a very high likelihood that your IT administrator would not notice this as a potential DDoS attack. But your UEBA would surely recognize this increased number of incoming requests and take some pre-defined action.
UEBA solutions are fundamentally there to recognize any peculiar behavior or suspicious instance where something falls outside of the NORMAL everyday pattern or usage.
Another example: if a PARTICULAR USER, say John Doe, who usually downloads files of up to 20 MB per day, starts downloading files of, say, 5 GB, then your UEBA system would recognize it as an anomaly. Based on rules, it may automatically disconnect John Doe from the network, or it may send an alert to your network admin.
People who are frequent users of Facebook may have noticed that Facebook's UEBA technologies are capable of raising a red flag every time you log in from a computer you have not logged in from before. Facebook raises the red flag even if you merely try to log in from a browser other than your usual one. UEBA at Facebook definitely gets strict with you if you or anybody else tries to log in to your account from a new geo-location where you haven't logged in before. It will force you to provide more factors before it allows you access to your account. It is all UEBA in action...
I would say that UEBA is a cybersecurity solution that basically uses algorithms and machine learning to detect anomalies in the behavior not only of you and your users in a corporate network, but also of your routers, servers, and endpoints in that network.
How Does UEBA Work?
In short, your UEBA solution creates a baseline of standard behavior for all users and entities within your corporate network and looks for deviations from that baseline, alerting you or your security teams to anything that could indicate a potential security threat.
In order to create these baselines of behavior, it needs to collect LIVE data on user actions (such as applications used, interactions with data, keystrokes, mouse movement, and screenshots), on activity of devices attached to the network (such as servers, routers, and data repositories), and on security events from supported devices and platforms. Advanced analytical methods are then applied to this data to model the baseline of activity.
Once this baseline of behavior has been established, the UEBA solution continuously monitors behavior on your network and compares it to the established baseline, looking for any behavior that extends beyond an established activity threshold and alerting the appropriate teams to the detected anomaly.
Some sort of UEBA agent has to be installed on every machine and every device used by you, your employees and other users connected to your network, including your remote users. If your employees are using their own devices, then even those devices need an agent installed. You should request your employees, if possible, to install the agent on their home Wi-Fi routers too.
Once this is done properly, there is not much more you need to do, because your UEBA solution (with the help of those agents) will keep seamlessly collecting data (or logs) from all those devices and their network usage. Gradually, the algorithms of your UEBA will learn, determine and further refine their understanding of what is NORMAL, and what is OPTIMAL, behavior for each human user and each device.
How much time would it take to learn all this?
There is no fixed rule. However, your IT admins can decide how long the 'Learning' mode will last before the system goes into 'Testing' mode.
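The Learning/Testing split above, applied to the John Doe download figures and the branch-office request example from earlier, as an added illustration that is not part of the original post. The daily telemetry values, the standard-deviation scoring and the 3 and 10 sigma thresholds are constructed assumptions, not taken from any particular UEBA product:

```python
"""Added example, not from the original post: a toy UEBA baseline for one
metric per user or entity, with a 'Learning' mode that builds the baseline and
a 'Testing' mode that scores new activity against it."""
from statistics import mean, pstdev

# Constructed telemetry (assumption): one value per day per subject, collected
# while the system was in Learning mode. John Doe's figures follow the text
# (around 20 MB/day); the branch office counts incoming requests per day.
LEARNING_DATA = {
    "john.doe": [18, 22, 20, 19, 21, 20, 23],          # MB downloaded per day
    "branch-office-7": [1000, 1100, 950, 1050, 1000],  # requests received per day
}

def build_baseline(samples):
    """Learning mode: summarise what is NORMAL for one subject."""
    return {"mean": mean(samples), "stdev": pstdev(samples), "n": len(samples)}

def deviation(baseline, value, min_stdev=1.0):
    """Testing mode: how many standard deviations above the subject's own
    baseline this value is. A floor on the spread keeps a very flat baseline
    from scoring every tiny change as a huge anomaly."""
    spread = max(baseline["stdev"], min_stdev)
    return (value - baseline["mean"]) / spread

def decide(subject, value, baselines, alert_at=3.0, disconnect_at=10.0):
    """Map the deviation onto the response modes the text describes:
    'alert' the admin, or 'disconnect' the subject automatically.
    The thresholds are constructed; a real deployment tunes them per org."""
    z = deviation(baselines[subject], value)
    if z >= disconnect_at:
        return "disconnect"
    if z >= alert_at:
        return "alert"
    return "ok"

def learn_all(data=LEARNING_DATA):
    """Build a baseline for every subject seen during Learning mode."""
    return {subject: build_baseline(samples) for subject, samples in data.items()}

if __name__ == "__main__":
    baselines = learn_all()
    # Testing mode: John Doe suddenly pulls 5 GB; the branch office gets 3x its usual traffic.
    for subject, value in [("john.doe", 22), ("john.doe", 5000), ("branch-office-7", 3000)]:
        z = deviation(baselines[subject], value)
        print(f"{subject}: value={value} z={z:.1f} -> {decide(subject, value, baselines)}")
```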
3 Main Components of UEBA
There are three main components of a UEBA solution:
'Analytics' collects and organizes data on what it determines to be the normal behavior of users and entities. The system builds profiles of how each user/entity normally acts regarding application usage, communication and download activity, and network connectivity. Statistical models are then formulated and applied to detect unusual behavior.
It is hugely important to have strong 'Integration' with the other security products and systems already in place at your company. This integration is a MUST. Your company surely has some security stack implemented already, but there might be some old legacy systems that do not respond well to the modern threat landscape, and you must be forewarned of those...
The beauty of UEBA is that it is not meant to obviate or replace the existing security products being used across your company.
When you implement UEBA with proper integration, your UEBA system is able to compare data collected from various sources, including logs, packet capture data, and other datasets, and to integrate these data to make the system more robust.
'Presentation', the third component, is also important because it is about how the findings of your UEBA system will be presented or communicated to your security team. If presented well, this information helps you a great deal in devising appropriate responses to anomalies. How you configure the presentation part depends on your organisation.
For example, some UEBA systems will simply create an alert, either for the employee or for the IT administrator, to suggest further investigation. Other UEBA systems will be set up to take immediate action, for example by automatically shutting off network connectivity for that employee due to a suspected cyberattack.
Why Do Companies Need UEBA?
In the beginning, this set of technologies was called UBA (User Behavior Analytics) and focused only on human users. Later, Gartner expanded the scope by adding an 'E' to it, where E denotes ENTITY. As I mentioned above, these other entities include managed and unmanaged endpoints, servers, and applications (whether cloud-based, mobile-based, or on-premises). All these entities, along with users, should be profiled in order to pinpoint threats more accurately.
The result is that UEBA solutions are able to pinpoint anomalies and potential threats more accurately. They can often pinpoint many things that would otherwise go unnoticed by traditional security monitoring processes such as SIEM or DLP.
The rise of UEBA has been driven by the fact that traditional security products, e.g., web gateways, firewalls, intrusion detection and prevention tools, and encryption products like VPNs, are no longer able to protect your organization against intrusion. Sophisticated cyber-attackers will find a way into your systems one way or another.
That's why detecting even the seemingly SMALLEST anomaly is crucial.
Another issue is that social engineering and phishing attacks are also on the rise. Threat actors do not attack your organization's hardware but rather your people, e.g., convincing them to click on hyperlinks, to download software, and to hand over passwords.
You also know that in most situations, infecting one computer is only the start of a potentially large-scale cyberattack.
UEBA seeks to detect even the TINIEST of unusual behaviors and prevent a small phishing scheme from escalating into a massive data breach.
I have no doubt that UEBA can have a tremendous impact on the security posture of your organization.
Kindly write your comment on the posts or topics, because when you do that you help me greatly in designing new quality article/post on cybersecurity.
You can also share with all of us if the information shared here helps you in some manner.
Life is short, so make the most of it!
Also take care of yourself and your beloved ones…
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.