What is user and entity behavior analytics (UEBA)?
User and entity behavior analytics is another term for user behavior analytics. As the threat landscape evolved, so did the market definition of UBA. The addition of “entities” indicates malicious behavior by both humans as well as devices, applications and networks, and correlates user activity from multiple sources. According to Gartner, which coined the term UEBA, the E “recognizes the fact that other entities besides users are often profiled in order to more accurately pinpoint threats, in part by correlating the behavior of these other entities with user behavior.”
In other words, the behavior of entities — especially users, devices, system accounts and privileged accounts — can be mined to reveal anomalies, even when they occur at a low frequency and over extended periods of time. Few security tools have the capability to detect a threat if it doesn’t fit a specific profile, but UEBA is able to stitch together a number of variables to better home in on potential threats. By using UEBA, you’re protecting your organization against threats that can infiltrate the perimeter, or that already exist within.
What is the difference between UBA and UEBA?
User behavior analytics and user and entity behavior analytics are essentially synonymous. Most UBA solutions also cover the “entity” aspect that led Gartner to coin “UEBA.” However, UEBA is arguably the more common term because it makes the key distinction between user and entity behavior. (“UBA” is also the name of the Splunk UEBA tool that helps organizations fight insider threats through multidimensional behavior baselines, dynamic peer group analysis and unsupervised machine learning.)
How does UBA/UEBA work?
UBA/UEBA works by looking at the deviations in a user or asset’s behavior when compared to past actions or peer groups. A UBA solution will create a baseline for each user, device, application, privileged account and shared service account, then detect standard deviations from the norm. It will subsequently assign a score to indicate the intensity of the threat in question, letting the enterprise not only review alerts on a daily basis, but also watch top malicious users and take preventive action.
How do you resolve threats with UBA/UEBA?
Rather than providing a torrent of alerts triggered by static rule violations, UBA delivers a shorter list of threats to resolve, along with supporting evidence to explain why a specific threat should be of concern.
Security analysts have a number of options for resolving threats discovered by UBA. In addition to viewing threats through the user interface, threat information can be emailed to remediation staff such as IT/security help desks; published to a security dashboard; or forwarded to an external ticketing or security system. Depending on where your UBA solution plugs in, you might also have an automated response that fires off when an incident or event is detected.
What is behavioral analytics (BA)?
Behavioral analytics is an area of data analytics that provides insight into the actions of people. Any person or machine that interacts with a company, system, platform or product can be a subject of behavioral analytics.
Behavioral analytics tools ingest a high volume of raw event data from user interactions across multiple channels, looking at everything from user journey to social media engagement to unique sessions to time on page. This type of data can include advertising and marketing metrics, like conversion rate or cost per click, as well as pipeline and monetary value. Behavioral analytics can also include information about demographics and geography.
- Ecommerce and retail: Makes recommendations based on sales trends.
- Online gaming: Looks at usage and user preferences for existing and future releases.
- Application development: Determines how users interact with an application to predict future usage and preferences.
- Security: Detects compromised credentials and insider threats by locating anomalous behavior.
What is the role of machine learning in UBA?
Machine learning plays a critical role in UBA and is absolutely key to powering a scalable data platform that supports advanced analytics. The threat detection capabilities in a UBA solution can correlate anomalies across multiple data sources within any environment that generates machine data.
Analytics tools based on machine learning methodologies require no signatures or human analysis, enabling multi-entity behavior profiling and peer group analytics. This provides a far more nuanced monitoring and response capability for UBA.
The result is automated, accurate threat and anomaly detection. By stitching together threat indicators detected by a variety of algorithms, machine learning helps the software or solution identify high-probability threats.
With machine learning, analysts and security operations center (SOC) teams can perform rapid investigations, find meaningful insights, determine the root cause of an incident, draw on historical trends and share findings without being bogged down by thousands of alerts and false alarms. Put simply, organizations can improve detection speed, analyze impact and respond quickly to any security incident.
How do you use UBA with SIEM?
UBA is a vital component of any SIEM (security incident and event management) system. UBA tools work in concert with SIEM solutions to provide insight into behavioral patterns within the network. By combining both solutions, you reap the benefits of threat detection techniques that examine both human and machine behavior.
Expanding your SIEM to ingest behavioral anomalies detected by UBA also provides additional context around known and unknown threats, as well as identifies the threats more accurately. This can save analysts’ time and increase your SOC efficiency by eliminating false positives and only surfacing high-fidelity threats that can’t typically be detected through rules-driven correlation.
What is UBA’s role in a security operations center (SOC)?
UBA plays a critical role in the security operations center, identifying unusual changes in end-user behavior. UBA can filter alerts before they’re raised to the SOC team, giving them time to focus on urgent and complex threats.
UBA allows SOC analysts to seamlessly and easily:
- Identify insider threats with behavior modeling and peer group analytics.
- Focus on insider threat detection through anomaly scoring.
- Automate incident response and monitor threats continuously.
How do you choose the best UBA tool?
When choosing a UBA tool, weigh four key features: threat review, user feedback learning, streamlined workflow and kill-chain detection.
- Threat review and exploration: This allows the user to visualize a broad range of suspicious behavior and gain context across multiple sources, including users, accounts, devices and applications.
- User feedback learning: With user feedback learning, security teams can customize anomaly models based on the organization’s processes, policies, assets, user roles and functions. Anomaly scoring creates a methodology around an array of events to better improve accuracy as well as indicate the intensity of a threat.
- Streamlined threat workflow: Reducing billions of raw events to thousands of anomalies, then to mere hundreds of threats, speeds up review and resolution. Leveraging machine learning algorithms, statistics and anomaly correlations improves your ability to identify malicious insiders without human analysis.
- Malware and insider detection and attack vector discovery: This means you can detect movement of malware across apps and devices, as well as malicious insider proliferation, in real time. You can also detect behavior-based irregularities (e.g., unusual machine access, unusual network activity) or pinpoint botnet or command and control activity (e.g., malware beaconing, etc.) and much more.
Ultimately, choosing the best UBA tool for your organization depends on your set of priorities and concerns. Check out Gartner’s “Reviews for User and Entity Behavior Analytics Solutions” to learn about industry leaders in this space, and how they can help you take your security journey to the next level.
How do you get started with UBA?
Generally, you’ll start using UBA with four basic steps: ingest data, configure workflows, target use cases, and customize your models.
Getting data into your UBA solution is the first step toward understanding your user data. Your tool should provide a number of options for identifying, validating, then ingesting data from multiple sources across your infrastructure — from reading simple, well-known log file formats, to invoking programs to handle custom data formats.
Once you’ve successfully prepped your environment and onboarded relevant event data, the next step is to configure your workflows. Integrated workflows allow security teams to quickly respond to incidents by opening tickets or placing surveillance on high-risk users. By hammering out a streamlined investigation and feedback loop, security teams won’t have to scramble when trouble comes.
Next, you’ll need to determine what use cases you’d like to address with your UBA tool. This can be anything from data exfiltration to account compromise and misuse. You should also involve your organization’s security architects and engineers so they can provide feedback. Remember, while most UBA solutions will provide use cases that can apply to almost every customer in the form of rule sets, they aren’t necessarily priorities of your business. The needs and objectives for retail, e-commerce, financial services, the public sector, etc., vary immensely.
Last but not least, you’ll need to customize your anomaly scoring models. Providing input on key assets or users/departments can increase the risk score accordingly (for example, data exfiltration involving staff in your organization’s research lab may be more of a threat than data theft on your marketing team). Your UBA tool should also increase the score if it deviates from peer group profiles. If a specific risk-scoring logic is not applicable to your environment, adjust it up front.
As you decide how to implement UBA in your organization, consider:
- How much and what type of behavioral data you’ll have available.
- The level of internal expertise you have — and whether you have the ability to train security personnel to implement and manage UBA.
- How large and sprawling your network of users is (e.g., number of remote locations and the degree of user mobility).
How do you get the most value out of UBA?
To fully realize the value of your UBA/UEBA solution, follow these four best practices: Create a roadmap, use continuous monitoring, establish procedures, and uplevel your security team’s skills.
- Create a roadmap: What do you want UBA to do for your business? For example, is your top priority putting an end to data exfiltration? Or detecting compromised or infected accounts? Establish specific goals to ensure that you pick the right tool to achieve what you set out to do. Then create milestones for rolling out the capabilities.
- Continuous monitoring: Once you’ve deployed UBA, you can’t expect the tool to work if you fail to maintain it. Even the most intuitive tools require you to continually review the system and make adjustments as your business adapts.
- Establish procedure: You must establish criteria for generating alerts and determining the actions the tool should perform in response to suspected malicious activity. Otherwise, your security team will be overwhelmed with notifications. Establish those procedures and keep tweaking them to reduce false alarms and keep your staff focused on real threats.
- Close the skills gap: UBA makes life easier for your security department, but it doesn’t replace your people. You need to train staff to implement, maintain and continually fine-tune the solution to keep up with the changing security landscape.
The bottom line: Why wouldn’t you use UBA?
In a world of escalating cyber threats — as well as escalating regulatory environments and more profound consequences for security breaches — security teams increasingly rely on UBA technology for event correlation, threat intelligence, security data aggregation and more.
Almost a quarter of organizations represented in the Ponemon Institute’s 2018 Cost of Insider Threats: Global identified the root cause of a data breach as a malicious insider or criminal attack. The average cost per incident was approximately $607,745, with the average total cost of a data breach coming in at $8.76M. These attacks are often identifiable by the behavior of users within the compromised network.
Enterprise security depends on quickly identifying and remediating security issues to avoid this kind of monumental loss, and any security team would be well advised to study the capabilities of various UBA systems to identify the one that best serves its needs.
- Threat Hunting and Anomaly Detection With Splunk UBA
- Splunk User Behavior Analytics: The Whiteboard
- Splunk User Behavior Analytics (UBA): Methods and Best Practices to Get Started Now
- Top Technical Questions on Splunk UBA