Understanding UEBA: What It Does and How It Works
With cyberattacks increasing every year, it's common for businesses to opt for security solutions that will protect their assets, including their networks and systems.
One popular solution is UEBA, or user and entity behavior analytics, a category of solutions that perform behavior analytics. How do these tools work to protect your enterprise's assets, including computers and networks? UEBA is a powerful set of security tools. However, you can't truly understand its features and functionality without knowing the basics.
What Is User and Entity Behavior Analytics?UEBA is a category of security solutions that uses machine learning and deep learning technologies. These model the behavior of devices and users on a company's networks, according to Imperva. Its goal is to identify bad behavior, infer security issues, and alert network security teams to deal with the detected devices or users.
In other words, UEBA is "software that analyzes user activity data from logs, network traffic and endpoints and correlates this data with threat intelligence to identify activities - or behaviors - likely to indicate a malicious presence in your environment," according to RSA by Dell. By using machine learning, it establishes baseline "normal" behavior and gets smarter over time. That enables it to apply both static rules and statistical analysis to quickly detect suspicious activity. RSA by Dell explains that UEBA "is a force multiplier for security teams" looking to stay ahead of threats.
How is UEBA better? UEBA improves on older, more traditional security tools. These usually identified security issues by using predefined rules and statistical analysis of ongoing events. These methods worked for known threats - those that were identical or similar to existing hazards. However, these tools don't work against unknown or insider threats. The reason: Most insider threats appear to be, or work like, regular user activities. That's where UEBA comes in handy; it can detect suspicious activities without patterns or rules.
How Is UBA Different from UEBA?User Behavior Analytics (UBA) is another category of security tools that uses advanced analytics to analyze and model users' behavior on corporate networks to detect anomalies. The goal is, again, to find security incidents and alert network security teams to secure the detected devices and users.
Of course, it's not enough to detect and track suspicious activities. It's not just users who may hack into networks or systems, but also various devices connected to these networks, including - but not limited to - portable devices, routers, and servers. That's why UBA wasn't successful.
It was slowly replaced by UEBA. As its name implies, UEBA security solutions are more powerful than those of UBA. UEBA can detect more complex abnormalities and attacks across devices and users. A few vendors may say that UBA is UEBA, but there is a distinct difference in their approaches.
"For example, in the case of a big change in the user's behavior, we can conclude that his credentials can be compromised and somebody else uses the network on his behalf. Sudden changes in behavior may also indicate violations related to the deliberate actions of the employee," according to Infosec Institute. "It is the ability to profile and analyze the activity of users and IT infrastructure objects that are implemented in a relatively new segment of the IT security market"called UEBA."
How Do UEBA Security Solutions Work?As with all machine learning and deep learning systems, UEBA first creates a baseline of behavior patterns. It starts with system logs, collecting behavioral data from them and analyzing them to learn the baseline behavior of devices and users. Once those are established, it continuously monitors the logs and other areas, like network packets, for behaviors and compares them with its sets of baseline behaviors, all with the goal of detecting abnormalities.
How does baselining work in UEBA? UEBA security solutions depend on the baselining process for analyzing and detecting abnormal activities and behaviors. When a device or user behaves differently, it calculates a risk score for the deviations. If the risk score is under the configured threshold, it does nothing. Otherwise, it notifies the system's security teams.
The 3 Pillars of UEBA SolutionsGartner, the global research and advisory firm, discussed the three pillars of UEBA solutions in its "2019 Gartner Market Guide for User & Entity Behavior Analytics" report. It noted that the three pillars include use cases, data sources, and analytics.
1. Use Cases of UEBA SolutionsThe security solutions in this category report the abnormal behaviors of network devices and users. They detect, analyze, and alert anomalies present in users' or devices' behavior. These solutions are mostly relevant for various use cases, unlike specialized analysis systems. For example, UEBA may detect compromised users, malicious insider users, zero-day attacks, and more.
2. Data Sources of UEBA SolutionsThese solutions opt for various data sources, including multiple types of data from a general repository. They collect and ingest the available data. For instance, these repositories may include event, network, or system logs, data warehouses, network flows and packets, or external system threat intelligence software, such as security information and event management (SIEM).
3. Analytics by UEBA SolutionsUEBA solutions opt for various analysis methods when analyzing data. They may use supervised machine learning, unsupervised machine learning, statistical modeling, and rule-based analytics systems for understanding data. Using data analysis, they create baseline profiles, then detect abnormalities by comparing those baseline profiles with the devices' or users' behaviors.
UEBA solutions offer a great way to protect networks and systems from attacks. By knowing what's "normal," UEBA can alert system authorities when something abnormal crops up. The first line of defense, in most cases, depends on knowing what's an offense.
The post Understanding UEBA: What It Does and How It Works appeared first on The Tech Report.