Traditional measures such as web gateways, firewalls, IPS tools, and VPNs are no longer sufficient to keep corporate systems secure from modern cyber attacks.
UEBA systems help detect modern threats by enhancing the context and quality of security alerts by monitoring non-user entities (e.g. servers) and leveraging machine learning. This provides SOC teams with behavioral security insights and improves zero-trust security initiatives.
1. Detecting malicious insiders
Malicious insiders are internal or former employees who intentionally harm an organization by misusing their access to systems and data.
Raw data alone, such as log files or event logs, cannot always identify these individuals, but UEBA can. UEBA attributes activity to individuals rather than to IP addresses, so it can detect users who violate security standards by identifying and correlating:
- insider activities based on variances in user/device activity compared to self and peer-group baselines,
- suspicious or malicious activity,
- alerts from external tools.
Real-life example: A cloud access security broker (CASB) API + UEBA solution detected an insider who authenticated from numerous IP addresses.
The solution sent alerts for “access attempts from certain IP blocks” and generated the “risky countries” alert, which shows the countries the IP addresses originate from. [1]
2. Detecting user account compromise
One of the most common insider use cases is the breach of a trusted user account, where user credentials are hacked and used by a party other than the legitimate user. This use case includes detecting shared account activity and overall account fraud.
UEBA can employ behavior modeling to detect any variation from regular user activity that indicates the account is being operated by someone other than the legitimate owner. Detection includes:
- anomalous Active Directory (AD) activity
- activity from disabled accounts
- account recovery events
- activity from terminated users
Real-life example: A DLP + UEBA solution detected a user who downloaded over 2,000 files from a corporate OneDrive instance and uploaded over 400 files to a personal Google Drive account.
Detections involved:
- Potential sensitive file movement
- Potential corporate data movement
- A user-based spike in sensitive data uploaded to personal apps
- A user-based spike in files downloaded [2]
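As an added illustration of the self-baseline and peer-group-baseline approach behind use cases 1 and 2 (this is example code, not from the article or any vendor named on this page), the following script scores each user's file-download count for the day against their own history and against their department. The users, department and daily counts are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real data): one record per user per day,
# (user, department, day_index, files_downloaded). The last day is "today".
EVENTS = (
    [("alice", "finance", d, n) for d, n in enumerate([12, 15, 9, 14, 11, 13, 10])]
    + [("bob", "finance", d, n) for d, n in enumerate([8, 10, 12, 9, 11, 10, 2100])]
    + [("carol", "finance", d, n) for d, n in enumerate([20, 18, 22, 19, 21, 20, 23])]
)

def zscore(x, mu, sigma):
    """Standard deviations from the baseline; a flat baseline treats any change as extreme."""
    if sigma > 0:
        return (x - mu) / sigma
    return 0.0 if x == mu else float("inf")

def self_baseline(counts):
    """Baseline from the user's own history, excluding today's value."""
    hist = counts[:-1]
    return mean(hist), pstdev(hist)

def peer_baseline(events, dept, user):
    """Baseline from everyone else in the same department (the peer group)."""
    vals = [n for u, dp, _, n in events if dp == dept and u != user]
    return mean(vals), pstdev(vals)

def detect_spikes(events, threshold=3.0):
    """Score today's count against both baselines.
    Returns {user: {"today", "z_self", "z_peer", "severity"}} for anomalies only."""
    per_user, dept_of = defaultdict(list), {}
    for user, dept, _, n in sorted(events, key=lambda e: e[2]):
        per_user[user].append(n)
        dept_of[user] = dept
    findings = {}
    for user, counts in per_user.items():
        today = counts[-1]
        z_self = zscore(today, *self_baseline(counts))
        z_peer = zscore(today, *peer_baseline(events, dept_of[user], user))
        if z_self > threshold and z_peer > threshold:
            severity = "high"   # unusual for the user AND for their peers
        elif z_self > threshold:
            severity = "low"    # unusual for the user but normal for the role
        else:
            continue
        findings[user] = {"today": today, "z_self": round(z_self, 1),
                          "z_peer": round(z_peer, 1), "severity": severity}
    return findings

if __name__ == "__main__":
    for user, finding in detect_spikes(EVENTS).items():
        print(f"{user}: {finding}")
```

Comparing against both baselines is what keeps a peer-normal activity (a new hire catching up on a shared drive) from being scored like a genuine spike.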
3. Detecting device compromise
Detecting endpoints that have been penetrated or infected with malware is difficult.
This differs from the “Compromised User Account” use case above: malicious behavior on a host can be detected, but it cannot always be associated with a specific user account.
UEBA can detect malware activity using behavior-based modeling, regardless of how the initial infection was delivered. Detection strategies include tracking changes in:
- communication patterns of devices,
- communication with external domains or IP addresses, and the characteristics of those domains.
Real-life example: Law firm Winthrop & Weinstine implemented a UEBA solution for detecting and responding to cyber-attacks. The firm centralized its security data and visualized the communication patterns of IP addresses, which helped it find host and device compromises. [3]
4. Detecting lateral attacks
Lateral movement by a trusted insider entails probing for and expanding access to multiple resources.
UEBA solutions can effectively identify lateral attacks by monitoring user and entity behavior trends throughout the network. UEBA solutions can detect deviations in typical behavior baselines by analyzing:
- Sudden privilege escalation
- Unusual access to sensitive resources
- Abnormal authentication patterns
Some examples of lateral movement that UEBA can detect include:
- Pass the hash (PtH) – a credential-theft technique in which an attacker retrieves authentication material and uses it to create a new user
- Brute-force logins – trial-and-error attempts to guess login credentials
- Internal spearphishing
- SSH hijacking
5. Identifying network policy breaches
Companies use policies against sharing user accounts to maintain adequate user access. However, implementing these standards may be difficult, particularly in large workplaces with numerous people and systems.
UEBA can identify simultaneous or near-simultaneous logins from geographically distant places, which is unlikely in normal individual use. Other policy checks include:
- Monitoring unusual data transfers: Policies usually govern data movement within and outside an organization. UEBA can recognize deviations, such as sudden large data transfers and transfers to unauthorized networks, which could indicate a policy breach.
- Detecting unauthorized device connections: Many policies restrict which devices can connect to corporate networks. If an unknown device attempts to connect, UEBA can identify this as a breach and alert the security team. This is critical in securing BYOD environments.
- Enforcing role-based access control (RBAC): UEBA can help enforce RBAC policies by analyzing each role’s access patterns. If a user accesses files or systems beyond their role permissions, UEBA identifies this as a violation. For more: RBAC examples.
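The shared-account check described above (simultaneous or near-simultaneous logins from distant places), as an added example that is not part of the original article: it computes the travel speed implied by consecutive logins of the same user and flags speeds no traveller could achieve. The users, coordinates and IP addresses are constructed.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed login records (not real data): (user, UTC timestamp, lat, lon, source IP).
# IPs come from documentation ranges; coordinates are approximate city centres.
LOGINS = [
    ("dave", "2024-10-27T08:00:00", 52.52, 13.40, "203.0.113.10"),   # Berlin
    ("dave", "2024-10-27T08:45:00", 40.71, -74.01, "198.51.100.7"),  # New York
    ("erin", "2024-10-27T09:00:00", 48.86, 2.35, "203.0.113.22"),    # Paris
    ("erin", "2024-10-27T15:30:00", 51.51, -0.13, "203.0.113.23"),   # London
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(logins, max_speed_kmh=900.0, same_place_km=50.0):
    """Flag consecutive logins by one user that would require travelling faster
    than max_speed_kmh (roughly airliner speed). Logins at the same instant from
    places further apart than same_place_km are flagged as well.
    Returns a list of (user, km, hours, src_ip_first, src_ip_second)."""
    by_user = {}
    for rec in sorted(logins, key=lambda r: r[1]):
        by_user.setdefault(rec[0], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        for (_, t1, la1, lo1, ip1), (_, t2, la2, lo2, ip2) in zip(recs, recs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (datetime.fromisoformat(t2) - datetime.fromisoformat(t1)).total_seconds() / 3600
            if hours <= 0:
                suspicious = km > same_place_km   # truly simultaneous logins
            else:
                suspicious = km / hours > max_speed_kmh
            if suspicious:
                alerts.append((user, round(km), round(hours, 2), ip1, ip2))
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(LOGINS):
        print("possible shared or compromised account:", alert)
```

In production the coordinates would come from IP geolocation of the source address, whose inaccuracy (VPN exits, mobile carriers) is the main source of false positives for this check.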
6. Detecting data exfiltration
This use case matters even if your team already detects compromised accounts and endpoints, since authorized users may also exfiltrate data.
UEBA can identify the loss or theft of confidential data outside the company via several attack vectors, including:
- network security infrastructure (firewalls and proxies),
- online cloud storage,
- attached storage (USB) and email.
7. Privileged access misuse prevention
A privileged account is a user account with more access and permissions than a standard account. These accounts are used by system administrators and managers.
Serious consequences, such as data breaches or system disruption, may occur if these accounts are compromised.
UEBA helps to reduce this risk by continuously monitoring privileged user behavior patterns. If a privileged person accesses sensitive data or systems outside of their normal scope or at unusual times, UEBA can identify this as anomalous behavior and alert the SOC team.
8. Security alert automation and investigation
Organizations may encounter alerts from security products such as anti-malware, DLP, and network access control that require further investigation. For example, SOCs need help with alerts that lack essential information such as the host, file hash, and user data.
UEBA solutions can provide detailed context for third-party security alerts, enabling SOC teams to quickly access all relevant information by simply entering the alert ID.
Real-life example: Union Bank implemented a UEBA solution to collect all DLP events and establish a baseline of activity for detecting unusual behavior. The solution allowed the bank to filter out false positives and focus on high-risk situations. [4]
9. Account lockout investigation
Account lockouts are a major drain on administrative resources, particularly in larger companies. It is common for large companies to dedicate a full-time position each year just to investigating user accounts. Admins spend hours on every locked-out account determining whether it is a simple error or a possible account hijacking.
A UEBA system can automate this process by checking:
- The domain controller’s event logs to find the cause of the lockout.
- The user’s device for any cached credentials that may be causing the lockout.
- Active sessions that could be causing the lockout.
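An added example (not from the article) of automating the first of the three lockout checks above: it correlates each Windows account-lockout event (ID 4740) with the failed credential validations (ID 4776) for the same account in the preceding minutes and classifies the likely cause by the hosts the failures came from. The event records and device inventory are constructed; the event IDs and the 0xC000006A status are standard Windows Security log values.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed Windows Security log records (not real data), trimmed to the
# fields the check needs. 4776 = credential validation failed (status
# 0xC000006A is "wrong password"), 4740 = account locked out. Hostnames and
# user names are made up.
EVENTS = [
    {"id": 4776, "time": "2024-10-27T07:58:10", "user": "frank", "source": "WS-FRANK", "status": "0xC000006A"},
    {"id": 4776, "time": "2024-10-27T07:58:40", "user": "frank", "source": "WS-FRANK", "status": "0xC000006A"},
    {"id": 4776, "time": "2024-10-27T07:59:05", "user": "frank", "source": "WS-FRANK", "status": "0xC000006A"},
    {"id": 4740, "time": "2024-10-27T07:59:06", "user": "frank", "source": "WS-FRANK"},
    {"id": 4776, "time": "2024-10-27T12:01:00", "user": "grace", "source": "SRV-FILE01", "status": "0xC000006A"},
    {"id": 4776, "time": "2024-10-27T12:01:02", "user": "grace", "source": "WS-KIOSK3", "status": "0xC000006A"},
    {"id": 4776, "time": "2024-10-27T12:01:03", "user": "grace", "source": "SRV-FILE01", "status": "0xC000006A"},
    {"id": 4740, "time": "2024-10-27T12:01:04", "user": "grace", "source": "SRV-FILE01"},
]
# Constructed asset inventory: the workstation assigned to each user.
OWNED_DEVICE = {"frank": "WS-FRANK", "grace": "WS-GRACE"}

def triage_lockouts(events, window_minutes=10, inventory=OWNED_DEVICE):
    """For each lockout (4740), gather the failed validations (4776) for the same
    account in the preceding window and classify the likely cause by source host.
    Returns {user: {"failures", "sources", "verdict"}}."""
    ts = datetime.fromisoformat
    results = {}
    for ev in events:
        if ev["id"] != 4740:
            continue
        lock_time = ts(ev["time"])
        start = lock_time - timedelta(minutes=window_minutes)
        failures = [f for f in events
                    if f["id"] == 4776 and f["user"] == ev["user"]
                    and start <= ts(f["time"]) <= lock_time]
        sources = Counter(f["source"] for f in failures)
        own = inventory.get(ev["user"])
        if not failures:
            verdict = "no failed validations in window: widen the window or check other DCs"
        elif set(sources) == {own}:
            verdict = "single source, user's own device: likely stale cached credential"
        else:
            verdict = "failures from other hosts: treat as possible account attack and escalate"
        results[ev["user"]] = {"failures": len(failures), "sources": dict(sources), "verdict": verdict}
    return results

if __name__ == "__main__":
    for user, result in triage_lockouts(EVENTS).items():
        print(user, result)
```

The second and third checks (cached credentials on the device, active sessions) would feed the same verdict: a lockout whose failures all come from the user's own workstation is the one worth resolving there first.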
10. Account creation monitoring
Attackers may infiltrate a network by installing malware on one system and then using this entry point to create unrelated new accounts. Even if IT restores the compromised machine, the attackers remain in the system using a new credential.
A UEBA solution can monitor account creation and quickly detect:
- unauthorized credential creation
- fraudulent digital accounts created using stolen or synthetic identities
- accounts that have been used for spamming or for violating the rules
11. Third-party and supply chain risk monitoring
Organizations commonly allow third-party suppliers or partners access to their systems as part of their operational procedures. However, this exposure raises the risk of external cyber threats.
UEBA tools can monitor third-party activities and interactions with the organization’s resources, prioritize them, and investigate supply chain threats such as unauthorized access attempts and data exfiltration.
Real-life example: Lineas, the largest private rail freight company in Europe, deployed a UEBA solution to allow its users to focus on behavioral supply chain analytics rather than logs and existing use cases.
With the UEBA solution, the company was able to ingest a multitude of logs and gain insights that gave it visibility into hosts, accounts, network traffic, and data repositories. [5]
12. Insider risk monitoring
UEBA captures and analyzes how users regularly interact with your IT systems. Any difference from conventional employee behavior (for example, unusual working hours) is reported for further inquiry, assisting in the detection of insider threats.
This helps SOCs obtain an overview of user activity analytics and identify and reduce insider risks caused by malevolent intent or negligent behavior.
13. Forecasting software and hardware breakdowns
Software: UEBA can also collect and analyze application logs and response times in software applications. If it detects an increase in errors or a slower response time in transactions that have previously resulted in software crashes, it may send a software issue alert.
Hardware: UEBA may monitor resource consumption indicators such as CPU, memory, and network traffic in hardware components such as servers, storage devices, and network equipment. If it detects spikes or deviations from standard operating processes, it alerts to a hardware issue.
14. Adhering to GDPR compliance
The European Union’s General Data Protection Regulation (GDPR) places obligations on enterprises to keep account of who accesses personal data, how it is used, and when it is removed. UEBA solutions can assist businesses in complying with GDPR by monitoring user activity and access to sensitive data.
15. Maintaining zero trust security
A zero-trust architecture requires complete visibility into all network users, devices, assets, and entities. UEBA provides security analysts with detailed, real-time insight into all end-user and entity activity, including which devices are seeking access to the network and which individuals are trying to exceed their rights.
Open source UEBA tools
Tool | Functionality |
---|---|
OpenUBA | Ingests and analyzes logs for abnormal behaviors using machine learning and behavioral profiling models |
Graylog | Collects logs from servers and applies machine learning-based anomaly detection through its interface |
Wazuh | Monitors telemetry data for threat detection and anomaly analysis |
Apache-Metron | Provides real-time insights into security telemetry through big data platforms |
HELK | Provides threat hunting capabilities using the ELK stack and Apache Spark for real-time data analysis |
Apache-Spot | Detects network traffic anomalies indicating suspicious user or entity activities |
Read more: Open source UEBA tools.
UEBA vs SIEM
Feature | UEBA solutions | SIEM solutions |
---|---|---|
Detection approach | Self-learning, behavior-based threat detection | Rule-based, using predefined rules and thresholds |
Machine learning usage | Uses both supervised and unsupervised machine learning | Typically lacks advanced machine learning capabilities |
Suitability for insider threats | Strong for insider threat detection | Limited effectiveness in detecting insider threats |
Ability to detect sophisticated attacks | Great for detecting low-and-slow attacks (e.g., lateral movement, data exfiltration) | Limited to signature-based attacks and known attack patterns |
Scalability | Ideal for larger businesses with complex security needs | Suitable for small to large businesses; may require tuning for scalability |
Examples | Exabeam, Rapid7 InsightIDR, Varonis UEBA | ManageEngine Log360, Splunk, IBM QRadar |
- SIEM focuses on security event data rather than user or entity behavior. This means that SIEM collects and analyzes data from security logs, firewall logs, intrusion prevention logs, and network traffic, whereas UEBA uses user- and entity-related sources and a variety of logs. The core use case for SIEM is real-time security monitoring, event correlation, incident detection, and response.
- UEBA can detect insider threats, account compromises, privilege abuse, and other abnormal behavior or data transfer activities. UEBA uses machine learning algorithms and statistical modeling to establish “normal” behavior baselines, whereas SIEM employs rule-based correlation and pattern recognition.
UEBA can also be integrated into SIEM systems to improve user and entity behavior analytics, and SIEM solutions frequently offer UEBA capabilities as modules. Some vendors such as ManageEngine Log360 or Microsoft Sentinel offer unified SIEM products that provide SIEM and UEBA capabilities in a single solution.
FAQ
What is a UEBA system used for?
A UEBA system identifies and responds to cybersecurity threats by monitoring user and network activity. It aids in the detection of anomalous behaviors, misconfigurations, and potential vulnerabilities, allowing security teams to take necessary steps to secure their systems.
What are the three pillars of UEBA?
Gartner defines the three pillars of UEBA (user and entity behavior analytics) as follows:
1. Use cases: UEBA systems should monitor, detect, and alert to deviations in user and entity activity across multiple use cases.
2. Data sources: UEBA systems should be able to retrieve data from generic data repositories or via a SIEM without deploying agents directly in the IT environment.
3. Analytics: To discover anomalies, UEBA uses several analytical tools such as statistical models, and machine learning.
How do UEBA tools help organizations?
UEBA tools collect logs and alerts from all connected data sources and analyze them to create baseline behavioral profiles of your organization’s entities (e.g. users, hosts, IP addresses, and apps) over time and peer group boundaries.
These tools can then leverage anomaly-based threat detection to provide comprehensive user and entity insights into unusual activity and assist you in determining if an asset has been hacked. This helps SOCs to prioritize investigation and incident response. For more: Incident response tools.
Note that, unlike user behavior analytics (UBA), UEBA has an extended scope. While UBA focuses only on evaluating user activity, UEBA encompasses the behavior of both users and network entities, including:
- network devices
- routers
- databases
Further reading
External Links
- 1. “Netskope Advanced UEBA Case Studies”. Netskope. May 2023. Retrieved October 27, 2024.
- 2. “Netskope Advanced UEBA Case Studies”. Netskope. May 2023. Retrieved October 27, 2024.
- 3. “Rapid7's MDR is Winthrop & Weinstine's 24/7 ‘eyes and ears’”. Rapid7.
- 4. “Exabeam Allows Union Bank to Focus on Actual High-risk Incidents”. Exabeam.
- 5. “Exabeam Equips Lineas with the Tools to Secure the Availability of Their IT Systems”. Exabeam.