UEBA
What is user and entity behavior analytics? (UEBA)
User and entity behavior analytics (UEBA), also known as user behavior analytics
(UBA), is the process of gathering insight into the network events that users
generate every day. Once collected and analyzed, it can be used to detect the use
of compromised credentials, lateral movement, and other malicious behavior.
The Gartner Market Guide added ‘Entity’ to User Behavior Analytics because threats
increasingly originate from sources other than individual users. These entities
include, but are not limited to, routers, servers, applications, and other network
devices that could be compromised.
As networks have become more complex, it’s become easier than ever to
successfully infiltrate a corporate network and masquerade as an internal
employee, circumventing external defenses. If an attacker is able to penetrate a
network and remain there undetected, they can repeatedly steal sensitive data
and cause monetary damage. User Behavior Analytics exposes stealthy attacker
activities by uncovering patterns in user behavior to identify what’s “normal”
behavior, and what may be evidence of intruder compromise, insider threats, or
risky behavior on a network.
User and Entity Behavior Analytics enables you to more easily determine whether
a potential threat is an outside party pretending to be an employee or an actual
employee who presents some kind of risk, whether through negligence or malice.
UEBA connects activity on the network to a specific user as opposed to an IP
address or an asset. This means that if a user starts to behave in a way that’s
unusual or unlikely, even if it isn’t flagged by traditional perimeter monitoring
tools, you’ll be able to spot the behavior quickly, determine whether it’s
anomalous, and start an investigation if needed.
For example, stolen credentials are a common attack vector used by penetration
testers and real-world criminals alike. Whether the criminal obtains credentials
via phishing attacks, malware, key logging, or even a third-party data breach, all
they need is one working username and password combination; once they’re able
to log in, they can silently move within a network undetected.
However, once an attacker is in, they usually start to act in ways unlike a normal
user, such as by moving laterally between assets. The intruder moves from step
to step in what’s often called the “attack” or “kill chain,” looking for increasingly
interesting targets to raid and data to exfiltrate.
The ability to baseline what kind of user behavior is normal on a network and
what isn’t is critical. User behavior analytics provides you with the data to
identify trends and easily spot outliers, so you can more easily and quickly
identify and investigate potential threats and break the attack chain.
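A minimal version of the baseline-and-outlier logic described above, written as an added example rather than code from any UEBA product: it builds a per-user profile from constructed authentication events, explains why a new event departs from that profile, and flags a user who reaches several never-before-seen hosts in a short window, the lateral-movement pattern discussed earlier. The log format, user names and host names are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: timestamp, user, source host, destination host.
BASELINE_LOG = [
    "2024-03-04T09:15:00 user=alice src=ws-alice dst=fileserver01",
    "2024-03-04T10:02:00 user=alice src=ws-alice dst=mail01",
    "2024-03-05T09:40:00 user=alice src=ws-alice dst=fileserver01",
]
NEW_LOG = [
    "2024-03-06T09:20:00 user=alice src=ws-alice dst=fileserver01",
    "2024-03-06T02:05:00 user=alice src=vpn-gw dst=dc01",
    "2024-03-06T02:12:00 user=alice src=vpn-gw dst=fileserver02",
    "2024-03-06T02:20:00 user=alice src=vpn-gw dst=hr-db01",
]

def parse(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["src"], kv["dst"]
def build_baseline(lines):
    """Per-user profile: destinations reached, source hosts used, hours active."""
    profile = defaultdict(lambda: {"dst": set(), "src": set(), "hours": set()})
    for ts, user, src, dst in map(parse, lines):
        p = profile[user]
        p["dst"].add(dst); p["src"].add(src); p["hours"].add(ts.hour)
    return dict(profile)
def deviations(profile, line):
    """Why one event departs from the user's baseline (empty list means normal)."""
    ts, user, src, dst = parse(line)
    p = profile.get(user)
    if p is None: return ["unknown user"]
    reasons = []
    if src not in p["src"]: reasons.append(f"new source host {src}")
    if dst not in p["dst"]: reasons.append(f"new destination {dst}")
    if ts.hour not in p["hours"]: reasons.append(f"unusual hour {ts.hour:02d}")
    return reasons
def lateral_movement(profile, lines, window=timedelta(minutes=30), threshold=3):
    """Users that reach >= threshold never-before-seen hosts inside one window."""
    new_hosts = defaultdict(list)  # user -> [(ts, dst)] for unseen destinations
    for ts, user, src, dst in sorted(map(parse, lines)):
        if dst not in profile.get(user, {"dst": set()})["dst"]:
            new_hosts[user].append((ts, dst))
    flagged = {}
    for user, hits in new_hosts.items():
        for start, _ in hits:
            in_window = {d for t, d in hits if start <= t <= start + window}
            if len(in_window) >= threshold:
                flagged[user] = sorted(in_window); break
    return flagged
```

A real deployment would build the baseline over weeks of events and weight the reasons, but the structure is the same: profile per user, then score each event against that profile rather than against a static rule.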
To spot trends and make connections, first you must have a way to gather key
behavioral data in one centralized location, so it can be parsed by analytical tools
later. Traditionally, user behavior analytics is added as a layer on top of
existing security information and event management (SIEM) deployments.
User and Entity Behavior Analytics is one part of a multilayered, integrated IT
and information security strategy to prevent attacks and investigate threats. It
can be an incredibly powerful tool to detect compromise early, mitigate risk, and
stop an attacker from exfiltrating an organization’s data.
In summary