What Is UEBA?

User and entity behavior analytics (UEBA) is a powerful tool in cybersecurity that detects unusual behavior from traffic patterns on the network. Attacker actions vary once they compromise a network, so organizations need a way to detect malicious activity quickly to contain the breach. The attacker could steal files, store malware on a storage device, query databases, take control of user devices, or simply eavesdrop on network traffic. All network activity can be monitored, but any positive detection must be distinguishable from legitimate user activity to avoid false positives. UEBA detects unusual traffic patterns and alerts administrators without interfering with legitimate network traffic and user behaviors.

A computer network could have thousands of devices and users that generate traffic daily. The cloud, work-at-home employees, and public-facing connections add to a rich target environment for attackers. The traffic generated by users and devices is typically monitored for anomalies, but few tools monitor behavior patterns. UEBA helps security professionals identify anomalies by using baseline activity statistics and comparing them to current user behaviors. These behaviors could be legitimate or malicious, and a UEBA tool distinguishes the billions of bytes traveling across the network from the few potentially malicious ones.

Analytics are what makes UEBA a powerful tool in security. In older cybersecurity defense, simple triggers were defined to indicate when a file was accessed or when authentication failed. UEBA often uses artificial intelligence (AI) and machine learning (ML) algorithms to determine if any of these actions are legitimate user authentication or the actions of an attacker.

UEBA has several functions in cybersecurity, including:

• Detection of insider threats: Insider threats are typically employees, but they can also include third-party vendors with access to the network. Data breaches from insiders could be malicious or unintentional, e.g., when an employee gets tricked into falling victim to an attack.
• Detection of compromised accounts: When an employee falls victim to phishing, an attacker uses the stolen credentials to access the network and to steal stored data.
• Detection of brute-force attacks: Attacks on user accounts are common in public-facing environments in the cloud. A brute-force attack can persist indefinitely without something in place to stop it.
• Detection of a compromise: When all other cybersecurity systems fail to block an attacker, a UEBA will stop attackers already inside the perimeter and active on the network.

Without UEBA systems, organizations would be unable to detect a data breach and take steps to remediate the compromise. The longer an attacker has access to a network; the more data can be exfiltrated. Detection of an attacker could take months, and UEBA systems lower the amount of time an attacker has access to critical systems before being caught.

After a network compromise, an attacker often performs stealthy actions to avoid detection. Most cybersecurity systems block attackers from accessing the network, but very few systems can detect suspicious traffic patterns after a breach. UEBA intelligence focuses on identifying strange patterns based on a standard baseline within the environment.

Suppose that you have sensitive file content containing corporate intellectual property. Lawyers and other executives randomly access this file, but only a few times a year. An attacker could gain access to this file in several ways. The first way could be a phishing campaign where an attacker steals a lawyer’s username and password. Another method could be malware on the network to steal files and send them to an attacker-controlled server. An insider could take a copy of the file and email it to an external email.

Any activity performed by the attacker would generate traffic. Suppose that the attacker or malware on the network scans for intellectual property and finds the file. Activity on the file could require authentication or authorization, so scanning and accessing the file would generate unusual traffic compared to a single user authenticating on the network and opening the file. The attacker would take a copy, an unusual behavior compared to previous access attempts from legitimate users. A UEBA takes a baseline snapshot of normal traffic patterns on this file and then compares it to current activity. Because the attacker doesn’t know normal file access behavior, any behavior would likely be different from normal network activity. The UEBA would then identify the unusual activity and alert administrators to a potential breach.

UEBA is also beneficial for insider threats. Insider threats are a commonly overlooked issue. Organizations assume that employees can be trusted, but rogue employees who mean to do harm can perform malicious activity with much fewer obstacles than an outside attacker. Rogue employees could be a part of corporate espionage or just out to harm corporate data. In some cases, insider threats are not malicious but stem from a hacked employee account or successful phishing scam. Activity from insider threats would also be unusual because the user would attempt to access files that they don’t usually have access to or make copies of files that typically don’t have much activity.

Most organizations use a security information and event management (SIEM) tool to detect unusual activity on the network, so a UEBA seems redundant. However, a UEBA tool works differently than a SIEM and can work in conjunction with a SIEM. A SIEM is a rule-based system that takes log files from several different systems, analyzes the data, and then provides information to analysts. It will also provide alerts and suggestions that help analysts make decisions.

A UEBA tool works somewhat differently. It will detect unusual user behavior using AI, algorithms, and risk scoring to determine if traffic patterns are those of legitimate users or attackers. These tools will work with big data and incorporate machine learning in its analytics, reporting, and alerting systems. Overall, it’s best to use a SIEM with a UEBA for maximum security after a compromise.