UEBA in Enterprise SecOps

User and Entity Behavior Analytics (UEBA) is the analysis of user and entity behavior data to detect suspicious behaviors associated with security threats. UEBA tools establish baselines where ‘normal’ behavior can be defined and from which unique behavior can be quantified and tracked.


When unusual behavior is detected, the weight of the unusual behavior is determined relative to various entity attributes assigned to the respective user/entity. Additional characteristics, such as asset ownership, can be determined by UEBA tools and weighted appropriately to determine the ‘normalness’ of a logged and/or correlated behavior within the network.

Over time, as the tool ingests more information about the environment, it builds a picture of normal web activity and geolocation data, and identifies the files typically accessed by you, your team, and other teams across the company, in a way that reflects typical system behavior.

Entities that engage in behavior deviating from the baselines are assigned a weighted value representing how severely the behavior deviates from the norm. Examples of unusual behavior include logins from atypical locations, logins from new devices, or accessing data outside of normal hours. Types of UEBA use cases are discussed in greater depth at the end of this post.

These tools can support security operations after a breach occurs by providing the proper documentation required to gain insight into security gaps and change policies and procedures during incident review. Data collected from UEBA tools can also be used to supplement asset management programs to identify asset ownership by analyzing user-asset behavioral data.

Okay — can you give me an example?

Let’s provide some very basic hypothetical context to show why User and Entity Behavior Analysis tools can help security operations. Typically in a SIEM, account logins are tracked but not logically correlated. For instance, when account user Erika Baker logs into her workstation, this event is recorded in a log, which is collected, ingested, and stored by the SIEM. A security analyst could search for this login, or any stored login event, by searching for user=‘erika.baker’ or similar depending on the search language used.

Let’s say that Erika now logs into a database using a shared administrative account, dbadmin. A traditional SIEM would identify this user by its username as dbadmin — but would not correlate the login with Erika. A UEBA tool can identify and correlate this login as Erika; it does so by using additional SIEM data to connect the activity of users within the network with the activity of the machine hosting the database, in this case.

This advanced data analysis is supported by machine learning algorithms that quickly detect unique trends across many values and combinations of data sets, so that the security analyst is freed to investigate positive indicators of unusual behavior as they occur, or in some cases even before they occur.

Returning to our hypothetical enterprise, the baselines collected over the course of several months show Erika consistently logging into the company VPN from the US. Recently, however, the logins have been coming from Russia and China. Due to the highly unusual nature of this behavior, you can alert the appropriate administrator to reset Erika’s password and investigate this security incident further. Ideally, the UEBA tool identifies behaviors like these early enough that the consequences can be averted.
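To make the two ideas in the hypothetical concrete (attributing a shared-account login back to a person via the workstation session on the source host, and scoring a login against a per-user geolocation baseline weighted by account type), here is an added example in Python that is not from the original post. The sample events, host names and the 8-hour session window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the original post). Workstation logins are
# (timestamp, user, source host, geolocated country); database logins are
# (timestamp, account, source host) and the SIEM sees only the shared account.
WORKSTATION_LOGINS = [
    ("2019-03-01T08:55:00", "erika.baker", "WS-1042", "US"),
    ("2019-03-02T09:01:00", "erika.baker", "WS-1042", "US"),
    ("2019-03-03T08:58:00", "erika.baker", "WS-1042", "US"),
    ("2019-03-04T03:12:00", "erika.baker", "WS-1042", "RU"),
]
DB_LOGINS = [
    ("2019-03-02T09:30:00", "dbadmin", "WS-1042"),
    ("2019-03-04T03:40:00", "dbadmin", "WS-1042"),
]
# Entity attribute used to weight deviations: shared admin accounts count double.
ACCOUNT_WEIGHT = {"dbadmin": 2.0}


def build_baseline(events, until):
    """Per-user count of login countries seen before ISO timestamp `until`."""
    baseline = defaultdict(lambda: defaultdict(int))
    for ts, user, _host, country in events:
        if ts < until:  # ISO-8601 strings sort chronologically
            baseline[user][country] += 1
    return baseline


def attribute_shared_login(db_event, ws_events, window=timedelta(hours=8)):
    """Map a shared-account login to the person whose workstation session on the
    same source host started most recently within `window`; None if none did."""
    ts, _account, host = db_event
    t = datetime.fromisoformat(ts)
    sessions = [e for e in ws_events if e[2] == host
                and timedelta(0) <= t - datetime.fromisoformat(e[0]) <= window]
    if not sessions:
        return None
    latest = max(sessions, key=lambda e: e[0])
    return latest[1], latest[3]


def assess(db_event, ws_events, baseline):
    """Score: share of the attributed user's baseline logins NOT from this
    country (0 = routine, 1 = never seen before), times the account weight."""
    who = attribute_shared_login(db_event, ws_events)
    weight = ACCOUNT_WEIGHT.get(db_event[1], 1.0)
    if who is None:  # unattributable use of a shared account is itself unusual
        return {"user": None, "country": None, "score": weight}
    user, country = who
    total = sum(baseline[user].values())
    novelty = 1.0 if total == 0 else 1.0 - baseline[user][country] / total
    return {"user": user, "country": country, "score": round(novelty * weight, 2)}
```

With the baseline built from the first three days, the dbadmin login on 2019-03-02 is attributed to Erika from the US and scores 0.0, while the one on 2019-03-04 is attributed to her session from Russia and scores 2.0.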

Who Uses UEBA tools?

If you haven’t yet heard of the 20 CIS Controls, they are frequently used in enterprises to guide the growth of internal security programs. These controls serve as “a short list of high-priority, highly effective defensive actions that provide a ‘must-do, do-first’ starting point for every enterprise seeking to improve their cyber defense.” (CIS, 2019)

Enterprises with an established security program seeking to mature their current security model often choose to integrate UEBA products into their toolset. Foundational CIS Control #16: Account Monitoring requires that the organization:

“Actively manage the life cycle of system and application accounts — their creation, use, dormancy, deletion — in order to minimize opportunities for attackers to leverage them.” (Center for Internet Security, 2019)

With respect to the CIS Controls, UEBA tools should be integrated after an organization has successfully implemented all of the basic security controls into their Security and IT operations. These controls are meant to equip organizations with the appropriate data and resources required to responsibly monitor, collect, store, and respond to company security data.

Beyond the CIS Controls, healthcare, financial, and energy-related organizations will seek out UEBA solutions in order to satisfy governance or service-level requirements related to data collection, retention, monitoring, and security.

Additionally, many European businesses will find themselves seeking a UEBA solution following the EU’s full adoption of the General Data Protection Regulation (GDPR) in March 2018. GDPR enforces stronger private data protections and greater fines; it requires organizations to have greater visibility into data protection in order to detect, and subsequently disclose within 72 hours, data breaches that might “result in a risk for the rights and freedoms of individuals”.

UEBA technology assists organizations by identifying suspicious behavior before it substantially disrupts the organization. Regardless of sector, when implemented effectively UEBA tools can help detect unwanted behavior, break the attack chain earlier, and reduce overall mean time to resolution (MTTR) of security incidents in order to minimize potential damages to the company and affiliates.

UEBA Use Cases

UEBA tools typically look for the same or similar patterns in data: behavioral anomalies or trends indicative of a security event or compromise. The following is a list of 10 common UEBA use cases (Gartner, Mar 2017):
