Making the Most of User Entity Behavior Analytics: Expectations, Features and Best Practices

Tuesday, May 24, 2016

Brian Soldato


User Entity Behavior Analytics (UEBA) has recently emerged as an advanced approach to detecting cyber threats. UEBA solutions leverage machine learning to surface threats, and in many instances do so much faster than legacy SIEMs or other solutions can. They zero in on anomalous events with great accuracy.

If this description reminds you of other analytics tools, that’s no coincidence. User behavior analytics has materialized as a security-specific application of the same basic principles involved in all smart business analytics.

How does it work? What should I expect from UEBA?

First, UEBA solutions collect information emerging from many nodes in the network. The best solutions will collect data from network devices, systems, applications, databases and users. Using this data, they then create a baseline to determine what normal means under different conditions.

Once the baseline is established, UEBA solutions continue to aggregate data, looking for patterns that are deemed not normal. These determinations assess how, and how much, a new event is unusual in context, and prioritize the event by its significance and possible business impact. User behavior analytics administrators can typically also create custom rules to tailor the solution more closely to the organization and its unique services, data, and processes.
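As an added illustration of the baseline-then-score loop described above (example code written for this article, not from the original post or any vendor product): it learns a per-user profile from constructed history, scores new events by how unusual they are for that particular user, weights them by an assumed asset-criticality table to stand in for "possible business impact", and contrasts the result with a fixed, user-agnostic threshold of the kind the article later warns may be marketed as machine learning. The user names, hosts, byte counts, the event schema and the ASSET_WEIGHT table are all constructed.

```python
"""Toy UEBA scoring loop: learn a per-user baseline from historical events,
then score new events by how unusual they are for that user and how much
the asset involved matters. Added example; all data below is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, hour_of_day, host, bytes_out). The schema is
# an assumption; a real deployment parses logs and flows from many sources.
HISTORY = [
    ("alice", 9, "fileserver", 120_000), ("alice", 10, "fileserver", 150_000),
    ("alice", 14, "fileserver", 130_000), ("alice", 16, "crm", 90_000),
    ("alice", 11, "crm", 110_000), ("alice", 15, "fileserver", 140_000),
    ("bob", 8, "build", 900_000), ("bob", 9, "build", 1_100_000),
    ("bob", 13, "build", 950_000), ("bob", 17, "build", 1_050_000),
    ("bob", 10, "build", 1_000_000), ("bob", 12, "build", 1_000_000),
]

# Assumed asset-criticality table: the "possible business impact" factor.
ASSET_WEIGHT = {"fileserver": 3.0, "crm": 2.0, "build": 1.0, "hr-db": 5.0}

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("alice", 2, "hr-db", 600_000),   # 02:00, never-seen HR database, ~5x her norm
    ("bob", 9, "build", 1_050_000),   # routine for bob, but above a naive global limit
    ("bob", 10, "build", 1_300_000),  # moderately high for bob
    ("mallory", 3, "hr-db", 1_000),   # account with no baseline at all
]


def build_baseline(events):
    """Per-user profile: hours and hosts seen, plus bytes_out mean and stddev."""
    per_user = defaultdict(list)
    for user, hour, host, nbytes in events:
        per_user[user].append((hour, host, nbytes))
    baseline = {}
    for user, rows in per_user.items():
        sizes = [b for _, _, b in rows]
        baseline[user] = {
            "hours": {h for h, _, _ in rows},
            "hosts": {h for _, h, _ in rows},
            "mean": mean(sizes),
            "std": pstdev(sizes) or 1.0,   # guard against a flat history
        }
    return baseline


def score_event(baseline, event):
    """Return (priority, reasons). Priority = contextual anomaly for THIS
    user multiplied by the business weight of the asset touched."""
    user, hour, host, nbytes = event
    weight = ASSET_WEIGHT.get(host, 1.0)
    prof = baseline.get(user)
    if prof is None:                      # never seen: cannot be "normal"
        return 10.0 * weight, ["no baseline for user"]
    z = (nbytes - prof["mean"]) / prof["std"]
    anomaly, reasons = max(z, 0.0), []
    if z > 3:
        reasons.append(f"volume {z:.1f} sigma above this user's baseline")
    if hour not in prof["hours"]:
        anomaly += 2.0
        reasons.append(f"unusual hour {hour:02d}:00")
    if host not in prof["hosts"]:
        anomaly += 2.0
        reasons.append(f"first access to host {host}")
    return anomaly * weight, reasons


def static_rule(event, threshold=800_000):
    """A fixed, user-agnostic threshold: a correlation rule, not learning."""
    return event[3] > threshold


def rank_events(baseline, events, min_priority=3.0):
    """Alerts above min_priority, highest first, with their explanations."""
    alerts = []
    for ev in events:
        priority, why = score_event(baseline, ev)
        if priority >= min_priority:
            alerts.append((round(priority, 1), ev[0], ev[2], why))
    return sorted(alerts, reverse=True)


if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    for alert in rank_events(bl, NEW_EVENTS):
        print(alert)
    for ev in NEW_EVENTS:
        print(ev[0], "static rule fires:", static_rule(ev))
```

Run as a script, the ranking puts alice's 02:00 pull from the HR database at the top with three reasons attached, the account with no history second, and bob's moderately large build transfer last; bob's routine 1,050,000-byte transfer is not alerted at all. The fixed 800,000-byte rule does the opposite: it fires on bob's routine traffic and stays silent on alice, because a global threshold has no notion of what is normal for each entity.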

One important principle to understand is that UEBA addresses anomalous behavior much more than infrastructure events in general. This focused approach helps address some of the most puzzling issues organizations face today:

  • Determining when a valid privileged account has been compromised
  • Surfacing insider threats
  • Determining when a system or application has been compromised

Key Features of UEBA: What to Look for in Vendor Solutions

Many vendors have begun claiming UEBA capabilities in their products, and there is a small, but growing number of what I call true UEBA providers. These vendors' products all function in a similar way. Essentially, they are all built on a platform with a core engine running proprietary analytics algorithms that takes in data feeds from existing sources and analyzes the data. The tools then display their findings in a user dashboard. The goal is to provide information security and IT professionals with actionable information to address the threats.

At present, most of these tools don't actively respond to threats themselves, but merely provide security operators with the insight to determine whether action should be taken and the ability to orchestrate such action. Platforms available today will likely continue on a path to integrate with firewalls, endpoints, and other network nodes to enable automated response within the next year.

Security analytics algorithms are the "secret sauce" that drive these platforms. When assessing UEBA platforms, security professionals should be sure to ask for details of how these algorithms work. Many vendors will claim that this is their intellectual property. However, if the vendor has an insider threat model, ask if the model is based on specific events and/or flow messages such as logins and data access from devices, applications and hosts with set thresholds. If it is, this likely isn't machine learning, but pre-configured correlation rules. This is an easy way to determine whether the vendor is just marketing machine learning or actually has machine learning in their solution. Other important differentiators between UEBA products include the following:

  • Supported data sources – These are the types of data the tool integrates with, including the supported formats (CSV, Excel, databases, etc.) and types of log files (from hosts, applications, routers, firewalls, VPNs, file systems, and even big data solutions such as Hadoop). Ask whether these are built-in, pre-existing integrations or require professional services to build. Seek to understand whether the UEBA solution only collects basic event and flow data or goes beyond that to capture more detail. If the former, critical user, system, and application data may be left behind, because logs and flows don't always contain all the activity. Lastly, consider whether these data sources can be configured directly from the platform's user interface.
  • Partnerships – A wide array of vendor partnerships is a measure of how credible the tool is and how well it integrates with other products.
  • The time it takes to establish a baseline – This relates to whether the tool establishes the baseline in an entirely automated and dynamic fashion, or requires manual input from a user to tune and tweak it. Some platforms make determinations based on just a few days of historical records; others can take weeks to about a month. Experience tells us that longer records tend to provide far more accurate baselines, because they can take into consideration seasonal variations, such as the end-of-quarter close or another big event. However, some platforms have much more compute capacity available for running multiple advanced algorithms, which can do a better job at dynamic learning and improve the ability to surface threats accurately.
  • Time to results (TTR) – How quickly after initial integration the solution begins to produce actionable threat results. There is no obvious metric here: a clear definition of results is delivering previously unknown insights around abnormal behavior following the initial configuration and establishment of a baseline. Furthermore, some solutions claim they can do this in real time; be sure to ask the vendor to define metrics around such claims, and whether they provide a means to test them.
  • Dashboard flexibility – Understand whether the UEBA platform was designed with the assumption that the dashboard operator would be a security analyst or manager, or a less sophisticated user. Many UEBA tools can be customized to provide detailed or executive-level reporting.
  • Platform delivery – Understand how the platform is delivered. Most vendors offer an on-premises version of the product (either software-only or an appliance), and most also offer a cloud-based version. One major challenge with cloud products is that UEBA platforms require close integration with many data sources that companies consider proprietary or sensitive (e.g., financial data feeds, HR systems, medical records, etc.), and companies don't wish to expose this data to the cloud. The exception here is if the UEBA platform vendor secures that data over an encrypted channel from the cloud to the premises. In the next few years sensitive data will increasingly move to the cloud, and so cloud-based delivery of UEBA is likely to become a more popular option for enterprises.
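To make the baseline-length point concrete (the end-of-quarter close mentioned under the time it takes to establish a baseline), here is an added example that is not part of the original article or any product: it constructs a single hypothetical finance analyst's daily export counts, which run near 100 on ordinary days and near 400 during the last three days of each quarter, and then scores the first day of the next quarter close three ways: against a flat seven-day window, against a flat 91-day window, and against a seasonal baseline that only compares like with like. The quarter-close definition, the 100/400 levels and the jitter pattern are all assumptions.

```python
"""Why the baseline window matters: a short baseline cannot contain last
quarter's close, so the next one looks like an attack. Added example, not
from the article; all data is constructed for one hypothetical user."""
from datetime import date, timedelta
from statistics import mean, pstdev


def is_quarter_end(d, window_days=3):
    """True for the last `window_days` calendar days of d's quarter (assumed
    definition of 'quarter close')."""
    last_month = ((d.month - 1) // 3 + 1) * 3
    first_of_next = (date(d.year + 1, 1, 1) if last_month == 12
                     else date(d.year, last_month + 1, 1))
    quarter_last_day = first_of_next - timedelta(days=1)
    return (quarter_last_day - d).days < window_days


def synth_history(start, days):
    """Constructed daily 'records exported' counts: about 100 on an ordinary
    day, about 400 during quarter close, with a fixed jitter pattern so the
    numbers are reproducible."""
    rows = []
    for i in range(days):
        d = start + timedelta(days=i)
        if is_quarter_end(d):
            value = 400 + (-15, 0, 15)[i % 3]
        else:
            value = 100 + (i % 7) - 3
        rows.append((d, value))
    return rows


def zscore(value, sample):
    """Standard deviations above the sample mean (1.0 guards a flat sample)."""
    return (value - mean(sample)) / (pstdev(sample) or 1.0)


def score_flat(history, day, value, window_days):
    """Baseline = the `window_days` days before `day`, no seasonal context."""
    lo = day - timedelta(days=window_days)
    recent = [v for d, v in history if lo <= d < day]
    return None if len(recent) < 2 else zscore(value, recent)


def score_seasonal(history, day, value, lookback_days):
    """Baseline = prior days in the same phase (quarter close or not), limited
    to `lookback_days` of history. None when the phase has too few samples."""
    lo = day - timedelta(days=lookback_days)
    phase = is_quarter_end(day)
    same = [v for d, v in history
            if lo <= d < day and is_quarter_end(d) == phase]
    return None if len(same) < 2 else zscore(value, same)


HISTORY = synth_history(date(2016, 1, 1), 179)   # 1 Jan .. 27 Jun 2016
NEW_DAY, NEW_VALUE = date(2016, 6, 28), 410      # first day of the Q2 close


def compare():
    """Score the same event under three baselines; 3 sigma is the usual alert line."""
    return {
        "flat_7d": round(score_flat(HISTORY, NEW_DAY, NEW_VALUE, 7), 1),
        "flat_91d": round(score_flat(HISTORY, NEW_DAY, NEW_VALUE, 91), 1),
        "seasonal_30d": score_seasonal(HISTORY, NEW_DAY, NEW_VALUE, 30),
        "seasonal_179d": round(score_seasonal(HISTORY, NEW_DAY, NEW_VALUE, 179), 2),
    }


if __name__ == "__main__":
    for name, z in compare().items():
        print(f"{name:14s} z = {z}")
```

The seven-day window scores the quarter-close day at 155 sigma, a certain false positive; the 91-day flat window does contain March's close but still scores it above 3 sigma, because the spike days are averaged in with ordinary ones. A seasonal baseline with only 30 days of history returns None: there is simply no comparable day to learn from, which is the practical meaning of "it takes weeks to a month". With history reaching back past the previous close, the same event scores under one sigma and stays quiet, and a genuine anomaly on a quarter-close day would still stand out against the three prior close days.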

UEBA Best Practices: How to obtain optimal results

Basic best practices to get optimal results from your UEBA tools include:

  • Take both external and internal threats into account when choosing a UEBA solution.
  • Look for solutions that feature analytical strengths in areas important to your organization, such as insider threat and compromised credentials. Choose a solution that fully surfaces the threat, such as an insider taking intellectual property and emailing it out using their Hotmail or Gmail account. Many UEBA platforms lack this basic ability.
  • Consider carefully which team members have access and who gets alerted.
  • Don't assume standard accounts are harmless. Many attacks create a cascade effect, compromising assets in sequence until they finally gain control of a privileged account, or escalate privileges from an account that had none.

UEBA platforms are very promising. In the near future, expect to see user behavior analytics platforms integrate more directly with infrastructure and with automated response. We are already seeing this with firewalls and other network devices that can be configured to take user behavior analytics-derived insight and create new traffic rules immediately, shutting down invasive threats long before human talent would even notice they’re there.

About the author: Brian Soldato is Director of Product Management for Seceon. A 17-year security technology veteran, Brian is responsible for driving Seceon’s product vision and strategy. Prior to Seceon, Brian led product management for various SIEM solutions, including Intel Security’s SIEM product line.
