Decoded: UEBA (user and entity behaviour analytics)

User and entity behaviour analytics is a powerful tool in the security team's toolkit. The technology lets organisations detect insider threats, targeted attacks and financial fraud as they happen. Our latest Decoded article explains how UEBA works.

By Aled Herbert

Tue 1 Aug 2017 @ 12:18

We seem to be hearing a lot about threats originating from inside the perimeter these days rather than outside. What's going on?

Cybersecurity defences and budgets used to be predominantly focused on securing the perimeter and keeping intruders out. But in recent times the notion of a perimeter surrounding an organisation's IT estate and data has become less useful. Increasingly, attacks are originating from within the organisation from employees or intruders using their credentials. In fact, user accounts have become critical attack vectors for cyber criminals intent on data theft or damaging systems.

How common are these kinds of attacks?

So-called insider attacks are on the rise. According to research in 2016, one in three organisations experienced an insider attack in the previous 12 months. Meanwhile, research from IBM reported that 55 per cent of attacks were carried out by insiders.

What are the different kinds of inside threats?

Inside threats can take many forms. Company credentials may have been compromised and used by an external agent, or misused by disgruntled employees or rogue insiders, who may even have taken a job with an organisation for this purpose. Credentials could also have been compromised through data breaches or brute force password attacks.

Privileged accounts are particularly at risk of being targeted as they give attackers access to more of the network than normal credentials. Privileged accounts are increasingly targeted by hackers through sophisticated social engineering techniques.

This is a growing problem for security teams with responsibility for monitoring hundreds if not thousands of user accounts without automation. After all, you can only defend against insider threats if you know they're there.

But help is at hand. Security teams can employ user and entity behaviour analytics (UEBA) to detect and shut down attacks before serious and lasting damage is done.

So what do UEBA systems do?

Originally defined by Gartner as a “cybersecurity process about detection of insider threats, targeted attacks, and financial fraud”, UEBA is a sophisticated and maturing suite of technologies that let SecOps see at a glance if something out of the ordinary is happening on the network.

UEBA technology gathers large amounts of data on user activity and behaviour from disparate data sources. The system then learns the behaviour of users and entities (meaning devices, servers and other endpoints) by applying scenario-based algorithms that use machine learning, statistical analysis, peer group analytics and other techniques.

Once the system has established a baseline of what 'normal' user or entity behaviour looks like, it can detect and report anomalies and unusual activities far quicker than manual checks.

Can you give me an example?

If User A typically logs in at 09:00, fires up Outlook and some productivity applications and glances at Internet Explorer over lunch, then all is well. However, if one morning User A instead logs in at 03:00 from an overseas location, exports a large amount of data from a company database and logs on to a cloud storage website then some alarm bells start to ring.
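The User A scenario above as a minimal baseline-and-deviation check, added here as an illustration and not taken from any UEBA product. The history rows, field names, country codes, application names and the z-score limit of 3 are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample history for "User A":
# (login_hour, country, mb_exported, apps_used)
HISTORY = [
    (9, "GB", 4, {"outlook", "word", "browser"}),
    (9, "GB", 6, {"outlook", "excel"}),
    (8, "GB", 5, {"outlook", "word", "browser"}),
    (9, "GB", 3, {"outlook", "excel", "browser"}),
    (10, "GB", 7, {"outlook", "word"}),
]

def build_baseline(history):
    """Summarise what 'normal' looks like for one user."""
    hours = [h for h, _, _, _ in history]
    exports = [mb for _, _, mb, _ in history]
    return {
        # Fall back to 1.0 so a perfectly regular user never divides by zero.
        "hour_mean": mean(hours), "hour_sd": pstdev(hours) or 1.0,
        "mb_mean": mean(exports), "mb_sd": pstdev(exports) or 1.0,
        "countries": {c for _, c, _, _ in history},
        "apps": set().union(*(a for _, _, _, a in history)),
    }

def score_session(baseline, hour, country, mb_exported, apps, z_limit=3.0):
    """Return (risk_score, reasons); each deviation from baseline adds one point."""
    reasons = []
    # Circular distance so 23:00 vs 01:00 counts as 2 hours, not 22.
    gap = abs(hour - baseline["hour_mean"])
    gap = min(gap, 24 - gap)
    if gap / baseline["hour_sd"] > z_limit:
        reasons.append("unusual login hour")
    if country not in baseline["countries"]:
        reasons.append("new login country")
    if (mb_exported - baseline["mb_mean"]) / baseline["mb_sd"] > z_limit:
        reasons.append("export volume far above normal")
    new_apps = sorted(set(apps) - baseline["apps"])
    if new_apps:
        reasons.append("first use of: " + ", ".join(new_apps))
    return len(reasons), reasons

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(score_session(base, 9, "GB", 5, {"outlook", "word"}))
    print(score_session(base, 3, "US", 2048, {"db_export", "cloud_storage"}))
```

No single signal here is conclusive on its own; the score rises because four independent deviations occur in the same session.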

What else can UEBA systems do for my enterprise?

The technology can help you build more secure and resilient systems. Algorithms can adapt, risk tolerances can be changed and baselines reset. In other words, the system learns over time and becomes more effective at detecting insider threats. UEBA can also help organisations improve security by identifying weak links in any chain.

Sounds like the insider threat is solved.

We still need to guard the perimeter, or what remains of it, but security professionals need to adapt to the increase in the number of attacks and respond to the increasingly sophisticated ways in which systems can be breached. But UEBA is now a potent weapon in the cybersecurity arsenal.