
How UEBA helps increase cybersecurity


Organizations that want to add advanced analytics or machine learning capabilities to their IT security arsenal have a relatively new option: User and Entity Behavior Analytics (UEBA), a class of systems that analyze the behavior of users and of other entities.

UEBA products build a model of each user's typical behavior and then detect abnormal actions that do not fit that pattern and may indicate a security problem. In addition, UEBA systems detect atypical events involving other entities: workstations, software, network traffic, storage systems and so on.

A variety of analytical methods, including machine learning, are used to identify deviations. There is also a class of UBA systems which, as the name suggests, analyze only information associated with users and their roles. Data sources for UEBA systems are the log files of server and network components, security systems, and the local logs of endpoint workstations.

UEBA solutions usually come into play after other cybersecurity tools have failed to detect a threat inside the network.

Although UEBA solutions appeared not so long ago, they quickly became popular in large corporations. According to Gartner, sales of standalone UEBA solutions double every year. In addition, many vendors include UEBA functionality in other security tools, such as Security Information and Event Management (SIEM), network traffic analysis, Identity and Access Management (IAM), endpoint protection, or data loss prevention (DLP) tools. Gartner analysts predict that within five years the standalone UEBA products still on the market will have turned into next-generation SIEM solutions, while the remaining UEBA solutions will find their niche inside other security technologies.


Figure: how a UEBA system works. Source: Gartner

Below is a brief description of the most popular products in the UEBA segment. More detailed information about the products can be found in the UEBA comparison table on ROI4CIO, which compares the leaders identified in Gartner's research.

Exabeam Advanced Analytics


Exabeam provides security and management solutions that help organizations of all sizes protect their most valuable information. Exabeam products rely on machine learning and behavioral analytics.

According to Gartner experts, Exabeam Advanced Analytics is one of the best products in the UBA category. Compared to competitors, the solution is very easy for system administrators or analysts to learn, so its implementation time is much shorter. Analysts do not have to spend days or weeks collecting evidence and reconstructing incident timelines from information pulled out of the SIEM. The advanced analytics feature builds the incident timeline automatically, marks the anomalies on it and displays the details needed to understand the event and its context.

What previously took weeks can now be done in seconds. The product's user interface is convenient, and navigating and viewing historical data is extremely fast. The solution contains hundreds of built-in models, some of which are unique and cannot be found among competitors; this is the product's main advantage. The company offers qualified technical support for its solutions.

The reporting tool, unfortunately, is practically absent. The user can print or export the contents of the browser window, send alerts about abnormal sessions to the SIEM system, or simply take screenshots. Anything more requires an alternative tool. Viewing more than a dozen events on a timeline requires a high-resolution monitor, and even then no more than 20 events fit on the screen. A custom search feature is available through the "Threat Hunter" search panel, which offers some nice functionality.



Micro Focus Security ArcSight UBA


ArcSight User Behavior Analytics gives companies detailed information about their users, which greatly simplifies producing the behavioral data needed to mitigate threats. It helps to detect and investigate malicious user behavior, insider threats and account abuse, allowing organizations to detect violations before they cause significant damage.

ArcSight User Behavior Analytics helps customers reduce the risk of cyber attacks and detect abnormal behavior by matching the logs of identity management systems against the other IT logs generated by applications and networks. Deep integration with the SIEM also provides a faster response to identified threats and faster incident investigation. UBA analyzes user-related data, identifies deviations and compares them with peers, with historical activity and/or with violations of predefined expected behavior.

Thus, ArcSight UBA detects abnormal user behavior, which is essential for detecting compromised or abused accounts. Micro Focus offers the most mature, proven security use cases in UBA and seamless integration with SIEM.



Forcepoint UEBA


Forcepoint User and Entity Behavior Analytics (UEBA) allows security teams to proactively track anomalous, high-risk behavior within an organization. The analytical protection platform builds an unmatched context by combining structured and unstructured data to identify and block malicious, compromised and careless users. Forcepoint detects critical issues such as compromised accounts, corporate espionage, theft of intellectual property and fraud.

By assessing the nuances of how people, data, devices and applications interact, Forcepoint UEBA tells security teams what to act on first. The Forcepoint software solution is built on four principles:

Rich context. The product combines content collected from disparate data sources into a single whole, complementing the capabilities of SIEM and other information security solutions to identify and prevent undesirable user actions.

Behavioral analytics. Forcepoint UEBA uses several types of rigorous behavioral and content analytics focused on detecting changes, patterns and anomalies, in order to better detect complex attacks.

Search and detection. Provides powerful forensic investigation and detection tools through a contextual user interface for continuous monitoring and in-depth research.

Intuitive workflow. Provides proactive reporting that integrates fully with the system administrator's workflow and the customer's existing information architecture to optimize operational efficiency.



Splunk User Behavior Analytics


One of the main advantages of Splunk User Behavior Analytics is the detection of unknown threats and abnormal behavior using machine learning.

Splunk User Behavior Analytics offers the following features:

Advanced threat detection. The product detects deviations and unknown threats that traditional security tools miss.

Higher performance. Automates the merging of hundreds of detected anomalies into a single threat, greatly simplifying the life of a security analyst.

Powerful incident investigation. The solution offers deep investigative capabilities and detailed behavioral baselines for any entity, anomaly or threat.

Improved visibility and detection. Automates threat detection using machine learning, freeing up time to eliminate the threats themselves and strengthen security.

Accelerated threat hunting. Splunk User Behavior Analytics quickly identifies anomalous objects without human involvement. The solution covers a wide range of anomaly types (over 65) and threat classifications (over 25) for users, accounts, devices and applications.

Augmented SOC resources. Automatically combines hundreds of anomalies observed across multiple entities (users, accounts, devices and applications) into one common threat for faster response.
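The merging of many individual anomalies into a single threat described above is easy to sketch in code. The following is an added example written for this review, not Splunk UBA's code or a description of its internals: it links anomalies that share an entity (user, account, device, application) into one cluster with a union-find structure and combines their scores with a noisy-OR rule. The anomaly records, entity labels and weights are constructed for the example.

```python
"""Added example: group individual anomalies into one threat by shared entities.

Not vendor code. Anomalies that touch a common entity are placed in the same
threat; the threat score is a noisy-OR combination of the member scores, so
several medium anomalies on one user and device add up to a high-priority threat.
"""
from collections import defaultdict

# Constructed sample anomalies (made up for the example, not real detections).
ANOMALIES = [
    {"id": "a1", "type": "unusual_login_hour", "score": 0.4,
     "entities": {"user:alice", "device:wks-17"}},
    {"id": "a2", "type": "new_country_login", "score": 0.6,
     "entities": {"account:alice@corp", "device:wks-17"}},
    {"id": "a3", "type": "excessive_data_download", "score": 0.7,
     "entities": {"user:alice", "app:sharepoint"}},
    {"id": "a4", "type": "rare_process", "score": 0.3,
     "entities": {"device:srv-db-02"}},
    {"id": "a5", "type": "privilege_escalation", "score": 0.8,
     "entities": {"user:bob", "device:srv-db-02"}},
]


class UnionFind:
    """Disjoint-set forest over string labels (anomaly ids and entity names)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def combine_scores(scores):
    """Noisy-OR: each score is treated as an independent probability that
    something malicious is going on; the result never exceeds 1.0."""
    p_none = 1.0
    for s in scores:
        p_none *= (1.0 - s)
    return 1.0 - p_none


def aggregate_threats(anomalies):
    """Return threats (clusters of anomalies linked by shared entities),
    highest combined score first."""
    uf = UnionFind()
    for a in anomalies:
        for ent in a["entities"]:
            uf.union("anomaly:" + a["id"], ent)

    clusters = defaultdict(list)
    for a in anomalies:
        clusters[uf.find("anomaly:" + a["id"])].append(a)

    threats = []
    for members in clusters.values():
        entities = set().union(*(m["entities"] for m in members))
        threats.append({
            "anomaly_ids": sorted(m["id"] for m in members),
            "entities": sorted(entities),
            "score": round(combine_scores(m["score"] for m in members), 3),
        })
    threats.sort(key=lambda t: t["score"], reverse=True)
    return threats


if __name__ == "__main__":
    for t in aggregate_threats(ANOMALIES):
        print(t["score"], t["anomaly_ids"], t["entities"])
```

With the constructed data, a1, a2 and a3 end up in one threat because they share alice's user and account labels and the wks-17 device, and a4 and a5 form a second threat through srv-db-02; the analyst sees two threats instead of five alerts.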



Securonix UEBA


The Securonix UEBA solution provides advanced analytics based on machine learning. Its advantages include the following:

Reducing the risk of insider threats. Securonix builds a comprehensive risk profile for each user in the corporate environment, based on information about identity, employment, security violations, IT activity and access, physical access, and even phone records.

The product identifies the real areas of risk by comparing each user's activity with their individual baseline, with the baselines of the groups they belong to, and with known threat indicators. The results are scored and presented in interactive scorecards.

Clearer visibility in the cloud. Notable features include cloud-to-cloud monitoring with built-in API integrations for all major cloud infrastructures and application technologies; detection of malicious activity by analyzing user permissions and events; and correlation of cloud and on-premises data to add context about the object. The product also performs cross-cutting analysis of threat patterns that triggers a response.

Proactive fraud detection in the enterprise. The product identifies complex fraudulent attacks that usually evade signature-based detection, using advanced signature-less behavioral analysis and peer-group outlier analysis. It also detects account takeover, abnormal user behavior, transaction fraud and money-laundering violations.
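The core mechanism described in the introduction (learning a user's typical behavior from logs and flagging deviations) and in the Securonix section (comparing activity with the user's own baseline, with the baselines of their peer group, and with known threat indicators) can be illustrated end to end. The following is an added example written for this review, not code from Securonix or any other vendor: it parses a constructed log format, builds per-user and per-department daily baselines, computes clipped z-scores against both, checks two constructed indicators, and folds everything into a risk score. The log lines, the field names, the indicator rules and the weights are all assumptions made for the example.

```python
"""Added example: score one user-day against the user's own history, the
peer group's history and a short list of known indicators.

Illustration only; not vendor code. Log format and weights are constructed.
"""
import re
import statistics
from collections import defaultdict

# Constructed log lines (not real data): timestamp, user, department
# (used as the peer group), action and bytes transferred.
LOG_LINES = """
2024-03-01T09:12:00Z user=alice dept=finance action=download bytes=12000000
2024-03-01T10:40:00Z user=alice dept=finance action=download bytes=8000000
2024-03-02T09:05:00Z user=alice dept=finance action=download bytes=11000000
2024-03-03T09:30:00Z user=alice dept=finance action=download bytes=10000000
2024-03-01T11:00:00Z user=bob dept=finance action=download bytes=9000000
2024-03-02T11:10:00Z user=bob dept=finance action=download bytes=10000000
2024-03-03T11:20:00Z user=bob dept=finance action=download bytes=9500000
2024-03-01T14:00:00Z user=carol dept=finance action=download bytes=10500000
2024-03-02T14:05:00Z user=carol dept=finance action=download bytes=9800000
2024-03-03T14:10:00Z user=carol dept=finance action=download bytes=10200000
2024-03-04T02:15:00Z user=alice dept=finance action=auth_failed bytes=0
2024-03-04T02:16:00Z user=alice dept=finance action=auth_failed bytes=0
2024-03-04T02:17:00Z user=alice dept=finance action=auth_failed bytes=0
2024-03-04T02:20:00Z user=alice dept=finance action=download bytes=950000000
2024-03-04T10:00:00Z user=bob dept=finance action=download bytes=9700000
"""

LINE_RE = re.compile(
    r"(?P<day>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2}:\d{2}Z "
    r"user=(?P<user>\S+) dept=(?P<dept>\S+) action=(?P<action>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed "known indicator" rules: name and a predicate over one user-day.
INDICATORS = [
    ("repeated_auth_failures",
     lambda evs: sum(e["action"] == "auth_failed" for e in evs) >= 3),
    ("off_hours_download",
     lambda evs: any(e["action"] == "download" and not 7 <= e["hour"] < 20 for e in evs)),
]


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({"day": d["day"], "hour": int(d["hour"]), "user": d["user"],
                       "dept": d["dept"], "action": d["action"], "bytes": int(d["bytes"])})
    return events


def daily_bytes(events):
    """Return {(user, day): total bytes} and {user: dept}."""
    totals = defaultdict(int)
    dept_of = {}
    for e in events:
        totals[(e["user"], e["day"])] += e["bytes"]
        dept_of[e["user"]] = e["dept"]
    return totals, dept_of


def zscore(value, samples, cap=10.0):
    """Standard score of value against samples, clipped to +/-cap so a
    near-constant history cannot produce an unbounded number."""
    if len(samples) < 2:
        return 0.0  # not enough history to judge
    mean = statistics.mean(samples)
    sd = statistics.pstdev(samples)
    if sd == 0:
        return 0.0 if value == mean else (cap if value > mean else -cap)
    return max(-cap, min(cap, (value - mean) / sd))


def score_user_day(events, user, day, indicators=INDICATORS):
    """Compare one user-day with the user's own baseline, the peer-group
    baseline and the indicator rules; weights are constructed for the example."""
    totals, dept_of = daily_bytes(events)
    today = totals.get((user, day), 0)
    own_hist = [b for (u, d), b in totals.items() if u == user and d < day]
    peer_hist = [b for (u, d), b in totals.items()
                 if u != user and dept_of[u] == dept_of[user] and d < day]
    z_self = zscore(today, own_hist)
    z_peer = zscore(today, peer_hist)
    day_events = [e for e in events if e["user"] == user and e["day"] == day]
    hits = [name for name, pred in indicators if pred(day_events)]
    # Only upward deviations raise risk; each indicator hit adds a fixed amount.
    risk = min(1.0, 0.1 * max(0.0, z_self) + 0.1 * max(0.0, z_peer) + 0.25 * len(hits))
    return {"user": user, "day": day, "z_self": z_self, "z_peer": z_peer,
            "indicators": hits, "risk": round(risk, 3)}


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    for u in ("alice", "bob"):
        print(score_user_day(evs, u, "2024-03-04"))
```

In the constructed data alice's 950 MB transfer on 4 March is far outside both her own three-day history and her department's, and the three failed logins at 02:15 plus the night-time download trip both indicator rules, so her risk saturates at 1.0; bob's 9.7 MB is within his own and his peers' range and trips no indicator, so his risk stays near zero. The clipping in zscore matters in practice: a user with an almost constant history would otherwise produce an enormous z-score from a trivial change.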



Summary


UEBA / UBA systems are an important element in identifying unknown types of threats, APT attacks, and employees who violate the company's information security rules. UEBA products address four basic tasks.

First, simple and advanced analytics of information from various sources using machine learning methods, run periodically or continuously in real time. Second, online detection of attacks and other anomalies that classical information security tools usually miss. Third, ranking the significance of events collected from various sources (SIEM, DLP, Active Directory and similar systems) so that information security administrators can respond quickly. Fourth, an effective response to events, made possible because the information security administrators have comprehensive and detailed information about the incident.

More UEBA products and more detailed information on them can be found in the UEBA comparison table on ROI4CIO.



Review author: Oleg Pilipenko, for ROI4CIO

Source: https://habr.com/ru/post/436082/