In my previous blog post, I talked about user behaviors that you want to model in order to capture a wide array of anomalies as well as how to use them to detect patterns of suspicious user activity.
But what is User Entity Behavior Analytics (UEBA)?
The industry defines UEBA as a tool capable of detecting anomalous patterns in an organization’s user base, network, data, or IT assets by analyzing user activities in real time and comparing them with previously established baselines of normal behavior. The analytics provide the context of user actions so organizations can understand their implications, helping security personnel identify user threats accurately and address them efficiently and appropriately.
User behavior analytics solutions have been around for four years now, and have been some of the most hyped solutions in the security space, especially as data breaches and insider threats continue to grow. In 2016, Gartner named UEBA one of the top 10 technologies that every information security strategy should employ, saying:
UEBA provides user-centric analytics around user behavior, but also around other entities, such as endpoints, networks and applications. The correlation of the analyses across various entities makes the analytics’ results more accurate and threat detection more effective.
Unfortunately, the number of organizations that have been able to benefit from these technologies has been mostly limited to early adopters and the largest of enterprises. There are a number of disadvantages of traditional UEBA solutions that have prevented their wider adoption:
- Deployment of UEBA infrastructures is complex
UEBA solutions typically require their own infrastructure and full-time resources to manage and maintain them. If you’re part of a Windows or Active Directory (AD) administration team, chances are you don’t have a dedicated team of security specialists to devote to the solution. As a result, the vast majority of organizations simply don’t have the resources and expertise to install and use the technology.
- They require a great deal of configuration and tuning
User behavior analytics products are usually very flexible in supporting many different log sources — but that means there is a lot of up-front configuration required to map those log sources to the analytics engine’s data model. And there is typically a lot of tuning required to ensure that each log source is represented proportionally as part of the overall analytics.
- User behavior alerts are presented in a separate console
Alerts that are generated by the UEBA solution are presented in an isolated, proprietary console that is not integrated into your organization’s existing security and auditing systems.
So how can you harness the power of user behavior analytics and avoid the pitfalls inherent in generic UEBA solutions?
The answer is to embed UEBA into your existing security and auditing solution, and to focus on the use cases that are most important to you.
Embedded user behavior analytics has a number of advantages:
- Analytics are pre-configured to process your audit data
A powerful analytics engine is configured, out of the box, to recognize the high-fidelity AD and Windows logs from your existing auditing solution. Because the UEBA solution is tightly integrated with the source system, user threat alerts are presented in the context of the activity that was captured by the auditing solution, accelerating the investigation and follow-up time.
- No tuning necessary
The analytics engine would have pre-existing knowledge of the format, contents and context of your audit logs and be trained to model user behavior and identify anomalies for these data sets. That means you don’t have to invest months of effort mapping log sources to data models and tuning indicators in order to get accurate and manageable results.
- Extract value from the solution immediately
Embedded UEBA uses machine learning over large volumes of audit data to baseline user behavior and detect anomalous activities that could indicate user threats or a network breach. Its models keep training as more data is analyzed and additional behaviors are identified, so accuracy improves further over time, and the solution continues to monitor the environment and adjust to reflect current conditions. Once a short history of user activity has been analyzed, say thirty days or so, the solution reports a real-time risk level for the users in your environment.
Organizations therefore don’t have to invest months of effort before extracting value from their UEBA solution. Embedded UEBA lets you use your accumulated experience with AD and Windows security to enrich your existing auditing infrastructure for security and compliance purposes.
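To make the baseline-then-score idea concrete, here is an added example that is not from the original post and not Change Auditor code: it builds a thirty-day per-user profile from constructed Windows logon events (Event ID 4624 style: user, workstation, logon type, time) and scores new events against it. The weights, the 5% "rare hour" threshold, the event field names and the sample users and hosts are all assumptions chosen for illustration.

```python
"""
Added example: baseline user logon behavior over a history window, then
score new logon events for deviation. All events are constructed sample
data; the weights and thresholds are illustrative assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Illustrative weights (assumptions, not values from any product).
W_NEW_USER, W_NEW_HOST, W_RARE_HOUR, W_NEW_LOGON_TYPE = 5, 3, 2, 2
RARE_HOUR_FRACTION = 0.05   # an hour seen in <5% of a user's logons is "rare"


def _constructed_baseline_events():
    """Thirty days of constructed 4624-style logons for two users (weekdays only)."""
    events = []
    start = datetime(2018, 8, 1)
    for day in range(30):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:                    # no weekend activity in the baseline
            continue
        hour = 8 + day % 3                      # alice starts between 08:00 and 10:00
        events.append({"ts": d.replace(hour=hour, minute=12), "user": "alice",
                       "host": "WS-ALICE", "logon_type": 2})    # interactive
        events.append({"ts": d.replace(hour=hour + 1, minute=3), "user": "alice",
                       "host": "FS01", "logon_type": 3})        # network share
        events.append({"ts": d.replace(hour=9, minute=30), "user": "bob",
                       "host": "WS-BOB", "logon_type": 2})
    return events


BASELINE_EVENTS = _constructed_baseline_events()

# Constructed "today" events to score against the baseline.
NEW_EVENTS = [
    # alice via RDP (type 10) at 03:07 from bob's workstation: every feature deviates
    {"ts": datetime(2018, 9, 3, 3, 7), "user": "alice", "host": "WS-BOB", "logon_type": 10},
    {"ts": datetime(2018, 9, 3, 8, 45), "user": "alice", "host": "WS-ALICE", "logon_type": 2},
    {"ts": datetime(2018, 9, 3, 9, 30), "user": "bob", "host": "WS-BOB", "logon_type": 2},
    # account never seen during the baseline window
    {"ts": datetime(2018, 9, 3, 2, 0), "user": "svc_backup", "host": "FS01", "logon_type": 3},
]


def build_baseline(events):
    """Per-user profile: hosts used, logon types used, histogram of logon hours."""
    profile = defaultdict(lambda: {"hosts": set(), "logon_types": set(),
                                   "hours": Counter(), "total": 0})
    for e in events:
        p = profile[e["user"]]
        p["hosts"].add(e["host"])
        p["logon_types"].add(e["logon_type"])
        p["hours"][e["ts"].hour] += 1
        p["total"] += 1
    return dict(profile)


def score_event(baseline, event):
    """Return (score, reasons) for one event compared with its user's baseline."""
    p = baseline.get(event["user"])
    if p is None:
        return W_NEW_USER, ["no baseline for user"]
    score, reasons = 0, []
    if event["host"] not in p["hosts"]:
        score += W_NEW_HOST
        reasons.append("new host")
    if p["hours"][event["ts"].hour] < RARE_HOUR_FRACTION * p["total"]:
        score += W_RARE_HOUR
        reasons.append("rare hour")
    if event["logon_type"] not in p["logon_types"]:
        score += W_NEW_LOGON_TYPE
        reasons.append("new logon type")
    return score, reasons


def risk_by_user(baseline, events):
    """Aggregate per-user risk over a batch of new events."""
    risk = Counter()
    for e in events:
        risk[e["user"]] += score_event(baseline, e)[0]
    return dict(risk)


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for e in NEW_EVENTS:
        print(e["user"], e["ts"], e["host"], score_event(base, e))
    print(risk_by_user(base, NEW_EVENTS))
```

Two things the toy makes visible. First, the score is only as good as the baseline window: whatever happened during those thirty days is "normal", so an attacker already active before the baseline was built is baselined in, and the window should be reviewed before the scores are trusted. Second, accounts with no history (here `svc_backup`) need their own handling; scoring them as high-risk by default is one choice, but on a real domain it will fire on every newly provisioned user unless joiners are enriched from HR or AD creation events.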
Change Auditor Threat Detection employs pattern-based UEBA to model individual user behavior and detect anomalous activity that could be indicative of suspicious or compromised users. Change Auditor Threat Detection will be generally available September 2018.
My final blog post in this series will use a relatable analogy to illustrate the concepts discussed in this and prior posts.