
Nowadays it is commonplace for hackers to break into networks and cause damage. Malicious emails with infected attachments, phishing and social engineering are part of everyday life. Systems and tools quickly become outdated, and security gaps that can endanger a company's information security are uncovered on a daily basis.
User and Entity Behavior Analytics (UEBA) helps
The problem with user monitoring tools is that they only monitor individual sessions. Modern attackers are aware of this. As a result, attacks are carried out in ways that are not directly apparent to these tools within a single session on a single system: attackers distribute their "work" over several servers and take long breaks. Such activity cannot be captured by session monitoring. UEBA was developed to counter this approach.
UEBA (User and Entity Behavior Analytics) is a cybersecurity process that analyzes and studies user behavior. With this data, UEBA learns what normal user behavior looks like and can then recognize abnormal behavior, i.e. deviations from "normal" patterns. For example, if a certain user regularly downloads files with a total size of 10MB every day but suddenly downloads gigabytes of files, the system detects this anomaly and reports it immediately.
User and Entity Behavior Analytics, or UEBA for short, uses machine learning, algorithms and statistical analyses to determine when there is a deviation from established patterns and when such anomalies indicate a potential real threat. File, flow and packet information can also be analyzed.
To analyze users and entities, UEBA does not rely on direct monitoring of devices and users or on rules, but on the analysis of information from many different sources: system and application logs, security solutions, SIEM, user directories, orchestration tools, even workstations.
With the help of the most advanced analysis methods, a baseline (reference line) for user behavior is then created. All behavior that a UEBA recognizes as "normal" lies within this baseline. If an event crosses these boundaries, an alarm is triggered. In particular, insider threats, for example employees who are dissatisfied with the company and want to harm it, can be thwarted. Attackers who have compromised a system can also be detected in this way: circumventing the rules of a SIEM is not difficult for them, but imitating the "normal" behavior of a system or user is.
How does UEBA work? A little insight
The principle of UEBA is explained here with a short example:
Hackers can use a wide variety of methods (brute-force attacks, man-in-the-middle, phishing or social engineering), so nowadays it is easy to find out the credentials (user name and password) of an internal employee.
Let us assume that we have found the correct credentials of a certain person with administrative rights and have thus gained access to a network. Without prior research and inside knowledge, we would not be able to behave the way the victim does. So if a user behaves differently than in the "normal case", UEBA warnings will sound.
Therefore, UEBA is a very important component of IT security with which you can:
1. Detect insider threats
Internal employees steal data and information using their own access. UEBA can help detect data breaches, sabotage, abuse of permissions and policy violations by employees.
2. Recognize brute force attacks
Hackers sometimes target cloud-based entities as well as third-party authentication systems. With the help of UEBA, brute force attacks can be detected and access to these entities can be blocked.
3. Detect changes in permissions
Some attacks involve the use of so-called super users with admin rights. UEBA can detect when a super user has been created or when accounts have been granted unnecessary permissions.
4. Detect breaches of protected data
It is not enough to keep protected data locked away. There should be transparency as to when a user accesses these files, even for legitimate business reasons.
UEBA and SIEM
A SIEM (Security Information and Event Management) is used to guarantee a comprehensive overview of the security of an IT system. It uses data and event information that, together with rules, identify "normal patterns and trends".
UEBA works in the same way, except that user and entity behavioral information is collected from a wide variety of sources and evaluated using advanced analysis methods and machine learning to detect anomalies.
And that is the big difference: SIEM works with rules, and these have to be created and maintained by hand. Advanced attackers can easily circumvent such rules. In addition, SIEM rules are designed to detect threats in real time, while advanced attacks typically run over months or years.
For good IT security, it is therefore advisable to use both a SIEM and a UEBA. A comprehensive security and detection capability can only be guaranteed if the two systems work together.
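As an added example that is not part of the original article, the SIEM-versus-UEBA contrast above in code: a hand-written fixed threshold beside a per-user baseline of the kind the 10MB download example describes. The users, the daily volumes and the median/MAD scoring are constructed assumptions, not any product's method.

```python
import statistics
from collections import defaultdict

# Constructed sample telemetry (not real data): bytes downloaded per user and
# day. "alice" normally moves about 10 MB a day; "bob" runs ~2 GB backups daily.
# On day 15 alice's account suddenly moves 3 GB (a compromised account or insider).
MB, GB = 10**6, 10**9
DAILY_DOWNLOADS = [("alice", day, 10 * MB + (day % 3) * MB) for day in range(1, 15)]
DAILY_DOWNLOADS += [("bob", day, 2 * GB + (day % 4) * 50 * MB) for day in range(1, 15)]
DAILY_DOWNLOADS += [("alice", 15, 3 * GB), ("bob", 15, 2 * GB + 100 * MB)]


def siem_static_rule(events, limit=1 * GB):
    """SIEM-style rule: one fixed threshold for everybody, maintained by hand.
    It fires on bob every single day (false positives) and would miss a
    low-volume user who only triples their normal traffic."""
    return [(user, day) for user, day, nbytes in events if nbytes > limit]


def build_baselines(events, history_days):
    """UEBA-style learning phase: per-user median and MAD (median absolute
    deviation) over the first history_days, i.e. the user's own 'normal'."""
    per_user = defaultdict(list)
    for user, day, nbytes in events:
        if day <= history_days:
            per_user[user].append(nbytes)
    baselines = {}
    for user, values in per_user.items():
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        # Floor the spread at 10% of the median so a near-constant user
        # still gets some tolerance instead of alerting on tiny jitter.
        baselines[user] = (med, max(mad, 0.1 * med))
    return baselines


def ueba_anomalies(events, history_days=14, k=5):
    """Detection phase: flag days after the learning period where a user's
    volume exceeds their own baseline by more than k spread units."""
    baselines = build_baselines(events, history_days)
    alerts = []
    for user, day, nbytes in events:
        if day <= history_days or user not in baselines:
            continue
        med, spread = baselines[user]
        score = (nbytes - med) / spread
        if score > k:
            alerts.append((user, day, round(score, 1)))
    return alerts


if __name__ == "__main__":
    print("SIEM rule alerts:", siem_static_rule(DAILY_DOWNLOADS))
    print("UEBA baseline alerts:", ueba_anomalies(DAILY_DOWNLOADS))
```

The fixed rule reports bob on all 15 days plus alice on day 15, while the baseline reports only alice's day 15, because bob's 2.1 GB is normal for bob.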