ProSec GmbH

User and Entity Behaviour Analytics (UEBA)

Hackers breaking into networks and causing damage has become commonplace. Malicious emails with infected attachments (so-called phishing) and social engineering are part of everyday life today. Systems and tools quickly become outdated, and security gaps that can endanger a company’s information security are uncovered on a daily basis.

User and Entity Behavior Analytics (UEBA) helps

The problem with user monitoring tools is that they only monitor individual sessions. Modern hackers, however, are aware of this. As a result, attacks are carried out in ways that are not directly apparent to these tools within a single session on a single system: attackers distribute their “work” over several servers and take long breaks. Session monitoring cannot capture such activity. UEBA was developed to counter this approach.

UEBA (User and Entity Behavior Analytics) is a cybersecurity process ...

… that analyzes and studies user behavior. With the help of this data, UEBA learns normal user behavior and can then recognize abnormal behavior or deviations from “normal” patterns. For example, if a certain user regularly downloads files with a total size of 10 MB every day but suddenly downloads gigabytes of files, the system will detect this anomaly and report it immediately.

User and Entity Behavior Analytics, or UEBA for short, uses machine learning, algorithms and statistical analyses to determine when there is a deviation from defined patterns and when these anomalies point to a potential real threat. File, flow and packet information can also be analyzed.
To analyze users and entities, UEBA does not rely on rules or on the direct monitoring of devices and users, but on the analysis of information that comes from many different sources: system and application logs, security solutions, SIEM, user directories, orchestration tools and even workstations.

With the help of the most advanced analysis methods ...

… a baseline for user behavior is then created. Everything that UEBA recognizes as “normal” user behavior lies within this baseline. If an event crosses these boundaries, an alarm is triggered. In particular, insider threats, for example employees who are dissatisfied with the company and want to harm it, can be thwarted. Attackers who have compromised a system can also be detected in this way: it is not difficult for them to circumvent the rules of a SIEM, but it is difficult to imitate the “normal” behavior of a system or user.
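
The baseline idea described above, shown as an added example (it is not ProSec's code or that of any UEBA product): each user's daily download volume is summed across all hosts and compared with that user's own history, next to a fixed SIEM-style threshold. The event tuples, host names and the 2 GB rule are constructed assumptions, and median/MAD stands in for the statistical methods a real UEBA would use.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events: (day, user, host, megabytes downloaded).
# alice normally pulls about 10 MB a day; on day 15 she pulls 3 GB,
# split across three servers so no single transfer looks large.
EVENTS = [(d, "alice", "fs01", 8 + d % 5) for d in range(1, 15)]
EVENTS += [(d, "backup-svc", "fs02", 5000 + 10 * (d % 3)) for d in range(1, 16)]
EVENTS += [(15, "alice", h, 1000) for h in ("fs01", "fs02", "fs03")]

STATIC_RULE_MB = 2000  # hypothetical fixed rule: alert on any single event above 2 GB


def daily_totals(events):
    """Sum volume per (user, day) across all hosts, not per session."""
    totals = defaultdict(lambda: defaultdict(float))
    for day, user, _host, mb in events:
        totals[user][day] += mb
    return totals


def robust_score(history, value):
    """Distance above the median in units of scaled MAD (robust to outliers)."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # avoid dividing by zero
    return (value - med) / (1.4826 * mad)


def baseline_alerts(events, day, min_history=7, threshold=6.0):
    """Users whose total on `day` is far above their own baseline."""
    alerts = []
    for user, per_day in daily_totals(events).items():
        history = [mb for d, mb in per_day.items() if d < day]
        if day not in per_day or len(history) < min_history:
            continue  # not enough data to call anything "normal" yet
        score = robust_score(history, per_day[day])
        if score > threshold:
            alerts.append((user, per_day[day], round(score, 1)))
    return alerts


def static_rule_alerts(events, day):
    """Users with at least one single event above the fixed threshold."""
    return sorted({u for d, u, _h, mb in events if d == day and mb > STATIC_RULE_MB})


if __name__ == "__main__":
    print("static rule:", static_rule_alerts(EVENTS, 15))
    print("baseline   :", baseline_alerts(EVENTS, 15))
```

On this sample the fixed rule fires on the service account doing its usual 5 GB job and stays silent on alice, while the per-user baseline does the opposite.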

How does UEBA work: A little insight

The principle of UEBA is simply explained here with a short example:
Using a wide variety of methods (brute-force attack, man-in-the-middle, phishing or social engineering), it is nowadays easy for hackers to find out the credentials (user name and password) of an internal employee.
Let us assume that we have found the correct credentials of a certain person with administrative rights and thus gained access to a network. Without prior research and inside knowledge, we would not be able to behave the way the victim would. So if a user behaves differently than in the “normal case”, UEBA raises an alert.
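
The scenario above from the detection side, as an added example that is not part of the original article: a login with a valid password is compared with the account's own habits (time of day, source host, target system). The account name, host names, the 5 % share limit and the two-feature alert threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed login history for one administrator:
# (user, hour_of_day, source_host, target_system). All names are made up.
HISTORY = (
    [("admin.k", h, "ws-117", "dc01") for h in (8, 9, 9, 10, 14, 15, 16)] * 4
    + [("admin.k", 9, "ws-117", "backup01")] * 3
)
FEATURES = ("time_of_day", "source", "target")


def features(hour, source, target):
    """Bucket the hour into 6-hour blocks so 09:00 and 10:00 count as one habit."""
    return dict(zip(FEATURES, (hour // 6, source, target)))


def build_profiles(history):
    """Per-user counts of every feature value seen in past logins."""
    profiles = defaultdict(lambda: {f: Counter() for f in FEATURES})
    for user, hour, source, target in history:
        for name, value in features(hour, source, target).items():
            profiles[user][name][value] += 1
    return profiles


def unusual_features(profiles, user, hour, source, target, min_share=0.05):
    """Features whose value makes up less than `min_share` of the user's history."""
    if user not in profiles:
        return list(FEATURES)  # no baseline yet: everything is new
    unusual = []
    for name, value in features(hour, source, target).items():
        seen = profiles[user][name]
        if seen[value] / sum(seen.values()) < min_share:
            unusual.append(name)
    return unusual


def is_suspicious(profiles, login, min_unusual=2):
    """Alert only when several features deviate at once, to limit false positives."""
    return len(unusual_features(profiles, *login)) >= min_unusual


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for login in [("admin.k", 9, "ws-117", "dc01"),         # habitual
                  ("admin.k", 11, "ws-204", "dc01"),        # new workstation only
                  ("admin.k", 3, "vpn-ext-9", "hr-db01")]:  # valid password, foreign behaviour
        print(login, unusual_features(profiles, *login), is_suspicious(profiles, login))
```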

Therefore, UEBA is a very important component of IT security with which you:

1. Detect insider threats

Internal employees can steal data and information by using their own access. UEBA can help detect data breaches, sabotage, abuse of permissions and policy violations by employees.

2. Recognize brute force attacks

Hackers sometimes target cloud-based entities as well as third-party authentication systems. With the help of UEBA, brute force attacks can be detected and access to these entities can be prevented.

3. Detect changes in permissions

Some attacks involve the use of so-called superusers with admin rights. UEBA can be used to detect when a superuser has been created or whether any accounts have been granted unnecessary permissions.

4. Detect breaches of protected data

It is not enough to keep protected data safe. There should be transparency as to when a user is accessing these files, even for legitimate business reasons.

UEBA and SIEM

A SIEM (Security Information and Event Management) is used to provide a comprehensive overview of the security of an IT system. It uses data and event information that, along with rules, identify “normal patterns and trends”.

UEBA works in the same way, with the exception that user and entity behavioral information is collected from a wide variety of sources and evaluated using advanced analysis methods and machine learning to detect anomalies.
And that’s the big difference: SIEM works with rules. And these have to be created and maintained by hand. Advanced hackers can easily circumvent these rules. In addition, SIEM rules are designed to detect threats in real time, while advanced attacks typically take months or years to run.

For good IT security, it is therefore advisable to use both a SIEM and a UEBA. A comprehensive security and detection function can only be guaranteed if the two systems work together.


Last updated on August 16, 2021
