User Entity Behavior Analytics (UEBA)

The range of use cases for User and Entity Behavior Analytics (UEBA) is wide, allowing risks to be identified and assessed at an early stage.

User and Entity Behavior Analytics (UEBA) reveals hidden risks to the company. UEBA applies advanced data analytics to data streams from many sources, scanning them for signs of attacks, reconnaissance and data theft.

Here, behavior analysis covers the actions of people as well as of systems and other entities.

Examples of this include situations where a user suddenly downloads large amounts of data, a system suddenly tries to connect to another system that it does not normally interact with, or something else unusual happens.

UEBA has many applications in the following main areas:

- Information Security

- Network and Data Center Operations

- Administration

- Business transactions

Cybersecurity: UEBA Use Cases

UEBA looks for signs of different types of threats or violations in logs, configuration files, and other data sources. This underlies the following use cases.

Lateral movement detection

Network logs may indicate that a system is attempting to communicate with other systems that it does not normally interact with, potentially indicating that it has been compromised and is being used as a launching point for lateral attacks on other systems.

Identifying compromised accounts

System and network logs can show people or accounts trying to do things they wouldn't normally do and shouldn't do. This may indicate that the account's credentials have been compromised and a third party is using it to explore capabilities and vulnerabilities or to steal sensitive data.

Insider Threat Detection

Behavioral analysis can detect an account that is using higher levels of privilege than normal or is attempting to access systems that it does not normally interact with. These are possible signs that an insider is abusing the privileges of their account.

Trojan account creation detection

Analysis may detect unusual bursts of account creation, deletion, or modification activity, such as the creation of large numbers of system administrator accounts or the loss of certain access rights on existing accounts. This behavior may indicate that an attacker is setting up local accounts to perform further operations.

Account Sharing Policy Violation Tracking

UEBA systems can detect signs that users are sharing their credentials rather than each working only from their own account, which increases the likelihood of compromise by attackers.

Prospective and retrospective UEBA

UEBA can be used prospectively or retrospectively for cybersecurity purposes. Prospectively, security teams or service providers use it to detect attacks as they occur, with the goal of triggering a response, preferably an automated one.

Retrospectively, cybersecurity teams, service providers, and law enforcement agencies use UEBA to examine logs and other data as part of a forensic investigation into an attack that has already occurred.

UEBA can detect attack precursors and isolate the various activities that make up an attack. This information can be used to mitigate the attack as well as to strengthen defenses, and can then be shared through threat intelligence channels.

UEBA systems focus on use cases, analytics, and data to assign risk scores to specific behaviors.
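As an added illustration of the baseline-and-score approach behind the lateral movement and account creation use cases above (example code written for this page, not from any UEBA product): it learns each entity's normal connection peers from a history of constructed events, then scores never-before-seen peers and bursts of account creation. The event format, thresholds and score weights are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events, not from a real environment: (timestamp, entity, action, target)
BASELINE_EVENTS = [
    ("2024-05-01T09:00:00", "host-app1", "connect", "db1"),
    ("2024-05-01T09:05:00", "host-app1", "connect", "cache1"),
]
NEW_EVENTS = [
    ("2024-05-10T09:00:00", "host-app1", "connect", "db1"),
    ("2024-05-10T09:01:00", "host-app1", "connect", "hr-fileshare"),  # never seen before
    ("2024-05-10T09:02:00", "host-app1", "connect", "finance-db"),    # never seen before
    ("2024-05-10T11:00:00", "alice", "create_account", "admin-a"),
    ("2024-05-10T11:00:30", "alice", "create_account", "admin-b"),
    ("2024-05-10T11:01:00", "alice", "create_account", "admin-c"),
    ("2024-05-10T11:01:30", "alice", "create_account", "admin-d"),
]
NEW_PEER_SCORE = 20            # points per never-before-seen connection target (assumed weight)
BURST_SCORE = 50               # points once creations in a window exceed the threshold
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3            # more than this many creations inside BURST_WINDOW is a burst

def build_baseline(events):
    """Learn, per entity, the set of targets it normally connects to."""
    peers = defaultdict(set)
    for _, entity, action, target in events:
        if action == "connect":
            peers[entity].add(target)
    return peers

def score_events(baseline, events):
    """Return {entity: [risk_score, reasons]} for entities that deviate from baseline."""
    scores = defaultdict(lambda: [0, []])
    creations = defaultdict(list)
    for ts, entity, action, target in events:
        if action == "connect" and target not in baseline.get(entity, set()):
            scores[entity][0] += NEW_PEER_SCORE
            scores[entity][1].append(f"new peer {target}")
        elif action == "create_account":
            creations[entity].append(datetime.fromisoformat(ts))
    for entity, times in creations.items():
        times.sort()
        start = 0  # sliding window over the sorted creation times
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 > BURST_THRESHOLD:
                scores[entity][0] += BURST_SCORE
                scores[entity][1].append(f"{end - start + 1} account creations in {BURST_WINDOW}")
                break
    return dict(scores)
```

Running `score_events(build_baseline(BASELINE_EVENTS), NEW_EVENTS)` flags host-app1 for two new peers (40 points) and alice for a burst of four account creations (50 points); the known db1 connection scores nothing.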

Use cases for IT operations

The same features that make UEBA a powerful security tool, filtering meaningful information from various usage and performance data streams, also make UEBA software useful to systems operations teams.

Key use cases include the following.

Predicting upcoming hardware and software failures

Anomalous behavior may indicate current or impending failures in hardware, operating systems, middleware (such as database management systems), application servers, and applications.

For example, an increasing number of transmission errors on a particular port on a network switch may indicate a hardware failure or connectivity problem on that port.
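An added example (not from the page's source or any vendor) of the kind of check a monitoring tool could run on per-port error counters: the earliest samples define a baseline band, and a port is flagged only when its recent counts sit above that band and keep rising. The port names, counter values and parameters are constructed.

```python
import statistics

# Constructed per-interval transmission error counts for two switch ports
# (sample data, not a real switch log): one noisy but flat, one steadily rising.
PORT_ERRORS = {
    "Gi1/0/7":  [0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1],
    "Gi1/0/12": [0, 1, 0, 1, 0, 1, 3, 5, 8, 12, 17, 25],
}

def is_rising(values, k):
    """True if the last k samples increase strictly from one to the next."""
    tail = values[-k:]
    return len(tail) == k and all(b > a for a, b in zip(tail, tail[1:]))

def find_degrading_ports(port_errors, baseline_len=6, recent_len=4, sigma=3.0):
    """Flag ports whose recent error counts exceed the baseline band and keep rising.
    The first baseline_len samples define normal behaviour (mean + sigma * stdev, with
    a floor of 1 so a perfectly quiet port does not get a zero-width band); the last
    recent_len samples must be monotonically increasing and the latest sample must sit
    above the band. Returns {port: (latest_count, threshold)}."""
    flagged = {}
    for port, counts in port_errors.items():
        base = counts[:baseline_len]
        recent = counts[-recent_len:]
        threshold = statistics.mean(base) + sigma * max(statistics.pstdev(base), 1.0)
        if recent[-1] > threshold and is_rising(recent, recent_len):
            flagged[port] = (recent[-1], round(threshold, 2))
    return flagged
```

On the sample data only Gi1/0/12 is flagged (latest count 25 against a threshold of 3.5); Gi1/0/7 stays within its band and its recent samples do not trend upward.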

Conducting a root cause analysis

A single problem can sometimes affect multiple systems and functional levels. Threat analysis is necessary to understand the relationships. For example, scattered transaction failures across multiple employee-facing and customer-facing applications, as well as intermittent issues with the database server and application containers running on a particular Kubernetes cluster, could be due to an underlying SAN issue.

UEBA can meet the operational needs of enterprises and cloud service providers, who can use it both prospectively and retrospectively. UEBA tools can be used to determine the cause of disparate problems that show no apparent connection when they occur.

Likewise, these tools can be used after a failure to check whether there were indicators of the problem that could have been detected earlier, and whether they would be detected if the problem recurs.

Other Uses of Behavioral Analysis

Beyond IT itself, a company can use a behavioral analytics tool to track and understand employee and customer behavior for management and business purposes. These are not the same products used in operations or security, but they use the same techniques and fall under the umbrella of behavior analysis.

When reviewing employee behavior, companies must always comply with applicable laws, company data protection policies, and ethical employee management principles. Although these tools have a high potential for misuse, they can provide important information.

Understanding Performance

Behavior can provide insight into individual and team productivity and show why some individuals or teams are more productive than others in a given context.

Understanding the actual team structure

Behavioral analysis can also reveal communication patterns between employees, which can provide useful information about them: for example, which employees are regarded by their colleagues as managers, assistants, or mentors.

Fraudulent Transaction Detection

Banks and other financial services institutions, as well as service providers such as telephone companies, have long used such technologies to detect fraud. These systems were among the first applications of the analytic methods now used in UEBA tools. In these contexts, the tools focus on anomalous behavior such as the following:

- unusual use of ATM cards or online banking;

- unexpected credit card billing patterns;

- strange patterns in insurance payments;

- fare fraud on intercity transport;

- robocalls.

By focusing on what people and systems do, UEBA tools uncover useful information in a growing variety of use cases.

Rapid advances in artificial intelligence and machine learning will broaden and deepen the range of tools available and their ability to analyze data spread across time, geography, and systems.

Mainton Company - custom software development and testing, SEO and online advertising since 2004.