In the introduction to this blog series, "A Closer Look Inside UEBA: Top 5 FAQs", I discussed how many of the customers and security professionals we speak with have questions about User and Entity Behavior Analytics (UEBA): what it is, what the different terms mean, and why it matters to organizations today.
Let’s start out with the basics. What is UEBA vs SUBA vs UBA? UEBA is the term defined by Gartner for User and Entity Behavior Analytics. The concept can also be referred to as SUBA for Security User Behavior Analytics (which is the term that Forrester Research coined) as well as UBA for User Behavior Analytics. I’ve also just heard it called more simply “Behavioral Analytics” or even “Behavioral Analysis.”
These terms are mostly used interchangeably. They all describe analyzing the behavior of the people connected to an organization's network, and of the entities they interact with: servers, service and user accounts, laptops, applications, and so on, including the systems that store proprietary data. The "people" in this case could be employees (also called insiders), groups of people, or third-party vendors and contractors who have access to different parts of the network.
UEBA is used for threat detection, both for detecting external breaches and for identifying rogue insiders. From a behavioral perspective, it learns what people and entities normally do: where they usually log in from, which file servers and applications they access, which devices they use, at what hours they are active. Many products also collect posture attributes alongside behavior, such as what privileges an account holds and how strong its password is. Together this establishes a baseline of usual activity. Once normal is known, an event that departs from it can be flagged for investigation. (For example, a user suddenly accesses a server they never touch, and does so from a foreign location.) Two caveats apply: the baseline is only as good as the learning window that produced it, and an anomaly is a lead rather than a verdict, since legitimate activity also deviates from the norm.
Most UEBA solutions learn the behavior of users, groups and devices to establish baselines, then apply a risk score that adapts over time as activity is observed. When anomalous activity occurs, the risk score of the user or entity rises by an amount that depends on the type and severity of the behavior, so that a burst of unusual events stands out more than a single one. This not only helps identify threats, it also helps organizations keep track of their insecure and privileged users, and surfaces stale accounts, weak passwords, and shared or risky endpoints.
By learning behavior, it makes it possible to detect and identify security risk or threats such as:
- Credential compromise
- Rogue or insecure insiders
- Privileged user abuse
- Malicious hackers
- Password brute force attacks
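The baseline-and-score loop described above, as an added example that is not code from the original post or from any UEBA product. It is a deliberately small model: it learns each user's usual source country, target hosts and login hours from a window of constructed, successful login events, then scores new events for departures from that baseline and for failed-login bursts. The event fields, user names, hosts, weights and thresholds are all constructed for the illustration.

```python
"""Toy UEBA baseline and risk scoring over constructed login events."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # epoch seconds (constructed)
    user: str
    country: str   # source country of the login
    host: str      # target host or application
    ok: bool       # True for a successful login, False for a failure


# Points added to a user's risk score per reason (assumed weights, not from any product).
WEIGHTS = {
    "new_country": 40,              # source country never seen for this user
    "new_host": 20,                 # target host never seen for this user
    "off_hours": 10,                # more than an hour away from any usual login hour
    "failure": 5,                   # any failed login
    "brute_force": 50,              # FAIL_THRESHOLD failures inside FAIL_WINDOW seconds
    "success_after_brute_force": 60,  # a success right after such a burst: likely credential compromise
}
FAIL_THRESHOLD = 5
FAIL_WINDOW = 300  # seconds


class Baseline:
    """Per-user summary of normal behaviour, learned from successful logins only."""

    def __init__(self):
        self.countries = defaultdict(Counter)
        self.hosts = defaultdict(Counter)
        self.hours = defaultdict(set)

    def learn(self, events):
        for e in events:
            if not e.ok:
                continue  # failures must not shape what "normal" looks like
            self.countries[e.user][e.country] += 1
            self.hosts[e.user][e.host] += 1
            self.hours[e.user].add(e.ts // 3600 % 24)


def analyze(baseline, events):
    """Score events against the baseline; return (findings, per-user risk).

    findings is a list of (event, reasons, points) for every event that scored.
    """
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    risk = Counter()
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        reasons = []
        if e.country not in baseline.countries[e.user]:
            reasons.append("new_country")
        if e.host not in baseline.hosts[e.user]:
            reasons.append("new_host")
        hour = e.ts // 3600 % 24
        if not any(abs(hour - h) <= 1 for h in baseline.hours[e.user]):
            reasons.append("off_hours")
        window = [t for t in failures[e.user] if e.ts - t <= FAIL_WINDOW]
        if e.ok:
            if len(window) >= FAIL_THRESHOLD:
                reasons.append("success_after_brute_force")
            failures[e.user] = []  # a success closes the failure window
        else:
            window.append(e.ts)
            failures[e.user] = window
            reasons.append("failure")
            if len(window) == FAIL_THRESHOLD:  # flag the burst once, when it crosses the line
                reasons.append("brute_force")
        points = sum(WEIGHTS[r] for r in reasons)
        risk[e.user] += points
        if points:
            findings.append((e, reasons, points))
    return findings, risk


def _ts(day, hour, sec=0):
    return day * 86400 + hour * 3600 + sec


# Constructed learning window: alice works from the US on fileserver01 at 9, 13 and 17;
# bob works from Germany on crm-app at 9 and 13.
BASELINE_EVENTS = [Event(_ts(d, h), "alice", "US", "fileserver01", True) for d in range(10) for h in (9, 13, 17)]
BASELINE_EVENTS += [Event(_ts(d, h), "bob", "DE", "crm-app", True) for d in range(10) for h in (9, 13)]

# Constructed detection window: one normal alice login, one 3 a.m. login from a new country to a new
# host, and six failed bob logins in under a minute followed by a success.
DETECT_EVENTS = [
    Event(_ts(11, 9), "alice", "US", "fileserver01", True),
    Event(_ts(11, 3), "alice", "RU", "hr-db", True),
]
DETECT_EVENTS += [Event(_ts(11, 13, 10 * i), "bob", "DE", "crm-app", False) for i in range(6)]
DETECT_EVENTS += [Event(_ts(11, 13, 60), "bob", "DE", "crm-app", True)]


def run_demo():
    baseline = Baseline()
    baseline.learn(BASELINE_EVENTS)
    return analyze(baseline, DETECT_EVENTS)


if __name__ == "__main__":
    findings, risk = run_demo()
    for e, reasons, points in findings:
        print(f"{e.user:6} ts={e.ts} host={e.host:12} from={e.country} +{points:3} {reasons}")
    print("risk:", dict(risk))
```

Alice's normal 9 a.m. login scores nothing, while her 3 a.m. login from a new country to a new host collects three reasons at once, which is the "unusual server from a foreign location" case above. Bob's burst of failures crosses the brute-force threshold on the fifth failure, and the success that follows scores higher still, since a success after a burst is the point at which a password-guessing attack turns into a compromised credential. Real products weight and decay these scores far more carefully, but the shape of the computation is the same.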
UEBA has emerged because most log-based analysis solutions, such as a rule-driven SIEM, are backward looking: they match events against patterns that someone already knew to write, and they don't become more accurate over time. It is difficult to collect and correlate all of the events, and these tools often generate a large volume of incidents, or alerts, that require 24x7 coverage and manual triage by the security team to determine whether a real threat exists. That determination often takes considerable time, due to a lack of resources or even the technical skills to accurately identify what happened. During that time, attackers are free to roam the network.
Because UEBA is constantly learning, it can provide greater visibility and insight, not only to detect a potential threat more quickly, but also to help an organization reduce its attack surface by identifying and eliminating the weaknesses it surfaces along the way, such as stale accounts, weak passwords and over-privileged users.
In a day and age when insider threats and external breaches are on a sharp rise[1], security organizations need to look beyond their concerns at the perimeter and take a closer look at insider threat detection. UEBA helps with that.
In the next blog post in this series, "Traditional UEBA vs Behavioral Firewall for Breach and Insider Threat Prevention", I talk more about next-generation UEBA solutions, like Behavioral Firewalls, and how they differ from traditional solutions by combining the detection capabilities and benefits of UEBA with actionable response, in order to prevent threats and support a more proactive security posture.
[1] Verizon's 2016 Data Breach Investigations Report