By understanding how users behave and tracking legitimate processes, organisations can enlist user and entity behaviour analytics (UEBA) to spot security breaches.
A remote machine took over an employee account at a large national grocery chain by circumventing the VPN two-factor authentication protocol… A travel booking company was attacked when hackers entered through an affiliate network, so that the company could not block the IP address… An “enterprise user” accessing a cloud service was actually a malware process originating from an underground network…
In each of these cases, companies enlisted user and entity behaviour analytics (UEBA) to thwart theft and disruption. “Most enterprise security is based on yesterday’s security concepts that use rules and signatures to prevent bad occurrences,” said Avivah Litan, vice president and distinguished research analyst at Gartner. “What’s needed is rapid detection and response, enabled in part through behavioral analytics.”
UEBA essentially maps how legitimate processes take place in an enterprise (the forest) and learns how to distinguish and stop illegal breaches (the trees). UEBA has three main components:
-- Data Analytics: First, UEBA applications identify user and entity behaviours, and build peer groups and other profiles. Once baseline behaviours and patterns have been established (often starting with historical data), the application detects anomalies by using statistical models and rules to compare incoming transactions with the existing profiles.
-- Data Integration: Flexible UEBA applications are able to integrate structured and unstructured information into an existing security monitoring system. The information base will include datasets such as logs from security information and event management (SIEM) systems, network flow data and packet capture data.
-- Data Presentation and Visualization: UEBA applications present analytic results quickly, in a manner that allows enterprise security and business teams to readily recognise patterns of unauthorised access and users, and act upon the infractions.
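As an added illustration of the baselining and peer-group comparison described above (example code written for this article, not taken from any UEBA product): it learns per-user and per-peer-group volume baselines and usual working hours from constructed historical events, then scores an incoming event with a z-score rule and an hours rule. The event fields, the z-score threshold and the sample data are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical events: (user, peer_group, hour_of_day, bytes_out)
HISTORY = [
    ("alice", "finance", 9, 100), ("alice", "finance", 10, 120), ("alice", "finance", 11, 140),
    ("alice", "finance", 14, 160), ("alice", "finance", 16, 180),
    ("bob", "finance", 8, 110), ("bob", "finance", 9, 130), ("bob", "finance", 10, 150),
    ("bob", "finance", 11, 170), ("bob", "finance", 12, 190),
    ("carol", "engineering", 10, 500), ("carol", "engineering", 12, 700), ("carol", "engineering", 14, 900),
]
Z_LIMIT = 3.0  # assumed threshold: more than 3 standard deviations from the baseline

def _stats(values):
    return {"mean": mean(values), "sd": pstdev(values)}

def build_profiles(history):
    """Learn per-user and per-peer-group baselines from historical events."""
    by_user, by_group, hours = defaultdict(list), defaultdict(list), defaultdict(set)
    for user, group, hour, nbytes in history:
        by_user[user].append(nbytes)
        by_group[group].append(nbytes)
        hours[user].add(hour)
    return {
        "users": {u: dict(_stats(v), hours=hours[u]) for u, v in by_user.items()},
        "groups": {g: _stats(v) for g, v in by_group.items()},
    }

def _zscore(value, stats):
    if stats["sd"] == 0:  # constant baseline: any change at all is a deviation
        return 0.0 if value == stats["mean"] else float("inf")
    return (value - stats["mean"]) / stats["sd"]

def score_event(profiles, event):
    """Compare one incoming event with the learned profiles; return anomaly reasons."""
    user, group, hour, nbytes = event
    reasons = []
    uprof = profiles["users"].get(user)
    if uprof is None:
        reasons.append("no baseline for user")  # e.g. a newly created or unknown account
    else:
        if abs(_zscore(nbytes, uprof)) > Z_LIMIT:
            reasons.append("volume outside user baseline")
        if hour not in uprof["hours"]:
            reasons.append("activity outside user's usual hours")
    gprof = profiles["groups"].get(group)
    if gprof is None:
        reasons.append("unknown peer group")
    elif abs(_zscore(nbytes, gprof)) > Z_LIMIT:
        reasons.append("volume outside peer-group baseline")
    return reasons
```

An empty list means the event fits both the user's own baseline and that of the peer group; each reason string is one rule the event tripped, which is what would feed alert prioritisation.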
Enterprise security teams are often inundated with alerts, in some cases millions a day. Even worse, they are not prioritised and the crucial breaches are buried with the rest of the alerts. Once a UEBA application is in place, and it has learned to recognise “normal” behaviours, it will:
-- Find bad actors via rapid detection of attacks and other infractions without disrupting the business
-- Improve alert management by reducing the number of alerts and prioritising the ones that remain
-- Improve alert investigations by reducing the time and number of staff required to investigate those alerts (since the underlying data for the correlated alerts is typically readily available)