Defending Your Organization with User and Entity Behavior Analytics (UEBA)

User and entity-centric threats are a growing concern for security teams. In fact, according to the 2017 Verizon Breach Study, 69 percent of organizations report a recent insider data exfiltration attempt. Compounding matters, 91 percent of firms report inadequate insider threat programs.

User and Entity Behavior Analytics (UEBA) plays a crucial role in detecting the actions of users (and other entities) that put your company at risk. Effective UEBA solutions perform profiling and advanced anomaly detection through diverse and complementary analytical methods, including scenario- and behavior-based techniques. By employing multiple methods, you can detect threats across the full spectrum of known (e.g., DDoS and drive-by attacks) and unknown threats (e.g., insider threats and zero-day malware).

Scenario- and Behavior-Based Analytical Methods

Scenario-based approaches operate in real time, detecting known threats by matching established tactics, techniques, and procedures (TTPs). Scenario analytics applies diverse techniques, including advanced statistical analysis (rate and trend analysis) and advanced correlation, to broad sets of environmental data in order to detect specific known scenarios along the Cyber Attack Lifecycle (also known as the Cyber Kill Chain).

Figure 1: Cyber Attack Lifecycle

To detect unknown threats, you need behavioral analytical capabilities made possible by supervised and unsupervised machine learning (ML). Deep behavioral profiling detects anomalies by identifying patterns that don't conform to expected or previously learned user behavior. In practice, this approach lets you build a baseline profile for each user, as well as a dynamic peer group, so that outliers in live user data stand out against both the individual's history and that of comparable users.

When applied together, behavior-based analytics and scenario-based analytics for UEBA deliver analytics in depth to protect your organization from malicious, compromised, and accidental user-based threats. Next, let’s explore the security use cases UEBA is best suited to address.

UEBA Security Use Cases

Account Compromise

A strong UEBA solution should readily detect that an attacker has obtained a network user's credentials or identity, regardless of the attack vector or phishing technique used. This includes the detection of attacks such as pass-the-hash, pass-the-token, brute-force attacks, and the lateral movement that follows an initial compromise. For successful account compromise detection, the technology will need to recognize indicators of compromise across any asset the user touches, including endpoints and networks.
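The two scenario-based rules below, run over constructed authentication events, show the kind of known-TTP detection the account compromise use case (and the scenario analytics section above) describes: a password brute force that ends in a successful logon, and a single account fanning out to many hosts in a short window (lateral movement). This is example code added here, not LogRhythm's rule set; the event fields, thresholds and time windows are assumptions.

```python
"""Scenario-based (known-TTP) rules over constructed authentication events.
Example code, not LogRhythm's rule set; thresholds and windows are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(ts, user, src, dst, ok):
    """One authentication event: who, from which source IP, to which host, and whether it succeeded."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "dst": dst, "ok": ok}


# Constructed sample events (not real logs).
EVENTS = [
    # alice: six failures from one source in 75 seconds, then a success (brute force)
    *[ev(f"2019-03-04T09:0{m}:{s:02d}", "alice", "10.0.5.23", "fs01", False)
      for m, s in [(0, 0), (0, 15), (0, 30), (0, 45), (1, 0), (1, 15)]],
    ev("2019-03-04T09:01:45", "alice", "10.0.5.23", "fs01", True),
    # bob: two typos then a success (benign, stays below the threshold)
    ev("2019-03-04T09:10:00", "bob", "10.0.7.40", "ws-bob", False),
    ev("2019-03-04T09:10:20", "bob", "10.0.7.40", "ws-bob", False),
    ev("2019-03-04T09:10:40", "bob", "10.0.7.40", "ws-bob", True),
    # svc_backup: successful logons to five distinct hosts in four minutes
    ev("2019-03-04T11:00:00", "svc_backup", "10.0.9.9", "fs01", True),
    ev("2019-03-04T11:01:00", "svc_backup", "10.0.9.9", "fs02", True),
    ev("2019-03-04T11:02:00", "svc_backup", "10.0.9.9", "db01", True),
    ev("2019-03-04T11:03:00", "svc_backup", "10.0.9.9", "dc01", True),
    ev("2019-03-04T11:04:00", "svc_backup", "10.0.9.9", "hr-fs", True),
]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a successful logon preceded by >= threshold failures for the same
    (user, source) inside `window`. Correlating failures with the later success
    is what separates a real compromise from a noisy but harmless lockout."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        q = failures[(e["user"], e["src"])]
        while q and e["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if not e["ok"]:
            q.append(e["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "brute_force_success", "user": e["user"],
                           "src": e["src"], "failures": len(q), "at": e["ts"]})
            q.clear()
    return alerts


def detect_lateral_movement(events, max_hosts=4, window=timedelta(minutes=10)):
    """Flag an account that successfully logs on to >= max_hosts distinct hosts
    within `window`; interactive users rarely fan out that quickly."""
    recent = defaultdict(deque)  # user -> (timestamp, host) of recent successes
    fired, alerts = set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        if not e["ok"]:
            continue
        q = recent[e["user"]]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= max_hosts and e["user"] not in fired:  # one alert per account
            fired.add(e["user"])
            alerts.append({"rule": "lateral_movement", "user": e["user"],
                           "hosts": sorted(hosts), "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(EVENTS) + detect_lateral_movement(EVENTS):
        print(alert)
```

Both rules keep per-key sliding windows rather than fixed buckets, so a burst that straddles a bucket boundary is not missed; in a production rule you would also feed the source IP and target hosts into the same correlation so that the brute-force success and the subsequent fan-out from that session land in one alarm.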

Insider Threats

Insider threats are primary UEBA drivers for many security teams due to the challenge of accurately detecting when an insider threat is occurring. These threats include malicious insiders, compromised insiders, and negligent insiders.

This is an area where UEBA solutions can help. By establishing baseline behavior for your users, the solution should detect and alarm on unusual, high-risk behavior that falls out of that baseline profile. These anomalies are based on several factors, including time, host, authentication classification, and location.
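The baseline-and-outlier approach described in this section and in the behavior-based analytics section above, as an added example that is not LogRhythm's profiling engine: it builds a per-user profile (hour of day, hosts, countries) and a peer-group profile from twenty days of constructed history, then scores live logons by how far they fall outside both. The peer group here is simply the user's department (standing in for the dynamically derived groups the text describes), and the weights, threshold and sample data are assumptions.

```python
"""Behavior-based detection over constructed logon history.
Example code, not LogRhythm's profiling engine; weights, threshold and
the department-as-peer-group simplification are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime


def ev(user, dept, ts, host, country):
    """One successful logon with the attributes the profile is built from."""
    return {"user": user, "dept": dept, "ts": ts, "host": host, "country": country}


def make_history():
    """Twenty days of constructed, routine logons for three users (not real logs)."""
    plan = {  # user -> (department, usual hosts, usual logon hours)
        "alice": ("finance", ["ws-alice", "fin-fs"], [9, 11, 14, 17]),
        "bob":   ("finance", ["ws-bob", "fin-fs", "fin-db"], [8, 10, 13, 16]),
        "carol": ("eng",     ["ws-carol", "build01", "git01"], [10, 12, 15, 18]),
    }
    hist = []
    for day in range(1, 21):
        for user, (dept, hosts, hours) in plan.items():
            for i, hour in enumerate(hours):
                hist.append(ev(user, dept, datetime(2019, 2, day, hour), hosts[i % len(hosts)], "US"))
    return hist


def build_baselines(history):
    """Per-user profile plus a per-department (peer-group) profile."""
    users = defaultdict(lambda: {"dept": None, "hours": Counter(), "hosts": set(), "countries": set()})
    peers = defaultdict(lambda: {"hosts": set(), "countries": set()})
    for e in history:
        u = users[e["user"]]
        u["dept"] = e["dept"]
        u["hours"][e["ts"].hour] += 1
        u["hosts"].add(e["host"])
        u["countries"].add(e["country"])
        peers[e["dept"]]["hosts"].add(e["host"])
        peers[e["dept"]]["countries"].add(e["country"])
    return users, peers


def score_event(e, users, peers):
    """Risk score for one live logon. Each factor the text names (time, host,
    location) adds points; a host the user has never touched scores less when
    the peer group uses it, since that is plausibly new legitimate work."""
    u = users.get(e["user"])
    if u is None:
        return 50, ["no baseline for this user"]
    score, reasons = 0, []
    frac = u["hours"][e["ts"].hour] / sum(u["hours"].values())
    if frac == 0:
        score += 30
        reasons.append(f"never seen at hour {e['ts'].hour:02d}")
    elif frac < 0.05:
        score += 10
        reasons.append(f"rare hour {e['ts'].hour:02d}")
    if e["host"] not in u["hosts"]:
        if e["host"] in peers[u["dept"]]["hosts"]:
            score += 15
            reasons.append(f"new host {e['host']} (used by peer group)")
        else:
            score += 40
            reasons.append(f"host {e['host']} unseen for user and peers")
    if e["country"] not in u["countries"]:
        score += 35
        reasons.append(f"new country {e['country']}")
    return score, reasons


def find_anomalies(live, users, peers, threshold=50):
    """Return only the live events whose combined score crosses the alarm threshold."""
    out = []
    for e in live:
        score, reasons = score_event(e, users, peers)
        if score >= threshold:
            out.append({"user": e["user"], "ts": e["ts"], "score": score, "reasons": reasons})
    return out


# Constructed live events to score against the baseline.
LIVE = [
    ev("alice", "finance", datetime(2019, 3, 4, 9), "ws-alice", "US"),  # routine
    ev("alice", "finance", datetime(2019, 3, 4, 11), "fin-db", "US"),   # new host, but her peers use it
    ev("alice", "finance", datetime(2019, 3, 5, 2), "fin-fs", "US"),    # off-hours only
    ev("alice", "finance", datetime(2019, 3, 6, 3), "git01", "RO"),     # off-hours + unknown host + new country
]

if __name__ == "__main__":
    users, peers = build_baselines(make_history())
    for e in LIVE:
        print(e["user"], e["ts"], score_event(e, users, peers))
    print(find_anomalies(LIVE, users, peers))
```

Note that no single deviation reaches the threshold on its own: the off-hours logon to a familiar file server scores 30 and the first use of a peer's database host scores 15, while the combination of an unusual hour, a host no one in finance uses, and a new country scores 105 and alarms. Stacking factors this way is what keeps a behavioral baseline from paging the team every time someone works late.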

Privileged Account Abuse

A UEBA solution should identify specific attacks on privileged users who have access to sensitive information. This can be accomplished by detecting compromised credentials and lateral movement to the systems that contain this privileged data. Defining and maintaining a list of privileged users and groups can help your UEBA solution validate permission changes and quickly disable accounts with observed privilege escalation.

In addition to privileged accounts, you’ll also want your UEBA solution to monitor when sensitive, high-value assets are accessed. By identifying and assigning threat risk levels, your UEBA solution should monitor high-profile or high-value assets to generate high-priority alarms for your security team.

Data Exfiltration

An effective UEBA solution can monitor and alert your team to indicators of data exfiltration as they occur, in real time. This will allow your team to investigate and stop the exfiltration before damage occurs. Automated responses can be extremely valuable in lowering your team’s mean time to respond — ultimately protecting your organization from a high-profile data breach.

LogRhythm's UEBA Solutions

With LogRhythm’s UEBA solutions, you can quickly detect and respond to user-based threats. UEBA uncovers threats with diverse analytical methods, including scenario- and behavior-based techniques, which deliver comprehensive visibility across the full spectrum of threats. Additionally, to enhance understanding of a user’s actions across multiple identifiers, TrueIdentity maps account identifiers to a single accurate identity.

Whether it's an integrated component of the LogRhythm NextGen SIEM Platform or a standalone product, there is a solution available to broaden your UEBA capabilities that fits the specific needs of your organization. To learn more about LogRhythm's UEBA solutions, you can read the in-depth review by SANS analyst Dave Shackleford, "SANS Puts LogRhythm UEBA to the Test."
