UEBA Systems, or How to Expose a Wolf in Sheep's Clothing?

Back in the 19th century, Nathan Rothschild made an oracular utterance: "He Who Owns Information Owns the World." Now his words are as true and relevant as never before. With the right information, you can make incredible profits, raise your business to new heights, become the first in your field, or ruin a successful competitor. The more critical the data is, the harder it is to protect. The market demands new technologies to eliminate modern information threats. One of them is User and Entity Behavioral Analytics (UEBA).

What is UEBA?

UEBA is a fairly young class of systems using a brand new approach in the fight against modern threats. With machine learning capabilities, statistical analysis tools, and big data on users and IT infrastructure (servers, workstations, switches, etc.), UEBA solutions reveal behavior patterns and then track deviations from them—both in real-time and post facto.

UEBA use the following data sources:

• Server and network equipment logs.
• Security logs.
• Logs from user workstations stations.
• Information from authentication systems.
• Messages in social networks, messengers, email, etc.

UEBA systems can create profiles of the entire IT environment, which helps to identify threats related not only to users but also to IT infrastructure components.

What is this for?

UEBA systems can solve a wide range of tasks. However, their primary use case is the detection of different categories of threats by analyzing typical patterns of user and entity behavior, followed by the detection of "wolves in sheep’s clothing." They track the following anomalies:

• unauthorized data access and transfer;
• suspicious behavior of privileged users;
• malicious or unauthorized employee activity;
• unconventional access and use of cloud resources and much more.

There are also some non-standard scenarios not related to cybersecurity, such as insider threat prevention or employee monitoring.

A separate solution or a function?

UEBA systems can be provided as a standalone solution or integrated into the product.

• Specialized UEBA platforms focus on a wide range of user and entity behavior analysis tasks.
• Built-in UEBA systems are part of complex products and are focused on solving a more specific set of tasks.

UEBA platforms offer more extensive capabilities, more sophisticated analytics, and increased functionality, but built-in UEBA systems can be more efficient for specific tasks as they access only the necessary data.

Currently, many vendors—Aruba (HP), Exabeam, Forcepoint, Fortinet, InfoWatch, Microsoft, Palo Alto, Securonix, Splunk, Varonis, VMware, and others—integrate UEBA functionality into their solutions.

Popular specialized UEBA solutions

Forcepoint UEBA. The solution allows security teams to monitor high-risk abnormal behavior within the organization proactively. An analytical security platform combines structured and unstructured data to generate the context required to detect and block malicious, compromised, and negligent users. The product also identifies various critical issues such as compromised accounts, industrial espionage, theft of intellectual property, and fraud.

By assessing the nuances of interaction between people, data, devices, and applications, Forcepoint UEBA defines the priorities for security groups.

Securonix UEBA. The product provides advanced analytical capabilities powered by machine learning. The solution has the following advantages:

• Reducing the risk of insider threats by creating a risk profile for each user in the company based on identity, employment, typical security breaches, IT activity, access rights, physical access, and even phone contacts.
• Identifying the real risk areas by comparing user activity with their individual profiles, their group profiles, and known threat indicators.
• Improving the visibility into the cloud: cloud-to-cloud monitoring with built-in APIs for all major cloud infrastructures and application technologies, detection of malicious activity by analyzing user rights and events, correlation of cloud and local data to enrich the entity context, and end-to-end analysis of threat patterns that should be responded.
• Proactive detection of online fraud: the product identifies complex fraudulent attacks using advanced signatureless behavior and peer-to-peer anomaly detection methods; it also detects account theft, abnormal user behavior, transaction fraud, and money laundering operations.

UEBA application in different types of solutions

The following several kinds of solutions can be distinguished in terms of UEBA use cases:

Audit and protection. Products aimed to improve the security of structured and unstructured data storages (DCAP) belong to this group. One of the products mentioned by Gartner in this category is the Varonis cybersecurity platform, which analyzes user behavior to monitor changes in access rights to unstructured data and their use for different data storages.

CASB systems offer protection against a variety of threats in cloud-based SaaS applications by blocking unwanted devices, users, and application versions from accessing cloud services with an adaptive access control system. All top-notch CASB solutions from vendors such as Cisco, Oracle, Palo Alto Networks, Symantec, and Microsoft have the UEBA functionality.

DLP solutions focus on detecting the transfer of critical data beyond the corporate perimeter or other cases of its misuse.

The DLP operation principle is all about understanding the content. Context, such as user, application, location, time, event speed, and other external factors, get less attention. Effective DLP products must recognize both content and context. This is why many vendors (e.g., InfoWatch, Solar Dozor, and Forcepoint) are beginning to incorporate UEBA functionality into their solutions.

Employee monitoring. This function includes recording and reproducing employee actions, usually in a data format suitable for court proceedings.

Continuous monitoring of users often generates an overwhelming amount of data that requires manual filtering and human analysis. Therefore, UEBA optimizes the work of monitoring systems by highlighting only high-risk incidents. An example of such a system is Fortinet's FortiInsight.

End device security. Endpoint detection and response (EDR) and endpoint protection platforms (EPP) solutions provide powerful tools and operating system telemetry on end devices.

User-connected telemetry can be analyzed with integrated UEBA functions.

Online fraud. Online fraud detection solutions detect deviations indicating that the customer account has been compromised by a fake person, malware, or unsecured connections/browser traffic interception.

Most solutions that prevent online fraud combine the functions of UEBA, transactional analysis, and device performance measurement, while more advanced systems also analyze relations in their identity database. One of the developers of such solutions is Group-IB.

IAM and access control. IAM and Identity Governance and Administration (IGA) systems use UEBA for behavioral and identity analytics scenarios such as anomaly detection, dynamic grouping of similar entities, login analysis, and access policy analysis.

IAM and privileged access management (PAM). PAM solutions control the usage of superuser accounts by logging how, why, when, and where administrative accounts are used. This data can be analyzed with the built-in UEBA functionality for abnormal administrator behavior or malicious intent.

NTA (Network Traffic Analysis) vendors such as Aruba (HP) use a combination of machine learning, advanced analytics, and rule-based detection to detect suspicious activity in enterprise networks.

NTA tools analyze entity behavior, constantly monitor source traffic or record flows (e.g., NetFlow) to build models that reflect normal network behavior.

SIEM. Many SIEM vendors now have advanced data analytics functionality built into SIEM or implemented in a standalone UEBA module. In 2019, the boundaries between SIEM and UEBA functionality were gradually erasing. SIEM systems now work better with analytics and offer more complex use cases.

The present and the future in the Gartner report

In May 2019, Gartner published a market report for user and entity behavioral analysis systems (UEBA).

The analysts have made the following key findings:

• The market of behavioral analytics of users and entities has entered the maturity stage, which is confirmed by the extensive use of UEBA technologies by medium and large enterprises.
• UEBA functions are now integrated into a wide range of related information security technologies, such as cloud access security brokers (CASB), identity governance and administration (IGA), and SIEM systems. During the study, analysts predicted that by 2021, the market for UEBA systems would move towards complex solutions with UEBA functionality, and by 2020, 95% of all UEBA products will be part of the functionality of a larger security platform.

UEBA solutions appeared not so long ago but very quickly gained popularity, which proves their undoubted effectiveness and demand in the corporate segment. According to Gartner, the sales of specialized UEBA solutions double each year, and many large vendors add UEBA functionality to their solutions for security information and event management, network traffic analysis, identity and access management, endpoint protection, or data leakage prevention.

Source: Gartner report (May 2019)