UEBA: Finding the cyber security norm with data science & machine learning

Posted on July 20, 2017

CBR Online
EB: What is UEBA?

BS: UEBA stands for User and Entity Behaviour Analytics and it’s an analytics-led threat detection technology.

UEBA uses machine learning and data science to gain an understanding of how Users (humans) and Entities (machines) within an environment typically behave.

As every IT environment is an interconnected web of humans and machines, UEBA helps to identify normal and abnormal behaviour for both groups to provide complete visibility. Then, by looking for risky, anomalous activity that deviates from normal behaviour, UEBA helps identify cyber threats.

EB: What would a business need UEBA for?

BS: All of the biggest data breaches, judged either by number of records breached or the importance of the data stolen, have involved attackers leveraging stolen user credentials to gain access. Businesses need UEBA because their existing threat detection tools are unable to detect hackers that are leveraging stolen, but valid, user credentials. This is because an attacker with valid credentials looks just like a regular user; the only difference is their behaviour. UEBA is needed to help enterprises find and root out attackers that impersonate employees, and it does this by comparing the attacker's behaviour using the stolen credentials with the user's normal behaviour.

EB: How does it work in practice?

BS: UEBA aims to understand what the 'normal behaviour' is for all users and entities in an environment. It does this by using data science to build out a behavioural model for each attribute of a user or machine interacting with an IT environment. Very simply, the model is built by recording a user or machine's activities and building this up to form a profile over time. Once there is enough data, data science can be used to identify trends and form a baseline. With this in place, each time the user or entity does something that is anomalous, the model adds risk points to the profile. If the risk score reaches a certain threshold, let's say 90 risk points or more, the business's security team will be notified and can investigate. This approach greatly reduces false positives because several abnormalities must occur before an analyst is alerted.

Let's use a real-world example from a large technology company to explain how UEBA helps uncover machine behavioural anomalies. This incident involved a Linux box which was compromised and being controlled by hackers, who were using the machine to search the rest of the network for additional vulnerable assets. The hackers scanned the network and its assets, then attempted to log into various servers using default credentials. Without the ability to track and model entity behaviours, this attack would have gone unnoticed. The ability to baseline and identify unusual machine behaviour was what enabled us to quickly uncover the compromised machine before any real damage was inflicted.

EB: What is machine learning’s role in UEBA?

BS: Machine learning performs statistical analysis to create a baseline of normal behaviour for each employee, contractor, etc. Credit card companies use something similar when they block a fraudulent transaction on your card; the transaction deviated from your normal purchase patterns, so it was flagged as unusual and prevented from going through. UEBA applies similar analysis to user behaviour, to determine what normal looks like and then whether a particular action falls within that normal pattern or not. Machine learning enables analytics at a very high scale.

EB: Advice for companies looking to adopt/deploy UEBA?

BS: UEBA is well-suited to detecting credential-based threats, which are often the cause of modern data breaches. It’s not a cure-all, however. You can’t just dump in a load of data and hope that something useful comes out at the other end. The best approach when looking to choose a UEBA tool is to define some specific use cases (e.g. detect a stolen credential) and then evaluate the effectiveness of a UEBA solution against that use case.
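The risk-scoring mechanism described in the interview (baseline each entity, add risk points per anomaly, notify once the score reaches 90) and the compromised-Linux-box scenario (a host that suddenly talks to many new servers and fails logins with default accounts) can be sketched in a few dozen lines. The following is an added example, not code from the article or from any UEBA vendor: the log format, the risk weights, the anomaly rules and the sample hosts are all constructed assumptions chosen to make the arithmetic easy to follow.

```python
# Added example (not from the article): toy UEBA risk scoring over constructed logs.
# Baseline each source host, add risk points for anomalies, alert at a threshold.
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed sample logs, not real data. Format: ts,src_host,user,dst_host,result
BASELINE_LOG = """\
2017-07-10T09:01,web01,svc-web,db01,success
2017-07-10T10:07,web01,svc-web,cache01,success
2017-07-11T09:02,web01,svc-web,db01,success
2017-07-11T11:10,web01,svc-web,cache01,success
2017-07-12T09:05,web01,svc-web,db01,success
2017-07-10T09:00,web02,svc-web,db01,success
2017-07-11T09:00,web02,svc-web,db01,success
"""
# Detection window: web01 behaves like the compromised box in the article,
# web02 does one mildly unusual thing (a single new destination).
DETECTION_LOG = """\
2017-07-14T02:01,web01,root,app01,failure
2017-07-14T02:01,web01,root,app02,failure
2017-07-14T02:02,web01,admin,app03,failure
2017-07-14T02:02,web01,admin,app04,failure
2017-07-14T02:03,web01,root,db02,failure
2017-07-14T02:03,web01,root,db01,failure
2017-07-14T09:01,web01,svc-web,db01,success
2017-07-14T09:02,web02,svc-web,db01,success
2017-07-14T09:05,web02,svc-web,cache01,success
"""
# Hypothetical risk weights (tuning assumptions, not taken from the article).
W_NEW_DST, W_NEW_USER, W_FAILURE, W_BURST = 15, 20, 10, 30
ALERT_THRESHOLD = 90  # the interview's illustrative "90 risk points or more"


@dataclass
class Baseline:
    dsts: set = field(default_factory=set)
    users: set = field(default_factory=set)
    burst_limit: float = 3.0  # events per hour before a burst is scored


def parse_events(text):
    """Split the constructed CSV lines into (ts, src, user, dst, result) tuples."""
    return [tuple(line.split(",")) for line in text.strip().splitlines()]


def build_baselines(events):
    """Learn, per source host, its usual destinations, accounts and hourly rate."""
    per_src = defaultdict(Baseline)
    hourly = defaultdict(Counter)
    for ts, src, user, dst, _ in events:
        per_src[src].dsts.add(dst)
        per_src[src].users.add(user)
        hourly[src][ts[:13]] += 1  # bucket by YYYY-MM-DDTHH
    for src, buckets in hourly.items():
        counts = list(buckets.values())
        # mean + 3 sigma, floored at 3 so a quiet baseline is not hair-trigger
        per_src[src].burst_limit = max(3.0, mean(counts) + 3 * pstdev(counts))
    return dict(per_src)


def score_events(events, baselines, threshold=ALERT_THRESHOLD):
    """Accumulate risk per entity; return (final_scores, alerts).

    alerts holds (src, ts, score) recorded the first time an entity crosses
    the threshold, so one oddity on its own never pages an analyst."""
    scores = Counter()
    seen_dsts, seen_users = defaultdict(set), defaultdict(set)
    hourly, burst_flagged, alerted, alerts = defaultdict(Counter), set(), set(), []
    for ts, src, user, dst, result in events:
        base = baselines.get(src, Baseline())
        pts = 0
        if dst not in base.dsts and dst not in seen_dsts[src]:
            seen_dsts[src].add(dst)
            pts += W_NEW_DST  # talking to a host it never talked to before
        if user not in base.users and user not in seen_users[src]:
            seen_users[src].add(user)
            pts += W_NEW_USER  # using an account it never used before
        if result == "failure":
            pts += W_FAILURE  # e.g. default-credential guessing
        hour = ts[:13]
        hourly[src][hour] += 1
        if hourly[src][hour] > base.burst_limit and (src, hour) not in burst_flagged:
            burst_flagged.add((src, hour))
            pts += W_BURST  # scanning-like spike in activity, scored once per hour
        scores[src] += pts
        if scores[src] >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, scores[src]))
    return dict(scores), alerts


def run():
    baselines = build_baselines(parse_events(BASELINE_LOG))
    return score_events(parse_events(DETECTION_LOG), baselines)


if __name__ == "__main__":
    print(run())
```

Running it, web01 is alerted on its third anomalous event (new host, new account and a failed login each add points, and the 02:00 burst adds more once it passes the baseline rate), while web02's single new destination scores 15 and stays well below the threshold. That gap between one anomaly and an alert is the false-positive reduction the interview describes; in a real deployment the weights and the burst floor are exactly the knobs you would tune against the use cases you defined up front.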