Learn about how User and Entity Behavior Analysis, or UEBA, works and how it leverages machine learning to help mitigate insider threats, password attacks, and more in Data Protection 101, our series on the fundamentals of information security.
User and Entity Behavior Analysis (UEBA) is a model that assists to track suspicious or malicious intent of cyber attackers. It uses an advanced machine learning technique that monitors system logs, data flow, report generation and other related information.
For example, if a thief gets hold of your credit card and starts making sudden huge purchases, the system detects this abnormal spending and blocks the suspicious transactions. Then, the credit card company calls you to verify the purchases. UEBA works in a similar way but with a more complex machine learning algorithm.
How UEBA Works
UEBA monitors the behavior of employees, vendors, contractors, and personnel who have access to applications, accounts, and servers of an organization that stores proprietary data. It then processes this information internally to judge if a particular activity or behavior could result in a cyber attack.
UEBA goes a step further than just tracking events and devices. It can also machine learn and monitor possible threats from insiders (employees who have gone rogue). This is done by creating a baseline of where an end user logs in from, which files and servers they usually access, privileges they have, frequency and time of access, devices used for access, and more.
The basic proposition on which UEBA works is very simple. It is easy to hack an employee’s credentials such as username and password with a malicious intent. But, it will not be possible for the hacker to mimic the user’s regular behavior once inside the network.
Let's say a user account normally downloads a certain file size every day from a particular device and accesses a set number of servers every week. If it is noticed that suddenly the account is downloading gigabytes of files from a foreign location or is accessing new servers, UEBA will raise a flag.
UEBA has established patterns built into the system which also self-learns based on permissions and access granted to every endpoint user. Using algorithms, UEBA can detect patterns and anomalies much faster compared to ordinary human detection as well as insider threats that may otherwise go entirely unnoticed.
Types of Threats Addressed by UEBA
It is a possibility that an employee or even a group of them could go rogue. There could be several factors behind this intent. It could be done for financial gain by selling Personal Identifiable Information(PII) or for business gain by exploiting intellectual property. There could be other reasons such as seeking revenge due to disagreements, job dissatisfaction or a potential layoff. Another motive for an insider threat could be deep-rooted political, social or religious beliefs.
Hacked Privileged Accounts
Often, executives have access to sensitive company data and are also granted exceptions due to their high company profile. In some other cases, contractors and senior employees are also granted short-term access to sensitive data for a project and these access rights could later not be reset. Hackers are highly skilled and are on the lookout for such accounts to access and exploit secured data and information.
Cyber attacks are not a one-time event and are not isolated from each other. Once an attacker has acquired a password from a security breach, the hacker can use Brute Force and try variations of the password and passphrases to penetrate into different accounts of the targeted user in future. Hackers leverage on the knowledge that users are likely to use a particular variation of the password for different sites they access.
Traditional Data Loss Prevention is Dying
How Can UEBA Defend Against These Threats?
UEBA has an inbuilt machine learning system by which it helps detect security breaches, policy violations, and privilege abuse made by the employees of the company. Thus, it is a prompt way to raise an alert on the system due to any suspicious insider activity.
Power users and privileged accounts could be compromised by both a malicious insider or due to an unintentional insider. A malicious insider is an employee who willfully breaches his duty and exploits the technology, assets and intellectual property of the organization. On the other hand, an unintentional insider is one who inadvertently exposes privileged information. UEBA can help weed out compromised accounts before a hacker can do any harm. UEBA also detects when power users were created and monitor if they still have unnecessary permissions. It regularly keeps track if a particular user still needs legitimate access to secure servers and databases.
Once hackers have access to secure logins and passwords, they are likely to target firewalls, server entries, cloud-based entities and third-party authentication systems. UEBA is also capable to detect brute-force attempts and immediately blocks access to such entities.
The bottom line is that even if you are encrypting your data, monitoring privileges, system access and following security policies, these preventative measures still have their limitations against advanced hackers. UEBA uses machine learning to quickly detect behavioral changes and anomalies and raises an alert proactively before a security breach can occur, helping to mitigate a threat. This can save companies time, money, litigation, and potential PR nightmares.