What is UEBA? User and Entity Behavior Analytics

Insider threat is a security threat to network assets and, most importantly, to business data that comes from insiders: company employees, contractors or partners. Data breaches caused by employees are in a much larger percentage unintentional, such as losing a company laptop or sending a business document to the wrong address. Sometimes data breaches are caused by intentionally malicious employees who, for instance, have been notified that they are losing their job, think they are underpaid, etc. Data breaches caused by outsiders who are authorized to access the network are more often intentional than accidental. The most famous case is Edward Snowden's, who worked for the NSA as an outside contractor and took their data.

Unintentional data breaches are usually caught by DLP solutions. Intentional insider attacks are more sophisticated and harder to detect, so besides DLP we need other types of solutions. One is direct user activity monitoring. Another is User & Entity Behavior Analytics, or UEBA.

User monitoring tools monitor single sessions. But a sophisticated attacker might perform a malicious activity in such a way that it is not directly visible in a single session on a single system. He might do a little bit on one server and a little bit on another. Then he would lie low and make some changes on a database later, or in a couple of days. And in a week he would put his findings in a file and send it out of the network via email. Such activities are impossible to catch with session monitoring tools, so UEBA tools were developed.

UEBA tools gather and correlate input from many different sources: system and application logs, security solutions, SIEM, user directories, orchestration tools, even workstations. Sophisticated algorithms and machine learning are used to define the normal activities of users and entities, a kind of very advanced baselining. They can then detect and alert on anomalies, or security analysts can work with them interactively to search for something strange.

What is an anomaly? Let's say a server has 100Mb of traffic daily with the internet, and there is a business reason for that. Then on one day there are 5 communication sessions with 100Mb each. A UEBA tool could detect that; it is an entity anomaly. Another anomaly is a user who connects daily to his workstation and a web server because he is the company blogger. But then one day he suddenly accesses a database server, and on the next day he sends out a large ZIP file. That is strange and can be detected with UEBA tools.
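The two anomalies described above (a server whose daily volume jumps to several times its baseline, and a user who touches a system outside his normal profile and then moves a large file out) can be demonstrated with a very small baselining detector. The following is an added example, not code from the original article or from any UEBA product: it learns per-host and per-user daily volumes and per-user destination sets over a baseline week of constructed events, then scores two later days against that baseline. All host names, user names, day numbers and byte counts are constructed sample data.

```python
"""Toy UEBA-style baselining and anomaly detection.

Added example, not code from the original article. Every host name, user
name, day number and byte count below is constructed sample data.
Events are simplified tuples: (day, user, src_host, dst_host, bytes).
"""
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = range(1, 8)   # the week used to learn what "normal" looks like
EVAL_DAYS = (8, 9)            # the days scored against that baseline


def sample_events():
    """Constructed sample events mirroring the article's two scenarios."""
    ev = []
    for day in BASELINE_DAYS:
        # web01 talks to the internet every day with roughly the same volume
        ev.append((day, "svc-web", "web01", "internet", 100_000_000))
        # the blogger talks to the web server and sends a little mail daily
        ev.append((day, "blogger", "ws-blog", "web01", 2_000_000 + 50_000 * (day % 3)))
        ev.append((day, "blogger", "ws-blog", "mail-gw", 100_000))
    for _ in range(5):                      # day 8: five sessions of the usual daily size
        ev.append((8, "svc-web", "web01", "internet", 100_000_000))
    ev.append((8, "blogger", "ws-blog", "web01", 2_000_000))
    ev.append((8, "blogger", "ws-blog", "db01", 500_000))        # never seen before
    ev.append((9, "svc-web", "web01", "internet", 100_000_000))
    ev.append((9, "blogger", "ws-blog", "mail-gw", 250_000_000))  # large archive leaving
    return ev


def build_baselines(events, baseline_days=BASELINE_DAYS):
    """Learn (mean, stdev) of daily bytes per host and per user, plus the set of
    destinations each user normally communicates with."""
    days = list(baseline_days)
    day_set = set(days)
    host_daily = defaultdict(lambda: defaultdict(int))
    user_daily = defaultdict(lambda: defaultdict(int))
    user_dests = defaultdict(set)
    for day, user, src, dst, nbytes in events:
        if day not in day_set:
            continue
        host_daily[src][day] += nbytes
        user_daily[user][day] += nbytes
        user_dests[user].add(dst)

    def stats(daily):
        # a baseline day with no activity counts as zero bytes
        out = {}
        for key, per_day in daily.items():
            vals = [per_day.get(d, 0) for d in days]
            out[key] = (mean(vals), pstdev(vals))
        return out

    return {"host": stats(host_daily), "user": stats(user_daily),
            "user_dests": dict(user_dests)}


def volume_threshold(mu, sigma):
    """Alert above mean + 3 sigma, but never below 1.5x the mean, so an entity
    with a perfectly regular baseline (sigma == 0) still needs a real jump."""
    return mu + max(3 * sigma, 0.5 * mu)


def detect(events, baselines, eval_days=EVAL_DAYS):
    """Return (kind, entity, day, detail) findings for the evaluation days."""
    findings = []
    host_daily = defaultdict(lambda: defaultdict(int))
    user_daily = defaultdict(lambda: defaultdict(int))
    for day, user, src, dst, nbytes in events:
        if day not in eval_days:
            continue
        host_daily[src][day] += nbytes
        user_daily[user][day] += nbytes
        known = baselines["user_dests"].get(user)
        if known is not None and dst not in known:
            findings.append(("user_new_destination", user, day, dst))
    for kind, daily, base in (("entity_volume", host_daily, baselines["host"]),
                              ("user_volume", user_daily, baselines["user"])):
        for key, per_day in daily.items():
            # an entity with no baseline gets threshold 0: any activity is new
            mu, sigma = base.get(key, (0.0, 0.0))
            for day, total in per_day.items():
                if total > volume_threshold(mu, sigma):
                    findings.append((kind, key, day, total))
    return sorted(findings, key=lambda f: (f[2], f[0], f[1]))


def run_demo():
    events = sample_events()
    return detect(events, build_baselines(events))


if __name__ == "__main__":
    for kind, entity, day, detail in run_demo():
        print(f"day {day}: {kind:22s} {entity:10s} {detail}")
```

Running it flags web01 (and its service account) on day 8, the blogger's first contact with db01 on day 8, and the 250 MB outbound transfer from the blogger and his workstation on day 9, while the blogger's ordinary day-8 traffic stays under threshold. The destination-set check is what catches "a user who normally never talks to that server"; the volume check with a floor at 1.5x the mean is what keeps a server with a perfectly constant baseline from alerting on a 1% change.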