User and entity behavior analytics (UEBA), also known as user behavior analytics (UBA), is the process of gathering insight into the network events that users generate every day. Once collected and analyzed, it can be used to detect the use of compromised credentials, lateral movement, and other malicious behavior.
The Gartner Market Guide added ‘Entity’ to User Behavior Analytics due to increasing threats from external forces, rather than just individual users. These external forces include, but are not limited to, routers, servers, applications, and other network devices that could possibly be compromising.
In summary, these other types of behavior analytics deviate from traditional consumer behavioral analytics to focus on the behavior of systems and the user accounts on them.
Today’s networks gather endless amounts of information, especially with users moving seamlessly between IPs, assets, cloud services, and mobile devices. UBA focuses on user activity as opposed to static threat indicators, meaning it can detect attacks that haven’t been mapped to threat intelligence and alert on malicious behavior earlier in an attack.
As networks have become more complex, it’s become easier than ever to successfully infiltrate a corporate network and masquerade as an internal employee, circumventing external defenses. If an attacker is able to penetrate a network and remain there undetected, they can repeatedly steal sensitive data and cause monetary damage. User Behavior Analytics exposes stealthy, attacker activities by uncovering patterns in user behavior to identify what’s “normal” behavior, and what may be evidence of intruder compromise, insider threats, or risky behavior on a network.
User and Entity Behavior Analytics enables you to more easily determine whether a potential threat is an outside party pretending to be an employee or an actual employee who presents some kind of risk, whether through negligence or malice. UEBA connects activity on the network to a specific user as opposed to an IP address or an asset. This means that if a user starts to behave in a way that’s unusual or unlikely, even if it isn’t flagged by traditional perimeter monitoring tools, you’ll be able to spot the behavior quickly, determine whether it’s anomalous, and start an investigation if needed.
For example, stolen credentials are a common attack vector used by penetration testers and real-world criminals alike. Whether the criminal obtains credentials via phishing attacks, malware, key logging, or even a third-party data breach, all they need is one correct username and password combination to work; once they’re able to login they can silently move within a network undetected. However, once an attacker is in, they usually start to act in ways unlike a normal user, such as by moving laterally between assets. The intruder moves from step to step in what’s often called the “attack” or “kill chain,” looking for increasingly interesting targets to raid and data to exfiltrate.
The ability to baseline what kind of user behavior is normal on a network and what isn’t is critical. User behavior analytics provides you with the data to identify trends and easily spot outliers, so you can more easily and quickly identify and investigate potential threats and break the attack chain.
To spot trends and make connections, first you must have a way to gather key behavioral data in one centralized location, so it can be parsed by analytical tools later. Traditionally, user behavior analytics are added on as a layer to existing security information and event management (SIEM) deployments.
User and Entity Behavior Analytics are one part of a multilayered, integrated IT and information security strategy to prevent attacks and investigate threats. It can be an incredibly powerful tool to detect compromise early, mitigate risk, and stop an attacker from exfiltrating an organization’s data.