The risk appetite of every organization is different, because they all differ in what they consider to be risky and how much risk they're willing to accept—or consider acceptable—to achieve their goals. Determining the acceptable level of risk also depends on factors such as:
Apart from this, organizations also have to consider the risk posed by users and entities to arrive at their risk score. But how do they do it?
User and entity behavior analytics (UEBA), the anomaly detection capability of a SIEM solution, can help organizations determine the risk score of users and entities. Powered by machine learning algorithms, UEBA uses historical data to establish a baseline of normal behavior for every user and entity. It then monitors the users and entities in real time to determine if they follow the same pattern of behavior or if they deviate from it. Any deviation from the baseline of normalcy will be considered an anomaly, and depending on the degree of deviation, a risk score will be determined. But what is a risk score and how exactly does UEBA arrive at this risk score?
A risk score is a value between zero and 100 that is assigned to each user and entity depending on the frequency and severity of deviations from the established baseline. The greater the deviation, the greater the risk. The deviations or anomalies can be a time anomaly, count anomaly, or pattern anomaly.
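As an added illustration of the three anomaly kinds (time, count, pattern) and of how a deviation score is derived from a learned baseline, here is a small Python scorer over constructed authentication events. This is example code written for this article, not Log360's algorithm: the scoring rules (a z-score for counts, an hour-of-day set for time, a never-seen host for pattern) and the per-kind weights are assumptions chosen for illustration.

```python
# Added example (not from the original post): a minimal UEBA-style baseline and
# anomaly scorer over constructed authentication events. The rules below are
# assumptions for illustration, not a vendor's algorithm.
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    host: str
    outcome: str  # "success" or "failure"


# Constructed baseline: ten ordinary days for "alice", two logons per day on her workstation
BASELINE = [
    Event("alice", datetime(2021, 3, d, 9, 15), "ws-01", "success") for d in range(1, 11)
] + [
    Event("alice", datetime(2021, 3, d, 13, 40), "ws-01", "success") for d in range(1, 11)
]

# Constructed observation day: a 3 a.m. burst of failures then a success on a host never seen before
OBSERVED = [
    Event("alice", datetime(2021, 3, 12, 3, 5), "db-prod-01", "failure"),
    Event("alice", datetime(2021, 3, 12, 3, 6), "db-prod-01", "failure"),
    Event("alice", datetime(2021, 3, 12, 3, 7), "db-prod-01", "failure"),
    Event("alice", datetime(2021, 3, 12, 3, 8), "db-prod-01", "success"),
    Event("alice", datetime(2021, 3, 12, 9, 20), "ws-01", "success"),
]


def build_baseline(events):
    """Per-user profile learned from history: usual hours, known hosts, daily-count statistics."""
    profile = defaultdict(lambda: {"hours": Counter(), "hosts": set(), "daily": Counter()})
    for e in events:
        p = profile[e.user]
        p["hours"][e.ts.hour] += 1
        p["hosts"].add(e.host)
        p["daily"][e.ts.date()] += 1
    result = {}
    for user, p in profile.items():
        counts = list(p["daily"].values())
        result[user] = {
            "hours": set(p["hours"]),
            "hosts": set(p["hosts"]),
            "mean": mean(counts),
            "std": pstdev(counts),
        }
    return result


def score_user(user, events, baseline):
    """Return (anomalies, deviation_score); the score is clamped to the 0..100 range."""
    b = baseline[user]
    day_events = [e for e in events if e.user == user]
    anomalies = []
    # Time anomaly: activity in an hour of the day the user has never been active in
    for hour in sorted({e.ts.hour for e in day_events} - b["hours"]):
        anomalies.append(("time", f"activity at hour {hour:02d}"))
    # Count anomaly: today's event volume versus the baseline (z-score; std floored to 1)
    z = (len(day_events) - b["mean"]) / max(b["std"], 1.0)
    if z > 2:
        anomalies.append(("count", f"{len(day_events)} events, z={z:.1f}"))
    # Pattern anomaly: logon to a host absent from the baseline
    for host in sorted({e.host for e in day_events} - b["hosts"]):
        anomalies.append(("pattern", f"new host {host}"))
    # Severity: each anomaly contributes an assumed weight; clamp to 100
    weights = {"time": 10, "count": 15, "pattern": 25}
    score = min(100, sum(weights[kind] for kind, _ in anomalies))
    return anomalies, score


if __name__ == "__main__":
    profile = build_baseline(BASELINE)
    found, deviation = score_user("alice", OBSERVED, profile)
    for kind, detail in found:
        print(f"{kind:8s} {detail}")
    print("deviation score:", deviation)
```

On the constructed data the scorer reports one anomaly of each kind (activity at 03:00, five events against a baseline of two per day, and a first-ever logon to db-prod-01) for a deviation score of 50. In a real deployment the baseline would be rebuilt continuously and the per-kind weights tuned to the organization's risk appetite.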
Apart from looking at the level of deviation (from the established baseline of expected activity) to assign the risk score, the machine learning algorithm is usually also programmed to look for criteria such as:
In addition to these, UEBA also looks at the type of risk to determine the right risk score. So, what are the different types of risks?
The anomaly detection algorithm looks at four different types of risks to assign a risk score. These are:
Insider threats: Any threat to the organization's data posed by an individual inside the organization is known as an insider threat. It can be malicious, where the employee is deliberately trying to steal, modify, or corrupt the data; or it could be unintentional, where the user's account was used to steal sensitive information from the company. Some common indicators of insider threats include a new or unusual system or file accessed at an unusual time, or multiple authentication failures.
Account compromise: When a particular user's account is accessed by an unauthorized user, it is termed account compromise. This can occur when a user's password is weak or when an attacker uses sophisticated tools to decipher the user's password. Continuous login failures followed by unknown software downloads and installation are a sign of account compromise.
Suspicious logons: Any attack, irrespective of whether it originates internally or externally, will need a successful logon at some stage. In the case of an external threat, a successful logon will probably be preceded by multiple logon failures. So, you could say that an anomalous logon is the first sign of an attack. Note that your UEBA solution should alert on anomalous logon successes as well as failures, since only the two together show the bigger picture. For instance, a successful logon after multiple failed logon attempts could be indicative of a brute-force attack. An abnormal logon on a server or database could signify an impending threat or attack.
Data exfiltration: If an individual makes an unauthorized transfer of data to any user or entity outside the organization, it is called data exfiltration. It is a clear sign of an attack, so the risk score of the user rises sharply. Your UEBA solution will assign a high risk score and alert the analysts to take immediate action to prevent a data leak. Some signs of data exfiltration are an unusual number of file downloads or data transfers via removable USB devices.
In all the above cases, irrespective of whether the user or employee attacks the system or network, or whether the attacker uses that employee's credentials to attack, that user's risk score will increase. The increase in the risk score is how your UEBA solution will alert the analyst of an anomaly.
After the algorithm has computed risks based on the different sub-risks mentioned above, it will calculate the overall risk score of the user (see Figure 1), taking into account the weight (or weightage) and decay factor assigned to each of the risk types. Here, weightage refers to the importance assigned to that specific sub-risk, and decay factor refers to how quickly the risk score falls back to normal over time if no further anomalies are detected.
The overall risk score for users and entities can be calculated using the below formula:
Where:
w1 = Weightage assigned to insider threats
w2 = Weightage assigned to account compromise
w3 = Weightage assigned to suspicious logons
w4 = Weightage assigned to data exfiltration
DF1 = Time decay factor assigned to insider threats
DF2 = Time decay factor assigned to account compromise
DF3 = Time decay factor assigned to suspicious logons
DF4 = Time decay factor assigned to data exfiltration
Figure 1: Factors influencing risk score computation
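The following Python example, added here and not taken from the article or from Log360, shows one way to combine the four sub-risks into an overall user score using the w1..w4 weightages and DF1..DF4 decay factors defined above. Because the article's own formula is not reproduced on this page, the combination rule used here (a weighted sum of exponentially decayed sub-risk scores, clamped to 0..100) is an assumption for illustration, as are the numeric weights and decay factors.

```python
# Added example (not from the original post): aggregating four sub-risks into one
# overall risk score with per-type weightage and time decay. The combination rule,
# weights and decay factors below are assumptions chosen for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

RISK_TYPES = ("insider_threat", "account_compromise", "suspicious_logon", "data_exfiltration")

# w1..w4: weightage per sub-risk (assumed values, summing to 1)
WEIGHTS = {
    "insider_threat": 0.2,
    "account_compromise": 0.3,
    "suspicious_logon": 0.2,
    "data_exfiltration": 0.3,
}
# DF1..DF4: assumed daily decay factor, i.e. the fraction of a sub-risk retained per quiet day
DECAY = {
    "insider_threat": 0.8,
    "account_compromise": 0.7,
    "suspicious_logon": 0.5,
    "data_exfiltration": 0.9,
}


@dataclass
class SubRisk:
    score: float = 0.0                   # 0..100 as of the last anomaly of this type
    last_seen: Optional[datetime] = None


@dataclass
class UserRisk:
    sub: dict = field(default_factory=lambda: {t: SubRisk() for t in RISK_TYPES})

    def decayed(self, risk_type, now):
        """Sub-risk value at 'now': score * DF ** (days since its last anomaly)."""
        s = self.sub[risk_type]
        if s.last_seen is None:
            return 0.0
        days = max(0.0, (now - s.last_seen).total_seconds() / 86400)
        return s.score * DECAY[risk_type] ** days

    def record(self, risk_type, severity, when):
        """Raise a sub-risk on a new anomaly, adding to whatever has not yet decayed."""
        s = self.sub[risk_type]
        s.score = min(100.0, self.decayed(risk_type, when) + severity)
        s.last_seen = when

    def overall(self, now):
        """Weighted sum of decayed sub-risks, clamped to 0..100 and rounded for display."""
        total = sum(WEIGHTS[t] * self.decayed(t, now) for t in RISK_TYPES)
        return round(min(100.0, total), 2)


def demo():
    """Constructed timeline: two anomalies on day 0, then quiet days; returns daily overall scores."""
    t0 = datetime(2021, 3, 12, 3, 0)
    u = UserRisk()
    u.record("suspicious_logon", 60, t0)     # failures followed by a success
    u.record("account_compromise", 50, t0)   # unknown software installed after logon
    return [u.overall(t0 + timedelta(days=d)) for d in range(4)]


if __name__ == "__main__":
    for day, score in enumerate(demo()):
        print(f"day {day}: overall risk {score}")
```

With these assumed values the overall score is 27.0 on the day of the anomalies and 16.5 one day later; suspicious logons decay fastest (DF3 = 0.5), so their share of the score halves each quiet day, while account compromise lingers longer. Tuning the decay factors is how an analyst controls how long a user stays "hot" after a single incident.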
Now you know how UEBA calculates the risk score of users and entities. But is it possible to further increase its risk scoring accuracy? If so, how?
The risk scoring accuracy of UEBA can be improved by factoring in peer group analysis and seasonality. This will help in reducing false positive alerts.
ManageEngine Log360 is a unified SIEM solution with integrated UEBA, DLP, and CASB capabilities that can help organizations thwart various cyberattacks. To learn more about how the Log360 UEBA feature works, schedule a personalized demo and talk to our product experts. Thanks for reading, folks!
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.