What is UEBA?

User and entity behavior analytics (UEBA) is a cybersecurity technique that uses machine learning algorithms to detect anomalous activity by users, hosts, and other entities in a network. It has become an integral part of security information and event management (SIEM) solutions. Traditionally, security analysts had to write correlation rules, and the SIEM could only detect a threat that matched one of those rules. UEBA does not depend on hand-written rules: it learns the past behavior of each user and entity and flags activity that departs from it, so it can surface attacks that nobody has written a rule for yet. Rules-based detection and UEBA are complementary, and both are necessary to deal with today's sophisticated threats.

To detect anomalies, UEBA first observes the expected behavior of every user and entity in the network over a learning period and builds a baseline of their regular activity. Activity that deviates from that baseline is flagged as an anomaly, and a security analyst can then investigate it and take the steps needed to mitigate the risk. Because the baseline is learned from observed data, UEBA grows more accurate the longer it watches an environment. For the same reason, behavior that is already present during the learning period (including an attacker who is already active) becomes part of the baseline, so the learning period should cover a known-good window and the resulting baseline should be reviewed rather than simply trusted.


UEBA benefits: Defend against insider threats, account compromise and data exfiltration.

A risk score is calculated for each user and entity in the organization by comparing its actions with its baseline of regular activity. The score ranges from 0 (no risk) to 100 (maximum risk). It depends on factors such as the weight allotted to the type of action, the extent of the deviation from the baseline, how often the deviation recurs, and the time elapsed since the deviation (older deviations contribute less to the score than recent ones).

Here are some activities that might increase the risk score of users and entities, indicating a possible insider threat, account compromise, or data exfiltration.

Signs of an insider threat

  • New or unusual system accesses.
  • Unusual access times.
  • Unusual file accesses or modifications.
  • Excessive authentication failures.

Signs of account compromise

  • Unusual software running for a user.
  • Multiple instances of software installed on a host.
  • Numerous logon failures on a host.

Signs of data exfiltration

  • Unusual file downloads.
  • Multiple removable disk creations by users.
  • Unusual commands executed by users.
  • Abnormal host logons.

What Log360 UEBA can do for you

Log360 UEBA analyzes logs from different sources, including firewalls, routers, workstations, databases, and file servers. Any deviation from normal behavior is classified as a time anomaly (activity at an hour when the profile is not normally active), a count anomaly (an unusual volume of a given activity), or a pattern anomaly (an activity, or sequence of activities, that the profile has not produced before).
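The baseline, the time/count/pattern classification, and the risk score factors described above (action weight, size of the deviation, how often it recurs, and how long ago it happened) can be made concrete with a small worked example. The Python below is an added illustration written for this page; it is not Log360's code and does not reproduce its scoring formula. The per-class weights, the one-hour tolerance for time anomalies, the mean + 3 sigma count threshold, the cap on how far a single deviation can scale a weight, and the seven-day half-life decay are all assumed values, and the log events are constructed.

```python
"""Toy UEBA: learn per-user baselines from a log history, classify new events as
time / count / pattern anomalies, and roll them up into a 0-100 risk score."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed weights per anomaly class, a cap on how far one deviation scales them,
# and an assumed decay: a deviation's contribution halves every week.
WEIGHTS = {"time": 5, "count": 10, "pattern": 15}
MAX_DEVIATION = 3.0
HALF_LIFE_DAYS = 7


def _routine(user, host, days, start):
    """Constructed sample history: weekday 09:05 logon plus two file reads on one host."""
    events = []
    for d in range(days):
        day = start + timedelta(days=d)
        if day.weekday() < 5:
            events.append((user, host, "logon", day.replace(hour=9, minute=5)))
            events.append((user, host, "file_read", day.replace(hour=10)))
            events.append((user, host, "file_read", day.replace(hour=14)))
    return events


START = datetime(2020, 3, 2)  # a Monday; two weeks of learning period
BASELINE_EVENTS = _routine("alice", "WS01", 14, START) + _routine("bob", "WS02", 14, START)

# Constructed events to score: alice logs on at 02:30 and pulls 31 files from a
# server she has never used; bob behaves exactly as before.
RECENT_EVENTS = [
    ("alice", "WS01", "logon", datetime(2020, 3, 17, 2, 30)),
    *[("alice", "FS01", "file_read", datetime(2020, 3, 17, 2, 40) + timedelta(minutes=i))
      for i in range(31)],
    ("bob", "WS02", "logon", datetime(2020, 3, 17, 9, 3)),
    ("bob", "WS02", "file_read", datetime(2020, 3, 17, 10, 10)),
]


def build_baseline(events):
    """Per user: hours seen active, (host, action) pairs seen, mean/std of daily counts per action."""
    hours, pairs = defaultdict(set), defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for user, host, action, ts in events:
        hours[user].add(ts.hour)
        pairs[user].add((host, action))
        daily[(user, action)][ts.date()] += 1
    stats = {}
    for key, per_day in daily.items():
        counts = list(per_day.values())
        mean = sum(counts) / len(counts)
        std = math.sqrt(sum((c - mean) ** 2 for c in counts) / len(counts))
        stats[key] = (mean, std)
    return {"hours": dict(hours), "pairs": dict(pairs), "daily": stats}


def detect_anomalies(baseline, events):
    """Return (user, kind, deviation, timestamp) tuples; deviation >= 1 scales the class weight."""
    found = []
    seen_hours, new_pairs = set(), set()
    day_counts, first_ts = defaultdict(int), {}
    for user, host, action, ts in events:
        if user not in baseline["hours"]:
            continue  # no baseline for this user yet: nothing to compare against
        # Time anomaly: active in an hour more than one hour away from any baseline hour,
        # reported once per user/day/hour so a burst does not count 30 times.
        gap = min(abs(ts.hour - h) for h in baseline["hours"][user])
        if gap > 1 and (user, ts.date(), ts.hour) not in seen_hours:
            seen_hours.add((user, ts.date(), ts.hour))
            found.append((user, "time", float(gap), ts))
        # Pattern anomaly: a (host, action) combination this user has never produced.
        if (host, action) not in baseline["pairs"][user] and (user, host, action) not in new_pairs:
            new_pairs.add((user, host, action))
            found.append((user, "pattern", 1.0, ts))
        day_counts[(user, action, ts.date())] += 1
        first_ts.setdefault((user, action, ts.date()), ts)
    # Count anomaly: daily volume above mean + 3 sigma. The threshold is at least double
    # the mean so a zero-variance baseline does not flag every single extra event.
    for (user, action, day), n in day_counts.items():
        mean, std = baseline["daily"].get((user, action), (0.0, 0.0))
        threshold = max(mean + 3 * std, 2 * mean, 1.0)
        if n > threshold:
            found.append((user, "count", n / threshold, first_ts[(user, action, day)]))
    return found


def risk_scores(anomalies, now):
    """Weighted, capped, time-decayed sum of deviations per user, clamped to 0-100.
    Every repeated anomaly adds to the sum, which is how recurrence raises the score."""
    totals = defaultdict(float)
    for user, kind, deviation, ts in anomalies:
        age_days = (now.date() - ts.date()).days
        decay = 0.5 ** (age_days / HALF_LIFE_DAYS)
        totals[user] += WEIGHTS[kind] * min(deviation, MAX_DEVIATION) * decay
    return {user: min(100, round(total)) for user, total in totals.items()}


def demo(now_iso="2020-03-18T09:00:00"):
    """Run the pipeline on the constructed data; returns scores and anomaly kinds per user."""
    baseline = build_baseline(BASELINE_EVENTS)
    anomalies = detect_anomalies(baseline, RECENT_EVENTS)
    kinds = defaultdict(set)
    for user, kind, _, _ in anomalies:
        kinds[user].add(kind)
    scores = risk_scores(anomalies, datetime.fromisoformat(now_iso))
    return {"scores": scores, "kinds": {u: sorted(k) for u, k in kinds.items()}}


if __name__ == "__main__":
    print(demo())
```

Running demo() gives alice time anomalies for the 02:00 and 03:00 hours, a pattern anomaly for the server she never used, and a count anomaly for 31 reads against a baseline of two per day, which add up to a score in the high sixties a day later; bob, whose events all fall inside his baseline, gets no anomalies and no score. Calling demo("2020-04-17T09:00:00") shows the same anomalies decayed to a single-digit score a month on, which is the "time elapsed since the deviation" factor at work.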

1. Firewalls: Cisco, NetScreen, Sophos, Palo Alto, WatchGuard, Windows

2. Routers: Cisco, Hewlett Packard

3. Workstations
   Client PCs: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP Professional x64 Edition, Windows XP
   Servers: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, Windows Server 2003

4. Databases: Oracle, SQL Server, MySQL

5. File servers: Windows servers

6. Reports and charts
   Access to reports such as logon reports, file activity reports, logon failure reports, firewall change reports, and configuration change reports. All the data used to generate the reports can be viewed in graphical form.

7. User and entity risk score
   UEBA maintains a risk score for every user and entity profile. Whenever an activity log for a user or entity differs from its baseline, the risk score of that profile increases. A rising risk score tells the IT admin which profiles to look into first, so that a potential breach can be stopped early.

8. Anomaly trends
   Graphically represents how the number of anomalies varies over a given time period.

With Log360 UEBA, you can:

  • Map different user accounts to build a baseline of expected behavior for each individual user and entity.
  • Get more meaningful security context by associating a user's different actions with each other.
  • Identify anomalous user behavior based on activity time, count, and pattern.
  • Spot abnormal entity behaviors in Windows devices, SQL servers, FTP servers, and network devices such as routers, firewalls, and switches.
  • Expose threats emanating from insider attacks, account compromise, and data exfiltration.

© 2020 Zoho Corporation Pvt. Ltd. All rights reserved.