To detect anomalies, UEBA first learns about the expected behavior of all users and entities in a network and creates a baseline of regular activities for each of them. Any activity that deviates from this baseline gets flagged as an anomaly. UEBA solutions grow more effective as they gain more experience.
Insider threats refer to any malicious activity faced by organizations due to the actions of users with legitimate access to the network, databases, and applications.
More than 34% of businesses around the globe are affected by insider threats yearly.
Over the last two years, the number of insider incidents has increased by 44%
Close to 66% of organizations consider malicious insider attacks or accidental breaches more likely than external attacks.
The cost per insider threat in 2022 is $15.38 million
It's just as important to protect your organization from internal threats as external threats.
A UEBA solution leverages the predictability of human behavior to detect and identify the anomalous behavior of users in machines and other entities in the network, which can indicate an insider attack. UEBA solutions also address routers, servers, and endpoints in the network. In addition to a wide rage of insider attacks, a UEBA solution can also help you detect DDoS attacks, brute-force attacks, and data exfiltration.
Closely monitoring the behavior of a person can reveal a lot about their true intentions. This is the concept that UEBA works on. UEBA closely monitors the activities of every user and entity inside the network and learns their characteristics. UEBA often works along with a SIEM solution by using activity logs to study the usual behavior of users and entities.
A risk score is calculated for each user and entity in the organization after comparing their actions to their baseline of regular activities. The risk score usually ranges from anywhere between zero to 100, indicating no risk to maximum risk, respectively. The risk score is dependent on factors such as the allotted weight of the action, the extent of the deviation from the baseline, the frequency of deviation, and the time elapsed since the deviation.
Here are some activities that might increase the risk score of users or entities, indicating possible insider threats, account compromise, data exfiltration, or logon anomalies.
There are two methods to set up a UEBA system:
Whereas in the supervised ML method, the UEBA system is fed the list of known good and bad behaviors. This list is limited and therefore might lack proper knowledge for it to detect anomalous behavior. The system builds up these inputs further and detectsanomalous behaviors in the network.
In the unsupervised ML method, the UEBA system undergoes a "training" to learn the normal behavior of every user and entity. This method is unarguably the best because the system studies the everyday behavior of users and entities on its own.
RPCA, a variation of the widely used principal component analysis technique, is a statistical model that uses orthogonal transformation to convert a set of observations of possibly correlated variables (data points) into linearly uncorrelated variables called principal components. The line of best fit is established for the set of principal components, and the data points that deviate from this line of best fit are termed to be anomalous.
A Markov chain is a sequence of stochastic events where the probability of the next event in a chain depends only on the state of the current event. A workflow of events is created by determining the successive state of occurrences of events. As each event occurs, it’s compared with the predicted sequence of events. If any event deviates from the predicted workflow of events, it’s considered an anomaly, and the risk score of the corresponding entity is increased.
An effective UEBA solution should have the following features:
Peer grouping is the process by which you group users and hosts into distinct peer groups based on their past behavior. If your security analytics platform adopts peer group analysis, it will be able to determine whether a user or host behaves as expected based on the groups it is in. If it doesn’t, the system triggers an anomaly alert. By doing this in addition to comparing a user’s or host’s behavior to its own baseline, peer group analysis helps reduce the number of false positives.
Gathered data should be consolidated efficiently into easy-to-view reports, and generating actionable reports is another critical function of a UEBA solution. Regularly reviewing reports helps spot false flagging within the network and provides insights on how to customize a UEBA solution to comply with an organization's security norms.
All anomaly detection systems offer built-in anomaly models. These are built-in machine learning algorithms that learn the baseline of expected activity for every user and host in the network. If the UEBA solution allows you to train your own anomaly model, it's called a customizable anomaly model. This enables you to cater to the specific security situation of your company in a better way.
With alerts, you can receive notifications about anomalies that happen in the network in real time. For example, you might receive a notification email as soon as an anomaly is identified. With real-time alerts, you won't have to log on to your UEBA solution to check for alerts if there was a new risk your network is exposed to.
A UEBA solution should properly collect and analyze the data of users, machines, and other entities in a network, like event logs and packet capture data. Continuous monitoring and analysis of data from different sources will help to detect anomalies easily and instantly.
The UEBA solution must be able to assign a risk to every user and host in the network to represent the degree of risk posed by an entity. The risk score depends on the extent and type of anomalies that the user or host triggers.