What are User and Entity Behavior Analytics?
User and Entity Behavior Analytics (UEBA) is a cybersecurity solution that uses algorithms and machine learning to detect irregularities in the behavior of users on a network, as well as the routers, servers, and endpoints on a network. UEBA aims to recognize when user behavior on the network is different from what is expected, so that it may alert IT administration and/or automatically disconnect that user from the network. Irregular behavior is identified through comparisons with the baselines of users’ normal behaviors and patterns. There are three main attributes of a UEBA solution:
Analytics. Data is collected and organized based on what it determines to be the normal behavior of users and entities. The UEBA system then builds behavior profiles of users which inform statistical models that are applied to detect behavior which strays from the profile norms.
Integration. UEBA integrates with existing products and services on a network, using the existing data collected to make the new system more robust.
Presentation. Based on the preferences of the organization, UEBA systems can be designed to communicate findings through alerts, or to take immediate actions, such as disconnecting a user from the network.
Baselines in UEBA solutions are established using the following processes:
Defining use cases. UEBA solutions are developed with certain threats in mind, such as identifying compromised users, malicious insiders, or known security threats.
Defining data sources. UEBA solutions can be developed using many types of data including emails, events, logs, human resources data, network flows and packets, and social media activity. The more data sources that are available, the more precise baselines will become.
Defining behaviors. UEBA solutions collect data on many different types of behaviors for baselining. Some of these behaviors include work location, work routines, applications accessed, websites accessed, organizational data accessed, psycholinguistic indicators, contextual factors, keystroke dynamics, mouse dynamics, and eye movement biometrics.
Establishing baseline period. The period for monitoring activities to establish baselines should be long enough to capture sufficient data so that false positives will be minimized; this could be anywhere from a week to 90 days.
Employee engagement. Employees should be informed about the UEBA solutions and how they will be used.
Acceptance testing. Test the use cases by running the system and analyzing the output. A high rate of false positives indicates that additional monitoring data may be needed to improve the baselines.
Reevaluate. As job responsibilities and business objectives change over time, baselines may need to be reestablished to reflect the new changes in behavior.
An advantage of UEBA solutions is that they combine user behavior with behavior of machines in order to detect anomalies. UEBA solutions can recognize when something is unusual, even when that activity is not understood. Machine learning continues to learn as it is presented with new data and new behaviors.