How UEBA Helps Detect Advanced Threats

By Jason Coggins, 04.03.2019, Data Security

Most of the time, employees use their credentials to perform legitimate, predictable, day-to-day operations. There are times, however, when employees are required to perform actions that do not match what is considered "normal" activity. IT administrators, for example, are often required to carry out maintenance operations, typically outside office hours, and these operations may include running queries against a database that stores large amounts of sensitive data.

In such a scenario, how would we differentiate between legitimate and illegitimate behaviour? How would we know whether the administrator's credentials have been compromised?

Why Traditional Security Technologies Aren’t Enough

These are not easy questions to answer when using conventional security technologies. Traditionally, companies focused much of their attention on perimeter security, believing that the bad guys were outside trying to break in.

While this certainly happens, a large share of data breaches involve either negligent or malicious insiders, or external actors who have obtained a legitimate set of credentials by one means or another. From the perimeter's point of view, all of these look like authorised users.

Not only that, but with the growing popularity of BYOD (Bring Your Own Device), monitoring and controlling which devices should have access to the network is becoming harder, which makes a perimeter-focused security approach increasingly less practical.

How UEBA Solutions Address the Problem

User and Entity Behavior Analytics (UEBA) solutions can be used both to detect anomalous user activity and to assess the risk associated with it in real time. They use statistical or machine learning models to establish what typical usage looks like for each user (and each entity, such as a host or service account), and then flag activity that deviates from that baseline.

They are able to correlate data from a large number of sources and variables. They can monitor access to files, folders and accounts, and monitor any changes made to user permissions. They can also monitor and correlate events based on transaction types, user roles, job titles, geographic location, session duration, time of day, data volume, and anything else that can be used to establish a baseline to test against.

Some of the more advanced UEBA solutions can also collect and correlate third-party threat intelligence. Abnormal usage patterns shared by many users at once are also weighed differently from those confined to a single account: employees very rarely co-ordinate themselves in a way that compromises the security of the network, so a company-wide shift in behaviour usually points to a legitimate change (a new system, a migration, a policy update) rather than an attack. After all, it is typically a negligent or malicious individual, or a single compromised account, that presents the greatest security threat.

It’s All About Risk

UEBA solutions evaluate each anomalous behavior according to its potential risk, which is typically determined as the likelihood that the behavior is genuinely anomalous (rather than an unusual but legitimate action) multiplied by the potential impact the behavior might have. The impact is assessed based on the type of data being accessed and the controls assigned to it. Naturally, sensitive data with relatively limited controls assigned to it carries a greater risk, so the same anomaly scores higher against an HR database than against a read-only inventory table.
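As an added illustration of the two ideas above, a per-user baseline and a likelihood-times-impact risk score, here is a small Python scorer. It is example code written for this page, not code from the original post and not the algorithm of any UEBA product. The training window, the new events, the `MIN_SUPPORT` constant, the noisy-OR combination of feature scores, the "ten times the largest volume seen" rule and the impact table are all constructed assumptions chosen so that an admin's usual out-of-hours maintenance run scores low while the same account pulling an order of magnitude more rows from a new country scores high.

```python
"""Added example: a minimal UEBA-style scorer (not a vendor's algorithm).

Builds a per-user baseline from a training window of constructed events,
then scores new events as likelihood-of-anomaly x impact, as the article
describes. All constants and the impact table are illustrative assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from math import log10

MIN_SUPPORT = 3        # a value seen this often for a user counts as fully "normal" (assumption)
ALERT_THRESHOLD = 0.5  # risk at or above this raises an alert (assumption)

# Assumed data classification: resource -> (sensitivity 0..1, control strength 0..1).
IMPACT_TABLE = {
    "hr_db": (1.0, 0.3),         # sensitive, weakly controlled
    "inventory_db": (0.4, 0.8),  # low sensitivity, well controlled
}


@dataclass
class Event:
    user: str
    ts: str          # ISO-8601 timestamp
    resource: str
    rows: int        # rows returned; any volume measure (bytes, files) works the same way
    country: str     # source geolocation of the session

    @property
    def hour(self) -> int:
        return datetime.fromisoformat(self.ts).hour


@dataclass
class Baseline:
    hours: Counter = field(default_factory=Counter)
    resources: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    max_rows: int = 0


def build_baselines(events):
    """Per-user baselines from a training window: value counts plus the largest volume seen."""
    baselines = defaultdict(Baseline)
    for e in events:
        b = baselines[e.user]
        b.hours[e.hour] += 1
        b.resources[e.resource] += 1
        b.countries[e.country] += 1
        b.max_rows = max(b.max_rows, e.rows)
    return baselines


def categorical_surprise(count: int) -> float:
    """0 once a value has MIN_SUPPORT observations for this user, 1 if never seen, linear between."""
    return max(0.0, 1.0 - count / MIN_SUPPORT)


def volume_surprise(rows: int, max_rows: int) -> float:
    """0 inside the range seen before; 1 at ten times the largest volume this user ever moved."""
    if rows <= max_rows:
        return 0.0
    if max_rows == 0:          # no history at all: any volume is new
        return 1.0
    return min(1.0, log10(rows / max_rows))


def score_event(baselines, e: Event) -> dict:
    """Likelihood (how anomalous) x impact (what is at stake) = risk, with the triggering features."""
    b = baselines.get(e.user, Baseline())   # unknown user: empty baseline, so everything is new
    surprises = {
        "hour": categorical_surprise(b.hours[e.hour]),
        "resource": categorical_surprise(b.resources[e.resource]),
        "country": categorical_surprise(b.countries[e.country]),
        "volume": volume_surprise(e.rows, b.max_rows),
    }
    normal = 1.0                            # noisy-OR: one strongly anomalous feature is enough
    for s in surprises.values():
        normal *= 1.0 - s
    likelihood = 1.0 - normal
    sensitivity, controls = IMPACT_TABLE.get(e.resource, (0.5, 0.0))  # unclassified data: assume no controls
    impact = sensitivity * (1.0 - 0.5 * controls)   # strong controls halve the impact (assumption)
    return {
        "likelihood": round(likelihood, 3),
        "impact": round(impact, 3),
        "risk": round(likelihood * impact, 3),
        "reasons": sorted(k for k, v in surprises.items() if v > 0),
    }


def constructed_training():
    """Constructed baseline window for one admin account: office-hours queries on two
    databases plus two out-of-hours maintenance runs, which are normal for this role."""
    events = []
    for day in range(1, 11):
        for hour in (9, 11, 14, 16):
            res = "hr_db" if hour < 13 else "inventory_db"
            events.append(Event("dba", f"2019-03-{day:02d}T{hour:02d}:00:00", res, 1000 + 50 * day, "GB"))
    for day in (2, 9):
        events.append(Event("dba", f"2019-03-{day:02d}T02:00:00", "inventory_db", 5000, "GB"))
    return events


NEW_EVENTS = [  # constructed events to score against the baseline
    Event("dba", "2019-03-16T11:00:00", "hr_db", 1200, "GB"),         # routine
    Event("dba", "2019-03-16T02:00:00", "inventory_db", 5000, "GB"),  # legitimate maintenance
    Event("dba", "2019-03-16T02:30:00", "hr_db", 50000, "US"),        # compromised-credential pattern
    Event("intern", "2019-03-16T02:45:00", "hr_db", 800, "GB"),       # account with no history at all
]


def triage(events=NEW_EVENTS):
    """Score a batch of events; returns (event, score) pairs at or above the alert threshold."""
    baselines = build_baselines(constructed_training())
    return [(e, s) for e in events if (s := score_event(baselines, e))["risk"] >= ALERT_THRESHOLD]


if __name__ == "__main__":
    for e, s in triage():
        print(f"ALERT {e.user} {e.ts} {e.resource}: risk={s['risk']} ({', '.join(s['reasons'])})")
```

The maintenance run at 02:00 is only mildly surprising (the hour has been seen twice, below `MIN_SUPPORT`) and touches well-controlled, low-sensitivity data, so it stays under the threshold; the 02:30 query scores as fully anomalous on country and volume and lands on weakly controlled sensitive data, so it alerts. A real deployment would also compare each user with a peer group of the same role and update baselines continuously rather than from a fixed window.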

The use of advanced machine learning algorithms and the correlation of threat intelligence from third-party sources is overkill for most organizations. Not only that, but such UEBA solutions can be expensive, and require specialized personnel to install, configure and maintain. At a minimum, however, companies need a solution that can monitor and alert on suspicious events in real time, such as access to sensitive data outside a user's normal hours or from an unfamiliar location.

There are a number of User and Entity Behavior Analytics (UEBA) solutions on the market which can detect and respond to a wide range of events. They also provide additional features such as inactive user account management, password expiration reminders, threshold alerting, advanced reporting, and more. Some UEBA solutions provide built-in tools which enable you to automatically discover and classify a wide range of data types, which helps to streamline the process of assigning the correct access controls to your sensitive data, and a correct classification is also what makes the impact side of the risk calculation meaningful.

If you want to have a look at how LepideAuditor can help you with your UEBA strategy, come and talk to us today.
