User and Entity Behavior Analytics (UEBA)

What is UEBA?

Today it is common for attackers to break into networks and cause damage. Malicious e-mails with infected attachments, phishing and social engineering are part of everyday business life.

Systems and tools quickly become outdated, and new security gaps that can endanger a company's information security are discovered every day.

User and Entity Behavior Analytics (UEBA) helps

The problem with classic user monitoring tools is that they only look at individual sessions. Attackers are aware of this. They therefore carry out their activity in ways that cannot be detected within a single session on a single system: they spread their "work" across multiple servers and repeatedly take long breaks between steps. Session monitoring cannot capture such activity, because no single session looks suspicious on its own. UEBA was developed to counter this approach.

UEBA (User and Entity Behavior Analytics) is a cybersecurity process that analyzes the behavior of users and of entities such as servers, service accounts and applications. From this data, UEBA learns what normal behavior looks like and then detects anomalies, that is, deviations from the "normal" patterns. For example, if a certain user regularly downloads files totaling about 10 MB per day but suddenly downloads gigabytes, the system detects this anomaly and reports it immediately. UEBA uses machine learning, algorithms and statistical analysis to determine when behavior deviates from established patterns and when such an anomaly amounts to a real potential threat. File, flow and packet information can be analyzed as well. To achieve this, UEBA does not rely primarily on direct monitoring of individual devices and users or on static rules, but on correlating information from many different sources: system and application logs, security solutions, the SIEM, user directories, orchestration tools and even workstations.

Using these analysis methods, a baseline of user behavior is created. Everything a UEBA recognizes as "normal" behavior lies within the bounds of this baseline; if an event exceeds them, an alarm is triggered. This is particularly effective against insider threats, such as employees who are dissatisfied with the company and want to harm it. Attackers who have compromised a system can be identified in the same way: circumventing the rules of a SIEM is not difficult for them, but convincingly imitating the "normal" behavior of a system or user is.
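The baseline idea from the two paragraphs above, and the cross-session problem described earlier, in working code. This is an added example and not the page's or any vendor's code; the log lines are constructed, and the 1.4826 MAD scaling, the z-threshold of 5 and the 100 MB per-session rule are assumptions chosen for the illustration. It aggregates download volume per user and day across every host, learns a robust (median/MAD) baseline per user, and compares that with what a static per-session threshold would have reported.

```python
"""Per-user daily-volume baseline with median/MAD scoring (added example; constructed data)."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

MB = 1_000_000
SESSION_RULE_BYTES = 100 * MB   # static per-session threshold a session monitor might use (assumed)
ROBUST_Z_THRESHOLD = 5.0        # scaled MADs above the median that count as anomalous (assumed)
MIN_BASELINE_DAYS = 7           # do not score a user with less learning data than this
SCORING_DAY = "2024-03-15"


def build_sample_log():
    """Constructed log lines 'YYYY-MM-DD user host bytes' (not real data)."""
    lines = []
    start = date(2024, 3, 1)
    for i in range(14):                                   # two weeks of normal behaviour
        day = (start + timedelta(days=i)).isoformat()
        lines.append(f"{day} alice fs1 {10 * MB + (i % 3) * 200_000}")   # alice: ~10 MB/day
        lines.append(f"{day} bob fs1 {2 * MB + (i % 4) * 100_000}")      # bob: ~2 MB/day
    day = (start + timedelta(days=14)).isoformat()        # 2024-03-15
    lines.append(f"{day} alice fs1 {4_000 * MB}")         # alice: one 4 GB session
    for host in ("fs1", "fs2", "fs3", "fs4", "fs5", "fs6"):
        lines.append(f"{day} bob {host} {40 * MB}")       # bob: six 40 MB sessions spread over six hosts
    return lines


def parse_line(line):
    day, user, host, nbytes = line.split()
    return day, user, host, int(nbytes)


def daily_totals(lines):
    """Aggregate bytes per (user, day) across all hosts and sessions."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, _host, nbytes in map(parse_line, lines):
        totals[user][day] += nbytes
    return totals


def robust_z(value, history):
    """Median/MAD z-score: a few outliers in the learning window do not distort the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad > 0 else max(0.1 * med, 1.0)   # guard against a zero MAD
    return (value - med) / scale


def session_rule_alerts(lines):
    """What a static per-session threshold reports: only sessions above SESSION_RULE_BYTES."""
    return [(d, u, h) for d, u, h, b in map(parse_line, lines) if b > SESSION_RULE_BYTES]


def baseline_alerts(lines, scoring_day):
    """Score scoring_day for every user against that user's earlier daily totals."""
    alerts = []
    for user, per_day in daily_totals(lines).items():
        history = [b for d, b in per_day.items() if d < scoring_day]
        if len(history) < MIN_BASELINE_DAYS or scoring_day not in per_day:
            continue
        z = robust_z(per_day[scoring_day], history)
        if z > ROBUST_Z_THRESHOLD:
            alerts.append((user, scoring_day, per_day[scoring_day], round(z, 1)))
    return alerts


def run_demo():
    """Return both views of the same constructed log for comparison."""
    lines = build_sample_log()
    return {"session_rule": session_rule_alerts(lines),
            "baseline": baseline_alerts(lines, SCORING_DAY)}


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(f"{name}: {alerts}")
```

The per-session rule only sees alice's single 4 GB session. Bob's six 40 MB sessions each stay under the rule, but aggregated per user and day they are more than a hundred times his learned baseline, so the baseline view flags both accounts. In practice the learning window would be longer, and hosts accessed, time of day and peer-group behavior would be additional features scored the same way.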


How UEBA works: A little insight

The principle of UEBA can be explained with a short example:
Attackers have a variety of methods at their disposal (brute force attacks, man-in-the-middle attacks, phishing or social engineering, helped along by missing password policies or careless handling of one's own data), so it is often easy for them to obtain the credentials (user name and password) of an internal employee.

Let's assume we have obtained the correct credentials of a certain person with administrative rights and thereby gained access to a network. Without prior research and insider knowledge we would not be able to behave the way the victim would: we would log in from different hosts, at different times, and touch different systems. So as soon as a user behaves differently than "normal", UEBA raises an alert.

UEBA is therefore a very important component of IT security that allows you to:

1. Detect insider threats

Internal employees can steal data and information using their own legitimate access. UEBA can help detect data theft, sabotage, privilege abuse and policy violations by employees.

2. Detect brute force attacks

Attackers also target cloud-based entities and third-party authentication systems. With UEBA, brute force attacks can be detected as a burst of failed logins that deviates from the normal pattern, and access to the affected entities can be blocked.

3. Detect permission changes

Some attacks involve creating so-called super users with admin privileges. UEBA can detect when such a super user has been created or when accounts have been granted unnecessary permissions.

4. Detect access to protected data

It is not enough to store protected data securely. There should be visibility into when a user accesses these files, even when there are legitimate business reasons for the access.
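The stolen-credentials scenario above and items 2 and 3 of the list, as one added example that is not the page's or any product's code. The auth-log lines are constructed; the admin group names, the 5-minute window and the threshold of 10 failures are assumptions. It learns, per user, which hosts and hours of the day are normal and who already holds admin membership, then scores later events for first-seen hosts, off-hours logins, newly granted admin privileges and bursts of failed logins.

```python
"""Per-user login profile plus privilege-change and brute-force detection (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_GROUPS = {"DomainAdmins", "sudo"}        # assumed names of privileged groups
FAILURE_WINDOW = timedelta(minutes=5)          # assumed sliding window for failed logins
FAILURE_THRESHOLD = 10                         # assumed number of failures that counts as a burst
CUTOFF = datetime(2024, 3, 15)                 # events before this train the profile, later ones are scored


def build_events():
    """Constructed auth-log lines 'ISO-timestamp kind user detail [outcome]' (not real data)."""
    lines = ["2024-02-20T10:00:00 group_add admin-carol DomainAdmins"]   # carol is already an admin
    for day in range(1, 15):                                            # 14 days of normal logins
        for hour in (8, 11, 14, 17):
            lines.append(f"2024-03-{day:02d}T{hour:02d}:05:00 login alice ws-alice success")
            lines.append(f"2024-03-{day:02d}T{hour:02d}:20:00 login bob bob-laptop success")
        lines.append(f"2024-03-{day:02d}T09:00:00 login admin-carol jump01 success")
    # March 15: carol's stolen credentials used from bob's laptop at 03:14
    lines.append("2024-03-15T03:14:00 login admin-carol bob-laptop success")
    # the intruder then adds bob to DomainAdmins
    lines.append("2024-03-15T03:20:00 group_add bob DomainAdmins")
    # and hammers alice's account from one source: 12 failures in three minutes
    for i in range(12):
        lines.append(f"2024-03-15T04:{i // 4:02d}:{(i % 4) * 15:02d} login alice 10.0.9.9 failure")
    lines.append("2024-03-15T08:05:00 login alice ws-alice success")    # alice's own, normal login
    return lines


def parse(line):
    ts, kind, user, detail, *rest = line.split()
    return datetime.fromisoformat(ts), kind, user, detail, (rest[0] if rest else None)


def learn_profiles(lines, cutoff):
    """Hosts and hours seen per user before cutoff, and who held admin membership by then."""
    hosts, hours, admins = defaultdict(set), defaultdict(set), set()
    for ts, kind, user, detail, outcome in map(parse, lines):
        if ts >= cutoff:
            continue
        if kind == "login" and outcome == "success":
            hosts[user].add(detail)
            hours[user].add(ts.hour)
        elif kind == "group_add" and detail in ADMIN_GROUPS:
            admins.add(user)
    return hosts, hours, admins


def score_events(lines, cutoff):
    """Score every event at or after cutoff against the learned profiles."""
    hosts, hours, admins = learn_profiles(lines, cutoff)
    failures = defaultdict(list)       # (user, source) -> timestamps of failed logins
    alerts = []
    for ts, kind, user, detail, outcome in sorted(map(parse, lines), key=lambda e: e[0]):
        if ts < cutoff:
            continue
        when = ts.isoformat()
        if kind == "login" and outcome == "success":
            if user in hosts and detail not in hosts[user]:
                alerts.append(("new_host", user, detail, when))
            if user in hours and ts.hour not in hours[user]:
                alerts.append(("off_hours", user, detail, when))
        elif kind == "login" and outcome == "failure":
            key = (user, detail)
            failures[key].append(ts)
            recent = [t for t in failures[key] if ts - t < FAILURE_WINDOW]
            if len(recent) == FAILURE_THRESHOLD:           # fire once when the burst crosses the line
                alerts.append(("brute_force", user, detail, when))
        elif kind == "group_add" and detail in ADMIN_GROUPS and user not in admins:
            alerts.append(("privilege_granted", user, detail, when))
            admins.add(user)
    return alerts


def run_profile_demo():
    return score_events(build_events(), CUTOFF)


if __name__ == "__main__":
    for alert in run_profile_demo():
        print(alert)
```

The compromised admin account produces two alerts (unknown host and unusual hour) although every single event was a successful login that no static rule would have caught; the group change and the failed-login burst are flagged from the same event stream. A real deployment would weight and combine these signals into a risk score per user rather than emitting each one separately.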

UEBA and SIEM

A SIEM (Security Information and Event Management) system is used to provide a comprehensive overview of the security state of an IT environment. It collects log and event data from many sources and applies correlation rules to it in order to detect known attack patterns.

UEBA works with the same data sources, but user and entity behavior information is collected from a variety of sources and evaluated using advanced analytics and machine learning to detect anomalies rather than matches against predefined patterns.
That is the big difference: a SIEM works with rules, and these have to be created and maintained manually. Skilled attackers can deliberately stay below them. In addition, SIEM correlation rules typically operate on short time windows to detect threats in near real time, whereas advanced attacks unfold slowly over weeks or months.

For good IT security it is therefore recommended to use both a SIEM and a UEBA. Only through the interaction of both can comprehensive detection be achieved: the SIEM catches what is already known and describable as a rule, the UEBA what merely looks different from the learned baseline.
