Today it is commonplace for attackers to break into networks and cause damage. Malicious e-mails with infected attachments, phishing and social engineering are part of everyday life.
Systems and tools quickly become outdated, and new vulnerabilities that can endanger a company's information security are discovered every day.
…then a baseline of user behaviour is created. Everything a UEBA system subsequently classifies as "normal" user behaviour falls within that baseline; if an event exceeds its limits, an alert is raised. This is how insider threats in particular, such as employees who are dissatisfied with the company and want to harm it, can be thwarted. Attackers who have compromised a system can be identified the same way: circumventing the rules of a SIEM is not difficult for them, but imitating the "normal" behaviour of a system or user is.
The principle of UEBA can be explained with a short example:
Using a variety of methods (brute force, man-in-the-middle, phishing or social engineering), and helped along by missing password policies or careless handling of one's own data, attackers can easily obtain the credentials (user name and password) of an internal employee.
Let's assume we have obtained the correct credentials of a particular person with administrative rights and thereby gained access to a network. Without prior research and insider knowledge, we would not be able to behave the way the victim does. So as soon as a user behaves differently than "normal", UEBA raises an alert.
Internal employees can steal data and information using their own legitimate access. UEBA helps detect data theft, sabotage, privilege abuse and violations of employee policies.
Attackers also target cloud-based entities and third-party authentication systems. With UEBA, brute-force attacks against these entities can be detected and access to them blocked.
A SIEM (Security Information and Event Management) system provides a comprehensive overview of the security state of an IT environment. It collects log data and event information and matches it against rules that encode known patterns and trends.
UEBA works similarly, except that behaviour information about users and entities is collected from many sources and evaluated with advanced analytics and machine learning to detect anomalies.
And that is the big difference: a SIEM works with rules, and these have to be created and maintained by hand. Advanced attackers can bypass such rules easily. SIEM rules are also designed to detect threats in real time, whereas advanced attacks typically unfold over months or years.
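The following Python script is an added example written for this page, not code from the original article or from any product. It puts the stolen-credentials scenario from above next to the SIEM-versus-UEBA contrast: one hand-written correlation rule of the kind a SIEM runs (five failed logins from one source within a minute) and a small per-user baseline of the kind UEBA builds (seen source addresses, usual login hour, usual download volume), both run over the same constructed login events. The login history, the scenario events, the field names and the thresholds are all invented for the illustration.

```python
"""Added illustration: a static SIEM-style rule beside a per-user UEBA baseline,
both run over the same constructed login events. Data, thresholds and field
names are invented for this example, not taken from any real product or log."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Constructed history for one administrator: ten working-hours logins from the
# office network (10.0.1.20), each followed by a modest download. Made-up data.
_HIST = [("2024-03-04T08:12:00", 12_000), ("2024-03-04T09:05:00", 15_000),
         ("2024-03-05T09:40:00", 9_000), ("2024-03-05T10:15:00", 14_000),
         ("2024-03-06T08:30:00", 11_000), ("2024-03-06T09:50:00", 13_000),
         ("2024-03-07T09:10:00", 10_000), ("2024-03-07T08:45:00", 16_000),
         ("2024-03-08T10:05:00", 12_000), ("2024-03-08T09:20:00", 13_000)]
HISTORY = [{"user": "admin.m", "ts": ts, "src": "10.0.1.20", "result": "success", "bytes": n}
           for ts, n in _HIST]


def _when(ev):
    return datetime.fromisoformat(ev["ts"])


# --- SIEM side: one hand-written correlation rule ----------------------------
def siem_brute_force_rule(events, threshold=5, window=timedelta(seconds=60)):
    """Fire when one (src, user) pair shows >= threshold failed logins inside a
    sliding window: fixed numbers, evaluated event by event, like a typical SIEM
    rule. Returns the sorted (src, user) pairs that fired."""
    recent, fired = defaultdict(list), set()
    for ev in sorted(events, key=_when):
        if ev["result"] != "failure":
            continue                      # one clean success never trips this rule
        key, t = (ev["src"], ev["user"]), _when(ev)
        bucket = recent[key]
        bucket.append(t)
        while t - bucket[0] > window:     # forget failures older than the window
            bucket.pop(0)
        if len(bucket) >= threshold:
            fired.add(key)
    return sorted(fired)


# --- UEBA side: learn each user's "normal", then score deviations from it ----
def _sd(xs, floor):
    """Sample std. dev. with a floor so a near-constant history does not turn
    every tiny change into a huge z-score."""
    return max(statistics.stdev(xs), floor) if len(xs) > 1 else floor


def build_baseline(history):
    """Per-user baseline from successful logins: seen source addresses, typical
    login hour and typical download volume (mean and standard deviation)."""
    per_user = defaultdict(lambda: {"src": set(), "hours": [], "bytes": []})
    for ev in history:
        if ev["result"] == "success":
            b = per_user[ev["user"]]
            b["src"].add(ev["src"])
            b["hours"].append(_when(ev).hour)
            b["bytes"].append(ev["bytes"])
    return {u: {"src": b["src"],
                "hour_mean": statistics.mean(b["hours"]), "hour_sd": _sd(b["hours"], 1.0),
                "bytes_mean": statistics.mean(b["bytes"]), "bytes_sd": _sd(b["bytes"], 1.0)}
            for u, b in per_user.items()}


def ueba_score(ev, baseline, z_limit=3.0):
    """List the ways a successful login deviates from its user's baseline;
    an empty list means the event looks like that user's normal behaviour."""
    if ev["result"] != "success":
        return []
    b = baseline.get(ev["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if ev["src"] not in b["src"]:
        reasons.append("new source address")
    # Hour of day is treated linearly here (a simplification; a real product
    # would model it circularly so 23:00 and 01:00 count as neighbours).
    if abs(_when(ev).hour - b["hour_mean"]) / b["hour_sd"] > z_limit:
        reasons.append("unusual login hour")
    if abs(ev["bytes"] - b["bytes_mean"]) / b["bytes_sd"] > z_limit:
        reasons.append("unusual download volume")
    return reasons


def ueba_alerts(events, baseline, min_reasons=2):
    """Alert only when an event deviates in >= min_reasons independent ways, so
    a single odd hour or a new home IP on its own does not page anyone."""
    return [(ev["user"], ev["src"], reasons) for ev in events
            if len(reasons := ueba_score(ev, baseline)) >= min_reasons]


# Three constructed scenarios against the same account (all invented).
# 1) Noisy password guessing: six failures within 25 s from an external address.
BRUTE_FORCE = [{"user": "admin.m", "ts": f"2024-03-12T01:58:{s:02d}", "src": "203.0.113.5",
                "result": "failure", "bytes": 0} for s in range(0, 30, 5)]
# 2) Stolen valid credentials, as in the scenario above: one clean success at
#    02:10 from that address, then a far larger download than the admin ever makes.
STOLEN_CREDS = [{"user": "admin.m", "ts": "2024-03-12T02:10:00", "src": "203.0.113.5",
                 "result": "success", "bytes": 950_000}]
# 3) The real administrator logging in as usual.
NORMAL = [{"user": "admin.m", "ts": "2024-03-12T09:02:00", "src": "10.0.1.20",
           "result": "success", "bytes": 15_000}]

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for name, evs in [("brute force", BRUTE_FORCE), ("stolen creds", STOLEN_CREDS), ("normal", NORMAL)]:
        print(f"{name:>12}  SIEM={siem_brute_force_rule(evs)}  UEBA={ueba_alerts(evs, base)}")
```

Run as a script, the brute-force scenario trips only the SIEM rule, the stolen-credentials scenario trips only the UEBA baseline (new source, unusual hour, unusual volume), and the normal login trips neither. The second case is the point of the article: a single successful login with valid credentials matches no rule, so the SIEM stays quiet, while the attacker still has to behave unlike the account's owner to get anything done, and that is what the baseline catches.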
For good IT security it is therefore recommended to use both a SIEM and a UEBA. Only the interplay of the two systems provides comprehensive security monitoring and detection.