What is UEBA?

UEBA stands for “User and Entity Behavior Analytics” and can also be referred to as UBA, or “User Behavior Analytics.” Essentially, UEBA solutions look at patterns of human and machine behavior and then apply algorithms and statistical analysis to derive meaningful anomalies. Through these anomalies, the end goal is to provide an easy output to identify threats in your environment.

3 ways UEBA can solve security challenges

1. Self-learning platform

Once UEBA is set up in your environment, it will learn and identify normal patterns. When dealing with a typical environment, you are depending on the analyst team to know what’s normal. This is commonly referenced in a ticketing system (e.g., “This is an administrator that typically adds accounts after hours”). UEBA does the legwork for you and will baseline normal behavior, reducing the extra time it may take to tune or create custom detections.

2. Insider threat detection

Identifying normal activity for users provides a unique way to flag a user if they’re doing something abnormal (e.g., accessing a system they have never logged into). Insider threats are not easy to detect, which is often why people lean toward UEBA to solve that problem for them. Most analyst teams spend a large chunk of their time analyzing false positives from typical insider threat rules to determine whether the behavior is normal or warranted for that user. UEBA simplifies this by profiling users and keeping track of normal behavior, helping your team prioritize and review investigations for insider threats.

3. Mean time to respond

UEBA tools provide a timeline of notable events by piecing together the relevant events automatically. Since the data has already been pulled together, analysts can respond to a threat more quickly and efficiently. This provides a strong starting point for investigations as well as threat hunting campaigns. Most of the standard searches an analyst would perform in a SIEM aren’t required when leveraging a UEBA tool. It gives you context into the user’s recent activity and ensures anything notable stands out based on the threat rating system.

How to Maximize Your UBA/UEBA Tool

Start with proper implementation.

Like other security platforms, it’s important to properly implement a UEBA tool to maximize its ROI. Most teams will implement the platform but will miss the efficiency gains by not tuning it enough or enhancing the detection capabilities. A value-add with most UEBA platforms is that they will automatically baseline your environment, removing much of the manual work; however, teams can mistakenly place too much confidence in initial baselines and in the default detection rules and threat ratings that go along with them. As your enterprise environment evolves with new infrastructure, cloud migrations, expanding teams, and new security technologies, you will need to tune the detection rules to ensure they meet your needs.

After the initial implementation and baselining phase, you need to continue to evolve the detections as the sources that build your detections/notables will continually change. In addition to the sources changing, your attack surface, baseline, and general risk will change. It’s important to keep these in mind and ensure that your models align accordingly. An example would be transitioning from a Cisco ASA to a Palo Alto firewall. Even though they perform similar actions, the fields and ability to gain additional context can improve as long as you are aware of the additional context you can pull out of the data.

By properly implementing and tuning your UEBA tool from the beginning, you’ll be able to move faster through evolution phases and achieve greater security confidence. However, many security teams become impressed with the out-of-the-box capability of UEBA tools and miss out on opportunities to take full advantage of these solutions.

Apply security automation.

Automated searches

You can increase the power behind your UEBA tool by automating additional searches against other technologies such as a data lake, SIEM, or EDR from a separate platform to validate the findings (we do this through GreyMatter). UBA does an excellent job telling the story of what happened and classifying the risk. However, you will still need to validate the story, and having immediate access through automation will eliminate pivoting and guesswork when performing your analysis, accelerating investigations.

Automated response

UEBA provides insightful notables that can minimize effort for the security team. You can start automating internal actions based on behavior. If someone adds an account for the first time after they VPN in from another country, you could quickly disable their account. When dealing with a standard SIEM alert, it isn’t as trivial to create this type of play.

Automated workflows

More security teams are delegating security ownership. There are some limitations to this, but UEBA allows you to delegate. A good example would be if someone was logging in from an unexpected geolocation. Instead of taking time from the security team, you can send a message to the manager directly from the UEBA tool to get further insight, and then automatically apply that to the workflow. If the manager flags the activity as suspicious, then the security team can get involved.
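The three ideas above (a per-user baseline that flags a never-before-seen host or action, an automated response to a first-time account creation after a VPN login from a new country, and routing a geolocation-only anomaly to the manager) as one added, self-contained example; this is illustrative code, not code from the original post or from any UEBA product, and the event fields, learning window, risk weights and playbook thresholds are all assumptions.

```python
"""Toy UEBA-style baselining, scoring and playbook. Added example, not code from the original
post or any UEBA product; event fields, learning window, weights, thresholds are assumptions."""
from collections import defaultdict

# Constructed sample events (not real logs): (timestamp, user, action, host, country).
EVENTS = [
    ("2024-01-01T09:00", "alice", "login", "web01", "US"),
    ("2024-01-01T22:00", "bob", "vpn_login", "vpn01", "US"),
    ("2024-01-01T22:05", "bob", "add_account", "dc01", "US"),  # bob's usual after-hours admin work
    ("2024-01-02T09:00", "carol", "login", "web01", "US"),
    ("2024-01-04T03:00", "alice", "vpn_login", "vpn01", "RO"),  # country, action and host all new
    ("2024-01-04T03:10", "alice", "add_account", "dc01", "RO"),  # first-ever account creation
    ("2024-01-04T03:20", "alice", "login", "db01", "RO"),  # host alice has never logged into
    ("2024-01-04T22:10", "bob", "add_account", "dc01", "US"),  # matches bob's baseline: no finding
    ("2024-01-05T09:00", "carol", "login", "web01", "DE"),  # only the geolocation is unusual
]
LEARN_UNTIL = "2024-01-04"  # events before this date form the learning window
WEIGHTS = {"new_country": 40, "first_action": 30, "new_host": 20}

def build_baseline(events):
    """Learn each user's normal countries, actions and hosts from the learning window."""
    base = defaultdict(lambda: {"countries": set(), "actions": set(), "hosts": set()})
    for _, user, action, host, country in (e for e in events if e[0] < LEARN_UNTIL):
        base[user]["countries"].add(country)
        base[user]["actions"].add(action)
        base[user]["hosts"].add(host)
    return base

def score_events(events, baseline):
    """Per-user timeline of (timestamp, score, reasons) for post-baseline events that deviate."""
    timeline = defaultdict(list)
    for ts, user, action, host, country in sorted(e for e in events if e[0] >= LEARN_UNTIL):
        prof = baseline[user]
        checks = {"new_country": country not in prof["countries"],
                  "first_action": action not in prof["actions"],
                  "new_host": host not in prof["hosts"]}
        reasons = [r for r, hit in checks.items() if hit]
        if reasons:  # behaviour matching the baseline produces no notable at all
            timeline[user].append((ts, sum(WEIGHTS[r] for r in reasons), reasons))
    return timeline

def playbook(timeline, disable_at=60):
    """High peak score disables the account; geolocation-only findings go to the manager; rest to an analyst."""
    actions = {}
    for user, events in timeline.items():
        peak = max(score for _, score, _ in events)
        geo_only = all(reasons == ["new_country"] for _, _, reasons in events)
        actions[user] = ("disable_account" if peak >= disable_at
                         else "ask_manager" if geo_only else "analyst_review")
    return actions
```

In a real deployment the baseline is re-learned continuously and reviewed-benign findings are folded back into the profile; here the learning window is fixed so the scored events stay reproducible.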

Threat intelligence enrichment

Most UEBA platforms can leverage threat intelligence. When leveraging threat intel properly for UEBA, you can surface threats much more easily than you could with a typical SIEM. Because of the additional context you already have on the user and host, threat intel will be icing on the cake when reviewing a detection.

Improve detection and increase efficiencies with UEBA.

UEBA is a game-changer for organizations using this technology—and that’s just the beginning. If you properly implement UEBA and focus on evolving it through security automation, you will increase efficiency and gain strong insights into activity in your environment that standard alerting may not catch. Coupling UEBA with automated workflows will empower a range of business units to be accountable for their own security practices.