By Derek Lin
User and entity behavior analytics (UEBA) is one of the fastest-growing areas within enterprise security, growing at a compound annual growth rate of 48 percent, according to Gartner. Modern enterprise IT security solutions use this technology to detect and remediate advanced threats that legacy solutions cannot address.
UEBA solutions take a different approach, using variations of artificial intelligence and machine learning, advanced analytics, data enrichment, and data science to combat advanced threats effectively. The UEBA solution combines all the data sources for analysis and automatically synthesizes the results. Analysts get a lower-volume but higher-fidelity feed instead of drowning in alerts.
One of the key benefits of a security information and event management (SIEM) platform with user and entity behavior analytics (UEBA) is the ability to solve security use cases without having to be a data scientist.
But this doesn’t mean that the rise of UEBA will bring the decline of data scientists.
The platform masks the underlying complexity of “doing data science” so that security operations center (SOC) staff can focus on keeping the enterprise safe from attacks. Understanding UEBA from a data science perspective allows for an even more thorough utilization of a SIEM platform.
Data Science and UEBA
Conventional security tools using legacy correlation rules offer little detection power to distinguish when someone’s apparently authorized actions have malicious intent.
The inherent limitations of static correlation rules have shifted IT security and management solutions toward machine learning. The UEBA approach identifies malicious activity by leveraging the enormous volume of available operational and security log data together with data enrichment, which allows threat detection across a wide range of use cases. This is all made possible by the extensive work and advances of data scientists. Understanding how UEBA analyzes data to produce risk alerts enables companies to verify or dismiss threats.
Use of Statistical Analysis for Anomaly Detection
UEBA can employ an unsupervised learning method to profile a user’s normal behavior in order to alert on deviations, a critical capability when combating insider threats. Unsupervised learning is used rather than supervised methods because the volume of labeled data on known insider threats is low or non-existent. Unsupervised learning based on statistics and probability analysis is the primary technical means of implementing UEBA.
Statistical analysis helps UEBA solutions profile the normalcy of events. High-probability events, determined from profiled histograms or clustering analysis, are deemed benign. Outlying events with low probability are anomalous and correlate with security events. Statistics and probability analysis are the basis for UEBA’s identification of normal behavior, and of the deviations that reveal abnormal and potentially malicious behavior by insiders.
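The histogram-based profiling described above, as an added example that is not code from the article or from any product: a user's past logons are profiled per feature (hour of day, host), each new event is scored by how improbable it is under that profile, and events more surprising than anything in the user's own history are flagged. The history, the feature set, the Laplace smoothing and the threshold rule are all assumptions chosen for illustration.

```python
from collections import Counter
from math import log

# Constructed history for one user: (hour_of_day, host) of past logons,
# heavily weighted toward business hours on the user's own workstation.
HISTORY = (
    [(9, "wks-01")] * 40 + [(10, "wks-01")] * 35 + [(13, "wks-01")] * 30
    + [(17, "wks-01")] * 25 + [(9, "file-srv")] * 10
)
FEATURES = ("hour", "host")


def build_histogram(values, alpha=1.0):
    """Return a smoothed probability function for one categorical feature.

    Additive (Laplace) smoothing with pseudo-count alpha reserves a little
    probability mass for categories never seen in history, so a brand-new
    hour or host gets a small non-zero probability instead of zero, which
    keeps the surprise score finite.
    """
    counts = Counter(values)
    total = sum(counts.values())
    k = len(counts) + 1  # observed categories plus one bucket for "unseen"

    def prob(value):
        return (counts.get(value, 0) + alpha) / (total + alpha * k)

    return prob


def build_profile(history):
    """Profile each feature of the user's history as its own histogram."""
    columns = zip(*history)
    return {name: build_histogram(col) for name, col in zip(FEATURES, columns)}


def surprise(profile, event):
    """Score an event as -log P(event); higher means less normal.

    Features are treated as independent (a simplifying assumption), so
    their per-feature surprises add up.
    """
    return sum(-log(profile[name](value))
               for name, value in zip(FEATURES, event))


def calibrate_threshold(profile, history):
    """Flag only events more surprising than anything already seen.

    A production system would calibrate this per user from a held-out
    window; the maximum historical surprise is the simplest choice.
    """
    return max(surprise(profile, e) for e in history)


def is_anomalous(profile, event, threshold):
    return surprise(profile, event) > threshold


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    threshold = calibrate_threshold(profile, HISTORY)
    for event in [(9, "wks-01"), (3, "db-srv")]:
        print(event, round(surprise(profile, event), 2),
              is_anomalous(profile, event, threshold))
```

A 09:00 logon to the usual workstation scores about 1.1 and stays below the calibrated threshold (about 3.6), while a 03:00 logon to a never-seen database server scores near 10 and is flagged. Real deployments profile many more features and populations (peers, the whole organization), but the mechanism is the same: probability from history, surprise as the score, a calibrated cut-off.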
Contextual Information Derivation for Network Intelligence
Context information consists of labeled attributes and properties of network users and entities. The information is vital to help calibrate risks of anomalous events, as well as for the triage and review of alerts. This can be especially beneficial in mitigating threats via service accounts.
Service accounts are used for asset and rights administration, so their higher level of privileges makes them valuable to a malicious insider; yet service accounts are infrequently tracked in large IT environments. Data science can find unknown service accounts by analyzing textual data in Active Directory (AD) or by classifying accounts based on behavioral cues. In this way, data science brings visibility to a potentially risky vector used by malicious insiders.
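Both classification routes mentioned above, as an added example that is not code from the article or any product: a keyword match over the account name and a stand-in for the AD description field, plus behavioral cues computed from logon records (share of non-interactive logons, regularity of the gaps between logons, number of source hosts). The directory text, the logon records, the keyword list and the thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Logon:
    account: str
    ts: int           # seconds since an arbitrary epoch (constructed)
    logon_type: str   # "interactive", "network", "batch" or "service"
    src_host: str


# Constructed stand-in for AD description fields (the textual cue).
AD_DESCRIPTION = {
    "backup-agent": "Account used by the nightly backup service",
    "jsmith": "John Smith, Finance analyst",
    "app-pool-7": "",  # undocumented: only its behaviour can reveal it
}
KEYWORDS = ("service", "svc", "daemon")

HOUR = 3600


def _periodic(account, start, period, n, logon_type, host):
    return [Logon(account, start + i * period, logon_type, host) for i in range(n)]


# Constructed logon records over a few days.
LOGONS = (
    _periodic("backup-agent", 2 * HOUR, 24 * HOUR, 4, "batch", "bak-01")  # 02:00 nightly
    + _periodic("app-pool-7", 0, 15 * 60, 192, "network", "web-03")       # every 15 min
    + [Logon("jsmith", t, "interactive", h) for t, h in [
        (9 * HOUR + 300, "wks-17"), (13 * HOUR + 1200, "wks-17"),
        (32 * HOUR + 3000, "wks-17"), (36 * HOUR + 2400, "lap-05"),
        (42 * HOUR + 600, "lap-05")]]
)


def textual_cue(account):
    """Keyword match over the account name and its directory description."""
    text = (account + " " + AD_DESCRIPTION.get(account, "")).lower()
    return any(k in text for k in KEYWORDS)


def behavioral_features(logons):
    """Cues that separate scheduled, automated accounts from people."""
    ts = sorted(l.ts for l in logons)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    # Coefficient of variation of the gaps between logons: near 0 means a
    # fixed schedule, which people do not keep. Unknown (single logon) -> 1.0.
    cv = pstdev(intervals) / mean(intervals) if intervals and mean(intervals) > 0 else 1.0
    return {
        "noninteractive_ratio": sum(l.logon_type != "interactive" for l in logons) / len(logons),
        "interval_cv": cv,
        "distinct_hosts": len({l.src_host for l in logons}),
    }


def classify(account, logons):
    """Return ("service" | "human", features); the thresholds are assumptions."""
    f = behavioral_features(logons)
    behaves_like_service = f["noninteractive_ratio"] >= 0.9 and f["interval_cv"] < 0.25
    label = "service" if textual_cue(account) or behaves_like_service else "human"
    return label, f


def classify_all(logons):
    by_account = {}
    for l in logons:
        by_account.setdefault(l.account, []).append(l)
    return {a: classify(a, ls)[0] for a, ls in by_account.items()}


if __name__ == "__main__":
    for account, label in classify_all(LOGONS).items():
        print(f"{account:12s} -> {label}")
```

The undocumented `app-pool-7` is the interesting case: no directory text identifies it, but a strictly periodic stream of network logons from one host is enough to label it a service account and route it to the tighter monitoring such accounts deserve.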
Meta Learning for False Positive Control
False positives waste time and cause alert fatigue for security analysts who have little time to spare. Some indicators are more accurate than others, and those with weaker statistical strength are prone to false-positive alerts. Meta learning with data science allows the UEBA system to learn automatically from its own behavior and improve its detection performance. One example is the data-driven adjustment of the initial, expert-assigned indicator scores: the adjustment examines how often each alert trigger fires across the population and within a user’s own history.
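The scoring adjustment just described, as an added example that is not code from the article or any product: each indicator starts with an expert-assigned base score, which is then discounted by how widespread the trigger is across the population and by how routinely it has fired in the same user's recent history. The indicators, base scores, population size, alert log and the two discount factors are constructed assumptions.

```python
# Expert-assigned base scores per indicator (constructed values).
EXPERT_SCORES = {"new_host": 20, "off_hours_login": 15, "new_country": 40}
N_USERS = 10       # size of the monitored population (constructed)
WINDOW_DAYS = 30   # look-back window for both frequency measures

# Constructed alert log: (day, user, indicator) over the window.
ALERTS = (
    # "new_host" fires for 8 of 10 users every third day: a noisy indicator.
    [(d, f"u{k:02d}", "new_host") for k in range(1, 9) for d in range(0, 30, 3)]
    # u02 logs on off-hours on 20 of the last 30 days: that is u02's normal.
    + [(d, "u02", "off_hours_login") for d in range(20)]
    # u03 has never done so before day 29.
    + [(29, "u03", "off_hours_login")]
    # "new_country" fires once, for u01, on the last day.
    + [(29, "u01", "new_country")]
)


def population_rate(alerts, indicator, n_users=N_USERS):
    """Fraction of the population for which this indicator fired at all."""
    users = {u for _, u, i in alerts if i == indicator}
    return len(users) / n_users


def user_rate(alerts, user, indicator, today, window_days=WINDOW_DAYS):
    """Fraction of prior days in the window on which it fired for this user."""
    days = {d for d, u, i in alerts
            if u == user and i == indicator and today - window_days <= d < today}
    return len(days) / window_days


def adjusted_score(alerts, user, indicator, today):
    """Discount the expert score by how common the trigger is.

    Both factors are assumptions for this example: a trigger seen across
    most of the population, or routinely in this user's own history, says
    little about this user today.
    """
    base = EXPERT_SCORES[indicator]
    population_factor = 1.0 - population_rate(alerts, indicator)
    history_factor = 1.0 - user_rate(alerts, user, indicator, today)
    return round(base * population_factor * history_factor, 1)


def rank_alerts(alerts, today):
    """Today's alerts, most suspicious first, with base and adjusted scores."""
    rows = [(u, i, EXPERT_SCORES[i], adjusted_score(alerts, u, i, today))
            for d, u, i in alerts if d == today]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for user, indicator, base, adjusted in rank_alerts(ALERTS, today=29):
        print(f"{user} {indicator:16s} base={base:3d} adjusted={adjusted}")
```

On day 29 the one-off `new_country` alert for u01 keeps almost its full score (36 of 40), u03's first off-hours logon keeps most of its 15, while the same off-hours indicator for u02, who does it most days, drops to 4, and the population-wide `new_host` trigger drops from 20 to under 3. The expert's ordering of indicators survives; what changes is how much each firing is worth for this user at this time.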
Data Science Driven UEBA Thwarting Top Three Security Threats
These data science derived capabilities (meta learning for false positive control, contextual information derivation for network intelligence, and use of statistical analysis for anomaly detection) provide an organization with a future-proof solution that looks for abnormalities instead of a limited, pre-determined set of activities, and so can catch unknown attacks. UEBA is the only way to effectively address the top three security threats: compromised user credentials, privileged-user compromise, and executive assets monitoring.
- Compromised User Credentials – User account credentials are keys to legitimate access, and stolen credentials are the number one vector for data breaches, according to the Verizon 2018 Data Breach Investigations Report. Legacy security tools are unable to detect and identify unauthorized access, allowing the attacker to reach sensitive data or internal resources.
- Privileged-user Compromise – A privileged user has authorized access to high-value resources, such as a sensitive database, a user-rights management system, or an authentication system. When a hacker obtains privileged-user credentials, the attack can proceed directly to those high-value assets with impunity. The UEBA solution should monitor suspicious activity by departed employees or contractors, and identify human errors dealing with or overexposure to sensitive data.
- Executive Assets Monitoring – Hundreds of millions of dollars are stolen each year via wire transfers driven by webmail schemes that trick company executives into approving these transfers. Getting access to executive computing assets such as the CEO’s or CFO’s laptop may give hackers data about sensitive earnings, mergers and acquisitions, budget planning, product and services planning, or competitive information. An effective UEBA solution must be able to automatically build asset and behavior models that identify executive systems and monitor them for unusual access and usage.