UEBA: Protecting Infrastructure with the Help of Behavioral Analytics
User and entity behavior analytics (UEBA) detects suspicious activity on networks that is a prelude to an enterprisewide attack on data.
- By David Balaban
- July 26, 2021
Until recently, behavioral analytics -- user behavior analytics (UBA) and user and entity behavior analytics (UEBA) -- was used mainly in business applications to identify fraudulent transactions and malicious insiders. Today, cybercriminals have become more sophisticated. They conduct stealthy, targeted attacks and can sit inside the system for months without attracting any attention.
The shift of employees to remote work due to the COVID-19 epidemic has increased such risks. Hackers are becoming more inventive while users increasingly enter corporate information systems through public networks, and the combination of these two trends makes security harder. Most existing solutions do a poor job of identifying intruder actions that look legitimate, which is why behavioral analytics is now widely used to protect IT infrastructure.
Disadvantages of Existing Security Solutions
The introduction of new tools does not replace the need to use traditional solutions such as firewalls, antivirus products, or attack detection systems. They do their jobs in their respective areas very well. Behavioral analysis tools come into play when the attacker is already inside the network, at which point the hacker's actions look no different from the actions of a legitimate user.
It is important to be sure that the person working on the remote computer under a specific account is, in fact, your employee who is authorized to access that account.
The IT department does not always control personal devices, which can be infected with malware and cause damage against the will of the owner. By controlling someone else's machine, an attacker can easily penetrate the corporate system, logging in as a legitimate user, and other information security systems will not notice anything unusual.
How Does Behavioral Analysis Work?
Mathematical models used in business applications to identify malicious insiders are also suitable for recognizing the targeted attacks on IT infrastructure mentioned above. The idea is to analyze the data associated with various entities (accounts, network nodes, various services), identify their associated behavioral patterns, and determine the moment when they begin to deviate from the norm. For example, a user is actively viewing documents that he has not previously worked with, and then contacts unknown external servers and tries to send information there. Individually, these are just suspicious events, but put together, in this particular sequence, they look more like an attack.
Network scans, strange domain name system (DNS) queries, attempts to build a DNS tunnel, and abnormal email sending activity are but a few of the many signs of hidden intelligence gathering. It is necessary to analyze a large amount of metadata from different systems to bring all risk factors together. This mainly involves Active Directory (AD), which is the heart of the IT infrastructure of many organizations. Having taken over an AD account, an attacker becomes almost invisible to other security systems.
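One of the signs listed above, a DNS tunnel, can be surfaced from plain DNS query metadata without inspecting payloads. The following is an added example, not code from the article or any product: it groups queries per source host and registered domain and flags groups whose subdomain labels are long, high-entropy, and almost never repeated. The log lines are constructed, the registered domain is approximated as the last two labels (a real system would use the public suffix list), and the thresholds are assumptions to be tuned against a real baseline.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of the string (plug-in estimate)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain part, registered domain). Assumption: the registered
    domain is the last two labels; use the public suffix list in practice."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


# Constructed sample log as (source host, queried name):
# 10.0.0.5 repeats a handful of ordinary lookups; 10.0.0.23 sends 25
# never-repeating 60-character hex labels under one domain, the shape of
# data being carried out through DNS.
NORMAL = [("10.0.0.5", q) for q in ["mail.corp.example", "crm.corp.example",
                                    "mail.corp.example", "git.corp.example",
                                    "www.example.org"] * 5]
TUNNEL = [("10.0.0.23",
           hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:60] + ".example.net")
          for i in range(25)]
DNS_LOG = NORMAL + TUNNEL


def dns_tunnel_suspects(log, min_queries=20, min_unique_ratio=0.9,
                        min_avg_len=30, min_avg_entropy=3.0):
    """Flag (source, domain) pairs whose subdomains look like encoded data.
    Thresholds are assumed starting points, not product defaults."""
    groups = defaultdict(list)
    for src, qname in log:
        sub, reg = split_qname(qname)
        groups[(src, reg)].append(sub)
    suspects = []
    for (src, reg), subs in groups.items():
        if len(subs) < min_queries:
            continue  # too little data to judge
        metrics = {
            "queries": len(subs),
            "unique_ratio": len(set(subs)) / len(subs),
            "avg_len": sum(map(len, subs)) / len(subs),
            "avg_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
        }
        if (metrics["unique_ratio"] >= min_unique_ratio
                and metrics["avg_len"] >= min_avg_len
                and metrics["avg_entropy"] >= min_avg_entropy):
            suspects.append({"src": src, "domain": reg,
                             **{k: round(v, 2) for k, v in metrics.items()}})
    return suspects


if __name__ == "__main__":
    for s in dns_tunnel_suspects(DNS_LOG):
        print("DNS tunnel suspect:", s)
```

The three metrics reinforce each other: ordinary hosts repeat the same few names (low unique ratio), and legitimate long names such as CDN hostnames tend to repeat too, so requiring all three keeps the alert rate manageable. Because the detector only reads query names, it fits the metadata-driven approach the article describes rather than packet inspection.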
Where other methods fail, behavioral analysis studies information about almost everything: workstations or IPs of the user entering the domain, whether (and how many times) the user made a mistake entering the password, the corporate resources the user works with, etc. Metadata is also collected from target systems: mail servers, file storage devices, proxy servers, firewalls, VPNs, and DNS servers. Other information security tools examine data in more detail, each in its own narrow area. They analyze network traffic and files on disk, but they can never see the big picture.
Profiling is mainly carried out across Active Directory credentials because the directory contains data for almost all IT infrastructure entities, including workstations and servers, printers, ordinary user accounts, as well as administrative and service accounts. Thanks to the interaction with the firewall and other network equipment, data can also be collected about nodes not included in the domain. The behavioral analysis system makes a digital snapshot of the organization and detects dangerous anomalies in real time.
Behavioral analytics solutions include three key components:
- Data analytics: Collecting data to determine the normal behavior of users and objects and creating a profile of their normal behavior. Statistical models are then applied to detect unusual behavior.
- Data integration: Comparing data from various sources, such as logs and network packet data.
- Presentation of data: Alerting security personnel to investigate any unusual behavior detected.
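The following added example (written for this page, not the article's or any vendor's code) ties together the ideas from the preceding sections: a per-account baseline built from Active Directory-style logon metadata and file-server metadata, scoring of fresh events against that baseline, and correlation of several weak signals inside one time window so that "new documents, then an unknown external server" ranks far above either event alone. The log records, the `.corp.example` internal suffix, the signal weights, the one-hour window and the alert threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CORP_SUFFIX = ".corp.example"  # assumed internal DNS suffix (constructed)

# Constructed baseline of ordinary activity: (timestamp, account, event, detail).
# detail is a workstation for logons, "server/share/file" for reads, a host
# for outbound connections.
BASELINE_LOG = [
    ("2021-07-01T08:55:00", "alice", "logon_ok",    "WS-ALICE"),
    ("2021-07-01T09:10:00", "alice", "file_read",   "fs1/sales/q2.xlsx"),
    ("2021-07-01T09:30:00", "alice", "net_connect", "mail.corp.example"),
    ("2021-07-02T08:50:00", "alice", "logon_ok",    "WS-ALICE"),
    ("2021-07-02T10:05:00", "alice", "net_connect", "crm.corp.example"),
    ("2021-07-03T09:05:00", "alice", "logon_fail",  "WS-ALICE"),
    ("2021-07-03T09:05:30", "alice", "logon_ok",    "WS-ALICE"),
    ("2021-07-01T07:30:00", "bob",   "logon_ok",    "WS-BOB"),
    ("2021-07-01T07:45:00", "bob",   "file_read",   "fs1/eng/design.pdf"),
    ("2021-07-01T08:00:00", "bob",   "net_connect", "git.corp.example"),
]

# Constructed fresh activity: bob has a normal day; alice's account logs on
# at night from an unfamiliar workstation after repeated failures, reads
# shares it never touched, then contacts an unknown external address.
NEW_LOG = [
    ("2021-07-20T07:40:00", "bob",   "logon_ok",    "WS-BOB"),
    ("2021-07-20T07:55:00", "bob",   "file_read",   "fs1/eng/design.pdf"),
    ("2021-07-20T02:10:00", "alice", "logon_fail",  "WS-TEMP07"),
    ("2021-07-20T02:10:20", "alice", "logon_fail",  "WS-TEMP07"),
    ("2021-07-20T02:10:40", "alice", "logon_fail",  "WS-TEMP07"),
    ("2021-07-20T02:11:00", "alice", "logon_ok",    "WS-TEMP07"),
    ("2021-07-20T02:15:00", "alice", "file_read",   "fs1/finance/payroll.xlsx"),
    ("2021-07-20T02:16:00", "alice", "file_read",   "fs1/hr/contracts.docx"),
    ("2021-07-20T02:20:00", "alice", "net_connect", "203.0.113.45"),
]

# Assumed signal weights; a real product would learn or tune these.
WEIGHTS = {"unknown_workstation": 2, "off_hours": 1, "new_share": 1,
           "unknown_internal_host": 1, "unknown_external_host": 2,
           "logon_failures": 2}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def share_root(path):
    """'fs1/sales/q2.xlsx' -> 'fs1/sales' (server + share)."""
    return "/".join(path.split("/")[:2])


def build_profiles(log):
    """Per-account baseline: known workstations, shares, hosts, logon hours,
    and the worst single-day count of failed logons."""
    profiles = defaultdict(lambda: {"workstations": set(), "shares": set(),
                                    "hosts": set(), "hours": set(),
                                    "fails_per_day": defaultdict(int)})
    for ts, account, event, detail in log:
        p, t = profiles[account], parse(ts)
        if event == "logon_ok":
            p["workstations"].add(detail)
            p["hours"].add(t.hour)
        elif event == "logon_fail":
            p["fails_per_day"][t.date()] += 1
        elif event == "file_read":
            p["shares"].add(share_root(detail))
        elif event == "net_connect":
            p["hosts"].add(detail)
    return profiles


def score_window(profile, events):
    """Score one account's events in one window. Each signal counts once per
    window, except that every distinct unseen share adds its own point."""
    reasons, fails = {}, 0
    max_fails = max(profile["fails_per_day"].values(), default=0)
    for ts, _, event, detail in events:
        t = parse(ts)
        if event == "logon_ok":
            if detail not in profile["workstations"]:
                reasons["unknown_workstation"] = WEIGHTS["unknown_workstation"]
            if t.hour not in profile["hours"]:
                reasons["off_hours"] = WEIGHTS["off_hours"]
        elif event == "logon_fail":
            fails += 1
        elif event == "file_read" and share_root(detail) not in profile["shares"]:
            reasons["new_share:" + share_root(detail)] = WEIGHTS["new_share"]
        elif event == "net_connect" and detail not in profile["hosts"]:
            key = ("unknown_internal_host" if detail.endswith(CORP_SUFFIX)
                   else "unknown_external_host")
            reasons[key] = WEIGHTS[key]
    if fails > max_fails:  # more failed passwords than on the worst baseline day
        reasons["logon_failures"] = WEIGHTS["logon_failures"]
    return sum(reasons.values()), sorted(reasons)


def detect(profiles, log, window=timedelta(hours=1), threshold=5):
    """Split each account's events into contiguous windows, score each window,
    and return {account: [(window_start, score, reasons), ...]} for windows
    at or above the threshold. An account absent from the baseline gets an
    empty profile, so everything it does scores as new."""
    per_account = defaultdict(list)
    for ev in sorted(log, key=lambda e: e[0]):
        per_account[ev[1]].append(ev)
    alerts = defaultdict(list)
    for account, events in per_account.items():
        profile, start, bucket = profiles[account], None, []
        for ev in events + [None]:  # None is a sentinel that flushes the last window
            if ev is not None and start is not None and parse(ev[0]) - start <= window:
                bucket.append(ev)
                continue
            if bucket:
                score, reasons = score_window(profile, bucket)
                if score >= threshold:
                    alerts[account].append((start.isoformat(), score, reasons))
            if ev is not None:
                start, bucket = parse(ev[0]), [ev]
    return dict(alerts)


if __name__ == "__main__":
    for account, hits in detect(build_profiles(BASELINE_LOG), NEW_LOG).items():
        for start, score, reasons in hits:
            print(f"ALERT {account} from {start}: score={score} {reasons}")
```

Run stand-alone, the script prints a single alert for alice with a score of 9, while bob's day scores zero. Note the design choice in `score_window`: a lone new share or an off-hours logon is worth one point and never reaches the threshold on its own, which is the "individually suspicious, together an attack" behaviour the article describes; the same structure extends naturally to the other metadata sources it lists (proxy, VPN, mail) by adding event types and profile fields.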
To Detect Is to Prevent
Identifying an incident is not enough. Ideally, malicious activity should be nipped in the bud, preventing a massive attack, and minimizing potential damage. Once a set of triggers fires or an anomaly or specific threat model is detected, the UEBA system can transmit the event to the security information and event management (SIEM) system, as well as independently send commands to a domain controller or firewall.
Ransomware is the most striking example. Antivirus suites usually do not flag these viruses at the stage of system penetration. Once the damage is done and files are encrypted, it is too late to do anything. UEBA reveals a massive change in data and immediately sends a command to prevent harmful actions, including disconnecting the account and blocking the node from which the encryption is being carried out. This can prevent critical damage even though there is no information about the exact virus strain behind it.
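The ransomware scenario above amounts to a rate problem: one account on one node rewriting far more files per minute than it ever has, with the file extensions changing along the way. The following added example (not the article's or any product's code) runs that check over constructed file-server audit records and, instead of executing anything, returns the commands a UEBA system would forward to the domain controller and the firewall. The audit format, the per-account baseline peaks, the window, the multiplier and the extension-change ratio are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed baseline: the busiest 60-second count of writes/renames ever seen
# per account during normal operation (a UEBA system would learn these).
BASELINE_PEAK = {"alice": 6, "svc-backup": 500}

# Constructed audit records: (timestamp, account, host, operation, path).
# For renames the path field holds "old -> new".
FILE_AUDIT = [
    ("2021-07-20T09:00:01", "svc-backup", "10.0.0.5", "write", "fs1/backup/vol1.bak"),
    ("2021-07-20T09:00:02", "svc-backup", "10.0.0.5", "write", "fs1/backup/vol2.bak"),
    ("2021-07-20T09:01:00", "alice", "10.0.0.23", "write", "fs1/sales/q2.xlsx"),
] + [
    # 40 renames in 40 seconds from alice's host, each replacing the extension
    ("2021-07-20T09:05:%02d" % i, "alice", "10.0.0.23", "rename",
     "fs1/sales/doc%d.docx -> fs1/sales/doc%d.docx.locked" % (i, i))
    for i in range(40)
]


def _ext(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def changes_extension(op, path):
    """True for a rename whose target carries a different extension."""
    if op != "rename" or " -> " not in path:
        return False
    src, dst = path.split(" -> ", 1)
    return _ext(src) != _ext(dst)


def detect_mass_change(audit, baseline=BASELINE_PEAK, window=timedelta(seconds=60),
                       multiplier=5, floor=20, ext_ratio=0.5):
    """Return one verdict per (account, host) whose modification rate exceeds
    max(baseline * multiplier, floor) inside the window and whose changes are
    mostly extension-changing renames. Each verdict lists the response
    commands rather than executing them."""
    recent = defaultdict(deque)    # (account, host) -> timestamps in window
    ext_hits = defaultdict(deque)  # same key -> 1/0 extension-change flags
    verdicts, already = [], set()
    for ts, account, host, op, path in sorted(audit):
        if op not in ("write", "rename"):
            continue
        t, key = datetime.fromisoformat(ts), (account, host)
        q, f = recent[key], ext_hits[key]
        q.append(t)
        f.append(int(changes_extension(op, path)))
        while q and t - q[0] > window:  # drop events that aged out
            q.popleft()
            f.popleft()
        threshold = max(baseline.get(account, 0) * multiplier, floor)
        if key in already or len(q) <= threshold:
            continue
        ratio = sum(f) / len(f)
        if ratio < ext_ratio:
            continue  # a burst of ordinary writes, e.g. a build or a sync
        already.add(key)  # one verdict per offender
        verdicts.append({
            "when": ts, "account": account, "host": host,
            "changes_in_window": len(q), "extension_change_ratio": round(ratio, 2),
            "actions": [("directory", "disable_account", account),
                        ("firewall", "block_host", host)],
        })
    return verdicts


if __name__ == "__main__":
    for v in detect_mass_change(FILE_AUDIT):
        print("VERDICT", v)
```

With the constructed input the verdict fires at the 31st rename, a few seconds into the burst, and names both the account to disable and the node to block. Two details keep this from tripping on legitimate activity: the threshold is relative to each account's own baseline, so a backup service account that normally touches hundreds of files a minute is not flagged, and a burst of plain writes without extension changes is ignored. Tune the window, multiplier and ratio against your own audit history before wiring the actions to a domain controller or firewall.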
Measuring the cost-effectiveness of implementing a behavioral analytics system is similar to evaluating a firewall or an antivirus. This cannot be done directly. Solutions aimed at increasing the security of IT infrastructure reduce the risk of data breaches. They do not generate additional income. The economic effect of their implementation is achieved by reducing the cost of eliminating the consequences of security incidents. The problem is that the threats are potential. Until a serious incident with great economic and reputational damage happens, top managers are extremely reluctant to spend money on "fashionable toys for security guards."
This is the wrong approach. Even during the pilot phase, most organizations identify unsafe processes that cannot be detected without UEBA. These include, for example, unprotected workstations brought by employees from home and laptops included in the Active Directory domain, excessive user permissions, access to the email of other users, software solutions implemented without notifying IT staff (including cloud solutions), and other shadow entities.
Manual tracking of these events is hardly possible because the complexity of the corporate infrastructure is too high, and the number of personnel involved in its maintenance, including those with administrator privileges, is too large. In addition to various abuses, UEBA systems can help to discover botnets and malicious insiders operating quietly on the network.
The popularity of behavioral analytics systems for protecting infrastructure is growing rapidly. Employees shifting to remote work is not the main reason for their growing popularity. However, the coronavirus epidemic has significantly accelerated their adoption.
When deciding whether such a system is needed in your organization, remember that preventing a large-scale attack is usually cheaper than handling its consequences.
The UEBA system cannot completely replace all security solutions. It is an important additional tool to improve the overall security posture of the company. Today, many vendors of systems such as data loss prevention (DLP) and SIEM incorporate UEBA into their solutions.