User And Entity Behaviour Analytics

Photo by Ennio Dybeli on Unsplash

UEBA or User and Entity Behaviour Analytics is the analysis of the history of a user or an entity in order to predict risky behaviours based on the analysed pattern. Different analytics technologies are used for the analysis, including machine learning and deep learning.

In this blog, I will share a basic understanding of UEBA, followed by one of its major use case.

What is UEBA?

Let’s understand each word of U.E.B.A for a better understanding -

1. User — One of the major aspects of UEBA is to evaluate the behaviour of the user with respect to the assets located in the network. This aspect is most important for identifying security issues.
2. Entity — Not only the users but UEBA also helps in monitoring many other entities such as routers and servers. IoT devices are one of the important entities whose behaviour can be analysed using UEBA.
3. Behaviour — Creating a behaviour baseline for every user or entity based on the analysis of the historical data to predict the anomaly behaviour.
4. Analytics — A huge amount of sample data is considered by UEBA to match it against historical behaviour.

With the above understanding of four keywords, we can say that UEBA is the behaviour baseline that can be used to categorise the normal and anomaly activity of a user or an entity.

UEBA vs SIEM

SIEM, or Security Information and Event Management is using many different complex set of tools and technologies in order to provide security to our IT System. SIEM is one of the most commonly mentioned security product over the years. Now the question arises how is it different from UEBA.

SIEM follows some pre-defined rules that can be easily attacked by the hackers, on the other hand, UEBA operates in real-time, using rank scoring technologies and advanced machine learning algorithms to determine the anomalies and many other unknown threats.

SIEM has a prerecorded structured log, adding any new entry in those logs requires manual upgrading of data stores whereas UEBA is built on a huge amount of structured and unstructured datasets, providing long-term analysis.

Using SIEM and UEBA together can be considered as better security with good detection capabilities.

Use Case Of UEBA

As discussed UEBA, we can consider many use cases of UEBA in cybersecurity but in this blog, I will discuss about compromised user credentials.

Stolen credentials are one of the biggest problems. Unauthorized users get access to the system using the credentials of an authorized user. We can easily detect such attacks using UEBA. The UEBA will create a behaviour baseline for all the authorised user based on their historical data. All the users who do not follow this baseline will be defined as an anomaly user, thus helping in detecting and identifying unauthorised access.

Compromise of privileged user’s credentials is a bigger problem as they have access to many important assets in the server. Analysing such attacks are more difficult as these users do not work in an established pattern as they give response according to the requirements, majorly in case of emergencies. The UEBA solution can be used to identify such attacks immediately that are made on privileged user’s.

Conclusion

In this blog, you have understood what UEBA is and how UEBA and SIEM can be used together for a more secure system.

If any question or feedback please feel free to mention in the comment section.