User and entity behavior analytics (UEBA), the anomaly detection capability of a SIEM solution, is used to identify both insider threats and external attacks. UEBA uses historical data to establish a baseline of normal behavior for every user and entity. It then monitors the users and entities in real time to determine if they follow the same pattern of behavior or if they deviate from it. Any deviation from the baseline of normalcy will be considered an anomaly, and depending upon the degree of deviation, a risk score will be determined. Powered by machine learning algorithms, UEBA looks for anomalies with respect to time, count, and pattern deviations. However, you can improve risk scoring accuracy and anomaly detection capabilities of your UEBA solution if you factor in peer group analysis.
Before we dive into peer group analysis, let's remind ourselves of what a risk score is and why it's important. A risk score is a value assigned by your UEBA-integrated SIEM solution. Different SIEM solutions score risks in different ways, but one popular way is to assign a risk score from zero to 100 depending on the activities performed by users and entities and how abnormal those activities are. The more abnormal the behavior or activity, the greater the risk score will be. This aspect of UEBA makes it easier for security analysts to prioritize which threat needs to be mitigated first. This means that the more accurate your risk scoring, the lower the chance of false positives, and the lower the chance of a successful attack.
Your risk scoring accuracy can be improved by considering seasonality factors and peer grouping while calculating a user's risk score. An activity is considered to be seasonal if it occurs with a specific degree of regularity, such as hourly, daily, weekly, or monthly. If this seasonal activity occurs out of routine, then it should be considered an anomaly, and your UEBA solution should be able to detect it. For instance, a database that is typically only accessed at the end of the month being accessed mid-month would be considered an anomaly. You can learn more about the importance of seasonality in anomaly detection here.
What is peer group analysis?
Peer group analysis is a technique powered by machine learning algorithms, where statistical models are employed to identify users and hosts that share similar characteristics and categorize them as one group. The idea behind peer grouping is that, by identifying the context behind a user's behavior and comparing it with the behavior of a relevant peer group, the risk scoring efficiency and accuracy will increase. Essentially, if the pattern of your deviation is similar to that of your peer group's, then your risk score will not be negatively affected. However, if your actions don't fit the expected behavior of any relevant peer groups, it'll be considered anomalous and your risk score will increase significantly (depending on the severity of the deviation).
If no existing peer group has historical data showing this behavior, a new group is created and you will be its first member. The first member of a new group initially receives a much higher risk score than the rest. If other members then perform the same action, it becomes a trend rather than an outlier, and your risk score normalizes accordingly. To learn more, read: Digging deeper into peer group analysis.
Types of peer groups
There are two different types of peer groups: static and dynamic.
Static peer grouping
Using the static method, data about users is obtained from databases such as Active Directory to create a peer group. Essentially, the grouping is based on attributes such as a user's department, designation, location, or their reporting manager. For example, all the employees who work in the finance department or all the employees who report to the same manager could constitute one peer group.
You can create multiple peer groups for a user this way. This is essential because if a user is part of only one group, the risk assessment and scoring might not be accurate. Each user may fall into more than one group: for instance, a designer in a marketing team will fall under the "Marketing" group as a whole, and also under a smaller, specific group called "Visual designers." They might also be grouped based on location, say "California." So, in this case, to accurately calculate the employee's risk, you'd have to look into the context (pattern of behavior) of all three groups. Also, if changes such as an employee switching roles or teams are not updated in Active Directory, risk scoring accuracy decreases.
To ease risk assessment and enhance scoring accuracy, UEBA should also be capable of performing dynamic peer grouping.
Dynamic peer grouping
Using the dynamic method, UEBA builds peer groups based on behavioral data collected over time. With the dynamic mode of analysis, it's easier to compare the behavior of a user with that of their peers. It does this by checking whether a behavior a user exhibits for the first time is expected among their peers or is an aberration. If it's found to be anomalous, the risk score increases accordingly. Unlike the static method, dynamic peer groups are created and analyzed based on patterns of similar behavior rather than on broad categories such as location.
However, for risk calculation based on dynamic grouping, care should be taken to consider the size of the peer group as well as the frequency of the activity or behavior, both of which can be observed from historical data. This is because the smaller the peer group, the more alerts you can expect. With a larger group, it becomes easier to understand the context; accordingly, there are fewer alerts, and the results are more accurate. Similarly, if an action performed by a user is akin to that performed by their peers, then the risk scoring will not be negatively impacted, and vice versa.
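To make the dynamic method concrete, here is an added example (not Log360's code) that groups hypothetical users purely by overlap in their observed behavior, with no directory attributes involved, and then scores a first-seen action against the resulting peer group. The event history, user names, the Jaccard threshold and the minimum-peer rule are all constructed assumptions; the last one shows the small-group caveat above, where too few peers means no context and the user-level anomaly score stands.

```python
from itertools import combinations

# Constructed event history (not real data): user -> list of (day_type, hour, resource).
HISTORY = {
    "alice": [("wd", 9, "hr_db"), ("wd", 10, "hr_db"), ("wd", 14, "hr_db"), ("wd", 16, "mail")],
    "bob":   [("wd", 9, "hr_db"), ("wd", 11, "hr_db"), ("wd", 15, "hr_db"), ("wd", 16, "mail")],
    "frank": [("wd", 8, "hr_db"), ("wd", 13, "mail"),  ("wd", 15, "hr_db"), ("wd", 16, "mail")],
    "carol": [("wd", 8, "fin_db"), ("wd", 18, "fin_db"), ("wd", 20, "fin_db"), ("wd", 16, "mail")],
    "dave":  [("wd", 8, "fin_db"), ("wd", 19, "fin_db"), ("wd", 21, "fin_db"), ("wd", 16, "mail")],
    "erin":  [("wd", 7, "fin_db"), ("wd", 18, "fin_db"), ("wd", 20, "fin_db"), ("wd", 16, "mail")],
}

def profile(events):
    """Coarse behaviour signature set: (day type, 4-hour bucket, resource)."""
    return {(d, h // 4, r) for d, h, r in events}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0

def dynamic_groups(history, threshold=0.4):
    """Group users whose signatures overlap by at least `threshold` (union-find).
    Only observed behaviour is used; department or location never enters."""
    prof = {u: profile(ev) for u, ev in history.items()}
    parent = {u: u for u in history}

    def find(u):
        while parent[u] != u:
            u = parent[u]
        return u

    for a, b in combinations(history, 2):
        if jaccard(prof[a], prof[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for u in history:
        groups.setdefault(find(u), set()).add(u)
    return list(groups.values())

def peer_risk(user, event, history, groups, min_peers=2, base=80):
    """Risk 0-100 for a behaviour the user has not shown before.
    With fewer than `min_peers` peers there is no context, so the user-level
    anomaly score stands; otherwise it is reduced by the share of peers whose
    own history already contains the same behaviour."""
    sig = next(iter(profile([event])))
    peers = next(g for g in groups if user in g) - {user}
    if len(peers) < min_peers:
        return base
    share = sum(sig in profile(history[p]) for p in peers) / len(peers)
    return round(base * (1 - share))
```

With this data the HR-like and finance-like users fall into two behavioral groups; an evening finance-database access by one finance user scores 0 because both peers already do it, while a weekend access to an unfamiliar resource by an HR-like user scores the full 80.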
While it may seem that the dynamic method of peer grouping is better than the static method, a UEBA-integrated SIEM solution that can build peer groups using both methods is the most effective option for precise risk assessment and scoring. ManageEngine Log360 is a unified SIEM solution with integrated UEBA capabilities that lets users enable both static and dynamic peer group analysis for better, more accurate anomaly detection, as shown in Figure 1.
Figure 1: Configuring peer grouping in Log360
Benefits of peer grouping
Peer grouping helps make risk assessment and scoring more accurate. To better understand how, let's take a look at a few examples of peer grouping.
- Robert is a newly joined associate who works on payroll in the Finance Department of an organization. He usually works from 10am to 5pm most days. However, a couple of days before the month end, he logs in at 6am and logs off at 9:30pm. This is a deviation from his expected behavior, and a UEBA solution would normally flag it as an anomaly and increase his risk score. However, if the UEBA solution were capable of performing peer group analysis, it would compare this behavioral pattern with that of his peers and understand that this behavior is normal for people working in the Finance Department towards the end of the month to prepare for payday. Thus, Robert's behavior wouldn't be considered anomalous, and his risk score wouldn't increase.
- Jane, an HR executive who's serving her notice, attempts to remotely access the marketing database to download the client list at 9pm on a Sunday. This is a red flag that a UEBA solution can identify if it has the capability to perform peer group analysis, because the solution would check Jane's behavior against that of her peers and identify that HR executives don't normally access the marketing database, and certainly not at 9pm on a Sunday. So, the UEBA solution increases Jane's risk score drastically and alerts the security analyst. However, if the organization didn't have a SIEM solution with UEBA capabilities, then this abnormal behavior might not have been identified as risky immediately, and Jane might have successfully exfiltrated confidential information.
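The static-grouping section above (several groups per user, drawn from directory attributes) and the two scenarios just described can be walked through with this added example, which is not Log360's code. The directory entries, baselines, user names, the 80-point base score and the "best peer share across all groups" rule are constructed assumptions; the `period` field carries the month-end seasonality that Robert's case depends on.

```python
# Constructed directory attributes, the kind static grouping would read from Active
# Directory (hypothetical users; not real data).
DIRECTORY = {
    "robert": {"dept": "Finance", "title": "Payroll Associate", "site": "Austin"},
    "maria":  {"dept": "Finance", "title": "Payroll Associate", "site": "Austin"},
    "li":     {"dept": "Finance", "title": "Accountant",        "site": "Boston"},
    "jane":   {"dept": "HR",      "title": "HR Executive",      "site": "Austin"},
    "omar":   {"dept": "HR",      "title": "HR Executive",      "site": "Austin"},
    "priya":  {"dept": "HR",      "title": "Recruiter",         "site": "Boston"},
}

# Constructed baselines: user -> set of (period, day_type, hour, resource) seen before.
# Robert is new, so only his regular 10am-5pm logins are on record.
HISTORY = {
    "robert": {("normal", "wd", 10, "login"), ("normal", "wd", 17, "logout")},
    "maria":  {("normal", "wd", 9, "login"), ("month_end", "wd", 6, "login"),
               ("month_end", "wd", 21, "logout")},
    "li":     {("normal", "wd", 9, "login"), ("month_end", "wd", 6, "login"),
               ("normal", "wd", 19, "login")},
    "jane":   {("normal", "wd", 9, "login"), ("normal", "wd", 11, "hr_db")},
    "omar":   {("normal", "wd", 9, "login"), ("normal", "wd", 14, "hr_db")},
    "priya":  {("normal", "wd", 8, "login"), ("normal", "wd", 10, "hr_db")},
}

def static_peers(user, directory):
    """Every static peer group the user belongs to: one per directory attribute."""
    groups = {}
    for attr, value in directory[user].items():
        members = {u for u, a in directory.items() if u != user and a.get(attr) == value}
        if members:
            groups[f"{attr}={value}"] = members
    return groups

def risk_score(user, event, history, directory, base=80):
    """Score 0-100 for one event; returns (score, group that normalised it or None).
    A behaviour in the user's own baseline scores 0. Otherwise the user-level
    anomaly score `base` is reduced by the best peer share across all of the
    user's static groups, so a habit common in any relevant group is not penalised."""
    if event in history.get(user, set()):
        return 0, None
    best_share, best_group = 0.0, None
    for name, members in static_peers(user, directory).items():
        share = sum(event in history.get(p, set()) for p in members) / len(members)
        if share > best_share:
            best_share, best_group = share, name
    return round(base * (1 - best_share)), best_group
```

Robert's 6am month-end login is absent from his own short baseline but present for every Finance peer, so it scores 0 with `dept=Finance` as the explanation; Jane's Sunday 9pm access to the marketing database matches nothing in any of her three groups and keeps the full score.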
To further learn how to increase risk scoring efficiency in your UEBA-integrated SIEM solution, download this free e-book: How to improve risk scoring and threat detection with UEBA. To learn how a comprehensive SIEM solution like Log360 can help improve your risk scoring and threat detection accuracy, schedule a personalized demo and talk to product experts.