Unraveling the behavioral blueprint of users and entities with UEBA

Cyberattacks are a growing menace, with yet another hacking attempt every 39 seconds. The Identity Theft Resource Center (ITRC) reported a 17% increase in data breaches as of September 30, 2021 when compared to the total number of breaches in 2020. And these were only the reported cases! There is a major lack of transparency with respect to breach notices both at the governmental as well as the organizational level, according to the ITRC.

Moreover, the sophistication of the attacks is also increasing. Cybercriminals are developing new techniques of attack and evolving older ones. In fact, according to a report by Verizon, phishing attacks have increased by 11%, and incidents of ransomware have doubled since 2020.

However, the more troubling aspect is that it is not just external attacks that organizations have to worry about; cyberattacks from internal threats are increasing day by day. Various sources suggest that:

• Globally, more than 34% of businesses face insider threats yearly.
• Insider incidents increased by 47% between 2018 and 2020, of which malicious insider threats accounted for 14%.
• More than 50% of businesses find it difficult to detect insider threats and the damage caused by them.

As if facing these threats is not hard enough, organizations that do not have a suitable cybersecurity solution in place find it onerous to detect and investigate these threats, and the hybrid working conditions owing to the pandemic don't make things any easier. As a matter of fact, IBM's 2021 data breach report states that in 2021, the average time taken to identify an attack was 212 days, and the average time to contain the attack was 75 days.

So, now the question arises, "If insider threats are so rampant, and damaging, what can an organization do to identify and protect itself against them?" Well, the answer is simple: Organizations have to equip themselves with a security information and event management (SIEM) solution integrated with user and entity behavior analytics (UEBA) capabilities.

A SIEM tool is a cybersecurity solution that collects and aggregates log data from various sources in your organization's network and analyzes the log data to detect vulnerabilities and threats. It also provides the added advantage of alerting you to those threats in real time. SIEM does this by making use of predefined and custom correlation rules, alerts, response workflows, and threat intelligence feeds. So, if a SIEM solution is able to do all that, why would you need UEBA? Because, simply put, SIEM without UEBA is like a surgeon without scalpels and sutures, or SWAT personnel without a Kevlar jacket. A SIEM tool without UEBA is not a comprehensive solution for data security or threat detection. In other words, a SIEM solution with UEBA capabilities helps detect, investigate, and respond to threats to your organization promptly. So, without any further ado, let me explain what UEBA is and how it can benefit your organization.

UEBA

UEBA, a.k.a. anomaly detection, is a cybersecurity process that monitors and analyzes the behavior of every user and entity, such as the routers, servers, and endpoints in an organization's network, to detect anomalies. Based on its analysis, UEBA determines the normal pattern of work and creates a baseline of expected activity for every user and entity. However, for establishing this behavioral baseline, you need to provide UEBA with at least two weeks of historical data.

To establish the baseline, your UEBA solution will use the log data aggregated in your SIEM tool and employ machine learning (ML) algorithms, which use probability and statistical models, to continuously learn and identify the normal behavior for every user and entity. So, you can say that the ML capability of UEBA is responsible for anomaly detection.

Every current action is compared against the behavioral baseline generated from historical data, to identify whether the action is normal or an anomaly. Depending on the extent of the deviation, UEBA assigns a suitable risk score to indicate the criticality of the event, and alerts your security analysts to prevent the attack or stop it in its tracks.

Anomaly detection

To understand how UEBA creates a behavioral profile for every user, let's go over an example and understand how humans do it first. John is a newly hired marketing intern. On his first day of work, the security guard recognizes him as someone new and pays close attention to ensure that all his credentials check out. The guard also keeps track of the time John enters and exits the organization. He monitors John’s activity for a few days and gets to know his expected time pattern—arrival at 10am and exit at 6pm. Any deviation from this, such as John's arrival at 5am, will raise the guard's suspicion. This is how humans detect an anomaly.

Similarly, the ML algorithm in a UEBA solution will monitor the log data to establish patterns in your network. For instance, a user's logon and logoff times and the actions the user performs on particular devices will tell the UEBA solution of the activities that are expected from that user. Once it monitors for a few days, the UEBA solution will know the user's expected behavior; any deviation from that, and the user's risk score will increase to indicate the severity of the threat, and the UEBA solution will flag an alert to the security analysts. “But if a human can already do that, why do you need UEBA?” Because it is not humanly possible for your security team to constantly observe and analyze the behavior of the thousands of employees who work at your organization; generate reports on anomalous activities at different parts of the network; and take appropriate action immediately.

Types of risks

Now the question arises—what are the different types of threats that UEBA can identify? Let's take a look at them.

• Insider threats: Any threat to the organization's data posed by an individual inside the organization is known as an insider threat. It can be malicious, where the employee is deliberately trying to steal, modify, or corrupt the data; or it could be unintentional, where the user's account was used to steal sensitive information from the company. Some common indicators of insider threats include a new or unusual system or file accessed at an unusual time, or multiple authentication failures.
• Account compromise: When a particular user's account is accessed by an unauthorized user, it is termed account compromise. This can occur when a user's password is weak or when an attacker uses sophisticated tools to decipher the user's password. Continuous login failures followed by unknown software downloads and installation are a sign of account compromise.
• Suspicious logons: Any attack, irrespective of if its origin is internal or external, will need to have a successful logon at some stage. In the case of an external threat, a successful logon will probably be preceded by multiple logon failures. So, you could say that an anomalous logon is the first sign of an attack. You need to note that your UEBA solution should be capable of alerting on anomalous logon successes as well as failures, to make sense of the bigger picture. For instance, a successful logon after multiple failed logon attempts could be indicative of a brute-force attack. An abnormal logon success on a server or database is also an anomaly, which could signify an impending threat or attack.
• Data exfiltration: If an individual is making an unauthorized transfer of data to any user or entity outside the organization, it is called data exfiltration. It is a clear sign of an attack, and hence the risk score of the user rises exponentially. So, your UEBA solution will assign a high risk score and alert the analysts to take immediate action to prevent a data leak. Some signs of data exfiltration are an unusual number of file downloads or data transfer via removable USB devices.

In all the above cases, irrespective of whether the user or employee attacks the system or network, or whether the attacker uses that employee's credentials to attack, that user's risk score will increase. The increase in the risk score is how your UEBA solution will alert the analyst of an anomaly. The analyst will then investigate the genuineness of the event and take action accordingly.

Risk score

Now, you must be wondering, "What is a risk score, and on what basis does UEBA assign it anyway?" A risk score is a value between 0 to 100 that is assigned to each user and entity depending on the frequency and severity of deviations from the established baseline. The greater the deviation, the greater the risk. The deviations or anomalies can be a time anomaly, count anomaly, or pattern anomaly. Let's take a look at what each of these means.

• Time anomaly: If a user or entity deviates from the expected baseline, it is termed a time anomaly. You can take John's login at 5am instead of his usual 10am as an example of a time anomaly.
• Count anomaly: If a user or entity performs an abnormal number of activities within a short span of time, we call it a count anomaly. An example would be a user accessing a database with customer data 50 times in an hour.
• Pattern anomaly: If an unexpected sequence of events results in a user account or entity being accessed in an atypical or unauthorized manner, it is termed a pattern anomaly. For example, a user account having a successful logon after eight consecutive login failures, followed by multiple file deletions, modifications, and data transfers made from that account, is an example of a pattern anomaly.

Use cases

Now that you know how UEBA works, let's take a look at some scenarios where a UEBA solution can make a world of difference to an organization.

• Dylan is a college graduate who has recently been hired by the Drug Enforcement Administration (DEA). He is eager to prove himself to his supervisors. So, when he receives an email with an attached document, claiming to contain a tip regarding a possible drug deal, he opens it immediately, not knowing that it is a spear phishing attack. While he sets out to investigate the address mentioned in the document, the malware embedded in the document downloads and, unbeknownst to him, starts executing commands to access the database containing the names of undercover DEA agents; details of confidential informants; the location of safe houses as well as the drugs and money confiscated during raids; and so much more.

  Scenario 1: The DEA does not have a UEBA solution

  Dylan isn’t the only one in trouble. The information regarding the undercover agents and the confidential informants falls into the hands of a drug cartel, threatening the lives of the agents and the informants.

  Scenario 2: The DEA has a UEBA solution

  The UEBA solution identifies the series of unusual activities as a pattern anomaly, increases Dylan's risk score, and alerts the security analysts immediately so they can mitigate the threat.

• Ron is a nurse at Grace Hospital. While trying to check the hospital's blood bank records, he gets an alert saying that his system is infected with a virus and that he must click on a link to resolve it. In his urgency, Ron clicks the link without contacting the system administrator to verify it. He is directed to a different URL from which a ransomware payload is downloaded.

  Scenario 1: Grace Hospital does not have a UEBA solution

  The attackers gain access to the network, target systems with weak passwords, move laterally, encrypt files, and demand a huge ransom, effectively bringing the entire hospital to a standstill. Unless the ransom is paid, the diagnostic equipment and surgical devices won't work, and the doctors won't be able to access their patients' medical history or make appropriate treatment plans.

  Scenario 2: Grace Hospital has a UEBA solution

  The ransomware attack is prevented because the UEBA solution identifies the file renames, file accesses, and the execution of unusual processes, and alerts the analysts to the breach in the hospital’s systems so they can quarantine the affected systems and effectively mitigate the attack.

ManageEngine Log360

Now that you know you need a SIEM solution with UEBA, you must be wondering which one to choose. Well, I will be glad to help you with that. ManageEngine Log360 is a comprehensive solution for protecting your organization against cyberattacks. Log360 is a SIEM solution that has a correlation engine, threat intelligence, and UEBA functionality for analyzing data and detecting threats and vulnerabilities to your organization. It also has the added benefit of security orchestration, automation, and response (SOAR), which allows for faster threat detection and automated incident response. The other benefits are:

• Identification and prevention of insider threats.
• Identification of user account compromise.
• Identification and mitigation of data exfiltration, and data loss prevention.
• Entity analytics.
• Use of unsupervised ML—functions independent of human intervention.
• Accurate risk scoring.
• Real-time monitoring and alerts.
• Custom risk alerts.
• Reduction in false positives.
• Holistic security management.

So, before things get tricky, secure your organization with Log360, and safeguard against cyberattacks swiftly. Thanks for reading, folks!