SecurityWeek

Data Protection

User and Entity Behavior Analytics – A Floor Wax and a Dessert Topping

User and Entity Behavioral Analytics (UEBA) has evolved quite a bit over the past several years. It started as just User Behavioral Analytics, which focused on catching malicious insider threats; practitioners and vendors then realized that user activity is only part of the picture and that the behavior of servers and endpoints is also important for a more complete perspective. This is especially true when analyzing Internet of Things and Industrial Control System environments. Today, UEBA is no longer used as just a single point solution; it is being touted as a feature or a major element of everything from insider threat tools to SIEM tools to cyber risk analytics to endpoint protection.

Organizations are increasingly combining UEBA technology with other data sources and analytics methods to address cyber risk on a broader scale. For example, they are using UEBA to analyze the intersection of unusual user and machine behavior with indicators of attack/compromise to identify compromised accounts. They are using UEBA to identify vendor-based insider threats and combining that information with other risk intelligence to obtain a 360-degree view of third-party risk that both security and vendor risk management stakeholders can use to reduce the risk posed by outsiders with access to corporate networks and information. With the General Data Protection Regulation (GDPR) taking effect in May 2018, there has been a renewed focus on protecting the private data of employees, customers and shareholders. UEBA is being used to detect the mishandling of sensitive data, which could put enterprises out of compliance with the GDPR. This includes understanding the behavioral patterns of what people are accessing, unusual access, unusual handling of data classification levels, unusual decryption activity, and unusual email and cloud upload patterns.

One of the most powerful but overlooked applications of UEBA is identifying and remediating careless users and broken business processes. The vast majority of event data coming from a typical enterprise’s security tools comes from non-malicious users who are either acting carelessly or have not been given an easy path to doing their jobs while complying with security policies. Although these users and business processes pose significant risk and create a lot of noise in the Security Operations Center, they often get put on the back burner when it comes to remediation in favor of more urgent malicious threats. In today’s hectic security environment, “back burner” is usually a code word for “not in this decade.” Using UEBA to identify and analyze normal, non-malicious patterns of repeated behavior by users and groups of employees is the first step towards remediating that behavior, reducing the risk it poses and minimizing the noise it adds to the hunt for malicious actors.
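The two uses described above, correlating an unusual user/machine pattern with an indicator of compromise to surface a compromised account, and recognizing the same "unusual" pattern repeating across a group of employees as a sign of a careless habit or broken process, can be shown with a small baseline-and-triage routine. The following is an added example written for this column, not code from any UEBA product; the daily cloud-upload telemetry, user groups, hosts, the indicator host and the thresholds are all constructed for illustration.

```python
"""Toy UEBA triage: baseline each user's daily cloud-upload volume, flag
outliers, then classify each outlier as a compromised-account candidate
(anomaly coincides with an indicator of compromise) or as a group-wide
pattern (several users of one group deviate the same way on the same day,
with no indicator involved), which is the "broken process" signal the
column describes. All data below is constructed for this example."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: user -> (group, usual workstation, upload MB on days 1-7).
BASELINE = {
    "alice": ("finance", "10.0.0.11", [10, 12, 11, 9, 10, 13, 11]),
    "bob":   ("finance", "10.0.0.12", [20, 22, 21, 19, 20, 18, 20]),
    "dave":  ("finance", "10.0.0.13", [15, 14, 16, 15, 15, 14, 16]),
    "carol": ("eng",     "10.0.0.21", [5, 6, 5, 5, 6, 5, 6]),
}
# Flatten into event tuples: (day, user, group, source_host, cloud_upload_mb).
EVENTS = [
    (day, user, group, host, mb)
    for user, (group, host, series) in BASELINE.items()
    for day, mb in enumerate(series, start=1)
]
# Day 8 (constructed): alice's upload comes from an address on the indicator
# list; bob and dave spike from their usual workstations; carol is normal.
EVENTS += [
    (8, "alice", "finance", "198.51.100.7", 900),
    (8, "bob",   "finance", "10.0.0.12",    400),
    (8, "dave",  "finance", "10.0.0.13",    350),
    (8, "carol", "eng",     "10.0.0.21",    6),
]
# Constructed indicator of compromise: a source address reported as hostile.
IOC_HOSTS = {"198.51.100.7"}


def build_baselines(events, baseline_days):
    """Per-user (mean, stdev) of daily upload MB over the first `baseline_days`."""
    per_user = defaultdict(list)
    for day, user, _group, _host, mb in events:
        if day <= baseline_days:
            per_user[user].append(mb)
    # Floor the deviation at 1 MB so a flat baseline cannot divide by zero and
    # so ordinary jitter is not reported as an extreme z-score.
    return {u: (mean(v), max(pstdev(v), 1.0)) for u, v in per_user.items()}


def score_day(events, baselines, day, z_threshold):
    """Return {user: (group, host, mb, z)} for users whose z-score on `day` >= threshold."""
    anomalies = {}
    for d, user, group, host, mb in events:
        if d != day or user not in baselines:
            continue
        mu, sigma = baselines[user]
        z = (mb - mu) / sigma
        if z >= z_threshold:
            anomalies[user] = (group, host, mb, round(z, 1))
    return anomalies


def triage(events, day, baseline_days=7, z_threshold=3.0, ioc_hosts=IOC_HOSTS, group_min=2):
    """Classify each anomaly on `day`; returns {user: finding dict}."""
    baselines = build_baselines(events, baseline_days)
    anomalies = score_day(events, baselines, day, z_threshold)
    # Count anomalous users per group, excluding those tied to an indicator, so a
    # single compromised account is not mistaken for a group-wide habit.
    group_counts = defaultdict(int)
    for _user, (group, host, _mb, _z) in anomalies.items():
        if host not in ioc_hosts:
            group_counts[group] += 1
    findings = {}
    for user, (group, host, mb, z) in anomalies.items():
        if host in ioc_hosts:
            verdict = "compromised_account_candidate"   # behaviour + IoC: escalate
        elif group_counts[group] >= group_min:
            verdict = "group_pattern"                   # likely process/training issue
        else:
            verdict = "user_anomaly"                    # single user: investigate
        findings[user] = {"group": group, "host": host, "upload_mb": mb, "z": z, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for user, f in sorted(triage(EVENTS, day=8).items()):
        print(f"{user:6} {f['group']:8} {f['host']:14} {f['upload_mb']:5} MB  z={f['z']:7}  {f['verdict']}")
```

On the constructed day 8, alice is escalated because her spike coincides with the listed indicator, while bob and dave are grouped into a single finance-wide finding rather than two separate alerts; that grouping is what lets an analyst hand the issue to the process owner instead of treating it as two incidents. Real deployments replace the z-score with per-entity models and a longer window, but the separation of "behaviour plus indicator" from "behaviour shared by a group" is the same.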

Through its fundamental ability to identify behavioral patterns, both unusual and normal, UEBA becomes a key piece of the overall cyber risk analytics puzzle. Obviously, UEBA is not a magic bullet. Managing and reducing cyber risk requires a holistic understanding of assets, loss impact, machine-based threats like malware and ransomware, vulnerabilities and, of course, the risk posed by people and abuse of privilege. Applying UEBA together with these other sources makes it an indispensable tool in the CISO’s toolbox.
