ABCs of UEBA: B is for Behavior

by Jane Grafton on February 4, 2019

We like to say, “You can steal an identity, but you can’t steal behavior.” You might compromise my credentials, but you don’t know what time I normally log in, the applications I typically use, the people I regularly email, etc.

Behavior is the Leading Threat Indicator
The key to predicting threats, especially unknown threats, is to monitor user and entity behavior – to recognize when that behavior starts becoming anomalous. Let’s take a serious example: workplace violence. You hear it over and over again after a violent incident – people close to the perpetrator say things like, “he was acting strange” or “he was keeping to himself” or “he was obsessed with social media” before he committed the violent act. There are always signs, and they are always behavior-based. If you can get ahead of the threat, if you can predict it may occur, you can likely prevent it from happening. This is the premise of User and Entity Behavior Analytics (UEBA).

Think about your own behavior, specifically in terms of patterns. Do you get to work at around the same time every day? Probably. If not, you likely have reasons. Maybe you have a doctor’s appointment. Maybe on Thursdays you have a standing appointment. When do you go to lunch? When do you leave for the day? People around you will notice if your behavior changes. If you start coming in late, if your lunches drag on, if you leave work early – any change in your behavior is noticeable. So, how does this same notion translate into UEBA and threat prediction?

If your office parking garage or building requires badge access, you’re creating an audit trail every time you swipe your badge. The machine learning models that power UEBA are able to detect changes in arrival and departure times, duration spent at the office or at lunch, even bathroom breaks if your office is secured by a keycard entry system. Further, if you use a keycard to enter your office and then log in from a remote location with an unrecognized IP address, UEBA links those activities and flags them as an anomaly. You can’t possibly be in the office and working remotely at the same time. Linking user behavior data from the physical badging system and the Windows security log is the only way to ascertain this particular abnormality, which is why the best UEBA products ingest the broadest variety of data feeds. Multiply this example by thousands of employees and millions of transactions over time and you start to get a sense of the power of UEBA.
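The badge-plus-logon correlation described above, as an added example that is not code from this post or from any UEBA product: a small Python script over constructed badge-reader records and constructed Windows Security log records. It flags a remote logon that arrives while the user’s most recent badge event says they are inside the building, and separately flags an arrival time that strays from that user’s own median arrival. The sample records, the known-network list, the user names and the 60-minute threshold are all assumptions; the mapping of Windows event ID 4624 with logon type 10 to a RemoteInteractive (RDP) logon is real.

```python
"""Correlate a physical badge log with Windows logon events (added example, not the post's code)."""
import ipaddress
import statistics
from datetime import datetime

# Constructed badge-reader records: (user, ISO timestamp, direction). Not real data.
BADGE_EVENTS = [
    ("alice", "2019-01-28T08:05:00", "ENTER"), ("alice", "2019-01-28T17:10:00", "EXIT"),
    ("alice", "2019-01-29T07:58:00", "ENTER"), ("alice", "2019-01-29T17:20:00", "EXIT"),
    ("alice", "2019-01-30T08:10:00", "ENTER"), ("alice", "2019-01-30T17:05:00", "EXIT"),
    ("alice", "2019-02-04T11:45:00", "ENTER"), ("alice", "2019-02-04T17:31:00", "EXIT"),
    ("bob",   "2019-02-04T08:15:00", "ENTER"),
]

# Constructed Windows Security log records: (user, ISO timestamp, logon type, source IP).
# Event ID 4624 with logon type 10 is a RemoteInteractive (RDP) logon; type 2 is a local console logon.
LOGON_EVENTS = [
    ("alice", "2019-02-04T13:12:00", 10, "203.0.113.45"),   # RDP from outside while badged in
    ("alice", "2019-02-04T18:40:00", 10, "198.51.100.7"),   # RDP from outside after badging out
    ("bob",   "2019-02-04T09:00:00", 2,  "10.0.0.21"),      # console logon from the office LAN
]

# Assumed corporate address space; anything outside it is treated as a remote source.
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def _ts(s):
    return datetime.fromisoformat(s)


def badged_in_at(user, when_iso, badge_events=BADGE_EVENTS):
    """True if the user's most recent badge event at or before `when_iso` is an ENTER."""
    when = _ts(when_iso)
    state = False
    for u, ts, direction in sorted(badge_events, key=lambda e: e[1]):
        if u != user or _ts(ts) > when:
            continue
        state = direction == "ENTER"
    return state


def is_known_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def remote_while_present(badge_events=BADGE_EVENTS, logon_events=LOGON_EVENTS):
    """Flag remote logons (type 10 or unknown source) by users whose badge says they are on site."""
    findings = []
    for user, ts, logon_type, ip in logon_events:
        remote = logon_type == 10 or not is_known_source(ip)
        if remote and badged_in_at(user, ts, badge_events):
            findings.append({"user": user, "time": ts, "source": ip,
                             "reason": "remote logon while badged into the building"})
    return findings


def arrival_minutes(user, badge_events=BADGE_EVENTS):
    """First ENTER of each day for the user, as minutes since midnight, keyed by date."""
    first = {}
    for u, ts, direction in sorted(badge_events, key=lambda e: e[1]):
        if u == user and direction == "ENTER":
            t = _ts(ts)
            first.setdefault(t.date().isoformat(), t.hour * 60 + t.minute)
    return first


def late_arrivals(user, threshold_minutes=60, badge_events=BADGE_EVENTS):
    """Days on which the user's arrival deviates from their own median arrival by more than the threshold.

    The median is robust enough that a single outlier day does not drag the baseline toward itself.
    """
    per_day = arrival_minutes(user, badge_events)
    if len(per_day) < 3:
        return []  # too little history to call anything anomalous
    baseline = statistics.median(per_day.values())
    return [day for day, m in per_day.items() if abs(m - baseline) > threshold_minutes]


if __name__ == "__main__":
    for finding in remote_while_present():
        print(finding)
    print("late arrivals for alice:", late_arrivals("alice"))
```

Two things to notice about the design: neither signal is conclusive on its own (a badge swipe can be shared, and an RDP session from an unfamiliar address can be a legitimate VPN exit), so the value comes from the two independent feeds contradicting each other, which is exactly why the post argues for ingesting both. The arrival-time check also refuses to score a user with fewer than three days of history, because a baseline built from one or two observations says nothing about what is normal for that person.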

To predict unknown threats, UEBA examines everything users and entities are doing in real time, then aggregates, correlates, and links that data to identify anomalies. Keep in mind that an entire library of machine learning algorithms and analytics is applied against this combined and normalized data, because it’s not possible for humans to detect changes in behavior patterns at this scale.