ABCs of UEBA: B is for Behavior
By Jane Grafton
We like to say, “You can steal an identity, but you can’t steal behavior.” You might compromise my credentials, but you don’t know what time I normally login, the applications I typically use, the people I regularly email, etc. That’s because behavior is the leading unknown threat indicator.
How to predict unknown threats
The key to predicting threats, especially unknown threats, is to monitor user and entity behavior – to recognize when that behavior starts being anomalous. Let’s take a serious example: workplace violence. You hear it over an over again after a violent incident – people close to the perpetrator say things like, “he was acting strange” or “he was keeping to himself” or “he was obsessed with social media” before he committed the violent act. There are always signs, and they are always behavior based. If you can get ahead of the unknown threat, if you can predict it may occur, you can likely prevent it from happening. This is the premise of User and Entity Behavior Analytics (UEBA).
Think about your own behavior, specifically in terms of patterns. Do you get to work at around the same time every day? Probably. If not, you likely have reasons. Maybe you have a doctor’s appointment. Maybe on Thursdays you have a standing appointment. When do you go to lunch? When do you leave for the day? People around you will notice if your behavior changes. If you start coming in late, if your lunches drag on, if you leave work early – any change in your behavior is noticeable.
So, How Does This Notion Translate Into UEBA and Threat Prediction?
If your office parking garage or building requires badge access, you’re creating an audit trail every time you swipe your badge. The machine learning models that power UEBA are able to detect changes in arrival and departure times. Similarly, the duration spent at the office or at lunch, even bathroom breaks if your office is secured by a keycard entry system. Further, if you use a keycard to enter your office, then login from a remote location with an unrecognized IP address, UEBA links those activities and flags that as an anomaly. You can’t possibly be in the office and working remotely at the same time.
Linking user behavior data from the physical badging system and the Windows security log is the only way to ascertain this particular abnormality which is why the best UEBA products ingest the broadest variety of data feeds. Multiply this example by 1000s of employees and millions of transactions over time and you start to get a sense of the power of UEBA.
To predict unknown threats, UEBA examines everything users and entities are doing in real-time, then aggregates, correlates, and links that data to identify anomalies. Keep in mind an entire library of machine learning algorithms and analytics are applied against this combined and normalized data because it’s not possible for humans to detect changes in behavior patterns at this scale.
Gurucul UEBA creates a behavioral baseline using profiling attributes from various data sources, such as HR records, events, access repositories, log management solutions, NetFlow and more. Gurucul UEBA detects when there is a deviation from established patterns. As a result, it can quickly alert on insider threats, compromised accounts, brute-force attacks, changes in permissions, data breaches and the like.
Is Anomalous Behavior Always Risky?
Here’s the question you need to be able to answer: Is anomalous behavior always risky? Consider a couple of examples. You’re at the airport and see a man running up the down escalator. Is he trying to catch a flight or is he fleeing from authorities? You log in from a new IP address. Are you working remotely or has your account been compromised? Context is critical.
This is the real secret sauce in a good UEBA product: distinguishing anomalous behavior from risky behavior. Sifting through alerts of anomalous activities that aren’t dangerous is a huge waste of time. You don’t have to investigate every alert if you are able to distinguish and prioritize the riskiest users and entities. Respond to the alerts that deserve your attention.
Let’s take another example. How do we predict insider threats? We examine user behavior using specific machine learning models customized for insider threat detection such as Predictive Flight Risk. This model will detect if a user is working on a document titled “my resume” or visiting job websites like Indeed or CareerBuilder. As the model identifies behaviors associated with a user planning to depart the organization, the UEBA risk score of that user rises. This enables the organization to take action well in advance of the user actually quitting. For example, adding him to a watch list to review his access and activities in real-time. And preventing him from downloading sensitive corporate data, stopping him from sending email attachments, etc. Knowledge is power.
Risky Behavior Detection Needs Data
What type of data is used to detect risky, anomalous behavior? Gurucul’s advanced analytics engine uses a range of data types from various enterprise and cloud applications/platforms. For instance, including identity, access, activity logs, transactions, communication logs (voice, chat, SMS), flow data (NetFlow / PCap), external Threat Intelligence feeds, social media, device allocations, etc.
Gurucul UEBA can pull logs from centralized log aggregators, EDR systems, syslog streaming, WMI, loads from files from NAS mounts, or platform agents that collect and forward logs to Gurucul UEBA. It uses various data elements and events such as commands executed, processes created or executed, file system access, IDS/IPS/AV/DLP alerts, etc. to detect suspicious/malicious behavior that is not normal activity for a user or entity (machine) based on the past behavior. Gurucul UEBA assigns a risk score for every user and entity for which anomalies are triggered. The risk scores, along with anomaly metadata, like resource and event data, can be used to trigger appropriate remediation action. Gurucul UEBA supports API-based integration with preventative security solutions. Therefore being able to block, disable or isolate risky users and entities to minimize the risk presented by them.
Gurucul UEBA provides more than 200 out-of-the-box connectors for a majority of standard COTS platforms. It also provides a native Flex-Connector Framework which allows customers to quickly build and configure a generic connector. Gurucul supports stream, flat file (CSV, XML, JSON), database, LDAP and API connections. Therefore, allowing customers to connect to virtually any data source. Gurucul UEBA also can be configured to receive activity data as a stream in real-time. This involves configuring appropriate ports and a listener to receive the streamed data. Then, further process the unstructured data stream in a similar method as that used for processing unstructured data files.
Behavior Doesn’t Lie
People lie, behavior doesn’t. You can say you’re working from home, but your system activity logs will tell the real story. For example, if you’re actually playing hooky or ‘working’ from an exotic vacation spot. The best UEBA products have the most mature machine learning models tailored to specific security and threat use cases.
One last point, and it’s critical: rules don’t catch changes in behavior patterns. Rules-based security products cannot detect unknown threats. If you have a rule that prevents logins from midnight to 6am, what happens when someone logs in at 11:59pm? That’s close to midnight, but a rule wouldn’t catch that, and the user would be able to login. It’s is a simple example, but it makes the point that you absolutely need machine learning powered by data science to rigorously root out bad behavior at scale. You just do.