October 12, 2021

Finding Patterns: User & Entity Behavior Analytics (UEBA)

There’s a great scene in the 1997 film “Contact” where the protagonist, Dr. Eleanor Arroway (played by Jodie Foster), is informed that her lab’s funding has just been revoked. Her lab partner explains that the government lost faith in the project because of her questionable activities, such as watching static on TV for hours. She responds angrily: “I was looking for patterns in the chaos, come on!”

This is a good analogy for what User and Entity Behavior Analytics (UEBA) does automatically for you. Arroway was looking for signs of life on other planets; spotting abnormal or malicious patterns in user and entity behavior can be just as hard with the naked eye.

On any given day, your employees log into cloud and on-premises applications, download and upload files, and respond to authentication requests. Tracking these behaviors is data-intensive once you account for all the devices and apps they use to stay productive, where they connect from, and the times at which they typically interact with each app.

This is where UEBA comes in. Instead of relying on static security checks, or staring at the static yourself, you can use automated behavioral analysis to detect both insider and external threats and act on them before data is leaked or a ransomware attack spreads.

How UEBA works

Put simply, UEBA is a security process that learns what normal behavior looks like for each user and entity and flags deviations from that baseline. A perpetrator can steal an employee’s username and password fairly easily, but it is much harder to imitate how that person normally behaves on the network and how they normally use apps and data. UEBA also helps detect insider threats, intentional or not, where an authorized user does something harmful to your organization.

In many ways, it works like credit card fraud detection software. A few years back, I remember buying a treadmill and needing a large rental car to transport it home. With my credit card, I paid for the rental and fueled it up at a gas station before driving to the store to pick up the treadmill. When I tried to buy the exercise machine, my credit card was hotlisted and I got a phone call right away from the Visa fraud department to confirm it was actually me making the purchase! Visa's fraud detection software rightfully determined that these purchases were very different from my normal activities.

UEBA applies the same idea to the enterprise. It uses machine learning and data analytics to decide when behavior is anomalous enough to represent a potential security threat. For example, if I normally download a few megabytes of files a day but suddenly download gigabytes, a UEBA system detects the deviation from my own baseline and alerts the security team to respond.

Geo-anomalies are another tell-tale sign: if someone signs into a work account from San Francisco, and minutes later a login to the same account is observed on the other side of the world in the Czech Republic, no legitimate traveler could have covered that distance in that time. A UEBA system detects this so-called impossible travel automatically and can trigger an automated response that protects the data the account can reach.
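Here is what that impossible-travel check looks like in code. This is an added example written for this post, not Lookout's UEBA implementation: it takes a list of login events, orders them per user by time, and flags any pair of consecutive logins whose implied speed exceeds a cutoff. The coordinates, timestamps, user names and the 1,000 km/h cutoff are all constructed assumptions.

```python
"""Impossible-travel check over login events.

Added example for this post, not Lookout's implementation. Coordinates,
timestamps, users and the speed cutoff are constructed assumptions.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed cutoff: faster than any commercial flight, so anything above it is physically implausible.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    city: str  # human-readable label for the alert only


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins by the same user whose implied speed exceeds max_kmh.

    Events are sorted per user by timestamp first, so the input may arrive in any
    order, as it does from a pipeline that merges several log sources.
    """
    alerts = []
    last_seen = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.ts)):
        prev = last_seen.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            # Identical timestamps from two places are still impossible; from one place they are not.
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({
                    "user": ev.user,
                    "from": prev.city,
                    "to": ev.city,
                    "km": round(km),
                    "minutes": round(hours * 60),
                    "kmh": round(speed) if speed != math.inf else "inf",
                })
        last_seen[ev.user] = ev
    return alerts


def sample_logins():
    """Constructed events: an SF-to-Prague jump in 30 minutes, a legitimate
    SF-to-New-York trip over 9 hours, and a local re-login 5 minutes apart."""
    def at(h, m):
        return datetime(2021, 10, 12, h, m, tzinfo=timezone.utc)
    sf, prg, nyc = (37.7749, -122.4194), (50.0755, 14.4378), (40.7128, -74.0060)
    return [
        Login("alice", at(9, 30), *prg, "Prague"),  # deliberately out of order
        Login("alice", at(9, 0), *sf, "San Francisco"),
        Login("bob", at(9, 0), *sf, "San Francisco"),
        Login("bob", at(18, 0), *nyc, "New York"),
        Login("carol", at(9, 0), *sf, "San Francisco"),
        Login("carol", at(9, 5), *sf, "San Francisco"),
    ]


if __name__ == "__main__":
    for alert in impossible_travel(sample_logins()):
        print(alert)
```

Two caveats a practitioner would want before wiring this to an automated response. IP geolocation is coarse, and a VPN or proxy egress point can place a legitimate user thousands of kilometres from their laptop, so known corporate egress addresses are usually exempted or a second signal is required before access is cut. The cutoff should also be set just above commercial air travel (roughly 900 km/h) rather than arbitrarily high; Bob's 9-hour trip above works out to about 460 km/h and is correctly left alone, while lowering the cutoff to 400 km/h would flag him too.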

I remember an incident with one of our customers where UEBA ended up detecting and halting a ransomware attack. This customer gave their partners access to their Box cloud content management system. With UEBA in place, their security team received an automated detection of a large volume of files being deleted and replaced by encrypted files, which were quickly uploaded and renamed. Thanks to early detection, the security team was able to quarantine the account and restore the files.
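The pattern in that incident, a burst of deletes followed by uploads of the same files under new names, can be written as a detection over cloud file-activity logs. The block below is an added example and not the detection Lookout used: the CSV-style log format, the account and file names, the five-minute window and the 20-file cutoff are all constructed assumptions. It alerts the moment the cutoff is crossed rather than after the burst ends, which is what makes an early quarantine possible.

```python
"""Mass delete-and-replace detection over cloud file-activity logs.

Added example, not Lookout's detection. The log format, accounts, file names,
window size and cutoff are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # how long a delete stays "recent" (assumed)
MIN_REPLACEMENTS = 20           # deleted files re-uploaded under a new name before alerting (assumed)


def parse_line(line):
    """'2021-09-14T10:00:00Z,account,action,file name' -> (aware datetime, account, action, name)."""
    ts, account, action, name = line.strip().split(",", 3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), account, action, name


def is_replacement(deleted_name, uploaded_name):
    """True when the upload looks like the deleted file under a new name:
    'report.xlsx' -> 'report.xlsx.locked' or 'report.locked'. An identical
    name is ordinary versioning, not a replacement."""
    if uploaded_name == deleted_name:
        return False
    stem = deleted_name.rsplit(".", 1)[0]
    return uploaded_name.startswith(deleted_name) or uploaded_name.rsplit(".", 1)[0] == stem


def detect_mass_replacement(lines, window=WINDOW, min_replacements=MIN_REPLACEMENTS):
    """Return {account: alert} for accounts that replaced at least min_replacements
    recently deleted files inside one window. One alert per account, raised at
    the moment the cutoff is crossed so a response can start mid-burst."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e[0])
    recent_deletes = defaultdict(deque)  # account -> (ts, name) still inside the window
    replaced = defaultdict(deque)        # account -> (ts, deleted name, uploaded name)
    alerts = {}
    for ts, account, action, name in events:
        for dq in (recent_deletes[account], replaced[account]):
            while dq and ts - dq[0][0] > window:
                dq.popleft()  # expire entries older than the window
        if action == "delete":
            recent_deletes[account].append((ts, name))
        elif action == "upload":
            for _, deleted in recent_deletes[account]:
                if is_replacement(deleted, name):
                    replaced[account].append((ts, deleted, name))
                    break
            if account not in alerts and len(replaced[account]) >= min_replacements:
                first_ts = replaced[account][0][0]
                alerts[account] = {
                    "at": ts.isoformat(),
                    "burst_seconds": int((ts - first_ts).total_seconds()),
                    "replacements": len(replaced[account]),
                    "example": replaced[account][-1][1:],
                }
    return alerts


def sample_log():
    """Constructed log: a partner account deleting 25 spreadsheets and re-uploading
    them with a .locked suffix over about 100 seconds, plus a user doing normal edits."""
    base = datetime(2021, 9, 14, 10, 0, 0)

    def at(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    for i in range(25):
        lines.append(f"{at(4 * i)},partner-acct,delete,Q3-forecast-{i:02d}.xlsx")
        lines.append(f"{at(4 * i + 2)},partner-acct,upload,Q3-forecast-{i:02d}.xlsx.locked")
    lines += [
        f"{at(10)},jdoe,delete,notes.txt",
        f"{at(12)},jdoe,upload,notes.txt",          # same name: a new version, not a replacement
        f"{at(40)},jdoe,delete,old-draft.docx",
        f"{at(45)},jdoe,upload,final-draft.docx",   # different stem: an unrelated file
    ]
    return lines


if __name__ == "__main__":
    print(detect_mass_replacement(sample_log()))
```

The name matching is intentionally loose (same stem, or the old name as a prefix) because ransomware families differ in how they rename, and the per-account window keeps a legitimate bulk clean-up by one user from counting against another. Tune the cutoff against how many files a real user in your environment touches in five minutes.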

UEBA vs. Security Information and Event Management (SIEM)

SIEMs let security teams aggregate large volumes of disparate data sets, security alerts and events from many sources into a single console for processing and analysis. Their workflows and rule engines make sense of the processed data and help administrators prioritize and manage incidents and alerts.

With powerful searches, queries, dashboards and rule-based engines, most SIEMs give a 360-degree view of enterprise systems and let admins manage incidents in a timely manner. Some also spot trends and apply correlation rules that trigger appropriate mitigation steps.

Although at first glance, UEBA and SIEM may appear to do the same thing, there are a few key differences.

A SIEM is organized around events: it collects logs and alerts from devices and systems and matches them against rules. UEBA is organized around behavior: it tracks what users and entities, such as devices, applications and data, normally do over time and looks for anomalies in that behavior that may indicate a threat. UEBA also analyzes a lot of data, but it uses machine learning to automate and scale the pattern analysis instead of relying on human intelligence and hand-written rules alone.

Why do you need UEBA?

At its core, UEBA is built for finding the needle in the haystack. It can be used to analyze and model behavior and to stop threats in real time. For example, if a user is downloading a large amount of sensitive content from Office 365 and triggering multiple data loss prevention (DLP) violations, that intelligence can automatically cut off further downloads and also revoke that user's access to other applications, such as Salesforce. That level of awareness can stop data theft while it is in progress. Another example: when a compromised device starts downloading data in volumes that exceed the user's normal behavior, further downloads can be cut off. Unlike static thresholds, these thresholds are dynamic; they are derived from the user's own history and adapt as the user's activity changes.
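The following is an added example of what a dynamic, per-user threshold can look like; it covers both the megabytes-versus-gigabytes download case described earlier and the adaptive thresholds described here, and it is not Lookout's model. Each user's daily download total is compared with a baseline built only from that user's own earlier days (the median plus a multiple of the median absolute deviation), so a data engineer who routinely pulls gigabytes is not flagged for doing so, while an analyst who normally downloads a few megabytes is flagged on the day they download gigabytes. The users, volumes, 30-day window, cutoff multiplier and 50 MiB floor are constructed assumptions.

```python
"""Per-user adaptive download thresholds.

Added example, not Lookout's implementation. Users, volumes, window length,
cutoff multiplier and floor are constructed assumptions.
"""
import statistics
from collections import defaultdict

MiB = 1024 ** 2
WINDOW_DAYS = 30        # how many prior days feed a user's baseline (assumed)
MIN_HISTORY_DAYS = 7    # do not score a user until this much history exists (assumed)
K_MAD = 6.0             # robust z-score cutoff; 1.4826 * MAD approximates one sigma (assumed)
ABS_FLOOR = 50 * MiB    # never alert on a deviation smaller than this, however quiet the user (assumed)


def daily_totals(events):
    """events: (day, user, bytes) per download -> {user: [(day, total_bytes), ...]} in day order."""
    agg = defaultdict(lambda: defaultdict(int))
    for day, user, nbytes in events:
        agg[user][day] += nbytes
    return {user: sorted(days.items()) for user, days in agg.items()}


def adaptive_threshold(history, k=K_MAD, floor=ABS_FLOOR):
    """Median + k * scaled MAD of the user's own recent days, with an absolute floor so
    a user whose history is tiny and flat is not flagged for a few extra megabytes."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    return med + max(k * 1.4826 * mad, floor)


def detect_volume_anomalies(events, window=WINDOW_DAYS, min_history=MIN_HISTORY_DAYS):
    """Score each user-day against a baseline built from that user's earlier days only."""
    alerts = []
    for user, series in daily_totals(events).items():
        history = []
        for day, total in series:
            if len(history) >= min_history:
                limit = adaptive_threshold(history[-window:])
                if total > limit:
                    alerts.append({"user": user, "day": day, "bytes": total, "threshold": int(limit)})
                    continue  # keep the anomalous day out of the baseline so a slow ramp cannot poison it
            history.append(total)
    return alerts


def static_threshold_alerts(events, limit):
    """The one-size-fits-all alternative, for comparison."""
    return [(user, day, total) for user, series in daily_totals(events).items()
            for day, total in series if total > limit]


def sample_events():
    """Constructed data: 30 days of history for an analyst (alice, 5 to 17 MiB a day)
    and a data engineer (bob, 2000 to 2800 MiB a day), then one more day each."""
    events = []
    for i in range(30):
        day = f"2021-09-{i + 1:02d}"
        events.append((day, "alice", (5 + 2 * (i % 7)) * MiB))
        events.append((day, "bob", (2000 + 200 * (i % 5)) * MiB))
    events.append(("2021-10-01", "alice", 4000 * MiB))  # anomalous for alice
    events.append(("2021-10-01", "bob", 3500 * MiB))    # a busy but ordinary day for bob
    return events


if __name__ == "__main__":
    for alert in detect_volume_anomalies(sample_events()):
        print(alert)
    print("static 1 GiB rule fires", len(static_threshold_alerts(sample_events(), 1024 * MiB)), "times")
```

On this data the adaptive rule fires exactly once, for Alice's 4,000 MiB day against a threshold of about 61 MiB, while a static 1 GiB rule fires on every one of Bob's 31 days and would have trained the team to ignore it. Excluding flagged days from the baseline is the detail that matters most in practice: without it, an attacker who ramps up slowly drags the threshold up with them.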

UEBA tracks both insider and external threats. Data and IP theft by disgruntled or soon-to-depart employees is a classic insider threat. On the external side, UEBA detects hijacked accounts, compromised credentials and credential stuffing by tracking how the account behaves after the login succeeds, which is precisely where an attacker holding valid credentials would otherwise blend in.

UEBA works best when paired with a holistic platform

This blog describes UEBA and why it matters, but it is only one piece of a modern security architecture. Two other major elements belong alongside it: continuous monitoring of the risk posture of endpoint devices, and awareness of the sensitivity of the apps and data that users and endpoints access.

Whether you realize it or not, every one of your employees uses some form of personal device to work from anywhere. That means you need to track the fluctuating risk posture of both managed and unmanaged devices to protect your data at all times. By enforcing policies that combine user behavior, endpoint risk posture and data sensitivity, you can protect your data without hindering productivity.

To learn more about Lookout UEBA, reach out to our team to request a demo.

Book a personalized, no-pressure demo today to learn:

  • How adversaries are leveraging avenues outside traditional email to conduct phishing on iOS and Android devices
  • Real-world examples of phishing and app threats that have compromised organizations
  • How an integrated endpoint-to-cloud security platform can detect threats and protect your organization
