User Behavior Analytics (UBA) is new buzzword in information Security space, which is considered to have capability to uncover “Unknown” by detecting attacks which are often missed by the existing security technologies in place like SIEM, DLP, ATP, Access management solutions and so on. The new technologies are always promoted excessively by the vendors but in fact UBA presents the actual opportunity to raise the Security level of the organization.
User leave their traces all around the organization eco system as they use organization infrastructure and their actions are captured in form of Logs , Audit trails , and in number of other places . UBA uses machine learning algorithm’s to create the profile of the users and set a baseline for their normal behavior. A compromised user account will behave differently than the normal user. By comparing the activities to the base line, UBA tools can detect such activities and raise an alert for SOC to investigate.
Following are the few behavior patterns of employees:
Working Behavior -Take a typical case of an employee. Every working day is the same for this employee. he reach office at the same time as other working days , Have lunch at the same time and leave office around the same time . So he behave similarly in at least 95% of his workdays. Logging in with his account in the middle of the night would be highly unusual.
Used Applications - A user who use word, excel or MS project as part of his daily routine suddenly start using SAP or any HR / Finance applications would be highly suspicious .
Files and Servers -A Marketing Executive who usually access only the marketing server at work, where he can find all of the files he need. Out of the blue, he start accessing excel files stored on the HR server. Wouldn’t this be suspicious?
Asset Usage A user always uses the company laptop and rarely travel on business trips. It would definitely be unusual if user is detected logging in from china and from a different asset.
Security professionals often argue about User Behavior Analytics, like:
“I Use SIEM for User Behavior Monitoring” -It is true that custom rules could be created on SIEM to monitor user behavior, but those need to be created, maintained, and you need to know what you are looking for. UBA Algorithm’s does a lot further to in detecting and responding to malicious user behavior that flies way beyond SIEM Sight.
“I use Cloud Access Security Brokers (CASB) for User Behavior Monitoring” -Some CASB gateways can track and report on user activities, but they only as work for cloud access. UBA tools looks at the whole organization Infrastructure including Cloud access.
“UBA will give rise to the false positives and will Impact Incident Response” -In fact, UBA is designed to reduce false positives with their machine learning algorithms. An anomaly in itself may not be interesting, but an aggregation of multiple anomalies rolling up to one user probably indicates a threat.
“UBA can’t detect ‘low-and-slow’ attacks.” - ‘low-and-slow’ attacks from a sophisticated adversary will always be difficult to detect, but by consolidating all data through the scan of an individual user, UBA may help accelerate investigations.
As a closing note, I am of the opinion that UBA can compliment and accelerate the detection of APTs that emanate from a compromised user’s system. Furthermore, UBA will become essential to weed out insider attacks within the organization.
Authored by Deepak Ghai
TCS Enterprise Security and Risk Management