The acronym UEBA (User and Entity Behavior Analytics) is becoming more popular every day. The term was coined by Gartner for the cybersecurity industry a few years back and is now commonly used within the security community. However, with the shift-left movement in software development security and the rise of DevSecOps culture and practices within organizations, UEBA has piqued the interest of other communities (not just security) across multiple industries. Also, in a more connected and global society, the UEBA process has been gaining traction outside of security due to its benefits in regards to helping organizations become more data-driven and customer-oriented.
UEBA is the process of detecting anomalous behavior of users and machines against a baseline of “normal” behavioral events. With this baseline in place, analysis is focused on finding anomalies and deviations from what has been established as normal and safe.
The number of websites and API endpoints is growing every day. And in a world that is more connected than ever before, the demand for web security is at an all-time high. It should be noted that the security of HTTP traffic is not a new topic, and there have been several protection methods around for many years: signature-based, heuristics, ACLs, etc. While these methods still provide good protection against common attacks, today’s threat landscape has shifted, with attacks becoming more and more sophisticated.
One could say that “What got us here will not get us there.” New strategies are needed for a new landscape. Behavior profiling, machine learning, and other techniques, all part of the UEBA process, can successfully fill the gaps and enhance your organization’s protection and detection capabilities for websites, web applications, and native/mobile API servers.
As mentioned above, behavior is at the core of modern security protection techniques. In order to really understand what UEBA is, we need to go deeper into what we mean by user and entity behavior.
Entity behavior usually refers to the behavior of machines or automated systems. Therefore, in the context of web security, entities would be any kind of non-human components that interact with the web service being provided: desktops, laptops, servers, mobile phones, tablets, and so on. In turn, user behavior is about how humans interact with that same service.
Profiling the behavior of entities and users is no easy task. There are several challenges involved in defining what a normal behavior baseline is and making sure that it is updated frequently. As an example, a machine such as a Linux server accessing a website (e.g., online shop) via a command-line web browser is a clear deviation from what would be considered an expected normal behavior. While not necessarily malicious, it would be at the very least suspicious since we assume that the machines interacting with our online shop will be laptops, desktops, mobile phones, and tablets with web browsers such as Chrome, Firefox, Edge, or Safari.
However, this information combined with the associated user behavior could shed some light on understanding its relevance. User behavior data in this case could be, say, if a valid user is authenticated in the online shop, what pages the person is looking at, and how much time the person spends in the shop.
Importance of Context
One important aspect of understanding machine and human behavior is that it is highly influenced by its surrounding context and business case.
Let’s take malicious PowerShell scripts. These are quite common nowadays. Yet, there are also plenty of good examples of non-malicious PowerShell scripts. So the simple fact that a machine is running a PowerShell script is not enough to reach a decision about a potential threat. Other factors about the behavior need to be considered as well, such as: What is the script trying to do to the system? Is it downloading files and writing them to a privileged location on the local hard disk? Is it attempting to make changes to the Windows Registry?
Going one step further and taking the user behavior and profile into account, one could simply ask: Does it make sense that the person using this machine is running a PowerShell script? If the person is working in Human Resources, it is highly unlikely that his or her machine would be executing a PowerShell script in the first place. On the other hand, this would be expected if the person works in Software Engineering.
There are several challenges associated with establishing a UEBA process. As you might have realized, tracing behavior is one of those challenges. What information (metrics, events, etc.) should be collected for a meaningful analysis? Equally important, in light of regulation and compliance programs such as GDPR, is what information can legally be collected.
Another key challenge is the behavioral analysis. The rapid digital transformation that companies face today, combined with a fast-moving threat landscape, makes the analysis of machine and human behavior a continuous and never-ending task. Analysis is also very dependent on context, such as user profile, geolocation, and use case. So it requires a good understanding of the technology at hand, the specific business case, and the customer in order to establish a proper baseline of what normal behavior looks like.
Having a well-established UEBA process has several advantages over other methods of threat detection and protection. UEBA enables a more adaptive and agile approach to security, one that can evolve along with a system and its users.
While a method such as a firewall usually brings a rather black-or-white approach based on a single event, a UEBA process tries to continuously update the bigger picture of what is happening before reaching a definitive decision. Because of this, it is better focused on detecting and responding to anomalies rather than the traditional approach of blocking attacks based on certain pre-set conditions. UEBA should thus not be considered a substitute for other methods of threat protection; rather, it’s a complementary service to enhance security, provide visibility, and gain insights.
For example, consider an eCommerce store that sells expensive designer clothing. UEBA might reveal that before customers purchase specific items, most of them will first scroll down the page, apparently to check the returns policy (“If it doesn’t fit, send it back with free shipping, and get your choice of a different size or a full refund”). Therefore, a visitor to those product pages who does not scroll is less likely to be a legitimate customer; this data point, when combined with other metrics, might indicate that this “visitor” is actually a price-scraper bot instead.
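The reasoning behind the two shop examples above (a command-line client visiting a shop that expects ordinary browsers, and a product-page visitor who never scrolls to the returns policy) as a small scoring routine. This is an added example, not code from the article: the session fields, the point weights, the thresholds and the known-good baseline sessions are all assumptions constructed for illustration.

```python
import re
import statistics
from typing import Dict, List, Tuple

# Constructed known-good shopper sessions for the online-shop scenario in the
# article (hypothetical values, not real traffic). They define "normal".
BASELINE_SESSIONS = [
    {"ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "auth": True, "duration_s": 340, "scrolled": True},
    {"ua": "Mozilla/5.0 (Macintosh) Safari/17.0", "auth": True, "duration_s": 210, "scrolled": True},
    {"ua": "Mozilla/5.0 (X11; Linux) Firefox/121.0", "auth": False, "duration_s": 150, "scrolled": True},
    {"ua": "Mozilla/5.0 (iPhone) Safari/17.0", "auth": True, "duration_s": 280, "scrolled": False},
    {"ua": "Mozilla/5.0 (Windows NT 10.0) Edg/120.0", "auth": True, "duration_s": 400, "scrolled": True},
]

BROWSER_TOKENS = re.compile(r"Chrome|Firefox|Safari|Edg", re.I)

def is_browser(ua: str) -> bool:
    """Entity behaviour: does the user agent name a browser shoppers actually use?"""
    return bool(BROWSER_TOKENS.search(ua))

def build_baseline(sessions: List[Dict]) -> Dict[str, float]:
    """Summarise normal: how often shoppers scroll to the returns policy and
    how long a session usually lasts (mean and population std deviation)."""
    durations = [s["duration_s"] for s in sessions]
    return {
        "scroll_rate": sum(s["scrolled"] for s in sessions) / len(sessions),
        "mean_duration": statistics.mean(durations),
        "sd_duration": statistics.pstdev(durations),
    }

def score_session(s: Dict, base: Dict[str, float]) -> Tuple[int, List[str]]:
    """Add deviation points, each with a reason an analyst can read (assumed weights)."""
    score, reasons = 0, []
    if not is_browser(s["ua"]):
        score += 3; reasons.append("non-browser user agent")
    if base["scroll_rate"] >= 0.5 and not s["scrolled"]:
        score += 2; reasons.append("did not scroll to the returns policy")
    if s["duration_s"] < base["mean_duration"] - 2 * base["sd_duration"]:
        score += 1; reasons.append("session far shorter than baseline")
    if not s["auth"]:
        score += 1; reasons.append("not authenticated")
    return score, reasons

def verdict(s: Dict, base: Dict[str, float]) -> str:
    """One deviation (e.g. a text browser) only earns 'review'; several together
    point at a price-scraper bot. No single event decides on its own."""
    score, _ = score_session(s, base)
    return "likely bot" if score >= 4 else "review" if score >= 2 else "normal"
```

The reasons list is what makes the score useful to an analyst: a flagged session explains itself instead of being an opaque number.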
It is important to note that while the process of collecting and analyzing behavior from entities and users can look daunting, it also provides an incredible opportunity. In addition to improving security, the need to continuously research users’ behavior enables an organization to become more data-driven and customer-oriented, leading to added business value and increased customer engagement and satisfaction.
For example, in the eCommerce situation mentioned above, UEBA revealed the scrolling behavior of customers. This indicates that there’s some friction in the sales process for these products. Perhaps conversion rates would increase on those product pages if a prominent summary of the return policy was added below the “Add to Cart” buttons.
This article gave an overview of User and Entity Behavior Analytics and explored its main concepts, benefits, and associated challenges.
Understanding machine and human behavior is therefore an important aspect of the UEBA process, and having good analytics and intelligence on this data is the key to success. The current technology landscape, as well as new AI and machine learning capabilities being released every day, is making the challenges in establishing a UEBA process smaller and smaller.
It is important to keep in mind that while the UEBA process was initially associated with the cybersecurity industry, it has been expanding into more and more industries due to its popularity and versatility. So, it is a term that is fast becoming part of the normal vocabulary in many organizations, across all divisions. As you move forward in learning about, or perhaps adopting, a UEBA process in your company, don’t miss out on the benefits that are in fact not directly related to security, such as better customer understanding and added value creation.
Either by establishing your own UEBA process or by working with a partner that has one, leveraging its benefits can help enable data-driven decision making and fuel innovation in your organization.
This guest article is by Bruno Amaro Almeida.