In the current era of computer-based information technology, IT security has become a major concern for many businesses. Effective computer security lets organizations run their operations without constant fear of attack, which matters because the internet is a hostile environment in which large numbers of criminals probe organizations' networks to pursue their own ends. IT professionals have produced many tools to combat cyber crime, and one of the more recent additions to the field is user behavior analytics (UBA). User behavior analytics (UBA), or user and entity behavior analytics (UEBA), applies artificial intelligence and machine learning on top of a number of technical components, including data analytics, data integration, data visualization and analysis of source systems. Primary use cases include:
- Insider Threat Management
- Identity & Access Management
- Application Security
- Network Security
- Privileged Account Management
- Data Exfiltration Intelligence
- Threat Intelligence
User behavior analytics is a relatively new technology that analyzes historical logs, or big data more generally, and builds a profile of each user's behavior from their activity and traffic patterns. Against that profile, new activity can be classified as normal or as suspicious and possibly malicious. The technology does not itself fix the security problem it finds; it only alerts the security team to a possible anomaly in a user's behavior, and the team then decides how best to respond to the UBA findings. Systems of this kind were used in the early 2000s by marketing teams, who analyzed consumers' buying patterns to predict demand and shape marketing plans (Barba, Cassidy, De Leon, & Williams, 2013). Advances in the technology have since given the IT field a chance to apply the same approach, with considerably greater capability, to monitoring computer systems. A UBA or UEBA system collects, correlates, and analyzes hundreds of attributes, including situational information and third-party threat intelligence, and the result is a rich, context-aware data set that can reach petabyte scale.
According to a 2016 study by Gartner, a leading information technology research firm, user and entity behavior analytics (UEBA) detects malicious and abusive activity that would otherwise have gone unnoticed. UBA/UEBA technology also brings security alerts together in one place, prioritizes them, and notifies the security team of the actions to be taken. On the strength of that study, organizations are advised to acquire statistical analysis engines and incorporate them into their security monitoring platforms; otherwise their detection technology, being rule-based, cannot keep pace with the rate at which security threats are evolving.
According to agile enterprise security expert Aditya Shukla, Sr. Eng. PM – Enterprise Security at Hewlett Packard Enterprise, the traditional measures of computer security are routinely evaded by attackers. They are not very effective at detecting known threats, and they are completely defenseless against new, more sophisticated threats, in particular insider threats. The company regards big data analytics as an extension of security information and event management (SIEM). However, the qualitative difference in the data handled by the two technologies is very wide, and the results of analyzing that data therefore paint a different picture from the one a SIEM gives. In other words, SIEM solutions flood the security analyst with alerts, many of which are false positives, while most real threats go unnoticed. SIEMs, which are mostly rule-based engines, concentrate on protecting abstractions such as endpoints and perimeters. Those abstractions no longer exist in the current ecosystem, so anyone relying on a SIEM alone to protect the organization's most sensitive information is using a tool that does not even detect the threats against that classified information.
Mr. Shukla further explained at TieCon'16 in Santa Clara that in most cases the primary defenses organizations deploy, such as firewalls and access controls, are put in place to protect the network from an external attacker, not from a trusted insider. Criminals therefore now exploit insider access, which often goes unnoticed: they can mask themselves, infiltrate the network, and pass as legitimate workers or clients. To protect the network from insider attacks, the organization needs capabilities that can detect negligent or malicious activity that a traditional security program would miss. UEBA/UBA solutions are designed to detect and identify insider attackers automatically and accurately by providing behavioral anomaly detection across the system. They use purpose-designed data mining, correlation, enrichment and analytics that not only profile users who engage in high-risk behavior but also identify the high-risk activities associated with insider threats.
UBA or UEBA also helps companies control their workers' access to privileged accounts. The platform delivers access intelligence that informs which users are authorized to access particular files. For instance, using IAM, the organization can grant different people permission to access different resources, allow other users read-only access to just some files and nothing else, or grant users who hold valid passwords temporary access to the corporate network from outside the office.
Most organizations rely on network security and access controls as the core of their defense against attacks. UBA solutions address the gap these leave by monitoring all critical systems and applications, from individual transactions through to the underlying data sets, and then identifying the abnormalities that may indicate an internal or external threat. Here too, the tool profiles the users whose behavior poses a risk to the system.
Organizations take their network security seriously; many have strict rules and policies built on a SIEM. However, these solutions frequently raise false alarms about threats and are helpless against new and emerging sophisticated attacks.
Mr. Shukla emphasized that many attackers now target an organization's most sensitive data and then demand money, or something else, in exchange for the stolen information. To counter this, companies use data loss prevention (DLP) methods and access controls. However, these traditional measures are outdated and ineffective at defending the organization against highly skilled insider or outsider criminals. UBA/UEBA offers a better measure: it combines the user's identity, their behavior, and a comparison with their peers to pinpoint threats accurately. The aim is to keep the system safe at all times.
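The behavior profiling described in the paragraphs above (a baseline of each user's normal activity learned from historical logs, deviations scored and prioritized for an analyst rather than blocked, and a comparison against the user's peers so that activity that is normal for a role is not flagged) can be shown in a short script. This is an added example, not code from the original page or from HPE or Gartner; the log format, user names, departments and byte counts are constructed for the example, and the z-score floors and the 3.0 alert threshold are arbitrary assumptions.

```python
"""Minimal UEBA-style scorer: learn per-user and per-department baselines from
historical access logs, then rank a day's activity by how far it deviates from
BOTH baselines. Log format, users, departments and numbers are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format (not any vendor's): timestamp, user, department, action, bytes.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) "
    r"action=(?P<action>\S+) bytes=(?P<bytes>\d+)$"
)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 is treated as normal working time

# Four days of constructed history: carol (eng) routinely pulls ~1 MB a day,
# alice and bob (finance) pull ~100 KB a day, all during working hours.
HISTORY_LOG = """
2024-03-04T09:12:00 user=alice dept=finance action=download bytes=120000
2024-03-04T10:03:00 user=bob dept=finance action=download bytes=100000
2024-03-04T11:40:00 user=carol dept=eng action=download bytes=900000
2024-03-05T09:30:00 user=alice dept=finance action=download bytes=130000
2024-03-05T14:10:00 user=bob dept=finance action=download bytes=110000
2024-03-05T16:00:00 user=carol dept=eng action=download bytes=1100000
2024-03-06T08:50:00 user=alice dept=finance action=download bytes=110000
2024-03-06T09:05:00 user=bob dept=finance action=download bytes=90000
2024-03-06T15:30:00 user=carol dept=eng action=download bytes=1000000
2024-03-07T09:00:00 user=alice dept=finance action=download bytes=120000
2024-03-07T13:20:00 user=bob dept=finance action=download bytes=100000
2024-03-07T17:45:00 user=carol dept=eng action=download bytes=1000000
"""
# Constructed activity for the day being scored: bob pulls 950 KB in two
# transfers close to midnight; alice and carol behave as usual.
TODAY_LOG = """
2024-03-08T09:10:00 user=alice dept=finance action=download bytes=124000
2024-03-08T23:40:00 user=bob dept=finance action=download bytes=450000
2024-03-08T23:55:00 user=bob dept=finance action=download bytes=500000
2024-03-08T10:00:00 user=carol dept=eng action=download bytes=1050000
"""

# Floor on the standard deviation per feature (assumed values): a perfectly flat
# history (std = 0) must not turn any change at all into an infinite z-score.
STD_FLOOR = {"bytes": 1000.0, "offhours": 1.0}


def parse_log(text):
    """Parse raw lines into (user, dept, day, hour, bytes); malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        events.append((m["user"], m["dept"], ts.date(), ts.hour, int(m["bytes"])))
    return events


def daily_features(events):
    """Per (user, day): total bytes moved and number of events outside business hours."""
    feats = defaultdict(lambda: {"bytes": 0, "offhours": 0})
    dept_of = {}
    for user, dept, day, hour, nbytes in events:
        feats[(user, day)]["bytes"] += nbytes
        if hour not in BUSINESS_HOURS:
            feats[(user, day)]["offhours"] += 1
        dept_of[user] = dept
    return dict(feats), dept_of


def zscore(value, history, feature):
    """Standard score of value against a list of historical daily values."""
    if not history:
        return 0.0  # toy choice: no baseline, no score (first-seen users need their own policy)
    return (value - mean(history)) / max(pstdev(history), STD_FLOOR[feature])


def build_baselines(history_events):
    """Distributions of each daily feature per user (own history) and per department (peers)."""
    feats, dept_of = daily_features(history_events)
    by_user = defaultdict(lambda: defaultdict(list))
    by_dept = defaultdict(lambda: defaultdict(list))
    for (user, _day), f in feats.items():
        for name, val in f.items():
            by_user[user][name].append(val)
            by_dept[dept_of[user]][name].append(val)
    return by_user, by_dept


def score_day(today_events, by_user, by_dept):
    """Risk per user, highest first. A feature only adds to the risk when it is
    anomalous against BOTH the user's own history and the peer group, so large
    transfers that are routine for a department do not raise an alert."""
    feats, dept_of = daily_features(today_events)
    results = []
    for (user, day), f in feats.items():
        detail, risk = {}, 0.0
        for name, val in f.items():
            z_self = zscore(val, by_user[user][name], name)
            z_peer = zscore(val, by_dept[dept_of[user]][name], name)
            detail[name] = (round(z_self, 2), round(z_peer, 2))
            risk += max(0.0, min(z_self, z_peer))
        results.append({"user": user, "day": str(day), "risk": round(risk, 2), "z": detail})
    results.sort(key=lambda r: r["risk"], reverse=True)
    return results


def flagged(results, threshold=3.0):
    """Users whose risk reaches the (assumed) alert threshold, in priority order."""
    return [r["user"] for r in results if r["risk"] >= threshold]


def run():
    by_user, by_dept = build_baselines(parse_log(HISTORY_LOG))
    return score_day(parse_log(TODAY_LOG), by_user, by_dept)


if __name__ == "__main__":
    for r in run():
        print(r)
```

Running the script prints one prioritized record per user. Only bob is flagged: his 950 KB is roughly 120 standard deviations above his own history and about 69 above the finance peer group, and the two late-night transfers add a further off-hours signal. Carol moves more than ten times bob's usual volume on the same day but is not flagged, because ~1 MB is normal both for her and for her department; a fixed threshold on bytes alone would have produced exactly the kind of false positive the article complains about. Taking the smaller of the self and peer z-scores is one simple way to encode "deviates from own baseline and from peers"; a production system would use many more features and a richer model, but the shape of the pipeline (parse, aggregate, baseline, score, prioritize, hand to an analyst) is the same.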
In his concluding remarks Mr. Shukla said that the UBA/UEBA approach is one of the best tools for computer threat mitigation available today, enhancing the capabilities of SIEM systems. It is based on predicting user behavior, and it detects and prevents the attacker from infiltrating the system. UBA/UEBA tools can mine, enrich, analyze and prioritize metadata and customer data into actionable intelligence. They are designed around signature-less detection techniques that track user, account, and system behavior, and these platforms are able to detect the most sophisticated cyber-attacks and insider threats.