Have you heard of user and entity behavior analytics (UEBA)? If not, it is time you got on board with it. In short, it is a technology that helps you identify attempted security breaches before they succeed. It does this by building a baseline of activity that it classes as “normal” and then flagging anything that deviates from that norm. It is used alongside other security technologies and works particularly well in organizations that produce and store large volumes of data.
Why Does UEBA Matter?
We live in a world where attackers have almost made a game of trying to break through various defenses. Web gateways, intrusion prevention systems, and firewalls are all important, but they simply aren’t enough anymore. Today, organizations, and particularly large ones, have such a vast, jagged, and porous IT perimeter that it has become almost unmanageable. Security experts, managers, and executives therefore have to look at the problem from a different perspective: they can no longer focus only on prevention; they must also focus on detection.
The tools and technology available today are important and powerful, generating logs and alerts, but they also fall significantly short. They rely on strict, simple correlation rules, which experienced attackers can evade, and they focus on real-time actions, when today’s attacks often take several months to complete. A good UEBA, by contrast, doesn’t rely on rules or signatures. Instead, it uses a variety of risk-scoring methodologies and algorithms to work out what is really happening.
Understanding the Behavior Graph
UEBA is a distinctive approach to security because it uses what is known as a “behavior graph”. This creates a visual picture that lets people track and detect threats. It ensures security analysts can always see their entire IT environment and what it should look like, so that they can easily spot anomalies. This makes it more accurate than any other solution has been able to achieve to date. Interestingly, UEBAs were originally developed to gain a better understanding of consumer behavior, not to provide a security feature.
One of the key things a UEBA does is generate risk scores for a range of different types of entities and communicate those findings to the relevant analyst immediately. It looks at individual entities, but also at collections of entities, and in doing so it can determine how big a risk actually is, so that a security expert isn’t contacted every time someone accidentally allows a pop-up on their computer, for instance. Instead, it highlights potential lateral movement, malicious beaconing, data exfiltration, and data staging. Those are key signals that something is actually going wrong and, by providing security experts with those signals as soon as they appear, there is a far greater chance of plugging a potential hole in the security before someone actually manages to get through.
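To make the two ideas above concrete (a per-user baseline of “normal”, and risk scores aggregated per entity so that a single minor deviation does not page anyone but an accumulating pattern does), here is a small added example. It is illustrative code written for this page, not a UEBA product's logic or the author's own; the user names, hosts, event fields, point weights and the threshold of 50 are all constructed assumptions.

```python
"""Toy UEBA-style baselining and entity risk scoring over constructed events."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    host: str       # workstation the user was active on
    hour: int       # hour of day, 0-23
    bytes_out: int  # bytes sent to an external destination


# Constructed sample telemetry (not real data): ten normal working-hours
# events each for two users, used to learn their baselines.
BASELINE_EVENTS = [
    Event("alice", "ws-01", h, b)
    for h, b in [(9, 1200), (10, 800), (11, 1500), (14, 900), (15, 1100),
                 (9, 1000), (10, 1300), (13, 700), (16, 1400), (15, 950)]
] + [
    Event("bob", "ws-02", h, b)
    for h, b in [(8, 500), (9, 600), (12, 550), (17, 400), (10, 650),
                 (9, 520), (11, 480), (13, 610), (14, 590), (16, 530)]
]

# Constructed "new" events to score: bob has one harmless off-hours login,
# alice appears on an unfamiliar host at night and pushes out a large volume.
NEW_EVENTS = [
    Event("alice", "ws-01", 10, 1300),    # ordinary activity
    Event("bob", "ws-02", 22, 500),       # single small deviation
    Event("alice", "ws-07", 3, 250000),   # new host + off-hours + huge transfer
    Event("alice", "ws-07", 4, 1000),     # continued activity on the new host
]


@dataclass
class Profile:
    hosts: set
    hours: set
    mean_bytes: float
    std_bytes: float


def build_baselines(events):
    """Per-user picture of 'normal': hosts used, active hours, transfer sizes."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    profiles = {}
    for user, evs in by_user.items():
        sizes = [e.bytes_out for e in evs]
        profiles[user] = Profile(
            hosts={e.host for e in evs},
            hours={e.hour for e in evs},
            mean_bytes=mean(sizes),
            std_bytes=pstdev(sizes) or 1.0,  # guard against a zero spread
        )
    return profiles


def score_event(event, profile):
    """Risk points for one event; each deviation from the baseline adds weight."""
    score, reasons = 0, []
    if event.host not in profile.hosts:
        score += 20
        reasons.append("new host")
    if event.hour not in profile.hours:
        score += 15
        reasons.append("off-hours")
    z = (event.bytes_out - profile.mean_bytes) / profile.std_bytes
    if z > 3:  # more than three standard deviations above the user's norm
        score += 40
        reasons.append(f"volume z={z:.1f}")
    return score, reasons


def score_entities(events, profiles, threshold=50):
    """Aggregate scores per user and per host; return the entities over threshold."""
    user_risk, host_risk, findings = defaultdict(int), defaultdict(int), []
    for e in events:
        profile = profiles.get(e.user)
        s, r = (30, ["unknown user"]) if profile is None else score_event(e, profile)
        user_risk[e.user] += s
        host_risk[e.host] += s
        if r:
            findings.append((e.user, e.host, s, r))
    alerts = {u: s for u, s in user_risk.items() if s >= threshold}
    alerts.update({f"host:{h}": s for h, s in host_risk.items() if s >= threshold})
    return alerts, findings


def run_demo():
    profiles = build_baselines(BASELINE_EVENTS)
    alerts, findings = score_entities(NEW_EVENTS, profiles)
    for user, host, s, reasons in findings:
        print(f"{user}@{host}: +{s} ({', '.join(reasons)})")
    print("entities over threshold:", alerts)
    return alerts


if __name__ == "__main__":
    run_demo()
```

Bob's lone off-hours login earns 15 points and stays below the threshold, so no analyst is bothered; Alice's combination of a new host, night-time activity and an outsized transfer accumulates to 110 points on both the user and the host entity, which is the kind of staging-and-exfiltration pattern the text says a UEBA should surface.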