User and Entity Behavior Analytics

What is UEBA?

User and Entity Behavior Analytics (UEBA) is defined as the use of advanced algorithms (powered by machine learning) to baseline the activity of entities (e.g., users, devices, servers, and applications) and calculate risk based on deviations from those baselines in order to identify security anomalies. These anomalies can be aligned to adversary behaviors such as lateral movement and malware command and control. UEBA is designed to complement rule- or signature-based approaches (such as SIEMs) and identify security anomalies that they miss. UEBA is most effective when it leverages Big Data storage and processing to bring together a wide variety of datasets and to look for anomalies across them and at their intersection.

Why is UEBA Important?

Today’s advanced attackers are able to bypass many traditional perimeter defenses, such as firewalls, intrusion prevention systems, and web gateways. The IT perimeter of large organizations is too porous and jagged to effectively protect against everything. The mindset of security executives and managers has appropriately shifted from focusing solely on preventative security measures to placing more emphasis on detection.

SIEMs are powerful detection tools that aggregate logs and alerts, but they typically rely on simple and strict correlation rules that can be evaded by advanced attackers. These correlation rules are meant to detect threats in real time, but advanced attacks can occur over months or even years. UEBA does not rely on signatures or rules and utilizes advanced algorithms and risk scoring methodologies to correlate such events over a much longer timeline. More and more organizations are now using UEBA techniques in combination with a SIEM to provide higher levels of security and improved detection of advanced threats.

 

What Differentiates Sqrrl’s UEBA: The Behavior Graph

Sqrrl’s approach to UEBA is unique because it leverages the Behavior Graph, a powerful and contextual visualization for detecting and tracking threats. The Behavior Graph streamlines the work of security analysts by laying out any network or IT environment in an intuitive linked data model. Sqrrl can fuse together petabytes of diverse datasets into these common models. The linked data model, laid out as a graph, allows Sqrrl to use proprietary graph algorithms to detect anomalies associated with specific Kill Chain behaviors. These graph algorithms provide Sqrrl with a greater level of accuracy in detection than other solutions.

In addition to graph algorithms, Sqrrl’s UEBA leverages:

  • Supervised and Unsupervised Machine Learning
  • Bayesian statistics
  • Peer group analysis
  • Behavioral Baselining
  • Signal Processing
  • Time Series Analysis

Generating risk scores for various entity types is a critical way in which Sqrrl communicates what it finds to an analyst. Sqrrl’s TTP detectors look across collections of entities and can aggregate and prioritize risk for both entities and suspected instances of TTPs. Analysts can use these risk scores as starting points for threat hunting investigations. The detectors focus on finding several kinds of TTPs, including:

  • Malicious Beaconing
  • Lateral Movement
  • Data Staging
  • Data Exfiltration

Tracking Your Prey: UEBA and Hunting

UEBA and Threat Hunting go hand in hand, but they are not one and the same. Threat hunting leverages UEBA techniques to detect potential anomalies associated with advanced attackers. However, a full Threat Hunting Platform (such as Sqrrl’s) goes beyond just UEBA to include:

  • Hypothesis development and characterization (e.g., via risk scoring mechanisms)
  • Deep investigation tools (e.g., linked data analysis)
  • TTP characterization
  • Collaboration tools with other hunters
