By understanding how users behave and tracking legitimate processes, organisations can enlist user and entity behaviour analytics (UEBA) to spot security breaches.

A remote machine took over an employee account at a large national grocery chain by circumventing the VPN two-factor authentication protocol.

A travel booking company was attacked when hackers entered through an affiliate network, which meant the company could not block the IP address.

An “enterprise user” accessing a cloud service was actually a malware process originating from an underground network.

In each of these cases, companies enlisted user and entity behaviour analytics (UEBA) to thwart theft and disruption.

“Most enterprise security is based on yesterday’s security concepts that use rules and signatures to prevent bad occurrences,” says Avivah Litan, vice-president and distinguished research analyst at Gartner. “What’s needed is rapid detection and response, enabled in part through behavioral analytics.”

Criminal hackers have devised many ways around traditional perimeter-focused security measures like device fingerprinting, “secure” VPNs and velocity checks. Where they once attacked a system head-on, they now stay under the radar of their victims with automated attacks that decentralise incursions across many IP addresses and accounts, and throttle down the speed of their attack to mimic normal transactions.

Hackers have also turned to creating and taking over user and consumer accounts to sneak into systems; to launching assaults from the cloud to elude detection; to going after soft targets like frequent-flyer miles and gift cards; and to matching IP addresses to a stolen credit card's billing address to mimic legitimate customers.

UEBA essentially maps how legitimate processes take place in an enterprise (the forest) and learns how to distinguish and stop illegal breaches (the trees). UEBA has three main components:

* Data Analytics: First, UEBA applications identify user and entity behaviors, and build peer groups and other profiles. By establishing baseline behaviours and patterns (often starting with historical data), anomalies can be detected by using statistical models and rules to compare incoming transactions with existing profiles.

* Data Integration: Flexible UEBA applications are able to integrate structured and non-structured information into an existing security monitoring system. The information base will include datasets like logs from security information and event management, network flow data and packet capture data.

* Data Presentation and Visualization: UEBA applications present analytic results quickly, in a manner that allows enterprise security and business teams to readily recognize patterns of unauthorized access and users, and act upon the infractions.
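
The baseline-and-compare step described under Data Analytics can be sketched as follows. This is an added example, not code from any UEBA product: the users, peer groups, upload volumes and the z-score threshold of 3 are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, stdev

# Constructed history: (user, peer_group, MB uploaded to cloud storage in a day)
HISTORY = [
    ("alice", "finance", 40), ("alice", "finance", 55),
    ("alice", "finance", 48), ("alice", "finance", 52),
    ("bob", "finance", 60), ("bob", "finance", 45),
    ("bob", "finance", 58), ("bob", "finance", 50),
    ("carol", "engineering", 900), ("carol", "engineering", 1100),
    ("carol", "engineering", 950), ("dave", "engineering", 1000),
    ("dave", "engineering", 1200), ("dave", "engineering", 1050),
]

def build_baselines(history):
    """Return ({user: (mean, stdev)}, {group: (mean, stdev)}) profiles."""
    per_user, per_group = defaultdict(list), defaultdict(list)
    for user, group, value in history:
        per_user[user].append(value)
        per_group[group].append(value)
    def profile(values):  # stdev needs two points; one point gives no spread
        return mean(values), (stdev(values) if len(values) > 1 else 0.0)
    return ({u: profile(v) for u, v in per_user.items()},
            {g: profile(v) for g, v in per_group.items()})

def zscore(value, baseline):
    mu, sigma = baseline
    return (value - mu) / sigma if sigma else 0.0  # no spread: no score

def score_event(event, users, groups, threshold=3.0):
    """Compare one incoming event with the user's profile and the peer group's."""
    user, group, value = event
    # A user with no history is judged against the peer group alone.
    self_z = zscore(value, users[user]) if user in users else None
    peer_z = zscore(value, groups[group])
    anomalous = peer_z > threshold and (self_z is None or self_z > threshold)
    return {"user": user, "self_z": self_z, "peer_z": peer_z,
            "anomalous": anomalous, "priority": max(peer_z, self_z or 0.0)}

def triage(events, history=HISTORY):
    """Return only the anomalous events, highest priority first."""
    users, groups = build_baselines(history)
    scored = [score_event(e, users, groups) for e in events]
    return sorted((s for s in scored if s["anomalous"]),
                  key=lambda s: -s["priority"])
```

With these profiles, a 1,000 MB upload is flagged for a finance user but passes unremarked for an engineering user, which is the distinction a fixed volume rule cannot make.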

There are many vendors for UEBA applications. They are differentiated by whether they are designed to monitor on-premises or cloud-based software as a service (SaaS) applications; the methods by which they obtain the source data; the type of analytics they use (i.e., packaged analytics, user-driven or vendor-written), and the service delivery method (i.e., on-premises or cloud-based).

Enterprise security teams are often inundated with alerts, in some cases millions a day. Even worse, they are not prioritized and the crucial breaches are buried with the rest of the alerts. Once a UEBA application is in place, and it has learned to recognize “normal” behaviours, it will:
* Find bad actors via rapid detection of attacks and other infractions without disrupting the business;
* Improve alert management by reducing the number of alerts and prioritizing the ones that remain; and
* Improve alert investigations by reducing the time and number of staff required to investigate those alerts (since the underlying data for the correlated alerts is typically readily available).

In one case study, a large national cable network provider was getting half a million alerts a day from its security systems, and they were not properly prioritized. Their vendor couldn’t consistently identify alerts that were high priority, which cost the security officers valuable time. The team began using UEBA software, which let them examine several siloed systems at once (such as DLP, Web proxy data and advanced threat protection) and correlate the thousands of daily alerts to flag those that were truly high priorities.

By refining their profiles and peer baselines – and thus their ability to identify anomalies – over a six-month period, the cable provider ended up with fewer than 800 alerts a day, of which the top five or ten were clearly marked and prioritised.

Replicating this type of success story is crucial as more enterprises turn to SaaS applications for office productivity, sales and marketing, and open their business to more points of attack. Enterprise and IT leadership should choose a UEBA vendor tailored to their operational systems, and harness the power of metadata, statistical analysis and visualization to defeat the efforts of criminal hackers.