Let’s begin by understanding the Advanced Persistent Threat (APT), which represents the most serious attack facing modern organizations. APTs are attacks in which motivated and knowledgeable attackers target an organization and spend a significant amount of time customizing the attack so that it succeeds. The goal of an APT is to steal information from an organization while remaining undetected, allowing continuous exfiltration of data over a long period of time. Attackers often bypass current intrusion detection systems (IDS) by performing surveillance and targeting users, rather than the systems the IDS focuses on protecting.
With the rise of APTs, today’s cyber security tools are fast becoming obsolete, and attackers can now bypass the security systems most companies rely on. Web gateways, firewalls, and intrusion prevention tools provided sufficient security in the past; this is no longer the case in today’s complex and interwoven threat landscape. It is especially true for giant corporations, whose IT perimeters have proven to be very permeable and difficult to monitor and oversee.
In UEBA, you do not track devices or security events in isolation; instead, you monitor all the users and entities in your system. As such, UEBA focuses on insider threats: devious employees, compromised users, and people who already have access to your system and then carry out targeted attacks and fraud attempts. It also tracks the servers, applications, and devices operating within your system.
The conclusion? Preventive measures are no longer enough. Firewalls will never be 100% foolproof; at some point hackers and attackers will breach the system. Detection then becomes equally essential: when attackers do get into a system, their presence has to be detected quickly to minimize the damage.
“The value of UEBA, then, is not that it prevents hackers or insiders from accessing critical systems. Instead, UEBA systems can quickly spot when this has happened and alert you to the risk.”- Varonis
Many use cases can benefit from UEBA; e-commerce, finance, and banking applications and services handling Personally Identifiable Information (PII) are good examples. As such, UEBA is a crucial component of IT security, allowing you to:
Identify insider access abuse or malicious insiders performing risky activities outside their normal behavior. It also helps detect lateral movement by adversaries who have obtained low-level employee credentials within the environment.
Detect threat activities across multiple domains, such as servers and network devices, not just user accounts.
Prioritize incidents by reducing false positives.
Be alerted when proprietary data is being moved within the environment or transferred out through Data Loss Prevention (DLP) and Data Exfiltration Detection.
Identify unusual usage via Executive Asset and IoT Entity Monitoring, which automatically sets up baseline behavior models for sensitive executive systems and an unlimited number of IoT devices.
Machine Learning and User Entity Behavior Analytics
UEBA relies on statistical modeling and machine learning (ML) techniques. These solutions can provide a great deal of support to cybersecurity and IT teams. While current machine learning needs to advance much further before it can be used for threat detection autonomously, without human intervention, there are many tasks it can already handle to strengthen security.
UEBA is focused on modeling behaviors to improve confidentiality, integrity, or availability within cybersecurity contexts. It is usually framed as a classification problem. In particular, it is tackled as an outlier detection problem (in ML terminology) or as an anomaly detection problem (in cybersecurity terminology).
History of Machine Learning research on UEBA
To date, the works can be categorized according to the analyzed subject: a user or an entity. The first group, proposing new ways of analyzing users’ behavior, can be further categorized by the device used, since devices are the most common means of obtaining up-to-date and accurate human behavior features. These devices are typically personal computers or smartphones, but any device from which behavioral metrics can be extracted (e.g., smartwatches or tablets) works. Keystroke or mouse dynamics are used to model the behavior of users on personal computers, while sensor data (e.g., gyroscope, accelerometer, and touchscreen) is selected when using portable devices.
Moreover, the devices considered are usually connected to a network. The characteristics of the sent or received packets, together with information about network protocols at different layers or their metadata, can help when modeling users’ behavior. This can be observed in works focused on identifying users while they surf the Internet, whose primary objectives are personalized advertising or security.
Works analyzing Users vs. Works analyzing Entities
This first group, analyzing users, relies on some kind of behavioral fingerprint: a detailed, nearly unique, difficult-to-fake identifier or marker that is durable over time. These fingerprints are typically used in research focused on intrusion detection or other application domains that require comparing users or distinguishing normal from abnormal behavior. On the other hand, other works focusing on authentication or continuous authentication do not need to build this identifier.
The second group analyzes the behavior of entities, and its popularity is growing due to the Internet of Things (IoT). Again, the subgroups in this category are distinguished by the device considered, in this case a sensor, an actuator, a hub, or a controller. Various behavior features can be analyzed, although here they always relate to network traffic, protocols, load, etc. Some works rely on a fingerprint characterizing each device’s behavior, while others do not need this kind of identifier.
A significant difference from the first group of works is the resource constraints of the devices. In many cases this prevents UEBA techniques from executing on the device itself, so processing and computation have to be offloaded to a full-resource external server (which is unusual in works focused on UEBA).
However, the two groups, those analyzing users and those studying entities, have several aspects in common. Firstly, the application domains already mentioned, such as identification, authentication, or intrusion detection. Secondly, the reviewed works are mostly built on specific technology stacks and large sets of assumptions. In other words, they are not very portable or reproducible in contexts different from those in which they were originally proposed.