User Behavior Analysis 101: What You Need to Know

Published March 21, 2017 by 6 min read

Words like “hacker” and “breach” strike terror into the hearts of employers, but with user behavior analytics (“UBA”), organizations can more easily track the types of activities that may indicate intrusions. Understanding behavior analytics requires understanding security analytics. More recently, UBA has also been called user and entity behavior analytics (“UEBA”) to better encompass how the algorithms work. The two terms are often used interchangeably. These kinds of programs analyze log and event data from applications, endpoint controls, and network defenses. With user behavior analytics, vendors can use big data techniques to determine employee patterns of behavior so that anomalies can be more easily detected. This can help locate or trace breaches.

Difference Between SIEM and UBA

Security identity event management (“SIEM”) monitors user and network activity to mitigate threats. SIEM programs have six main attributes. These attributes are retention, dashboard, correlation, alerting, data aggregations, and compliance. By sorting stored long term data into meaningful groupings, companies can find common activity traits so they can recognize those that fall outside normal patterns which leads to alerts. The data aggregation comes from servers, networks, databases, software, and email systems. All of this allows for compliance protocols to be established. SIEM aggregates across an entire organization’s systems.

UBA, however, is more focused on the individuals. It allows the organization to look at a wide variety of sources such as individual files and emails that are accessed and created daily. UBA software allows the aggregation of information so that anomalies among all the users in an organization can be analyzed in real time. The UBA engine creates a baseline of individual user’s normal activity in order to recognize differences in use.  These differences in use may be anything from many deleted files in a short time to unusual launching of rarely used apps.

Despite having different approaches, when working together, UBA can be piped into your SIEM where they can work in tandem for the best possible analysis.

Why Does User Behavior Analysis Help

Because SIEM and UBA approach security from different directions, they give different insight into an organization’s security environment. UBA is not a necessary tool; however, many professionals find that its added benefit allows for a full picture of the inner workings of the company’s IT security.

This distinction in the approaches is important. As Johna Till Johnson notes,

An event may be benign in one context and prove nefarious in another. For example, an accountant accessing a tax system at midnight on April 14 may be behaving in a perfectly reasonable manner but not when he accesses that system on, say, August 14.

SIEM notices that the behavior is out of context. UBA notices that the user is behaving out of context. This can signal one of two things, either the individual has a malicious intent or an unauthorized user accessed the individual’s credentials. This means that UBA creates a trail allowing the organization to determine the cause of the breach and limit the effect of the breach.

How to Research a UBA Software

As more organizations seek out UBA software, understanding how to evaluate those services becomes more important. According to Toby Bussa, Avivah Litan, and Tricia Phillips at Gartner, security and risk management leaders should focus their reviews in these five ways:

  • Choose UEBA vendors aligned to the threats you want to detect, such as malicious insiders and external hackers, and those with solutions that align with your use cases. Fill gaps in existing security tools (for example, security event monitoring).
  • Clearly define use cases and be prepared to confirm those use cases through extensive proofs of concept (POCs) before choosing a vendor.
  • Identify required data sources and know how that data can be provided to UEBA solutions, which is critical for successful implementation and use in production.
  • Favor UEBA vendors that profile multiple entities, including users and their peer groups and devices, and those who use machine learning to detect anomalies. These features enable more detection of malicious or abusive users who might otherwise go unnoticed.
  • Don’t expect UEBA to replace the need for people with domain and organizational knowledge. Resources are still required to configure and tune the UEBA tools, and to validate potential incidents detected by the tools.

Purchasing a product to be able to say that the company uses UBA does no good if the software purchased is the wrong one. Although that may seem obvious, the problem is that UBA software can be offered in two distinctly different ways.

The first way is as a standalone product. A standalone product focuses solely on UBA. It looks at the user’s data, hosting, app, and network behaviors. After setting its baseline, it continues to analyze, detect, prioritize, and respond to those behaviors that are outside of the norm. UBA as an added product feature to SIEM looks at security information and event management within the normal process of network traffic. It then analyzes employee behavior within the identity and access governance and privileged access management realm to detect and respond to anomalies. In other words, this is not true UBA but a functionality within another metric that has a UBA analysis capability.

Gartner theorizes that stand alone UBA firms will ultimately overtake those UBA softwares that incorporate UBA as a functionality. Because standalone UBA seeks to pinpoint threats and raise the signal-to-noise ratio across multiple monitoring systems, they will more likely be willing to advance the technology and algorithms that do this best.

How to Choose a System

With so many different UBA products on the market, deciding on one may be difficult. Besides looking at how the algorithms work, security professionals need to understand the way that the program will integrate with the other security systems in the IT infrastructure. Rapid7 offers a handy list with a series of questions to ask a UBA vendor prior to making a final decision. These questions can be categorized as those looking at data collection, incident detection, and investigation and prioritization. When it comes to the data collection, it’s important to consider whether the solution is standalone or needs another service to supplement, can detect cloud service attacks, includes an option to deploy endpoint agents, or needs additional hardware. When looking at the incident detection, understanding whether the analytics run in real-time or not; what statistical models for baselining and machine learning are used; how it detects attacker tools; and whether it’s possible to customizes the alerts matters. Finally, when reviewing how the UBA investigates and prioritizes information asking how additional context is presented; whether it is possible to build customized dashboards and analytics; how to search the data; and whether it allows integration with a Security Incident Response Platform can also help make the best decision for the organization.

What Are the Drawbacks

Unfortunately, machine learning has limitations when it comes to privileged users, developers, and knowledgeable insiders. This means that while statistical analyses can be useful for most employees, they may not be effective for some of the users whose access needs to be monitored most carefully. Privileged users represent a unique situation because their job functions often require irregular behaviors. This means it’s difficult for the algorithms to create a baseline. Another drawback might be that UBA can’t track the long term sophisticated “low and slow” attacks. Moreover, UBA brings with it all the same drawbacks that any machine learning brings. Users do not understand why the neural net determines a feature to be important. To the extent that there is a built in human bias or corrupted data, then the machine learning and profiles will reflect this. Finally, depending on the software purchased and the way it is used in a given environment, UBA may be more appropriate as a response to track a breach to its origin than as a prophylactic security measure.

The reality is that these drawbacks have no day to day impact and with machine learning constantly becoming more sophisticated, are likely to become non-existent. Matt Hathaway, who was instrumental in Rapid7’s UBA product InsightIDR, explains,

UBA is more mature than a lot of people probably think, because the core aspect of baselining behavior to understand normal and identify the anomalous takes a lot of learnings from fraud detection technology long-used by banks for stolen credit card and bank account detection.

The next steps are likely to be advancements in the depth of anomaly detection within specific use cases, such as looking at DNS traffic to identify when a user’s account is being used to hide exfiltration in domain name resolution requests, because a lot of UBA today looks too broadly with its detection. This is where the machine learning comes in, but as you indicated, it’s still in development. 

The primary purpose of UBA today is to detect anomalous behavior and determine what learnings or actions may be indicated by it. By definition, that makes UBA reactive – it is reacting to behavior. That does not mean that user behavior data cannot be analyzed to identify opportunities to proactively strengthen defenses. For example, UBA can be used to determine whether access and authentication policies are working or if they need to be updated. It can identify potential areas of risk around the emergence of shadow IT so the security/IT team can proactively take action. It can help make user awareness education more targeted and impactful.

Investing in UBA can help bolster an organization’s security environment.  However, with this new technology, finding a company might feel overwhelming. To help out, Predictive Analytics Today suggests the following 21 companies as the best in the business: Bay Dynamics, Bottomline Technologies, Cynet, Dtex Systems, E8 Security, Exabeam, Fortscale, Gurucul Risk Analytics, HPE Security ArcSight, INTERLOCK which is now part of CA Technologies, Interset, LightCyber, LM WISDOM, Microsoft Advanced Threat Analytics, Niara, ObserveIT, Preempt, Rapid7, Securonix, StealthDEFEND, and TRITON APX Suite.  As organizations look to remain on the cutting edge of information technology and security, the continued sophistication of machine learning can limit the losses from a breach and begin to help protect against one.

Learn how we can fit into your business.

Schedule a demo to learn how we can help guide your organization to confidence in infosec risk and compliance.

Help us get to know you.

Get a demo