Defining UEBA – and How You Can Overcome Its Limitations
Gartner defines User and Entity Behavior Analytics (UEBA) as solutions that “use analytics to build the standard profiles and behaviors of users and entities (hosts, applications, network traffic and data repositories) across time and peer group horizons.” UEBA solutions are considered important tools in any enterprise’s cybersecurity defenses.
But what do those standard profiles and behaviors do for you? It’s all about intent.
In criminal law, intent can mean the difference between serious jail time and a suspended sentence. In cybersecurity, it’s often the difference between investigating a successful insider attack and preventing one.
As any prosecutor will tell you, it can be hard to prove intent, because intent exists solely within the mind of the perpetrator. The challenge is to find compelling clues that add up to incontrovertible proof of intent. UEBA is intended to find those clues.
UEBA, UBA and the Cons of Indicators of Compromise
UEBA is actually an update of an earlier cybersecurity concept, User Behavior Analytics (UBA), which focused exclusively on user behavior to identify threats. By expanding the concept to include analysis of device behavior, UEBA works from a deeper pool of data to mine clues to combat insider threats.
Most User-Entity Behavioral Analysis (UEBA) solutions work by examining log files and applying models to find “Indicators of Compromise” – and then trigger alerts. For example, if an employee tries to copy a large amount of files to Dropbox, that could be an Indicator of Compromise.
That approach made sense in theory – but not so much in practice. Log files are not the most reliable data source for capturing user behavior, because most organizations allow for the use of network-attached devices and Bluetooth peripherals to which UEBA log files lack visibility.
As a result, UEBA can miss a lot while delivering far too many false positives, seeing intent where none existed. For security analysts, that also means a lot of wasted time doing forensic investigation.
The missing ingredient to traditional UEBA is the human element. What’s needed is not an Indicator of Compromise, which is derived by classifying every piece of data and role-based rules for legitimate use, but an “Indicator of Intent” derived from human behavioral data.
Beyond UEBA: Spotting Indicators of Intent
An Indicator of Intent is generated after collecting, enriching, and correlating hundreds of unique activities across thousands of users, and then applying statistical analysis and machine learning. Did the user zip and encrypt those files before attempting to save them to Dropbox? Did the user rename the files? Did the user later log on to a private Wi-Fi network? Those are Indicators of Intent to which traditional UEBA is blind.
When you can continuously monitor and analyze all user activities by all users – while protecting their privacy – you can quickly spot and alert on suspicious, anomalous and known-bad activities before data exfiltration is attempted. It’s the best way to counter insider threats – and ensure perpetrators get what’s coming to them.
DTEX Plugs the Gaps in UEBA With InTERCEPT
DTEX InTERCEPT can replace your legacy UEBA tool – or integrate seamlessly with UEBA products so that you can take advantage of all the benefits of user visibility within your existing UEBA install. InTERCEPT is the data source you need to fill the gaps in your security posture to catch malicious and negligent users, as well as credential thieves. Learn more here.