User and Entity Behavioral Analytics (UEBA) Overview

The human factor is one of the key issues of information security. On the one hand, humans are a common source of threats to information security; on the other hand, monitoring the behavior of legitimate users in the information system allows us to identify possible malicious activity. For example, a large change in a user's behavior may indicate that their credentials have been compromised and somebody else is using the network on their behalf. Sudden changes in behavior may also indicate violations arising from the deliberate actions of the employee.

This ability to profile and analyze the activity of users and IT infrastructure objects is what a relatively new segment of the IT security market implements: UEBA, User and Entity Behavioral Analytics.

A place for analytics

From an architectural point of view, UEBA systems resemble the solutions designed to monitor information security alerts and events (SIEM), and some vendors call them NGSIEM, Next Generation SIEM.

UEBA systems consist of:

  • Agents that collect information about users’ activities
  • Central storage where all information is collected from all sources
  • An analysis module that performs event analysis (often in real time) and responds to the most dangerous actions using predefined rules

Sometimes third-party systems such as DLP, IDM, or SIEM can act as the agents or as the repository of information about users' activities. Very often the analysis module uses the infrastructure of another application to receive data and returns signals about the suspicious activity it has identified.

The methods for detecting suspicious behavior are developing actively thanks to the emergence of accessible machine learning and artificial intelligence technologies. These methods can detect anomalous user behavior and drastic changes in a user's style of work without preliminary training.
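As an added illustration (not code from the original post or from any UEBA product), a toy version of the analysis module described above: it builds a per-user baseline from a window of login events and then applies predefined rules to a recent window, flagging new hosts, off-hours logins and a volume spike. The event format, the host names and the thresholds are assumptions, and the events are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample login events "timestamp,user,host" (not real data).
BASELINE = """2024-03-01T08:55,alice,ws-alice
2024-03-01T09:10,alice,ws-alice
2024-03-02T09:02,alice,ws-alice
2024-03-03T08:48,alice,ws-alice"""
RECENT = """2024-03-04T02:13,alice,fileserver-01
2024-03-04T02:20,alice,hr-db
2024-03-04T02:31,alice,ws-bob"""

def parse(text):
    """Parse 'timestamp,user,host' lines into (datetime, user, host) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host = line.split(",")
        events.append((datetime.fromisoformat(ts), user, host))
    return events

def build_profile(events):
    """Per-user baseline: login hours seen, hosts seen, logins per active day."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set(), "days": Counter()})
    for ts, user, host in events:
        profile[user]["hours"].add(ts.hour)
        profile[user]["hosts"].add(host)
        profile[user]["days"][ts.date()] += 1
    return profile

def score(profile, events):
    """Count rule deviations per user -> {user: (score, reasons)}; no baseline -> 3."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    out = {}
    for user, evs in by_user.items():
        p = profile.get(user)
        if p is None:
            out[user] = (3, ["no baseline for this user"])
            continue
        reasons = []
        new_hosts = sorted({h for _, _, h in evs if h not in p["hosts"]})
        if new_hosts:
            reasons.append(f"new hosts: {new_hosts}")
        if any(ts.hour not in p["hours"] for ts, _, _ in evs):
            reasons.append("login outside usual hours")
        mean = sum(p["days"].values()) / len(p["days"])
        if len(evs) > 2 * mean:  # assumed threshold: twice the baseline daily mean
            reasons.append(f"{len(evs)} logins vs baseline mean {mean:.1f}/day")
        out[user] = (len(reasons), reasons)
    return out
```

In a real deployment the baseline would be recomputed continuously from the central storage, and a score at or above a threshold would be what the analysis module forwards as an alert.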

Nevertheless, in some cases, the results of (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by David Balaban. Read the original post at: