To UEBA or not to UEBA? That is the question

GigaOm Security Analyst Chris Ray looks at how UEBA is more than a security monitoring tool

GigaOm Security Analyst Chris Ray looks at how UEBA is more than a security monitoring tool

Over recent years, user and entity behavior analysis (UEBA) has evolved as a new set of tools in the chief information security officer (CISO)’s armory. So, where has it come from and how can today’s solutions help? 

To answer this, we first need to consider the overall shape of the cybersecurity landscape. The core areas that we are looking to protect are the applications we develop, deploy and use; the infrastructure (on-premises or cloud) on which we run these applications; and the identity domain—users, services, and other entities that interact with both applications and infrastructure.

The first two areas have challenges of their own: security concerns today range from protecting against compromised servers, to the relatively new area of development security operations (DevSecOps) which is aimed at securing new code and infrastructure, both of which are deploying at rapid speeds.

However the third, identity domain has the most impact on security, because of its unpredictable nature. User behavior is dynamic by nature; internet of things (IoT) devices, service accounts, and other entities are perhaps less susceptible to change, but are complex and can interact in unplanned ways. 

A catalyst was undoubtedly the COVID-19 pandemic, which has driven a substantial shift in work environments and technology, and while this shift enabled effective remote work, it has created increased complexity which is ripe for exploitation. Given how bad actors are constantly looking for areas of weakness, it is unsurprising that this space has gained so much attention.

We have seen a two-pronged effect on attacker behaviors, illustrated in cybersecurity analysis such as the Verizon Data Breach Investigations Report and the 2022 CrowdStrike Overwatch Threat Hunting Report. First a reduction in attacks on endpoints, likely the result of more effective endpoint security solutions coming to bear on the landscape combined with the dispersion of endpoints increasing the perceived cost for an attacker to target them.

The second has been an intensified focus on identities as a means to execute attacks. Unlike endpoints, with robust and mature security measures that can be deployed quickly, identities across users, systems and other entities have been left relatively neglected—until recently, that is.

New battles in the cybersecurity war are now fought over the identities that belong to staff and technologies inside organizations. Attackers know that identities have trust built into them, and if they can compromise an identity, they will be able to abuse that trust to achieve their goals.

UEBA’s direct ancestor, user behavior analysis (UBA) was designed to analyze the actions of users in an organization and classify normal versus abnormal behaviors. From this analysis, UBA solutions look for deviations from baseline activity, and can detect malicious or risky behaviors. 

So far so good. But as the full scope of what’s connected to the network has expanded in both entity type and distribution, the need to analyze entities other than users has moved front and center. In response, security vendors have added entity analysis to UBA, creating UEBA. 

While the overall strategy and technique – hunting for abnormal behaviors – remains the same, the scope of analysis has expanded to include things like daemons, processes, infrastructure, and cloud roles. Combining the data and insights from multiple entity types provides a more comprehensive view of an environment, adds much-needed context to security events, and drives the incident response process.

A common use case is detecting a compromised administrator account attempting lateral movements. While security information and event management (SIEM) solutions and other security monitoring tools can detect this behavior with enough telemetry, UEBA solutions can detect it with far less data gathering and analytics. 

Whereas SIEM relies on a set of rules that can be matched to a specific behavior to identify malicious intent, UEBA actively looks for anomalies (essentially defining the rules in real time). This is important, because a single unusual event can be significant but very difficult to detect without the right tools – think of it like spotting the needle in the haystack. 

As such, UEBA offers far more than just monitoring users and other entities for malicious actions. Instead, it collects and processes data to highlight anomalous behavior through application of artificial intelligence (AI), statistical analysis, and other methods. While anomalous behavior isn’t by itself an indication of malicious intent, it can inform security staff to review the circumstances that led to the creation of the UEBA alert. 

Organizations today are investing more heavily in UEBA solutions. Every organization, regardless of size or industry vertical, has identities, which is why UEBA solutions have universal appeal. However, the nature of different solutions needs to be considered relative to both the scale of the problem being addressed (the identity threat surface, as it were) and the practices enacted by security teams. 

For example, while most solutions offer the ability to identify anomalous behavior, some are taking this a step further, to include automated investigation actions prior to the alert generation. These automated steps gather additional telemetry to enrich the primary events and provide critical context. We fully explain areas such as these in our Key Criteria report on the subject, available to subscribers.

As we have reviewed vendors delivering solutions in this area (for the accompanying Radar report), we have also seen how quickly the solutions market is evolving, much like other solutions in the security space. Vendors know that identity is the new battleground and have been building better ways to detect identity abuse and other anomalous behaviors. 

If there was a unified approach to solving this challenge, there would likely be only a few solutions in the marketplace. But there isn’t a single, best approach, and for that reason, several leading solutions may be applicable, depending on what you already have in place in your organization.

To identify which UEBA offerings are worth considering, a great starting point is for organizations to review their existing security solutions and determine whether they serve their purpose. If organizations determine a new SIEM solution is needed to achieve its security objectives, then the best approach may be to consider a consolidated SIEM-plus-UEBA platform. 

Several vendors offer UEBA solutions built on top of their SIEM solutions: once the SIEM solution is deployed and data is being ingested, UEBA becomes almost as straightforward as flicking a switch. However, if an existing SIEM is already operating effectively but doesn’t have an associated UEBA, strong consideration should be given to a subset of vendors which offer powerful analytics solutions that can be easily layered on top of existing security solutions.

Finally, surveying the technology infrastructure in its entirety can help to narrow down the scope of solution selection as well. Consideration of your incumbent security technologies should always occur when looking at additional capabilities, so you can take into account data integration capabilities, or the ability to manage multiple data feeds on the same dashboard. 

Overall, UEBA is rapidly becoming a key element of the cybersecurity environment. By adopting an integrated approach rather than seeing it as a stand-alone tool, you will be setting yourself up best for the future. 

Subscribers can get further information on UEBA and the vendor offerings in the market in our GigaOm Radar Report on UEBA.