5 Key Use Cases for User & Entity Behaviour Analytics

Last year, Gartner suggested the average time taken to detect a cyber attack was an astonishing 205 days. The potential damage that could be done in that time frame is alarming to say the least. This kind of research has drawn a great deal of attention to the need for enterprises to put in place more effective ways of detecting potential attacks. Specifically, there has been a huge rise in the level of interest around User & Entity Behaviour Analytics (UEBA) tools. Detecting threats is incredibly important for two main reasons: 1 – how can you respond to something you don’t know exists? 2 – the longer a threat persists, the more damage will be done. Let’s compare this to physical security for a moment. On a house you could put the most secure windows, doors and locks, significantly reducing the chance of being burgled. However, does this completely eliminate the chance? Absolutely not! So, in addition, you install an intruder alarm. That way, if anybody does try to break in, you are notified immediately, allowing you to respond accordingly and stop them causing any damage. It’s exactly the same in data security: despite everything you can and should do to protect your data and infrastructure, there is always a residual risk of attack, so you need to be able to detect it. This post will highlight the five key use cases for UEBA tools.

1. Compromised Account Detection

This has been at the core of several of the more high-profile breaches over the last few years. I don’t like naming and shaming in these kinds of forums, but think of some of the more well-known breaches and you can be pretty sure that stolen user credentials were involved. Studying account authentication and usage information is the ‘bread and butter’ use case for this kind of tool. Using logic-based algorithms, the tools learn a baseline of each user’s normal behaviour (where, when and from which machines they authenticate, and what they access). When activity outside that norm starts to happen, the tool raises the risk profile of that user, which enables the security team to investigate fully.

2. Compromised System/Machine Detection

Similar to the use case above, sometimes during an attack it’s actually a particular system that is under malicious control rather than a user account. UEBA tools can detect lateral movement and network anomalies to identify potential threats in systems as well as in individual users. With the incoming GDPR, there is a very clear focus on organisations being prepared for attacks by identifying them sooner and in more detail, as well as having the appropriate process in place to remediate the threat. It’s pretty clear that this kind of information will significantly enhance an organisation’s ability to adhere to both of these points.

3. Insider Threat

Although it has always been a problem, the threat posed by internal users has been spotlighted recently. That’s not necessarily to say they are malicious; wherever there is a human element, mistakes are inevitable. We must also consider the disgruntled user, the opportunistic user looking to make a financial gain, and the user who has left the company but still has access. This use case therefore involves detecting risky behaviour by trusted insiders. Typically, this will involve user profiling, outlier detection and identifying the misuse of privileged access.
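As an added illustration of the baselining and outlier scoring described under use cases 1 and 3 (this is example code, not from the original post or any UEBA product): a small Python sketch that learns a per-user profile from a constructed set of authentication events and then scores later events by how far they deviate from it. All event data, risk weights and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed events (user, ISO timestamp, country, host, outcome): a learning window, then activity to score.
BASELINE_EVENTS = [
    ("alice", "2017-03-01T09:05:00", "GB", "ws-alice", "success"),
    ("alice", "2017-03-02T08:57:00", "GB", "ws-alice", "success"),
    ("bob",   "2017-03-01T10:00:00", "GB", "ws-bob", "success"),
    ("bob",   "2017-03-02T22:30:00", "GB", "ws-bob", "success"),
    ("bob",   "2017-03-03T10:15:00", "GB", "fileserver", "success"),
]
NEW_EVENTS = [
    ("alice", "2017-03-10T03:14:00", "RU", "ws-alice", "failure"),
    ("alice", "2017-03-10T03:15:00", "RU", "ws-alice", "failure"),
    ("alice", "2017-03-10T03:16:00", "RU", "fileserver", "success"),
    ("bob",   "2017-03-10T10:02:00", "GB", "ws-bob", "success"),
]

def build_baselines(events):
    """Per user: the countries, hosts and login hours seen in successful logins."""
    base = defaultdict(lambda: {"countries": set(), "hosts": set(), "hours": set()})
    for user, ts, country, host, outcome in events:
        if outcome == "success":  # failed attempts must not shape the 'normal' profile
            base[user]["countries"].add(country)
            base[user]["hosts"].add(host)
            base[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(base)

def score_event(baseline, event):
    """Additive risk score: each deviation from the learned profile adds a weight."""
    user, ts, country, host, outcome = event
    profile = baseline.get(user)
    if profile is None:
        return 50  # account with no history at all (e.g. dormant or newly created)
    score = 0
    if country not in profile["countries"]:
        score += 30  # first login from this country
    if host not in profile["hosts"]:
        score += 20  # first access to this host
    hour = datetime.fromisoformat(ts).hour
    if all(abs(hour - h) > 2 for h in profile["hours"]):
        score += 15  # outside the user's usual hours (no midnight wrap, kept simple)
    if outcome == "failure":
        score += 10
    return score

def user_risk(baseline, events):
    """Accumulate event scores per user: the 'risk profile' an analyst would review."""
    risk = defaultdict(int)
    for ev in events:
        risk[ev[0]] += score_event(baseline, ev)
    return dict(risk)
```

With the constructed data, alice’s night-time logins from a new country followed by first-time access to the file server accumulate a high score while bob’s routine login scores zero; a real tool would replace the fixed weights with statistical or peer-group models.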

4. Detect Data Theft

Historically, companies have used several forms of DLP to deal with the risk of data exfiltration. However, it’s pretty well recognised and understood that DLP tools have far from ‘solved’ this problem. Beyond detecting compromised credentials and machines, this use case is particularly important because it concerns the theft of potentially sensitive data. UEBA tools can also consume and enhance the information from DLP tools to identify when and how data is being stolen, whether by trusted insiders or by outsiders.

5. Environmental Awareness

This is the most generic of the use cases, but it is nonetheless being used strategically to the advantage of a number of enterprise organisations. UEBA tools can be used here to gain better situational awareness; think of it almost as the ‘next-generation SIEM’. This can allow organisations to improve alert prioritisation, reduce false positives and far better support the investigation and remediation of suspicious activity.