The “E” in UEBA stands for “Entity” – User and Entity Behavior Analytics. What do we mean by Entity? Traditional device entities in a typical enterprise include servers, desktops, laptops, tablets, printers, routers and mobile phones. Devices like these have IP addresses and machine IDs. However, with the onslaught of Internet of Things (IoT) devices, there are a whole lot of new entities to be monitored with UEBA. What do we mean by Entity Behavior Analytics? Read on…
It is well known that one of the widely used tactics to execute cyberattacks is to compromise trusted hosts connected to an organization’s network infrastructure. In addition to monitoring anomalous user behavior with UEBA, it is critical for organizations to closely monitor all the endpoints (devices and hosts) connected to the network.
UEBA builds an anomaly timeline for an entity based on the high-risk anomalous events and activities performed from the respective devices and hosts. UEBA correlates a wide range of parameters associated with an entity including: endpoint security alerts, vulnerability scan results, risk levels of users and accounts used, targets accessed, packet level inspection of the requested payloads, and more. This correlation facilitates detection of any anomalous activities and events to determine predictive risk scores.
Developers tend to download open source files, free scripts and utilities. You now have privileged users installing programs with virtually no oversight. You don’t want to restrict developers from being productive, but you need to ensure they do not inadvertently install malware or unauthorized software. Gurucul UEBA will detect advanced persistent threat (APT) attacks and attack vectors and predict data exfiltration by performing entity-centric anomaly detection. We provide a risk-based dashboard for closely monitoring high-risk entities and for investigation using a detailed anomaly timeline based on the users, accounts, alerts and activities associated with the entity.
What is the deal with IoT entities? They are everywhere, and in some cases not even on the threat radar. The truth is, if you can connect to an IoT entity, then it can be hacked just like a traditional device. Consider the list of IoT devices below. These would seem to be unlikely threat targets:
Let’s just look at a vending machine. You know what it’s like. At about 4pm you get a hankering for something sweet or savory. You head on over to the vending machine. As usual, you’re either out of cash or the machine won’t accept your cash no matter how many times you try. So, you whip out your credit card and purchase Cheetos for $1.00. Your credit card number is now compromised because the vending machine has malware on it.
How would UEBA have been able to catch the compromise? UEBA would baseline the behavior of the vending machine to understand its normal behavior. When anything changes – like the volume of transactions, the destination of network packets or the transaction amounts – UEBA is going to risk score these anomalies so you can be alerted when something is not right. Because most IoT devices are not able to run agents or locally-installed security tools, behavior monitoring is the only way to detect security incidents on them.
Healthcare companies are utilizing UEBA technology as a form of early warning system to provide important indicators that a medical device is not behaving normally. Medical device manufacturers are building cheaper and more scalable medical devices, with more systems running Windows as their operating system. While there are clear benefits to using common OSs for medical devices, there are drawbacks as well. With the proliferation of standard OSs, the healthcare industry has begun to observe well-known types of ransomware/malware incidents in their environments that were originally only seen on servers and desktops. These attacks now penetrate the medical device space as well. In 2017, one of the first cases of ransomware on medical devices was reported. The WannaCry ransomware screen popped up on the device’s LCD readout, demanding a ransom to unlock the apparatus.
This intrusion trend into the medical device space exacerbates the issue of managing and patching medical devices. It underscores a serious problem with ensuring the integrity and reliability of medical devices that are connected to patients, as human lives may be at stake.
From a behavior analytics perspective, the benefits come from applying UEBA’s capability to profile the behavior of medical devices and to understand their standard behavior patterns. Through UEBA-specific use cases, healthcare companies can leverage the technology to establish and understand the standard behavior profiles of a device. Their use patterns are fairly linear and don’t change a great deal. Many are set up in one room and service a number of patients per day and may be out of service for a period of time, or they may not be used in the evening.
When the device starts to act irregularly, there are basically only two causes. Either it’s malfunctioning and needs to go in for service, or it has been compromised in some way. From a threat perspective, this anomalous behavior triggers UEBA’s risk-based alerts, which could mean, for example, that someone has accessed the device and changed its configuration. It’s been hacked. Identifying malfunctioning devices and detecting threats (or subsets of these two fundamental cause scenarios) are critical, and security teams see this as one of UEBA’s benefits in healthcare. A compromised device might in turn represent a risk to a patient. Clearly, if a device is malfunctioning, it cannot be allowed to be connected to a patient. Being aware of this critical issue and being able to take action in as near to real time as possible is essential.
In addition, it is beneficial to understand when a device might be out of rotation. One of the major issues in this space is determining when healthcare companies can safely patch medical devices. There’s always a small risk that the patching process might take the device down, or might even disable it. It might also cause some form of operational or functional issue for the device. There is a need to be extremely careful with medical device patching procedures in healthcare. UEBA technology helps organizations understand when a device is out of rotation, and therefore when it is safe to perform maintenance.
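As an added illustration of the baselining described for the vending machine and for medical devices above (example code, not Gurucul’s product or any real telemetry; the host names, the 198.51.100.7 address and the z-score threshold of 3 are constructed assumptions), the Python below profiles one entity’s hourly volume, payment destinations and amounts over a week, scores a new day into an anomaly timeline, and reports the hours in which the device is normally idle as candidate maintenance windows:

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: seven days of card sales from one vending machine, as
# (day, hour, destination, amount). Normal: 1-3 sales per hour from 07:00 to
# 21:00, every payment posted to the gateway, nothing overnight.
BASELINE = [(d, h, "pay.gw.example", 1.0 + (h % 3) * 0.5)
            for d in range(7) for h in range(7, 22) for _ in range(1 + (h + d) % 3)]
# Constructed test days, as (hour, destination, amount).
NORMAL_DAY = [(h, "pay.gw.example", 1.5) for h in range(7, 22) for _ in range(2)]
COMPROMISED_DAY = NORMAL_DAY + [
    (2, "pay.gw.example", 1.0),            # traffic while the machine is normally idle
    *[(14, "pay.gw.example", 1.0)] * 40,   # transaction volume spike
    (15, "198.51.100.7", 1.0),             # payment data sent to an unknown host
    (16, "pay.gw.example", 45.0),          # implausible sale amount
]

def build_profile(events, days):
    """Learn the entity's normal behaviour: hourly volume, destinations, amounts."""
    counts = Counter((d, h) for d, h, _, _ in events)
    hourly = {h: [counts[(d, h)] for d in range(days)] for h in range(24)}
    amounts = [a for *_, a in events]
    return {"hour_mean": {h: mean(v) for h, v in hourly.items()},
            "hour_std": {h: pstdev(v) for h, v in hourly.items()},
            "dests": {dst for _, _, dst, _ in events},
            "amt_mean": mean(amounts), "amt_std": pstdev(amounts) or 1.0}

def score_day(profile, events, z_limit=3.0):
    """Score one day against the profile; returns an anomaly timeline of
    (hour, reason, risk). Std is floored at 1 so a quiet hour is not over-alerted."""
    timeline = []
    for h, n in Counter(h for h, _, _ in events).items():
        z = (n - profile["hour_mean"][h]) / max(profile["hour_std"][h], 1.0)
        if profile["hour_mean"][h] == 0:
            timeline.append((h, "off_hours_activity", float(n)))
        elif z > z_limit:
            timeline.append((h, "volume", round(z, 1)))
    for h, dst, amt in events:
        if dst not in profile["dests"]:
            timeline.append((h, "new_destination:" + dst, 10.0))
        za = abs(amt - profile["amt_mean"]) / profile["amt_std"]
        if za > z_limit:
            timeline.append((h, "amount", round(za, 1)))
    return sorted(timeline)

def maintenance_window(profile):
    """Hours in which the entity has never been active: candidates for safe patching."""
    return [h for h in range(24) if profile["hour_mean"][h] == 0]
```

Running `score_day(build_profile(BASELINE, 7), COMPROMISED_DAY)` yields four timeline entries (off-hours activity at 02:00, a volume spike at 14:00, a new destination at 15:00 and an implausible amount at 16:00), while the normal day scores clean.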
Gurucul offers a unique value proposition with something we call our “Flexible Entity Model”. This capability enables you to take any attribute in your data feed and create that attribute as an entity to be monitored by our UEBA platform. Examples of attributes modeled by our clients include file shares, folders, and documents.
Let’s say you have a sensitive document containing classified Intellectual Property or financial data. You absolutely need to protect this particular document from getting into the wrong hands. You can take the document name and create it as an entity in Gurucul UEBA. Then, you can create behavior models for this entity to do anomaly detection on the document. With this capability, you can quickly detect when unauthorized users are trying to access the document. You can also provide an audit trail of exactly who accessed the document, when, and from what device. Why would an admin be accessing this document from home? This is a very rich and flexible model that offers virtually endless possibilities to predict and stop entity-centric malicious behaviors.
The true benefit of UEBA is its use over time. With analytics driven by mature machine learning, you can analyze normalized data compiled from big data over longer time periods. This enables you to more accurately identify what type of anomalous behavior is consistent with a certain type of malicious entity activity. Then you have options. You can define what is erroneous as a behavior pattern. When you see a particular behavior pattern, then you can define what type of action should take place. It’s all about consuming rich context so you can quickly and accurately spot the bad entities.