ABCs of UEBA: R is for Risk

Risk identification and prioritization is at the heart of an advanced User and Entity Behavior Analytics (UEBA) product. It’s not enough to monitor users and entities and simply raise an alert when something anomalous happens. All anomalies are not created equal. The biggest challenge that enterprises are facing today is that analysts get too many alerts, with very little context which results in no actionable intelligence. Many security teams do random sampling of alerts. However, there is a risk of missing out on significant threats that require immediate attention. This is where unified risk scores make all the difference.

A proven and successful UEBA product must be able to continuously risk rank users and entities in real-time based on their behaviors. The objective is to identify users and entities who pose the greatest and most imminent risks to the organization. These are the highest priority users and entities for immediate investigation, triage, and remediation. So how does it work?

Get All Your Data in One Risk Score

Gurucul UEBA takes unlimited data feeds from structured and unstructured security sources – SIEMs, firewalls, Identity and access management systems, NetFlow and more. The product also gathers context from your business applications – SAP, EPIC, Salesforce or even your proprietary applications on virtually any platform. All Gurucul needs are transaction logs.

Gurucul UEBA aggregates, correlates, and links that data to provide a 360 degree view of users and entities. Who or what is on the network, what they are doing, what they have access to and what they are doing with that access. Gurucul compares that information with baselined behavior patterns, as well as peer group behavior, and look for oddities.

Gurucul generates a single unified risk score for every user and entity in your organization using behavior analytics. Do not discount the value of that unified risk score. Your disparate applications may perform analytics on their siloed data, but all that gives you is a distorted and incomplete view of risk. Gurucul aggregates all those disparate data feeds to give you a holistic view of that user (or entity) across all your applications and systems.

The actionable intelligence of a unified risk score cannot be understated. Unified risk scores shine a massive light on the highest risk areas in your organization.

Identify Risky Behaviors with Machine Learning

Gurucul UEBA uses machine learning based behavior models to identify and quantify risky behavior. Data science is superior to rules. Rules and queries cannot handle the data, volume velocity and complexities that are needed to combat today’s cyber threats. Gurucul combines user context with access, activity, traditional security defense in depth risk and threat information, and third-party threat intelligence to create identity centric risk intelligence. This intelligence provides organizations with a true 360-degree view that risk ranks all users and entities to deliver a single unified prioritized quantitative risk score per user or entity. This risk score enables organizations to detect threats quickly with no manual threat hunting or use of rules or pattern matching.

At the core, Gurucul UEBA uses self-learning, self-training, contextually aware algorithms which score every transaction as they are evaluated near real-time.  Using machine learning techniques, Gurucul profiles past and current behavior by evaluating all user and entity activity against a normal baseline. Using outlier analysis, the behavior is further evaluated against dynamically defined peer groups with the goal to provide additional contextual intelligence. These techniques assist in detecting and eliminating false positives.

Gurucul leverages a comprehensive risk engine which performs continuous risk scoring providing real-time risk prioritized alerts for incident analysis. Operational changes (title, departments, job codes, location) and information classifications are automatically incorporated into the new baselines to further influence risk scoring.

Workflow actions such as risk accepted and case closure from the end users are part of the machine learning engine feedback loop which enables supervised learning behavior. This closed loop system ensures continuous improvement, highest scoring classifiers and optimizes the efficiency of its learning algorithms. Additionally, the machine learning algorithms continue to self-learn. For example, when a user’s behavior changes to a consistent new behavior, over a period of time the algorithms will learn the new behavior as the new baseline.

Leverage the Gurucul Risk Scoring Framework

The Gurucul Risk Scoring model takes a holistic approach for computing risk. It uses a robust and flexible risk scoring framework which rolls up risk scores from multiple contributing elements and derives a normalized user and entity risk score. Contributors or factors considered include user/entity risk profile, access profile, behavior models, resource profile, and threat intelligence feeds.

The numerical risk scores depict the relative risk of a user and entity and associated activity. Normalized scores (i.e., between 1 and 100) make it easier to rank or prioritize and to develop matrices to facilitate management of user access and activities. Risk scores are rolled-up from multiple levels and normalized to a single unified risk score for every user and entity. Normalization techniques such as “weighted average” and “max value” are applied. Gurucul also supports transaction count-based normalization which results in a variable risk score for two users with the same anomaly, based on frequency and volume analysis. Cases are automatically created for highest risk users / entities enabling organizations to receive risk prioritized alerts.

Enable Risk-Based Controls

Risk scores enable organizations to automatically orchestrate downstream actions and apply automated risk based controls, thereby minimizing human approval cycles and accelerating response. For example, you can use risk scores to implement risk-based authentication. The continuous monitoring of user behavior during a session means you can dynamically assess and adapt risk scores to enable real-time responses to anomalies.

If a user with a low-risk reputation initiates an application session from a recognized location with a known device, the run-time risk score would fall into a green/safe zone. As a trusted user, pass-through access would be granted without the need for any authentication.

If the same user then begins exhibiting abnormal behaviors such as accessing unusual information, conducting anomalous transactions, etc., their real-time risk score would increase. Once a user exceeds pre-set thresholds and reaches the red/high-risk zone, automatic access responses are initiated. This could include enforcing MFA, management approval workflow, locking the account, etc.

Identify Departing Employees Before Data Exfiltration

Gurucul UEBA can identify departing employees before they leave with sensitive corporate information. Gurucul pulls in HR attributes like performance review scores and the time it takes to travel to work. You had a bad performance review? Your risk score goes up. Gurucul analyzes emails. Are you sending emails with subject lines like “I’m so frustrated” or “I hate my job.” Your risk score goes up. Gurucul looks at what you are doing. Are you working on documents named “resume” or visiting job websites like Indeed more frequently than normal? Your risk score goes up.

Now your risk score is at an all-time high. Keep in mind this is happening in real-time at machine speed across hundreds of thousands of users. With unified risk scores, Gurucul enables organizations to act before they lose data or Intellectual Property to departing users.

Put high risk users on watchlists and monitor their behavior in real-time. Apply security controls based on risk score. For example, enforce strict DLP policies for users with high risk scores so they cannot send email attachments. Disable their accounts. Gurucul provides customizable playbooks for automated remediation actions based on behavior models triggered and risk scores. This is the value of having all your data in one risk score.

Answer the Question: How Risky Are Your Users and Entities?

If you can’t risk rank your users and entities, how do you know how risky they are? You could be sitting on a minefield of risk with no idea where to begin to look for insider threats or compromised accounts/hosts. Get clarity and visibility with Gurucul UEBA. Get a full accounting of risk in real-time, continuously. That’s the only way you’re going to stay ahead of cyber threats in this day and age. Contact us for a demo today!

Prev: ABCs of UEBA: Q is for Qualitative Analysis Next: ABCs of UEBA: S is for Sabotage