ABCs of UEBA: Y is for Yield

What can you expect to get from deploying a User and Entity Behavior Analytics (UEBA) product?  Let’s talk about the results.  Let’s focus on the Yield.  Y is for Yield because Yield is an important part of just about any business conversation today, on just about any topic.  We can discuss yield in terms of return on investment (ROI), whether it be in money, time, or effort.  Individuals and organizations are constantly looking for the best possible yield for a given investment.

Yield also has significance in enterprise security systems.  Enterprises invest all three (money, time, and effort) in attempting to identify and mitigate attacks on their networks and systems.  Here are some methods often used to optimize threat detection and response.

First, There Are Firewalls

Enterprises try hard to protect their networks against random attacks from the outside.  Firewalls examine incoming traffic to block obvious attempts at penetration by attackers.  They typically flag connection attempts from unknown sources that try to gain access to data or systems, and record the type of external traffic and – if possible – its source.

Then There Is Anti-Malware Software

Enterprises also use anti-malware software, especially for incoming email to individuals.  Anti-malware software searches incoming emails and attached files for executable content that can gain control of an individual computer or an entire network.  There are several possible ways for such code to do this, including adopting the user's identity and using those privileges to gain further control, or taking over the system so that it becomes a trusted member of the network.  In either case, if the malware isn't caught and the user opens the file, it is possible for an attacker to gain control of both the system and the larger network.

Anti-malware also typically hooks into web browsers to ensure that users don't visit sites that automatically download malware when one or more specific pages are visited.  This type of malware can be executed by the page itself on a simple visit, with no further action by the user.

But Firewalls and Anti-Malware Software Have Limitations

The problem with anti-malware software, and with most security software in general, is that it searches downloads for specific signatures of known attacks.  That is, it looks inside any executable content (including Excel and Word macros) to match the code against patterns that are already known to be associated with attacks.

Of course, if an attack algorithm is not yet known, or has been changed in some manner, the anti-malware software is unlikely to recognize it.  Anti-malware software vendors periodically update their malware signatures, but it may take days or even weeks before a signature for newly discovered malware makes it onto enterprise computer systems.  That gives attackers plenty of time to steal company IP and data using these undetected algorithms.

There are still more limitations to both of these preventative approaches to security.  Being able to recognize the malware algorithms at all is an important one: the malware has to be one that the anti-malware software vendor deems important enough to expend the resources to develop a signature for.  Firewalls, on the other hand, are fairly effective against direct attacks, but don't protect against attacks on individual systems or users.  Overall, enterprises need more than these traditional security approaches.  The yield from both approaches, even together, is simply not enough.

Monitoring Supplements Traditional Techniques

Enterprises need an early warning system that enables them to identify attack attempts in real time, or as close to real time as possible, so that they can be investigated.  The tool for doing this is User and Entity Behavior Analytics (UEBA), which captures interactions across the network.  The interactions might be between users and servers, between two or more systems, or between applications, among others.  UEBA analyzes the traffic and makes a determination about each individual transaction.

UEBA seeks to identify traffic or transactions that are out of the ordinary.  While that concept seems simple enough, identifying those anomalous transactions is the tricky part.  "Out of the ordinary" can mean many different things within the context of normal traffic.  This can result in many transactions being flagged for further review.

In the case of many UEBA tools, you may still have too many false positive transactions to investigate in order to ensure that you aren't being attacked.  Your yield on your investment of money and effort isn't nearly as high as you would like it to be.

Increase Yield With Machine Learning

Fortunately, you can increase your yield by using a UEBA solution that incorporates machine learning (ML) to model normal behaviors.  Once we have a good ML predictor of what is normal for all aspects of network transactions, it becomes easier and more accurate to identify out-of-the-ordinary behaviors.  Your yield goes up, because your false positives go down, saving you time and effort in hunting down real attacks.

UEBA with ML is all about increasing your efficiency in identifying attacks.  The ML models enable you to analyze the data with intelligent approaches that give you a better fit, making it possible to limit false positives to a manageable level.  The ML models enable a UEBA tool to focus on actual attack attempts rather than waste time with anything that doesn’t reflect a potential real world problem.
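To make the "model what is normal, then flag deviations" idea concrete, here is an added example (not Gurucul's code or product logic) that contrasts a single static threshold with a per-user behavioral baseline. The log lines, the daily "bytes out" metric, and the user names are constructed for illustration; the per-user mean and standard deviation stand in for the richer ML models a real UEBA product would use. The point it shows is the one in the text: a fixed rule alerts on a user whose high volume is normal for them (a false positive) and misses a user whose modest volume is wildly abnormal for them (a false negative), while the baseline gets both right.

```python
"""Per-entity behavioral baseline vs. a single static threshold.

Added example, not Gurucul's code. All log data below is constructed.
"""
import math
from collections import defaultdict

# Constructed sample: daily outbound bytes per user over a baseline period.
# Line format: "<date>,<user>,<bytes_out>"
SAMPLE_LOG = """\
2024-03-01,alice,120000
2024-03-02,alice,135000
2024-03-03,alice,110000
2024-03-04,alice,128000
2024-03-05,alice,131000
2024-03-01,bob,9000000
2024-03-02,bob,9500000
2024-03-03,bob,8800000
2024-03-04,bob,9200000
2024-03-05,bob,9100000
"""


def parse_log(text):
    """Parse CSV-style lines into (user, bytes_out) pairs, skipping bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        _date, user, raw = parts
        try:
            events.append((user, int(raw)))
        except ValueError:
            continue
    return events


def build_baselines(events):
    """Per-user model of 'normal': (mean, std, sample_count) of bytes_out."""
    per_user = defaultdict(list)
    for user, value in events:
        per_user[user].append(value)
    baselines = {}
    for user, values in per_user.items():
        n = len(values)
        mean = sum(values) / n
        variance = sum((v - mean) ** 2 for v in values) / n
        baselines[user] = (mean, math.sqrt(variance), n)
    return baselines


def static_threshold_alert(value, limit=1_000_000):
    """Naive rule: alert whenever a day's outbound bytes exceed a fixed limit."""
    return value > limit


def behavioral_alert(user, value, baselines, z_limit=3.0, min_samples=5):
    """Alert only when the value is far from *this user's* own baseline.

    Returns (is_anomalous, z_score). A user with no baseline, or too few
    samples to trust one, gets no score rather than a guessed verdict.
    """
    if user not in baselines:
        return False, None
    mean, std, n = baselines[user]
    if n < min_samples:
        return False, None
    # Floor the spread so a near-constant history cannot make every
    # small fluctuation look extreme (or divide by zero).
    std = max(std, 0.05 * mean, 1.0)
    z = (value - mean) / std
    return z > z_limit, z


def compare_rules(new_events, baselines):
    """Score a batch of new (user, bytes_out) events under both rules."""
    rows = []
    for user, value in new_events:
        flagged, z = behavioral_alert(user, value, baselines)
        rows.append({
            "user": user,
            "bytes_out": value,
            "static_alert": static_threshold_alert(value),
            "behavioral_alert": flagged,
            "z_score": None if z is None else round(z, 2),
        })
    return rows


if __name__ == "__main__":
    baselines = build_baselines(parse_log(SAMPLE_LOG))
    # Constructed "today" observations: bob is busy as usual, alice is not.
    for row in compare_rules([("bob", 9_600_000), ("alice", 600_000)], baselines):
        print(row)
```

Run as a script, bob's 9.6 MB day trips the static rule but scores only about one standard deviation above his own mean, while alice's 600 KB day stays under the static limit yet sits dozens of standard deviations above hers. Only the second row deserves an analyst's time, which is exactly the saving in effort the text is describing.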

In short, UEBA using ML models yields high quality results.  It significantly reduces false positive alerts.  By focusing on true positive behavior-based threats, ML model-based UEBA provides the best yield of effort to result.  This is why we say Y is for Yield!

Try Gurucul’s UEBA

Don’t believe what we say, believe what you experience. Try Gurucul’s UEBA in your environment on your data to see why Y is for Yield. In 5 days we will show you just how much yield you can get with our 2000+ machine learning models. Contact Us today to get started!
