User and Entity Behavior Analytics Use Cases

As cyberattacks continue to grow in both number and sophistication, and the stakes grow higher as threat surfaces expand, organizations are under intense pressure to protect themselves from compromise. Security leaders face a perpetual challenge to keep up with ever-evolving hacker tactics that easily elude signatures, rules, and patterns in traditional cyber defense systems. Further complicating the challenge is the need to protect hybrid environments of on-premises and cloud.

Companies have responded by increasing their security budgets and adopting more advanced defenses. One component of these defensive maneuvers is the establishment of a big data repository containing aggregated data from numerous sources across the enterprise and external to it. Among the sources are device logs, user activity data, device configuration data, identity management systems, threat intelligence feeds, and much more. Often hidden within this massive data repository are critical indicators of a prospective attacker’s access and activity.

The burgeoning scale of this all-encompassing data lake with full enterprise visibility has far eclipsed the ability for humans to hunt through it in any realistic manner. However, it is the perfect source for machine learning (ML) models that relentlessly analyze the data and look for correlations and anomalies that may be indicative of malicious activity.

It is within this domain of advanced security analytics that User and Entity Behavior Analytics (UEBA) as part of your threat detection, investigation and response program has emerged as the most effective approach to comprehensively manage and monitor identity-based risks and unknown threats across all of an organization’s environments. UEBA draws from the context of big data and is driven by machine learning models rather than signatures or rules to deliver invaluable visibility and risk scoring of suspicious activity.

User and Entity Behavior Analytics quickly identifies anomalous activity, thereby maximizing timely incident or automated risk response. The range of use cases is what makes a UEBA solution extensible and valuable.

For organizations to effectively face their cybersecurity challenges, they must assure the use cases align with their specific needs and varied requirements today and into the future.

Gurucul provides a comprehensive set of use cases for User and Entity Behavior Analytics including:

    • Early Ransomware Detection
    • Phishing Detection
    • Privileged Access Abuse Prevention
    • 3rd Party and Supply Chain Threat Monitoring
    • Data Exfiltration, DLP and IP Protection
    • Account Compromise, Hijacking and Sharing Detection
    • Insider Risk and Threat Monitoring
    • Anomalous Activity Monitoring
    • Host / Device Compromise Detection
    • Lateral Movement Detection
    • Reconnaissance Monitoring
    • Security Misconfiguration Identification

What Is UEBA and How Does It Work?

User and Entity Behavior Analytics is a cybersecurity solution that uses algorithms and machine learning to detect anomalies in the behavior of users and nonhuman entities such as the routers, servers, endpoints, and other devices in a network. UEBA looks for unusual or suspicious behavior that deviates from a baseline of normal everyday patterns or usage. For example, if a particular user typically logs into the network from an IP address in Atlanta, and on a given day that same user credential logs in from both the address in Atlanta and an IP address in Los Angeles within a two-hour window, the UEBA system would consider this an anomaly. An alert can be sent to a security administrator, or if automations are in place, that user can be automatically disconnected from the network pending further investigation of the situation.
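The Atlanta/Los Angeles scenario above, worked through as an added example (this is not Gurucul's code or model): constructed, geolocation-enriched login events are paired per credential, and a pair inside a two-hour window that would require faster-than-airliner travel is flagged. The 900 km/h speed threshold and the 50 km same-metro tolerance are assumptions.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed, geolocation-enriched login events: (user, time, city, lat, lon).
# In production the coordinates would come from IP geolocation of the
# authentication log; here they are embedded inline.
LOGINS = [
    ("jdoe",   "2024-03-04T08:02:00", "Atlanta",     33.749,  -84.388),
    ("jdoe",   "2024-03-04T09:31:00", "Los Angeles", 34.052, -118.244),
    ("asmith", "2024-03-04T08:10:00", "Atlanta",     33.749,  -84.388),
    ("asmith", "2024-03-04T09:45:00", "Atlanta",     33.749,  -84.388),
    ("bkim",   "2024-03-04T07:00:00", "Atlanta",     33.749,  -84.388),
    ("bkim",   "2024-03-04T19:30:00", "Los Angeles", 34.052, -118.244),
]

WINDOW = timedelta(hours=2)   # pairing window from the page's example
MAX_SPEED_KMH = 900.0         # assumption: faster than an airliner is infeasible
SAME_METRO_KM = 50.0          # assumption: ignore geolocation jitter inside one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, window=WINDOW, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_city, to_city, implied_speed_kmh) for consecutive logins
    by the same credential that fall inside `window` but would require moving
    faster than `max_speed_kmh`."""
    by_user = {}
    for user, ts, city, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), city, lat, lon))

    findings = []
    for user, rows in by_user.items():
        rows.sort()  # chronological order per credential
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(rows, rows[1:]):
            gap = t2 - t1
            if gap > window:
                continue  # too far apart to count as "within a two-hour window"
            distance = haversine_km(la1, lo1, la2, lo2)
            if distance < SAME_METRO_KM:
                continue
            hours = max(gap.total_seconds() / 3600.0, 1.0 / 60.0)  # floor avoids division by zero
            speed = distance / hours
            if speed > max_speed_kmh:
                findings.append((user, c1, c2, round(speed)))
    return findings


if __name__ == "__main__":
    for finding in impossible_travel(LOGINS):
        print("impossible travel:", finding)
```

Only jdoe is flagged: asmith stays in one city and bkim's two logins are twelve hours apart, outside the window.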

The “entity” part of the solution means it also monitors devices that are part of the network. Machines, like people, can exhibit unusual behaviors that may indicate an attack is underway. For example, a desktop device might be observed to be communicating with an unusual IP address that external threat intelligence says is a malicious site. Prompt detection and alerting of this behavior can lead to quick mitigation such as blocking the traffic at a firewall to prevent outreach to that IP address.

The heart of Gurucul UEBA is the security analytics engine. User and entity activity data aggregated from numerous sources is drawn into the engine from a big data repository, where it has been normalized and combined into a single data set. Machine learning using customized algorithms (i.e., learning models) processes the data to search for patterns, correlations, and anomalies. Rapid searches of the results identify early indicators of an attack. The analytics engine calculates a risk score based on those indicators and generates an alert to trigger further action based on the calculated risk. Additional types of responses can be implemented, such as generating a case ticket or activating a response using automation tools like security orchestration, automation and response (SOAR).

Gurucul UEBA

Using proven machine learning techniques, Gurucul UEBA profiles past and current behavior by evaluating all user and non-person entity activity against a set of normal baselines. Using outlier analysis, the behavior is further evaluated against dynamically defined peer groups with the goal of providing additional contextual intelligence. These techniques assist in detecting and eliminating false positives. When the activity of every user and every entity is put through the analytics engine, a risk score (or confidence score) for each individual user is calculated. Every additional action a user or entity takes is incorporated into the individual’s risk score, which is continuously recalculated with the new activity.
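An added illustration (not Gurucul's implementation) of the baseline plus peer-group outlier analysis described above feeding a continuously recalculated risk score: the same daily count is judged against the user's own history and against the peer group, and only activity unusual for both contributes. Combining the two z-scores by taking the smaller one, the standard-deviation floor of 1.0, the 20-points-per-sigma scale and the 0.8 decay factor are assumptions.

```python
from statistics import mean, pstdev

# Constructed ten-day history of daily file downloads per user, and the peer
# group each user has been assigned to (in a real system, derived dynamically
# from HR attributes and observed access). All values are made up.
HISTORY = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15],
    "bob":   [11, 13, 12, 14, 12, 13, 11, 12, 14, 13],
    "carol": [10, 12, 13, 11, 12, 14, 12, 11, 13, 12],
    "dave":  [2, 3, 2, 4, 3, 2, 3, 2, 3, 3],   # same role, historically quiet
}
PEER_GROUP = {"alice": "analysts", "bob": "analysts", "carol": "analysts", "dave": "analysts"}

POINTS_PER_SIGMA = 20.0   # assumption: risk points one standard deviation is worth
MIN_STDDEV = 1.0          # assumption: floor so a flat baseline does not inflate small changes


def zscore(value, sample):
    """Standard score of `value` against the sample's mean and (floored) std dev."""
    return (value - mean(sample)) / max(pstdev(sample), MIN_STDDEV)


def score_event(user, today_count, history=HISTORY, peers=PEER_GROUP):
    """Risk contribution (0-100) of today's count for `user`.

    Step 1: compare against the user's own baseline.
    Step 2: outlier analysis against the dynamically defined peer group.
    Only activity unusual for BOTH is treated as risky; taking the smaller of
    the two positive z-scores suppresses the false positive of a user who is
    merely doing what everyone in the role does."""
    self_z = zscore(today_count, history[user])
    peer_sample = [v for u, vals in history.items()
                   if u != user and peers[u] == peers[user]
                   for v in vals]
    peer_z = zscore(today_count, peer_sample) if peer_sample else self_z
    z = min(max(self_z, 0.0), max(peer_z, 0.0))
    return min(100.0, round(z * POINTS_PER_SIGMA, 1))


def update_risk(current_score, contribution, decay=0.8):
    """Continuously recalculated identity risk: the old score decays, new activity adds."""
    return min(100.0, round(current_score * decay + contribution, 1))


if __name__ == "__main__":
    risk = 0.0
    for day_count in (14, 60):   # dave: first a role-normal day, then a real spike
        risk = update_risk(risk, score_event("dave", day_count))
        print("dave downloads %d -> identity risk %.1f" % (day_count, risk))
```

Dave downloading 14 files is eleven standard deviations above his own baseline but within one of his peers, so it contributes under 25 points; 60 files is an outlier for both and saturates the score.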

Gurucul’s solution framework includes data ingestion via flat file, database, application programming interface (API), message or streaming inputs, with ready-to-use data connectors for common enterprise systems and platforms (i.e., human resources, identity and access management, privileged access management, security information and event management (SIEM), directory services, databases, networks, vulnerabilities, data loss prevention, threat intelligence, cloud applications/SaaS, authentication, physical ID badge systems, file storage and endpoints). It also supports an open customer choice of big data platform, with Hadoop, Cloudera, Hortonworks, ELK Elastic and MapR. Models run on top of the customer’s chosen big data platform for compute and storage, to avoid reading and storing data multiple times. In simple terms, use your existing data lake with advanced security analytics on top.


Top Use Cases

Early Ransomware Detection

Ask most people, and the perception around ransomware is that it is known for encrypting users’ files, whether those files are meaningful or not. More importantly, ransomware is an adversary’s tool of the trade, a weapon to unleash on any alluring resource. Advanced ransomware attacks are mainly targeted at encrypting high-stakes documents and resources such as MySQL databases, and it’s not unusual for attackers to gain access via tactics like phishing or drive-by attacks. NGAV manufacturers have produced software that uses canary files, whether system-wide actual data files or dedicated decoys. More intelligent anti-ransomware software checks for changes, identifies file header alterations made by AES symmetric encryption, and kills the malicious process in time. However, this is just a race against time, and who will win that ransomware race?

When questioned, most CISOs still have major issues with detecting and protecting against ransomware. This is due to the nature of the attack itself. For example, an attacker may pull the AES encryption keys through the same access path they originally used and copy them to the victim host, or they may pull the keys only once they have reached a particular resource. Both these actions would prove to be a pivotal point of detection, and in the area of behavior analytics, both would be identified as unnatural behavior patterns. Many other factors would also come into play: the user from whom the host activity originated, the irregular use of protocols, and unusual network and file activity are all indications of abnormal behavior. This does not include the traditional actions that the security tools would identify, which Gurucul would enrich and correlate together with the abnormal behavior to increase accuracy and awareness and remediate before the adversary can even reach the resources they intend to encrypt.

Phishing Detection

Phishing is a leading social engineering technique that attackers or cyber criminals use to gain access to a legitimate user’s account credentials. Once an attacker has an employee’s username and password, they can log in to the network directly and assume the same privileges as that user. To prevent an account takeover, it’s important to stop phishing at the source—in the legitimate users’ inboxes or sooner.

UEBA analyzes the activity behind the incoming messages of a phishing campaign to identify unusual behavior indicative of malicious email. UEBA looks for attributes like unusual sender email domains, inbound email from similar senders to large numbers of internal users, unusual character sequences identified through text mining, and pretrained detection on trusted subject lines. Alerts on these activities, along with automated responses that isolate suspicious messages, can help curtail phishing in an organization.

Privileged Access Abuse Prevention

This use case identifies high privileged access (HPA) abuse by leveraging the combination of accounts, access, and activity data. Typically, accounts and access data are ingested from Identity Access Management (IAM), Privileged Access Management (PAM), and/or directory services platforms to identify HPA accounts and discover any non-HPA accounts granted high privileged entitlements. Additionally, the activity data is ingested from enterprise level audit or log sources or obtained directly from the target data sources.

Once HPA accounts are identified, UEBA can detect suspicious behavior and misuse, such as using HPA to assign special or elevated privileges to the user’s own account followed by an activity, or transactions outside the PAM password checkout and check-in window. This also includes access to resources and transactions outside normal behavior profiles, abnormal access to classified or sensitive documents, and multiple concurrent sessions from the same account using different IPs, devices, locations, etc.

3rd Party and Supply Chain Threat Monitoring

Through an understanding of 3rd party access controls, privileged access policies, and network traffic analysis, UEBA can detect suspicious behavior and misuse. This includes using 3rd party access to assign special or elevated privileges to the user’s own account followed by an activity, or transactions outside the password checkout and check-in window. It can also find unusual connections and traffic from dormant or rarely used 3rd party accounts, or even from 3rd parties that are no longer active partners. UEBA is the most effective way to detect the initial compromise by a 3rd party or supply chain partner. In addition, our full complement of identity, network, cloud, and endpoint analytics can go further to determine active threats and even misconfigurations, such as in cloud access.
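The checkout-window, self-escalation and inactive-partner checks described for privileged accounts and for 3rd party access, as one added example (not Gurucul's code) run over constructed directory, PAM and audit records. The account-to-identity mapping, the group names that count as high privileged access and the "still active" flag are assumptions.

```python
from datetime import datetime

# Constructed directory, PAM and audit records; every name, group and
# timestamp below is made up for the illustration.
HPA_GROUPS = {"Domain Admins", "DBA"}   # entitlements that confer high privileged access
IDENTITY = {  # account -> (identity owning it, account type, still an active user/partner?)
    "jdoe":         ("jdoe", "employee", True),
    "adm-jdoe":     ("jdoe", "employee", True),              # admin account of the same person
    "v-acme01":     ("acme-contractor", "third_party", True),
    "v-oldpartner": ("old-partner", "third_party", False),   # contract ended, account left behind
}
GROUPS = {"adm-jdoe": {"Domain Admins"}, "v-acme01": {"DBA"}, "jdoe": set(), "v-oldpartner": set()}
CHECKOUTS = {  # PAM vault records: account -> [(password checkout, check-in)]
    "adm-jdoe": [("2024-03-04T09:00:00", "2024-03-04T11:00:00")],
    "v-acme01": [("2024-03-04T14:00:00", "2024-03-04T15:00:00")],
}
EVENTS = [  # audit log: (time, account, action, target)
    ("2024-03-04T09:30:00", "adm-jdoe",     "ADD_GROUP_MEMBER", "DBA:jdoe"),
    ("2024-03-04T09:40:00", "jdoe",         "RUN_SQL",          "payroll"),
    ("2024-03-04T22:10:00", "adm-jdoe",     "READ_FILE",        "finance/payroll.xlsx"),
    ("2024-03-04T14:20:00", "v-acme01",     "RUN_SQL",          "customers"),
    ("2024-03-05T03:00:00", "v-acme01",     "RUN_SQL",          "customers"),
    ("2024-03-05T03:05:00", "v-oldpartner", "VPN_CONNECT",      "corp-vpn"),
]


def within_checkout(account, ts, checkouts=CHECKOUTS):
    """True if `ts` falls inside one of the account's PAM checkout windows."""
    t = datetime.fromisoformat(ts)
    return any(datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end)
               for start, end in checkouts.get(account, []))


def privileged_access_findings(events=EVENTS, identity=IDENTITY, groups=GROUPS, checkouts=CHECKOUTS):
    """Return (finding, account, time) tuples for the misuse patterns in the text."""
    hpa_accounts = {acct for acct, g in groups.items() if g & HPA_GROUPS}
    self_granted = set()   # accounts that received an HPA entitlement from their own identity
    findings = []
    for ts, acct, action, target in sorted(events):   # ISO timestamps sort chronologically
        owner, kind, active = identity[acct]
        if not active:
            # Dormant or former 3rd party (or employee) still producing activity
            findings.append(("INACTIVE_%s_ACTIVITY" % kind.upper(), acct, ts))
        if acct in hpa_accounts and not within_checkout(acct, ts, checkouts):
            findings.append(("OUTSIDE_CHECKOUT_WINDOW", acct, ts))
        if action == "ADD_GROUP_MEMBER":
            group, member = target.split(":", 1)
            member_owner = identity.get(member, (None,))[0]
            if group in HPA_GROUPS and member_owner == owner:
                self_granted.add(member)
                findings.append(("SELF_PRIVILEGE_GRANT", acct, ts))
        elif acct in self_granted:
            # "elevated privileges to the user's own account followed by an activity"
            findings.append(("ACTIVITY_AFTER_SELF_GRANT", acct, ts))
    return findings


if __name__ == "__main__":
    for finding in privileged_access_findings():
        print(finding)
```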

Data Exfiltration, DLP and IP Protection

UEBA identifies data exfiltration attempts and protects intellectual property by ingesting data sources such as data loss prevention (DLP) and data classification to learn important data locations, access, and application activity.

A primary benefit of UEBA machine learning is the generation of risk-scored DLP alerts that help to reduce alert fatigue and prioritize “find-fix” resources. Analysis by UEBA includes on-premises and cloud applications for a 360-degree view of data access and activity. This approach helps customers prioritize DLP alert investigations as well as identify and monitor even the low severity DLP alerts associated with departing users or high-risk users.

Unsupervised machine learning models develop baselines pertaining to typical data access patterns, making it possible to identify anomalous events. Moreover, UEBA solutions traditionally provide out-of-the-box machine learning models which can identify known patterns such as sensitive documents downloaded and copied to USB, large amounts of source code checked out from source code repositories, file uploads to cloud storage, emails to personal accounts, access to competitor and/or job websites, etc.

Organizations have also extended UEBA alerts beyond SOC analysts to project managers, given their depth of context and relevance regarding employees, data, and projects.

Account Compromise, Hijacking and Sharing Detection

One of the Top 10 OWASP (Open Web Application Security Project) vulnerabilities is related to the ‘Broken Authentication and Session Management’ scenario. Here, attackers exploit vulnerabilities through attacks such as Pass-the-Hash (PtH), Pass-the-Token (PtT), Brute Force, and Remote Execution to gain access to user credentials (passwords or hashes).

Such attacks can be detected using the underlying machine learning algorithms tuned to inspect various parameters like timestamp, location, IP, device, transaction patterns, high-risk event codes, and network packets to identify any deviation from the normal behavior of a particular account and the corresponding transactions. This facilitates detection of any potential account compromise or hijacking scenarios based on the anomalous behavior patterns such as abnormal access to high-risk or sensitive objects, abnormal number of activities, excessive requests in a short time frame, activity from terminated or dormant user accounts, PtH attacks, and session replay attacks.

Anomalies identified via clustering machine learning models and outlier analysis inconsistent with a user or peers’ normal behaviors are given risk scores based on advanced security analytics to drive alerts, actions, and case tickets.

Insider Risk and Threat Monitoring

Advanced UEBA insider risk and threat monitoring leverages research drawn from extensive insider threat databases of real-world incidents to develop, test, and refine machine learning behavior models. Baseline profiles are created using attributes from HR records, events, access repository, log management solutions, and more. Identifying high-risk profiles with abnormal behaviors in conjunction with data risk monitoring, machine learning and statistical analysis reveals anomalies in data that humans could not otherwise recognize or detect. As a force multiplier, ML far surpasses human capabilities and software engineering for managing large volumes and varieties of data.

True machine learning also finds high-order interactions and patterns in data for complex problems such as insider threats, compromised accounts, and data exfiltration. It does this by leveraging useful and predictive cues that are too noisy and highly dimensional for human experts and traditional software to detect.

A 360-degree dashboard provides visibility of an identity’s accounts, access, and activity for on-premises and cloud hybrid environments. Both access and activity are risk scored for anomalous events with results visible to employee managers and SOC analysts.

Anomalous Activity Monitoring

UEBA detects and monitors anomalous activity by people or devices through the use of ML algorithms tuned to inspect various parameters like timestamp, location, IP address, device, transaction patterns, high risk event codes, and network packets. This method can identify any deviation from the normal behavior that may be indicative of a threat.

For example, a database administrator may create a script that runs several commands with security implications at 2 AM each day. This user is an innovator, working to improve the enterprise’s productivity.

However, machine learning models will see these sensitive commands during non-business hours as an anomaly and score the risk accordingly. A supervisor can provide feedback to the learning models to note that the behavior is benign and to not flag it again. Nevertheless, the database administrator could be put on a watch list for a while to ensure that their behavior is totally appropriate.

Watch lists come pre-defined within UEBA for common high-risk groups such as new hires, departing workers, terminated workers, and other high-risk users. UEBA also supports explicitly adding or removing identities within watch lists. In highly sensitive environments such as government agencies, devices of foreign origin can be put on a watch list to ensure there is no nefarious backdoor communications activity.

Watch lists and other suspicious users or entities can be monitored through dashboard drop-down menus to analyze risk scores, anomalies, access, activity, and timelines.
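The 2 AM database administrator scenario and the watch-list handling above, as an added example (not Gurucul's code): a sensitive command outside business hours scores high, supervisor feedback suppresses that specific behavior but places the user on a time-bounded watch list, and watch-listed identities (pre-defined groups or explicit additions) have their contributions amplified so they stay visible. The 70/20 point values, the 1.5 multiplier, the 30-day watch period, the business-hours range and the command list are assumptions.

```python
from datetime import datetime, timedelta

SENSITIVE_COMMANDS = {"GRANT", "ALTER USER", "DROP TABLE", "CREATE LOGIN"}  # assumption
BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 is "business hours"
OFF_HOURS_SCORE = 70.0          # assumption: sensitive command outside business hours
IN_HOURS_SCORE = 20.0           # assumption: sensitive command during the day
WATCHLIST_MULTIPLIER = 1.5      # assumption: keeps watch-listed identities visible


class AnomalyScorer:
    def __init__(self, predefined_watchlists):
        # Pre-defined high-risk groups (new hires, departing workers, ...) are
        # open-ended entries; each value is (reason, expiry or None).
        self.watchlist = {}
        for group, users in predefined_watchlists.items():
            for user in users:
                self.watchlist[user] = (group, None)
        self.benign = set()   # (user, command) pairs a supervisor marked benign

    def add_to_watchlist(self, user, reason, ts, days=None):
        """Explicitly add an identity, optionally for a limited number of days."""
        expiry = datetime.fromisoformat(ts) + timedelta(days=days) if days else None
        self.watchlist[user] = (reason, expiry)

    def remove_from_watchlist(self, user):
        self.watchlist.pop(user, None)

    def on_watchlist(self, user, now):
        entry = self.watchlist.get(user)
        if entry is None:
            return False
        _, expiry = entry
        if expiry is not None and now > expiry:
            del self.watchlist[user]   # time-bounded entries age off automatically
            return False
        return True

    def mark_benign(self, user, command, ts, watch_days=30):
        """Supervisor feedback: stop flagging this (user, command), but keep the
        user on a watch list for a while, as the text describes for the DBA."""
        self.benign.add((user, command))
        self.add_to_watchlist(user, "feedback:" + command, ts, days=watch_days)

    def score(self, ts, user, command):
        """Risk contribution (0-100) of one audit event."""
        now = datetime.fromisoformat(ts)
        if command not in SENSITIVE_COMMANDS or (user, command) in self.benign:
            base = 0.0
        elif now.hour not in BUSINESS_HOURS:
            base = OFF_HOURS_SCORE
        else:
            base = IN_HOURS_SCORE
        if self.on_watchlist(user, now):
            base *= WATCHLIST_MULTIPLIER
        return min(100.0, base)


if __name__ == "__main__":
    scorer = AnomalyScorer({"departing_workers": {"mlee"}})
    print(scorer.score("2024-03-04T02:00:00", "dba1", "GRANT"))       # flagged: 70.0
    scorer.mark_benign("dba1", "GRANT", "2024-03-04T09:00:00")
    print(scorer.score("2024-03-05T02:00:00", "dba1", "GRANT"))       # suppressed: 0.0
    print(scorer.score("2024-03-05T02:00:00", "dba1", "DROP TABLE"))  # watch-listed: 100.0
```

A different sensitive command from the same DBA while on the watch list is amplified rather than suppressed; once the 30 days pass the entry ages off and scoring returns to normal.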

Host / Device Compromise Detection

It is well known that one of the widely used tactics to execute cyberattacks is to compromise trusted hosts connected to an organization’s network infrastructure. In addition to monitoring anomalous user behavior with UEBA, it is critical for organizations to monitor closely all the endpoints (devices and hosts) connected to the network. UEBA builds an anomaly timeline for an entity based on the high-risk anomalous events and activities performed from the respective device or host. An organization can detect advanced persistent threat (APT) attacks and attack vectors and predict data exfiltration by performing entity-centric anomaly detection.

UEBA correlates a wide range of parameters associated with an entity, including endpoint security alerts, vulnerability scan results (Common Vulnerability Scoring System, or CVSS), risk levels of users and accounts used, targets accessed, packet level inspection of the requested payloads, and more. This correlation facilitates detection of any anomalous activities or events to determine predictive risk scores.

Lateral Movement Detection

Lateral movement is a technique used by an attacker whereby, after gaining initial access to a network, they attempt to move within the network to find better vantage points to download additional malware, communicate to external servers, and eventually find the location of sensitive data. To gain initial access, the attacker often uses legitimate user credentials that have been stolen through social engineering (phishing) or other techniques. Then, lateral movement on the network usually requires that the attacker obtain increased user privileges and use various tools to determine where they are on the network and what security deterrents are in place around them. The tools are often used to conduct activities such as port scanning or learning about proxy connections—activities that an average legitimate user of a network would not be doing.

A sophisticated attacker may use “dwell time” to their advantage, meaning their activities are slow and hidden to avoid detection before malicious activity occurs, sometimes weeks or months after the initial breach of the network.

Even though the attacker impersonates a legitimate user on the network, their activities and behavior are anomalous compared to the real user’s activity. UEBA detects these anomalies, sends an alert, and adjusts the risk score for that identity accordingly, which helps detect residual activity by that compromised account.

Reconnaissance Monitoring

Reconnaissance is the preliminary step of a cyberattack in which the attacker attempts to learn as much as possible about an organization’s computing environment and its defenses. To gather this information before actively attacking the network, an attacker uses reconnaissance measures that probe the network’s open ports, running services, etc. For example, an attacker may use port scanning to determine what services are visible and where an attack can be conducted. As part of port scanning, data is retrieved from open ports and analyzed.

By analyzing entity behavior, UEBA can recognize and alert on a variety of reconnaissance activities, including port scans, ping sweeps and fingerprinting; DB table and structure discovery through web server logs; discovery of directories and pages exposed to the Internet; discovery of exposed cloud assets including storage buckets, instances, and databases; and much more.

Security Misconfiguration Identification

By showing unusual or abnormal activity, including unexpected access to networks, endpoints, servers, and applications, UEBA can expose where expected security controls are not working or have not been configured correctly. This can include improperly set up access privileges or network-segment access restrictions, and even unexpected or unauthorized application usage, to name a few examples. UEBA can also identify unexpected communication channels and activity to external parties, such as VPN tunnels left open for a previous supply chain partner that can be exploited for nefarious purposes. Security controls that are inaccurately configured or left insecure put a company’s systems and data at risk. This is such a common problem that it is listed on the OWASP Top Ten list of Web Application Security Risks.

Gurucul Industry-Specific UEBA Use Cases

Gurucul also offers several industry-specific prepackaged analytics. These sets of models are focused on addressing the challenges and threats unique to each industry vertical. This helps reduce any customization or implementation effort to build industry-specific models from scratch. These models are developed in partnership with the Gurucul Labs team, technology and channel partners, and customers, taking into consideration telemetry from specialized systems, fraud / threat scenarios, and standards.

Some of the key industry solutions include:

Healthcare Use Cases
  • Protect Patient Privacy
  • Discover, Monitor and Identify Risky Medical Devices
  • Implement Governance Reporting and HIPAA Audit Controls
  • Detect Healthcare Fraud, Waste, and Abuse (FWA)
  • Manage and Cleanup EMR Access
Government Use Cases
  • Insider Abuse
  • Contractors Overbilling
  • Reporting Income Discrepancies
  • Vendor Favoritism
  • State-sponsored Cyber Attacks
Retail Use Cases
  • Point of Sale Fraud
  • Credit Card Skimming
  • Online Payment Fraud
  • Supply-Chain Fraud
  • Call Center Fraud
Banking / Financial Use Cases
  • Account Takeover & Login Fraud
  • Transaction Fraud
  • Credit Card Fraud
  • Payment Fraud
  • Mobile Fraud
  • Insider Fraud
  • Call Center Monitoring
  • Foreign Exchange
Hi-Tech / Manufacturing Use Cases
  • Data Exfiltration
  • IP Protection
  • IoT Analytics / Device Compromise
  • Software Licensing Fraud
  • Vendor / Partner Account Compromise
Insurance Use Cases
  • PII / PHI Data Exfiltration
  • Privileged Access Misuse
  • HSA Account Takeover
  • Claims Fraud

Benefits

Having a broad selection of UEBA use cases provides customers with the assurance that their advanced security analytics requirements will be addressed. The overall benefits include:

Empowered Security Capabilities and Quality – The mature capabilities of Gurucul UEBA provide robust and optimal advanced security analytics across a range of on-premises and hybrid environments, risk scoring the gray areas of unknown threats and minimizing false positives. The result is improving the focus of “find-fix” resources, optimizing the time of security analysts, creating efficiency in the SOC, and making operations and people more productive.

Extended and Optimized Discovery, Monitoring, and Visibility – This includes the baseline ability to view the full context of a user’s access and activities, both legitimate and anomalous. Gurucul UEBA also includes analytics for hybrid environments, providing a combined 360-degree view of identity and risk-scored behavior anomalies. It’s all driven by machine learning as part of a newly recognized state-of-the-art UEBA standard, along with its ability to interface with Identity & Access Analytics for increased efficiencies.

Improved Productivity and Cost Savings – By having holistic visibility across all an organization’s environments, users, and devices, the SOC team’s efficiencies are maximized, delivering cost savings. In addition, as enterprises continue to migrate to cloud applications, the ability to expand platforms without adoption of additional solutions helps to minimize costs.

Conclusion

The depth and range of use cases fundamentally defines the areas of expertise and functionality for UEBA vendors. This factor represents an important qualification when choosing a solution partner. Having a broad selection of use cases provides organizations with the assurance that their advanced security analytics requirements will be addressed comprehensively today and into the future. Assuring that a vendor can support these use cases across on-premises, cloud and hybrid environments, as well as being vendor agnostic, provides the strongest assurance that objectives are achieved. Big data provides rich context that drives machine learning models. A key to its success is the democratization of data from solution silos, open APIs for data collection, and leveraging risk scores for automated response. Behavior analytics centers on identity with a 360-degree view of accounts, access, and activity for users, entities, and peers to detect anomalous behavior and outliers. Both big data and identity are horizontal planes that slice through solution silos and organization charts. This perspective, with defined use cases, makes for a successful journey.