As security systems analyze behavior of users: "reefs" and specifics of the solutions UBA

About what will the speech go?

Relatively recently on foreign and quite recently in the domestic market of information systems of security the new class of solutions appeared. These solutions focus on the analysis of behavior that follows from their names.

To the uniform name of solutions on the analysis of behavior suppliers and market analysts did not come yet. The Gartner company uses an abbreviation of UEBA – User and Entity Behavior Analytics. In this way call the solutions vendors of Securonix, Gurucul, Fortscale, Forcepoint. Consultants from IDC and software makers from DNIF, Splunk, IBM, HP ArcSight (HPE/MicroFocus) use reduction of UBA – User Behavior Analytics.

Trends in the field of security come down to the fact that the attention is focused on the person and his behavior

Other players of the market try to focus attention not only on subjects of the analysis, respectively, on users (User) or entities (Entity), but also on the purposes. So consultants from Forrester call a class of solutions on the behavioural analysis of SUBA (Security User Behavior Analytics), being focused on security. Exabeam and Microsoft use such terms as Advanced Analytics or Advanced Threat Analytics. Some vendors go further away and think out own, occasionally, very figurative names for the solutions. For example, Enterprise Immune System from Darktrace or Risk Fabric from Bay Dynamics.

Domestic manufacturers of solutions of the class UEBA/UBA/SUBA or not especially philosophize, or use the mixed approach. At Zecurion it is called the UBA system as a part of DLP, at InfoWatch – the class UEBA module Prediction, at SearchInform – the center of profiling or ProfileCenter.

Now trends in the field of security come down to the fact that the attention is focused on the person and his behavior as after all the person is the main source of risks, threats, violations and incidents. The concept of Human Centric Security, i.e. security in which center of attention there are people is actively applied and has the mass of followers. For this reason it would be more logical to use an abbreviation of UBA (as it will be made in this article).

However and in a solution name of the behavioural analysis you should not forget about the word Entity. Not less dangerous sources of threats, than users occasionally are behind letter E. These are servers, switches, workstations, applications, storage systems, hosts, network traffic. Attacks on IT infrastructure, and active actions of malefactors also can be behind certain strangenesses and deviations in their work.

What is a class of the solutions UBA?

In the publications Gartner advances the commonly accepted understanding of basic functions of UBA solutions. Treat them: monitoring and the analysis of behavior, detecting of behavioural deviations and arrangement for them of priorities which, in turn, should provide rapid response to the most serious and mass behavioural changes. Over time basic understanding of functionality of the solutions UBA was expanded.

The first that should do the solution UBA, is, accumulating in the course of work or using earlier saved up data, using the put methods to define characteristic stable behavior of objects. And it is not important, users it, program or hardware.

For the analysis the solution needs sources of various data for a considerable historical period that on their basis it was possible to define normal for the user or an entity behavior and its borders for which exit will be considered as an aberration. Depending on the used analysis methods approaches in the solutions UBA can differ – we will talk about it a bit later.

It is considered that the more sources data in UBA, the better deliver. This ambiguous conclusion as connection of a large number of sources leads to expansion of works on integration and to difficulties of interpretation of separate information for the uniform purpose of the behavioural analysis. Here it is necessary to speak about sufficiency of data for processing rather. The redundancy of information not only increases volumes and duration of calculations, but also can cause such heap of results with which the employee of security just will have no time and an opportunity to understand.

It is assumed that the solutions UBA can issue analysis results with a certain frequency, but the more quickly they do it, the more profitable look.

The second that is expected from the solutions UBA, is just capability to detect atypical or as it is called still, aberrant behavior. In open sources the opinion is often expressed that severe violations which badly come to light traditional means of security systems can be behind results of detecting of UBA.

The third that analysts turn on in must have of functionality of the solutions UBA, – prioritization of the received results. Many systems of security very sensitively react to various changes that, as a result, leads to generation of a large number of warnings. Such warnings happens so much that employees of security just do not have time for their analysis and careful investigation. The solutions UBA are capable to consolidate warnings, to estimate their risks, to place priorities and to draw the attention of the user only to the most serious deviations. As a result the efficiency of security services due to decrease in number of false operations increases.

And, of course, any technological solution should issue the end result. In a case with UBA – to provide to the security expert all context of the revealed anomalies. The context will vary depending on opportunities of the specific solution and specific installation.

At least, expectations come down to that UBA solutions provided information on all users and entities connected with the detected behavioural deviation for investigation. Data on actions of a personnel and on results of these actions considerably enrich a context. It is considered that the developed solutions UBA should inform specialists of security on all "environment" of the revealed anomaly including all the groups lying nearby in time and connected on certain signs and chains of behavioural deviations.

In addition Gartner points that the solutions UBA should not be narrow in application and should have several directions ^[1].

Figure 1. Basic functions of solutions of the class User Behavior Analytics

On the specialized websites (reviews on habr.com ^[2], Anti-Malware.ruobzor ^[3], the comparative decision table UBA on the website of the Roi4ciosravneniye draft ^[4]) can also find references of the following functions which existence in modern UBA solutions is welcomed in comparative reviews and tables:

• Use of the built-in behavior models.
• Notification/notification of the user on detection of behavioural deviations.
• Existence of flexible search for conducting investigations.
• Reporting on analysis results.
• Use of a time line (timeline) for the analysis of the received results in time.
• The retrospective analysis of earlier saved up data for detection of behavioural deviations in the past.

The flexibility of the solutions UBA which is expressed in adaptivity to gradual change of subjects of the analysis and available a possibility of expansion and refining of behavior models is additional benefit.

In addition to the above-mentioned the leading analysts of IT market (Gartner, the ROI4CIO project) emphasize that from UBA solutions support of cloud services is expected. Existence of functionality of CASB – the systems of ensuring secure access to clouds selected in a separate class of solutions means.

Besides, the vendor of Exabeam ^[5] advances the concept of use of UBA solutions for actively developing Internet of Things (IoT). This, certainly, demanded direction on tracking of behavior of different devices, but it has very poorly something in common with the concept of HumanCentric Security. It already, it is rather an Entity Behavior Analytics or EBA.

What methods of analytics of UBA are based on?

Traditional methods of analytics come down to determination by security experts of rule sets on the basis of whom systems define whether this or that event is security violation. This approach is not adaptive to new types of threats or change of behavior.

Distinctive feature of the solutions UBA is the expanded analytics intended mainly for privileged information loss prevention. Sign of the good analytical device UBA capability is considered not only to reveal anomalies in behavior, but also ability to calculate the probability of as far as the anomaly demonstrates the valid security risk. Now in fundamentals of expanded analytics of UBA solutions machine learning technologies and statistical ^[6]are put ^[7][8][9]Ошибка цитирования Неверный вызов: нет входных данныхОшибка цитирования Неверный вызов: нет входных данных

Unsupervised algorithms. The algorithms which are not requiring existence of in advance marked examples for the subsequent classification of users and detecting of anomalies of behavior. It allows to use the solutions UBA without preliminary adaptation and setup that undoubtedly is great advantage. But also has also negative effect – a set of results of classification of users, little significant in terms of security, and a big share of false operations.

Supervised algorithms. The algorithms having higher quality of assessment of behavior and classification of users. In practice stability of such high quality needs regular retraining and a reinforcement examples. Every time requires involvement of specialists in data analysis and close communications between them and employees of security.

The mixed models. Combine both "autonomous" algorithms, and supervised-algorithms.

In a set of algorithms it is possible to select models with "greedy" algorithms. Such algorithms constantly arrange the model making the decision under each new activity of the user. It allows to specify instantly model and to adjust its quality. However these algorithms are more exacting to resources and are not deprived of the problems. For example, shift problems with which specialists of Yandex in well-known ^[10] deal^[11]

According to the researches Gartner, in the near future the solutions UBA will be replenished with tools of deep learning and neural networks.

Main directions of use of the solutions UBA

Within the developed understanding of award enforcement of UBA select the following directions of use of this rather new technology:

• Collecting and providing information on behavior. The research of features of behavior of both users, and other entities in itself is of interest to security experts. Usually the nature of behavior corresponds to the executed entity business functions. Sharp discrepancy of the expected and actual behavior can be sign of threat.
• Monitoring of behavior. Control of typical and atypical behavior of both users, and other entities in dynamics allows to monitor different trends, including negative and dangerous.
• Identification of malicious insiders. Identification of various violations of security which source are the personnel of the company disappears in a general view behind it. GOST P ISO/IEC 27005-2010 calls insiders of "badly trained, dissatisfied, malicious, careless, dishonest or dismissed employees".
• Data loss prevention. The serious deviations in behavior of users connected with use, storage and information transfer can signal about attempts or the facts of illegitimate movement of information, significant for the company.
• Identification of the compromised accounts of users. Identification of sharp changes in behavior can demonstrate that the account of the employee is used by the unknown person in the malicious purposes.
• Identification of unauthorized access to data. In this case focus of attention focuses on aberrant behavior of persons concerning information systems and data, significant for the company.
• Identification of target cyber attacks and threats against which protection gears are not developed yet. The analysis of behavior not only users in the company, but also all user contacts in and out of the company can yield valuable results. The developed attacks on IT infrastructure of the company or deliberate actions of external persons can be the reasons of essential anomalies in behavior of the contacting objects. The most unexpected and strange anomalies in behavior of the most different analyzed objects can open earlier unknown threats.

In addition to all above-mentioned solution UBA have high potential in the field of identification of risk areas in the company, risk groups of number of personnel, the employees, the most vulnerable in terms of security. So in a general view – for risks assessment and management of them.

Features of solutions of the class UBA

UBA systems become more popular among large business. According to forecasts of Gartner, the sales volume of solutions of this class from 2015 to 2020 will increase by 7 times.

Who is interested in acquisition of UBA?

Different researches of the market demonstrate that representatives of security services to which the UBA tools help to solve a broad spectrum of tasks are interested in acquisition of solutions of this class in the companies. Problems of information and economic safety belong to their number (here analysts include also risk management). It should be noted that the solutions UBA allow to make the difficult investigations directed to disclosure of fraudulent schemes and anti-corruption. Final effect of their use is prevention and decrease in damage to the enterprises.

Gartner even specifies the industries which are most actively interested in UBA. Now abroad finance and health care feel the need for monitoring of behavior of employees, contractors and the third parties for the purpose of identification of illegitimate or unauthorized actions.

"Reefs" and specifics of UBA

Solutions of this class have specific features and restrictions about which it is useful for users to know them.

First, if security experts want to perform monitoring with a high accuracy and to carry out the analysis of behavior of staff of the company, they should provide to the used solution UBA sufficient amount of data. It is necessary to have data for quite long time frame and, at least, from several sources.

Duration of the period of the analysis of behavior directly affects quality of determination of stable nature of behavior. Vendors point that the minimum duration of this period should be 90 days, and sufficient – 180 days. But in general – the longer, the better.

Use of historical data which can be provided to the solution UBA for processing helps to accelerate process. This option is possible if the company stores the retrospective data on activity of the employees sufficient for the analysis of UBA.

Certainly, also the range of the processed information is important. Are called the easiest for connection to UBA channels suppliers of data in open sources: data of network access (for example, from web, data of the AD directories (or data on employees from a HR system), data of magazines of access and registration of events.

But not less significant the information on mail correspondence and its contents and also information on the nature of communication and content in messengers and social networks are considered as more difficult for use supplied from modules of control of workstations.

On the one hand, than there are more sources, subjects, apparently, we will be able to obtain more exact information on people. On the other hand, at once there are questions of difficulties of receiving, consolidation and cumulative interpretation of all these data.

When choosing optimal approach it is necessary to understand that on one bowl of scales lie time and costs for large-scale embedding in IT infrastructure (deployment of adjacent software, integration, consolidation of data), and on another – the fastest obtaining effective results of work of the solution UBA. Therefore the balanced approach seems in that being limited to the minimum set of sources of information for UBA, given from which will describe sufficiently behavior of employees. For example, it can be data on activity on the Internet, about mail correspondence and about work at the computer.

Secondly, the solutions UBA have some specific features connected with the approach put in them. The behavior of some users has unstable character during some periods and on a number of indicators. It is characteristic of employees on high executive positions. For such users determination of stable nature of behavior means UBA is difficult. In this case the security expert for exact detecting of violations needs to use additional resources of the analysis of content of that information with which the employee works.

If in the company during an accumulation period of data of UBA the business reorganization connected with serious staff changes is conducted, then determination of stable nature of behavior of employees can be complicated, and for any users – at all it is impossible. In this case it is necessary to wait until internal processes of the company are equilibrated, and after it to resort to use of UBA.

In completion to everything the behavior of certain users violators can be abnormal from the very beginning of application of UBA. If any unreliable employee regularly makes violations, then such negative behavior from the very beginning of the analysis will be apprehended by UBA as "normal". In this case, as well as in a case with unstable behavior of employees, studying of specific parts will help to reveal violations.

Thirdly, It should be noted that not all solutions UBA are allocated with an opportunity dynamically to adapt to the changing behavior of users. But people change. The most obvious reasons of change of behavior of employees – reorganization of business processes, change of job responsibilities or the taken position in the organizations, personal problems.

The solutions UBA should adapt to such changes. Thus a system at which adaptivity is not built-in require periodic maintenance. Data-refresh about the standard nature of behavior of employees in that case becomes the compulsory periodic procedure requiring involvement of analysts.

Besides, it should be noted that at the implementing solutions UBA an important role is played by a certain maturity of security experts and their readiness regularly to use UBA in work. UBA can simply not get accustomed if the bezopasnik is not ready to analyze independently the results represented by a system, to look for violators, to estimate efficiency of the offered models.

Autonomous and built-in solutions UBA

The solutions UBA presented at the market are divided into two types: autonomous and built-in. Built-in are delivered as a part of solutions of other classes focused on adjacent tasks. Now the market of the solutions UBA is halved approximately between the autonomous and built-in solutions.

Features of use of autonomous solutions

Two most critical complexities when using autonomous solutions are their integration into IT infrastructure and filling by sufficient data. Full deployment of the similar solution in large or even medium-sized company can grow in the serious and expensive project. At the same time, as practice shows, results of such project as a result can not pay off.

Autonomous solutions are applicable when in the company there is already a uniform storage in which data for the analysis are saved up. These data can be used as information source for UBA.

Features of use of the built-in solutions

Feature of the built-in solutions UBA is need of purchase and deployment of a "parent" system. The reference platform at the same time can be quite expensive.

On the other hand, if UBA supplements functionality of a full-fledged system of security (as a rule, it solutions of a class SIEM, DLP or IAM/ PAM), the question of filling by data is removed. At the same time "parent" platforms of one of the specified classes are included into a standard set of systems used by security services, and their expansion by the UBA tools allows to use actively already collected information.

In addition to SIEM, DLP and IAM/PAM of the solution UBA can be shared with the systems of other classes: systems of audit and data protection (DCAP), analysis systems of network traffic (NTA), system of protection of endpoints (EDR), intrusion detection systems (IDPS), personnel monitoring system (Employee Monitoring, EM).

Domestic solutions on the behavioural analysis of Zecurion, InfoWatch and SearchInform are components of DLP systems or are focused on use of data from the "parent" DLP systems.

Figure 2. Features of a configuration of solutions of the class User Behavior Analytics

Forecasts

According to Gartner in 2017 - 2018 reduction of number of suppliers of the autonomous solutions UBA, mainly because of a company takeover was observed. So Niara was purchased by Aruba Hewlett Packard Enterprise, Balabit – One Identity, E8 Security – VMware, Fortscale – RSA. It is predicted that by 2021 the market of the autonomous solutions UBA will cease to exist.

Also it is expected that by 2022 80% of the solutions aimed at detection and prevention of threats will use methods and UBA technologies. Besides, also inverse process of rapprochement of UBA and SIEM is observed: the advanced solutions UBA acquire functions of the developed security systems. So IBM and LogRhythm develop functionality of UBA, and the UBA solutions Exabeam and Securonix developed functionality of SIEM.

Comparative overview of the solutions UBA

Foreign solutions

Comparison of the autonomous solutions UBA is presented in a general view in the overview of the market from Gartner "Market Guide for User and Entity Behavior Analytics" (2018)^[12].

Comparison of different solutions of the class UBA on 26^[13] is given in the table on the ROI4CIO project website.

Besides, many foreign vendors post quite detailed descriptions of own solutions of the class UBA on the websites.

Domestic solutions

Zecurion

In version 8.0 of a DLP system from Zecurion released in 2018 the module of the behavioural analysis (UBA) appeared.

Zecurion quite avariciously describes possibilities of the new module and does not disclose details of its internal device. It is mentioned only that "specially developed algorithm" using which the analysis of actions of users is made is involved. In the press release it is also noted that the solution UBA of Zecurion monitors emergence of violations and incidents of security and change of nature of use by employees of communication channels.

Thus, it turns out that for the analysis of behavior of users the UBA solution Zecurion uses, on the one hand, information on security policy violations collected by a "parent" DLP system. And, on the other hand, – data on non-standard activities of employees when using communication channels, such as intensive transfer of data out of limits of a local network of the company.

InfoWatch

In 2018 the InfoWatch company provided on BIS Summit the prototype of the solution of the class UEBA under the name InfoWatch Prediction.

The solution manufacturer says that InfoWatch Prediction is constructed on "a strict mathematical model" using methods of machine learning. As data source for the solution the mail server or a DLP system is called. It turns out that InfoWatch Prediction after all is not the autonomous solution, but the module requiring deployment of the "parent" InfoWatch DLP system.

The solution InfoWatch Prediction is intended for forecasting of the risks of cybersecurity related to the personnel and financial policy, identification of insiders, a compromise of accounts. At the same time in marketing promotion the focus is obviously shifted towards use of the solution for the personnel management purposes and also managerial, financial and personnel records. So, advance determination of employees who are going to leave became the first provided scenario. At the same time in InfoWatch emphasized that the InfoWatch Prediction model trained at the basis of retrospective data sampling predicted the probability of dismissal of employees with an accuracy of 80% in 25 days prior to leaving^[14].

The vendor suggests customers to check independently capability of the solution InfoWatch to solve problems of search of employees who are going to leave. But here everything rests against data again. It is offered to provide to the solution for the analysis data in a year and to be convinced that it issues good results. But what difficulties on loading and data processing customers can face even if necessary data on employees are available for them, it is not specified.

Also it is not entirely clear about retrospective these employees for what period there is a speech. In different places in presentation materials of vendor it is told differently. On the one hand, representatives of InfoWatch say that they can show to the client a system rabotospobnost almost instantly^[15]. On the other hand, it is mentioned that industrial tests of InfoWatch Prediction (those which gave forecasting accuracy in 80%) used data array about behavior of employees in three months of work. It turns out that again there is that restriction in at least 90 days necessary for any solution on the behavioural analysis for demonstration of the efficiency or its absence. Anyway to the first public responses about operation of the solution by customers it is difficult to judge whether InfoWatch Prediction solves the stated problems.

SearchInform

Also in 2018 the SearchInform company presented to the market the solution on the behavioural analysis. SearchInform ProfileCenter was stated as "a diagnostic system of behavior and tendencies of the person in different life situations".

According to vendor, for creation of a reliable portrait of the employee it is necessary to analyze or accumulate retrospectively data on average 1 – 2 month.

Using the greatest possible quantity of data sources of a "parent" DLP system, the solution ProfileCenter creates a psychological portrait of the user, reveals weak and strengths of the personality, trait of character, basic values, requirements, tendencies, etc., etc. At the same time algorithms separate users on risk groups, for example: "Demotivated", Talkers, Idlers, Rowdies, Critics, Manipulators, Leaders, Egoists.

In this case there is a question of transparency of the verdicts rendered on the basis of such computerized analysis. In the USA for the analysis and confirmation of the results represented by artificial intelligence are attracted highly professional ^[16]. As practice shows, domestic specialists of the sphere of security also do not hurry to rely on the algorithms closed from them. Even very difficult, but in detail described methods of the mathematical analysis or machine learning it is more preferable than the results created in a solution subsoil on the basis of more than 70 criteria^[17].

For the purposes of creation of a profile, i.e. identification of stable behavior of employees, not business, but natural "live" texts from personal correspondence are used. The minimum information volume for profiling – 30 thousand basic text units. At once there is a question: if the employee sends the engineering design to 60,000 words and adds to it several words (even if natural) personal correspondence how the solution interprets the similar text?

"At the exit" ProfileCenter reports analysis results in order that it was independently possible to draw conclusions on personnel of the company and to estimate risks. However, so far in public field there are no descriptions of real examples of work of the solution at customers. Anna Popova, the head of the DLP block of Infosecurity Group, service provider in the field of cybersecurity, emphasizes that the solution still "should be tested^[18]".

In general, ProfileCenter on the characteristics costs away from solutions of the class UBA as they are defined by the international analytical agencies. The algorithms applied in a system are aimed at classification of employees by these or those psychotypes. It is as a result more logical to carry this solution to a class of the Employment Testing systems (Screening) Software used for problems of the sphere of personnel management. Thus, target audience of ProfileCenter is rather advanced HR, but not security.

Conclusion

In recent years in global market of the systems of security there are more and more demanded solutions intended for the analysis of the user behavior. UBA systems actively accustom the industries aimed at monitoring of personnel, the analysis of behavior, identification of significant deviations in stable behavior of employees for the purpose of detection and prevention of incidents of security, identification of threats to business, prevention of violations and risk management. So those spheres for which influence of a human factor is critical. The person, according to modern approach in security, is the main source of violations, threats, and risks. The systems of the behavioural analysis are useful also to such activities as personnel management, finance, strategic management and acceptance of management decisions.

These systems are good the fact that, using the most advanced methods of the analysis, they develop by practical consideration, discard the outdate techniques and tighten the most effective in the arsenal.

The range of application of UBA in the field of security is quite wide: it both identification of malicious insiders, and prevention of leaks of valuable information, and identification of the compromised accounts, and counteraction to unauthorized access to data, and prevention of cyber attacks, and localization of zero-day of threats.

Foreign market can brag of a big variety of UBA products – both autonomous, and built in the adjacent systems on security (as a rule, it is class systems of SIEM, DLP, IAM and others). A trend such is that autonomous solutions gradually give way built in as the developed "parent" systems are capable to provide necessary data for the analysis at once.

Domestic developments in the field of the behavioural analysis are built-in, go complete with the developed DLP systems. The Russian market of these solutions is still young and small. At the market there are several noticeable players, in particular Zecurion, InfoWatch, SearchInform, and other. Each of solutions of these vendors has the perspectives, features and restrictions. In fact these systems so far only enter the market. Respectively, all of them still should pass a running in in combat conditions on customers.

The greatest perspectives seem at those solutions which not only will provide accomplishment of basic problems of the systems of the class UBA, but also will promote mastering of new opportunities. Treat such auxiliary things: an explanation of the principles of work, existence of techniques of application, positive experience of "running in", ready scenarios of use, clearness of steps when mastering tools. Also remain unconditional advantages the smallest period of full inclusion in work at new deployment and to use capability for the analysis retrospective data at deployment on the functioning platforms of customers.

Notes