UEBA: what is behind the new trend on the information security market?
Recently this abbreviation, awkward to the Russian ear, UEBA, has been heard more and more often from information security experts. Trained on large volumes of data, these self-learning systems can seriously offload the staff of specialised security departments in companies of very different sizes. Anna Bogdanova, SOC area manager at the Information Security Center of Jet Infosystems, helped us understand how to deploy UEBA solutions correctly and what they can give the business.
What UEBA technologies are
UEBA (User and Entity Behavior Analytics) is a relatively new trend that is gaining popularity in the cybersecurity market. The essence of the technology is in its name: it is behavioural analysis, accurate enough to identify in advance situations in which the company could suffer a loss. "Entities" here means business applications, servers, workstations, data warehouses, databases and so on.
This is especially relevant for large companies with thousands of users. Thousands of users generate tens of millions of events: they connect to corporate systems, copy and send information both inside the company and outside it, work with external resources, e-mail, financial and technological systems. As a result we get genuine Big Data, explains Anna Bogdanova, SOC area manager at the Information Security Center of Jet Infosystems.
It is clear that working with this Big Data using in-house staff alone can be extremely difficult, and outsourcing it is expensive. For example, if only SIEM systems are used to detect information security incidents, it is impossible to devise and configure enough event correlation rules to catch every possible incident, and to think through all the exceptions to those rules so as to minimise the number of false positives. UEBA technologies, which detect deviations from the normal ("average") behaviour of users or entities, help solve this problem.
Self-learning UEBA systems use the same data that SIEM applications collect, then process it and build a specific behavioural profile for each user or entity. These profiles are constantly refined and detailed. At the same time, the system can be tuned so that it does not react to every incorrect password entry, every non-critical configuration error or an accidental pop-up banner.
This helps UEBA applications reduce the number of false positives considerably. Instead, the system concentrates on access to external and internal resources (including those unrelated to work), to cloud services and to corporate information systems (for example CRM, ERP or industrial control systems). The actions of VIP and privileged users and of service accounts, and the launching of applications and processes on workstations, are examined especially carefully, along with other suspicious or anomalous actions.
What threats UEBA protects against
UEBA-class solutions help companies protect themselves against a wide range of threats. Among them: unauthorised access to confidential information, targeted attacks, leaks of confidential information and databases, fraud, theft of intellectual property or trade secrets, ransomware, malware, disruption of production and business processes, and many others.
In fact, it is not a matter of some special class of threats but of a method of detecting suspicious activity that differs from the traditional approach.
Let's say a certain user started visiting job search websites, although he had never done so before, Anna Bogdanova gives an example. Then he connected to the CRM system and copied the company's customer database, placed it on a file server and sent himself a link to an external personal mailbox. UEBA will record each stage of this incident: the atypical visits to job search websites, the copying of the customer database, the placement of a large volume of data on the file server, the sending of an e-mail to an external personal mailbox. And at each of these stages the security officer will be notified.
How UEBA differs from previous generations of behavioural analysis solutions
Modern UEBA uses more advanced mathematical models than the cybersecurity solutions that came before it. It can work with considerably larger volumes of data and can also recognise attack vectors or chains of attack (kill chains).
Such solutions can lower or raise the priority of a given event depending on which stage of the kill chain it belongs to. And if the attack does not reach the final stage, then the priority of all events from the previous stages is lowered. Depending on the sensitivity settings, UEBA may not even notify the security officer about an attack that ended in failure for the attacker, for example if the security perimeter was not breached, Anna Bogdanova specifies.
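To make the two ideas above concrete, the per-user behavioural baseline that flags deviations (and tolerates the odd mistyped password), and the kill-chain-aware prioritisation that rates a chain higher the further it progresses, here is a toy pipeline in Python. It is an added example, not Jet Infosystems' product code or any vendor's algorithm. The flattened event shape, the training window, the thresholds (mean plus three standard deviations, "first-seen" categories and mail domains) and the stage numbering are all assumptions, and the events are constructed for the example, replaying the job-search/CRM/file-server/personal-mailbox scenario for one user while a second user only mistypes a password.

```python
"""Toy UEBA: per-user baselines from SIEM-like events, anomaly detection,
and kill-chain-aware prioritisation.  Added example; not a real product's
code.  Event format, thresholds and stage mapping are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed kill-chain stage for each anomaly type; 4 is the final stage.
STAGE = {"recon": 1, "collection": 2, "staging": 3, "exfiltration": 4}
FINAL_STAGE = max(STAGE.values())
TRAIN_DAYS = 20  # days 1..20 are the learning window, day 21 is evaluated


def _normal_days(user, days):
    """Constructed 'ordinary' activity: (day, user, action, target, size_bytes)."""
    ev = []
    for d in range(1, days + 1):
        ev.append((d, user, "web", "news", 0))
        ev.append((d, user, "web", "corporate_portal", 0))
        ev.append((d, user, "db_export", "crm", 2_000_000 + (d % 3) * 100_000))
        ev.append((d, user, "file_upload", "fileserver", 5_000_000 + (d % 2) * 500_000))
        ev.append((d, user, "mail", "example.com", 200_000))
        if d % 4 == 0:  # an occasional failed login is part of the baseline
            ev.append((d, user, "login_fail", "vpn", 0))
    return ev


EVENTS = _normal_days("alice", TRAIN_DAYS) + _normal_days("bob", TRAIN_DAYS)
EVENTS += [  # constructed day-21 events: alice plays out the scenario, bob only mistypes
    (21, "alice", "web", "job_search", 0),
    (21, "alice", "db_export", "crm", 450_000_000),
    (21, "alice", "file_upload", "fileserver", 450_000_000),
    (21, "alice", "mail", "personal-mail.example", 1_000),
    (21, "bob", "login_fail", "vpn", 0),
    (21, "bob", "db_export", "crm", 2_100_000),
]


def build_baseline(events, train_days):
    """Per-user profile learned from the training window only: web categories
    and mail domains seen, size history per action, failed logins per day."""
    prof = defaultdict(lambda: {"web": set(), "mail": set(),
                                "sizes": defaultdict(list), "fail_days": defaultdict(int)})
    for day, user, action, target, size in events:
        if day > train_days:
            continue
        p = prof[user]
        if action == "web":
            p["web"].add(target)
        elif action == "mail":
            p["mail"].add(target)
        elif action == "login_fail":
            p["fail_days"][day] += 1
        if size:
            p["sizes"][action].append(size)
    return prof


def _is_outlier(value, history, k=3.0):
    """True if value exceeds mean + k*stdev of history; for a flat history
    (stdev 0) fall back to 'larger than anything seen before'."""
    if not history:
        return False
    m, s = mean(history), pstdev(history)
    return value > m + k * s if s > 0 else value > max(history)


def detect(events, baseline, day):
    """Anomalies for `day` as (user, stage, description) tuples."""
    alerts, fails = [], defaultdict(int)
    for d, user, action, target, size in events:
        if d != day or user not in baseline:
            continue
        p = baseline[user]
        if action == "web" and target not in p["web"]:
            alerts.append((user, STAGE["recon"], f"first visit to category '{target}'"))
        elif action == "db_export" and _is_outlier(size, p["sizes"]["db_export"]):
            alerts.append((user, STAGE["collection"], f"{size} bytes exported from {target}"))
        elif action == "file_upload" and _is_outlier(size, p["sizes"]["file_upload"]):
            alerts.append((user, STAGE["staging"], f"{size} bytes placed on {target}"))
        elif action == "mail" and target not in p["mail"]:
            alerts.append((user, STAGE["exfiltration"], f"mail to unseen domain {target}"))
        elif action == "login_fail":
            fails[user] += 1
    # Failed logins only count once they exceed the user's usual daily maximum.
    for user, n in fails.items():
        usual = max(baseline[user]["fail_days"].values(), default=0)
        if n > usual:
            alerts.append((user, STAGE["recon"], f"{n} failed logins (baseline max {usual})"))
    return alerts


def prioritize(alerts):
    """Rate each user's alerts by how far the chain progressed: high only when
    the final stage is reached, otherwise every earlier stage is rated lower."""
    by_user = defaultdict(list)
    for user, stage, desc in alerts:
        by_user[user].append((stage, desc))
    out = {}
    for user, items in by_user.items():
        reached = max(s for s, _ in items)
        level = "high" if reached == FINAL_STAGE else "medium" if reached >= 2 else "low"
        out[user] = {"reached_stage": reached, "priority": level, "alerts": sorted(items)}
    return out


def run(events=EVENTS, train_days=TRAIN_DAYS, day=21):
    return prioritize(detect(events, build_baseline(events, train_days), day))


if __name__ == "__main__":
    for user, verdict in run().items():
        print(user, verdict)
```

With the constructed data, bob produces no alert at all: his single failed login is within his baseline and his CRM export is in the usual range. Alice trips all four stages, so her chain is rated high; drop her day-21 mail event and the same three earlier alerts fall to medium, which is the "chain did not complete" behaviour described above.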
UEBA solutions can be used both on their own and together with SIEM systems. Analysts consider the latter option preferable, because a SIEM system is the most complete supplier of data for UEBA.
How to implement UEBA technologies correctly
UEBA belongs to the class of expensive solutions, so companies usually run a long preliminary pilot, around 3 months. This is enough time for the system to train itself: it will receive a sufficient amount of data, in particular the logs of the most critical business systems and of the IT infrastructure sources. Integration with the enterprise information system that holds the most up-to-date data about employees allows accurate identification of users.
The subsequent implementation of UEBA can be quite fast, especially if the solution is an add-on module to a SIEM system from the same vendor. Acceptance testing, like the pilot, should include emulation of the actions of a potential attacker, Anna Bogdanova notes.
The cost of such solutions depends on the volume of data processed (the number of events per second or the traffic volume). The cost of integration work, in turn, depends on the number of data sources, the cost of installing a SIEM system, how distributed the network architecture is, whether the internal regulations on detecting and investigating cybersecurity incidents need to be revised, and other factors.
What the prospects for UEBA are in the Russian market
According to cybersecurity industry experts, the Russian market has matured for the adoption of UEBA, since a fairly large number of companies already have working SIEM systems and SOCs. Such organisations understand that they need to reduce the labour costs of detecting cybersecurity incidents and to increase the efficiency of this process through maximum automation. Analysts predict significant growth in the Russian market for UEBA-class solutions in 2018-2020.
For a detailed calculation of the implementation cost and payback period of UEBA solutions in your organisation, contact the specialists of Jet Infosystems: av.bogdanova@jet.msk.su