TAdviser Guide for UEBA Systems

Users of information systems leave many digital traces in various information systems. Analysis of this information can be used for a wide variety of tasks, and the first of them is information security. At the same time, information security event management (SIEM) systems that monitor IT systems cannot always analyze information about user actions - they are designed to control equipment and cannot take into account the peculiarities of human behavior. Therefore, to analyze user actions, a separate class of solutions has appeared that process information about users themselves - their actions, their IT tools and the data they access. These solutions have become known as User and Entity Behavior Analytics (UEBA) systems. Sometimes incomprehensible objects (Entity) in the name are skipped and it turns out that they analyze the behavior of only users - UBA solutions.

What is UEBA?

Technologically, these solutions are a continuation of the development of entire classes of systems, such as DLP, SIEM, fraud protection and employee time accounting. The purpose of the solution is to profile the activities of employees, identifying both insiders and hacked credentials that are used by unauthorized hackers. However, in the case of fraud protection systems, UEBA can be used, among other things, to determine cases of uncharacteristic behavior of bank customers, up to the detection of actions under duress or manipulation. In some cases, when solutions have grown from accounting time systems, it can also be used to develop employees' competencies, since their behavior can identify their weaknesses or cases of non-compliance with digital hygiene rules. In general, UEBA systems are engaged in the following tasks:

• Identification of compromised credentials of users and workstations, which is determined by changing their activity profile;
• Identification of insiders whose activities do not correspond to the profile of their work duties;
• Monitoring the activities of employees to minimize their access rights;
• Identification of employees who do not comply with information security or digital hygiene rules;
• Analyze the work of remote employees in order to control the quality and competence of their work.
• Identify cases of phishing or manipulation in customer actions.

Architecturally, solutions are built in the same way as SIEM systems, which are divided into levels of information collection, storage and processing. UEBA tools use the following information as data sources for analysis:

• Records of system logs of servers, workstations, routers and other devices;
• Registers of access control and authentication systems;
• Data of the UEBA special software agent, which is installed on the user's device and records the activities of both the user himself and the programs;
• Data from other information security solutions - firewalls, antiviruses, SIEM products and DLP systems;
• User correspondence in social networks, instant messengers, by e-mail;
• Company personnel registers, business processes and other corporate information.

Although the technology of behavioral analysis of users has been known for a long time, however, it is still not included in the software classifier, which is approved by order Ministry of Digital Development of 22.09.2020 No. 486. Therefore, when entering into the registry, developers have to use alternative classifier codes such as 03.14 'Intrusion Detection and/or Prevention Tools' or 03.02 'Information Security Event Management Tools'.

Description: Go > > >

Manufacturer: Security Vision

Number in the register of the Ministry of Digital Development: No. 364 dated 08.04.2016

Security Vision specializes in creating tools for building Security Operation Center (SOC). One of its components is the Security Vision UEBA product, which analyzes the traffic of the protected infrastructure to detect deviations using artificial intelligence. With the help of more than a hundred built-in analytical rules, the system allows you to identify suspicious activity and draw the attention of the SOC operator to it and further propose response options.

Security Vision UEBA detects changes in the work of users, their accounts, devices and processes, traffic volume indicators and other behavioral attributes. To do this, raw data streams from various sources are processed: data lakes, SIEM, NGFW, proxy servers and other network, Windows and Linux devices. The UEBA module provides detection of new types of incidents, which are difficult to detect using signature methods. Built-in behavioral analysis capabilities can be augmented by tuning new or adapting existing sigma and correlation rules, managing the threshold values of the mathematical statistics engine, and training the system on live traffic. Security Vision UEBA offers:

An advanced set of correlation rules that allows you to detect complex attacks. The system not only analyzes network traffic, but also monitors events on hosts, combining data from various sources.

Statistical methods allow you to automatically collect detailed information about system behavior, such as host, process, and network activity, which allows you to create more accurate risk detection rules and reduce the number of false positives.

Different machine learning models for comprehensive analysis of network traffic and events on hosts, for example, models with a teacher to detect known threats, and models without a teacher for new, previously unknown anomalies.

The flexible interface allows the user to easily configure the parameters of these rules and adapt the system to the specifics of any organization, and the on-premium installation allows you to perform all calculations locally to ensure data security.

The product can be used to:

• Collecting "raw" events from various sources;
• Processing NGFW events, hosts, proxy servers, SIEM, data lakes, etc.;
• Determining the weight of events and calculating scoring values;
• Tracking the state of selected objects even without taking into account the "weight" of events;
• Automatic formation of typical models of behavior of infrastructure facilities;
• Detection of deviations and anomalies in the behavior of objects;
• Combining analysis technologies with more than 25 correlation rules;
• Combining analysis technologies by collecting statistics on more than 45 rules;
• Combining analysis technologies using an ML model;
• Automatically send incident and event information to SOAR or SIEM.

If the set thresholds are exceeded or important assets are separately tracked even without taking into account the "weight" of events on them, the system automatically groups all related events into a single suspicion of an incident and launches response procedures. For each incident, additional information is collected to better understand its nature and make informed decisions, and automated actions and flexible settings allow you to effectively respond to threats.

Manufacturer: InfoWatch

Number in the Ministry of Digital Development register: No. 19043 dated 18.09.2023

InfoWatch was originally involved in the development of leak prevention systems - DLP. The flagship product is InfoWatch Traffic Monitor, but over time it has overgrown with various additional systems, one of which is the InfoWatch Prediction system, which also allows you to perform tasks for analyzing user behavior - UBA.

According to the company, the UBA system repeatedly increases the efficiency of DLP. If the latter reports incidents that have already occurred, then the UBA system suggests where there are information security risks that have not yet worked, and what to pay attention to in the first place. The UBA system helps to notice those violations that are still outside the "visibility" of DLP, to identify deviations from the normal course of business processes. The UBA system is particularly relevant in times of instability and profound change, as employee motivations may be less predictable and consequences even more sensitive.

UBA-system InfoWatch Prediction automatically generates a rating of employees with suspicious behavior. To do this, it collects data on user actions received from different InfoWatch products and analyzes them according to several hundred parameters. Artificial intelligence used in the InfoWatch UBA system helps to automatically form risk groups based on the dynamic behavior models of each employee. AI also allows information security specialists to analyze millions of events to identify suspicious behavior, which simply cannot be done "manually" without an automated event information processing tool.

In general, InfoWatch Prediction solves the following tasks:

• Creates an automatic rating of suspicious employees by more than 230 parameters;
• Identifies anomalies for each employee to analyze his actions;
• Establishes the relationship of events on the anomaly schedule;
• Uses DLP InfoWatch Traffic Monitor data and Activity Monitor employee monitoring systems.

Manufacturer: Solar Group of Companies

Number in the register of the Ministry of Digital Development: No (Solar Dozor 7: No. 7441 dated 30.11.2020)

Solar's DLP solution called Solar Dozor has existed since the time when the developers were part of the Jet Infosystems system integrator. In fact, this is the company's flagship product, which also includes a tool for controlling user behavior. Now it is a Solar Dozor 7 module that implements the tasks of analyzing information about the behavior of accounts and devices. The tool allows you to form behavioral portraits of corporate users, search for the characteristic features of their activity of the most suspicious of them, build profiles of stable behavior and identify abnormal deviations from them.

The UBA module operates as part of a DLP system that requires additional resources to operate. Therefore, the requirements for them should be rational and proportionate to the personnel of the organization. Due to these limitations, UBA relies on metadata of information security policy messages and events, information about information objects and materials from the dossier of persons. The communications channel that Door UBA oversees is corporate mail. Over time, it is possible to connect other communication channels.

The functionality of the module is as follows:

• Monitoring of risk groups and dangerous trends by behavior patterns.
• Identify vulnerable persons and persons with suspicious behavior within the template. Conduct an investigation of a specific person.
• Joint analysis of behavioral abnormalities, suspicious features, and related safety events.

Manufacturer: NGR Softlab

Number in the Ministry of Digital Development register: No. 9438 dated 04.03.2021

Russian developer of information security solutions NGR Softlab has been operating on the market since 2019. The company's portfolio includes intelligent security management systems, information security analysis and monitoring tools, including the UEBA ─ Dataplan class solution.

Dataplan ─ an analytical platform for solving information security problems. The platform collects, stores and processes large amounts of data from different sources using machine algorithms to make data-driven decisions when investigating information security incidents and business process violations, identifying hidden information security threats and company activities, and managing risk. Dataplan is deployed in Linux Ubuntu Server at least 18.04 x64 (recommended version 20.04 LTS) and Astra Linux Special Edition 1.7.

With Dataplan, the company can:

• obtain additional information to assess the current state of the information protection system and the infrastructure of the organization
• create a "portrait" of the user and infrastructure elements based on retrospective analysis
• optimize costs for implementation of means of protection against NSD, access control, leak prevention, etc.
• Identify signs of hidden information security threats that are not detected by standard information security tools

Manufacturer: Kaspersky Lab

Registry number Ministry of Digital Development: No (Kaspersky Fraud Prevention Automated Fraud Analytics: № 5954 from 19.11.2019)

The main activity of Kaspersky Lab is the development of antivirus software, which is why various components of Fraud Prevention are registered in the registry of the Ministry of Digital Development as antivirus products. Although Fraud Prevention itself is designed to detect financial fraud, multi-factor authentication and reduce operating costs. Actually, one of the methods for identifying fraudsters is to control and analyze user behavior, so the UEBA module was also built by the company to form additional signs of potential fraudsters.

The work of the Fraud Prevention behavioral analytics module is based on the fact that when interacting between users and the service, information is accumulated about the typical behavior of the company's customers. Fraudsters and bots do not fit into such behavior, which becomes a reason to take a closer look at such suspicious clients or objects. Based on the information collected earlier, the UEBA system generates patterns of normal user and object behavior using machine learning and statistical analysis. Subsequently, real user activity data is mapped to these patterns. If an action differs significantly from the template, for example, an employee sends a letter to a top manager with whom he usually does not interact, or a large amount of data is transmitted to some external server, the system notifies security specialists.

Using UEBA technologies built into Fraud Prevention, you can:

• Identification of insider threats;
• Detection of complex targeted attacks using legal tools, the work of which antivirus programs do not consider malicious;
• Identifying compromised corporate user accounts.

Manufacturer: Zecurion

Number in the Ministry of Digital Development register: No. 2469 dated 20.12.2016

Zecurion is also one of the Russian manufacturers of DLP solutions, so its flagship product is Zecurion DLP. Its developers are trying to keep abreast of the main market trends, so the company has developed and offers as part of its solution, including the UBA module. The functionality of the product allows not only to control data and see the activity of employees, but also to manage information security risks and quickly identify potentially dangerous employees, groups and entire departments.

The UBA module allows the DLP system to operate no longer at the level of control over the storage, movement and processing of data, but to detect suspicious and abnormal user behavior. Moreover, the system monitors all actions of employees during the working day.

Using the UBA module, the Zecurion DLP platform allows you to solve the following problems:

• Detect anomalies in user behavior;
• Profile employees and compare them to each other to identify risk groups;
• Implement a classic risk-oriented model when working with information about employees;

Manufacturer: F.A.C.C.T.

Number in the Ministry of Digital Development register: No. 23833 dated 29.08.2024

Initially, the product was the flagship for Group-IB, which in the process of spinning off the international part was renamed F.A.C.C.T. However, it is protection against fraud in the financial sector that remains a priority for the company, and it develops all related technologies. The product developers did not pass by the functionality of behavioral analysis.

With the help of F.A.C.C.T. Fraud Protection, in particular, the following UEBA tasks can be solved:

• Create a global user profile;
• Using machine learning to analyze the relationships between users, devices and communication channels;
• Blocking bots that occupy the resources of financial and other companies;
• Identification of atypical user behavior, which may be associated with the influence of unauthorized attackers on users.

Manufacturer: R-Vision

Number in the Ministry of Digital Development register: No. 19431 dated 04.10.2023

R-Vision is developing tools to build SOC incident response centers. One of its products is R-Vision User and Entity Behavior Analytics (UEBA), which continuously monitors security events by analyzing data from sources, including system log management systems, SIEM and endpoint protection. R-Vision UEBA analytical tools allow you to timely identify signs of an attack, prioritize threats and analyze the entire sequence of abnormal events.

R-Vision UEBA aggregates information security events from various sources. Further, it conducts a comprehensive analysis of the collected events, studying the behavior of objects and their groups, forms profiles of normal behavior and records suspicious activity when it deviates. Detailed information about threats and incidents is saved as a timeline on which anomalies are noted. Subsequently, the generated warning is transmitted to the R-Vision SOAR system to respond to the incident and prevent the threat.

The product can be used for the following tasks:

• Detection of anomalies that are not obvious to classic SIEM detection rules;
• Analysis of illegitimate actions related to a specific object or user;
• Getting full context on an object when investigating an incident.