Base system (platform): | HPE ArcSight ESM (Security Information and Event Management, SIEM) |
Developers: | Hewlett-Packard (HP) |
System premiere date: | 2015/04/21 |
Last release date: | 2015/12/12 |
Technology: | Cybersecurity - Authentication, Cybersecurity - Information loss prevention, Cybersecurity - Fraud detection system, Cybersecurity - Security information and event management (SIEM) |
HP User Behavior Analytics (HP UBA, also HPE UBA) is a corporate security system and an add-on module for HP ArcSight. The solution automatically detects information security (IS) incidents by profiling the normal behavioural characteristics of user activity.
HP UBA helps solve three types of problems:
- analysis of any user activity events:
  - access to databases,
  - access to file directories,
  - work with removable media,
  - transactions in corporate information systems (billing, payments, document flow, work with personal data), etc.
- use of ready-made mathematical models to profile activity on the basis of the received events:
  - grouping of similar events (peer group analysis),
  - identification of anomalies (anomaly detection),
  - determination of a regular work profile (baseline profiling),
  - determination of how frequently events occur (event rarity).
- application of the results of the mathematical models to information security problems:
  - identification of insiders,
  - control of privileged users,
  - unusual activity in corporate systems,
  - "dormant accounts",
  - "access to cards of VIP clients",
  - other.
User Behavior Analytics complements security events with an expanded context:
- information on the user,
- working environment of the user,
- organizational and other attributes.
Even if an event contains only an IP address, this context makes it possible to identify the full name of the user responsible for the activity.
The system makes it possible to create a universal user card in which all of the user's attributes are kept up to date:
- hiring and dismissal dates,
- position,
- division,
- region and so forth.
All of the user's accounts in information systems can also be recorded.
With this information, a number of security incidents can be detected. For example, the system will detect considerable differences between a given user's activity and the calculated activity profile of other staff in the same division, region or position.
An alert is raised if the number of transactions carried out on a specific product exceeds the normal values observed for the calculated periods of time (hour of the day, day of the week, week, day of the month, month, days off). Activity involving SAP administrative transactions that has not previously been observed on a specific workstation also becomes visible.
Profiling is performed by the system automatically once the initial parameters for the analysis have been set. Because the mathematical models are universal, and because collecting events through HP ArcSight connectors brings this information into a uniform format, a balance between simplicity and functionality is maintained. Part of this analytics can be performed with a SIEM system alone, but HPE User Behavior Analytics does it faster, more simply, and using some functions built into the solution.
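The peer-group comparison and the "not previously observed" check described above, sketched as an added example (it is not HP UBA's own models or code). The event fields, the median/MAD score and the 3.5 threshold are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed events for one period: (user, division, workstation, transaction, count)
EVENTS = [
    ("alice", "billing", "ws-01", "payment", 12),
    ("bob",   "billing", "ws-02", "payment", 15),
    ("carol", "billing", "ws-03", "payment", 11),
    ("dave",  "billing", "ws-04", "payment", 14),
    ("erin",  "billing", "ws-05", "payment", 96),
    ("bob",   "billing", "ws-02", "sap_admin", 1),
]
# Constructed history: (workstation, transaction) pairs seen in earlier periods.
SEEN = {(f"ws-0{i}", "payment") for i in range(1, 6)}

def peer_outliers(events, threshold=3.5, min_peers=4):
    """Flag users whose count is far above their peer group's median."""
    groups = defaultdict(list)
    for user, division, _ws, txn, count in events:
        groups[(division, txn)].append((user, count))
    flagged = []
    for (_division, txn), members in groups.items():
        if len(members) < min_peers:
            continue  # too few peers for a meaningful baseline
        counts = [c for _, c in members]
        med = median(counts)
        mad = median(abs(c - med) for c in counts)
        if mad == 0:
            continue  # MAD of 0 gives no scale to score against; skipped in this sketch
        for user, count in members:
            score = 0.6745 * (count - med) / mad  # robust z-score (assumed model)
            if score > threshold:  # only activity above the norm is flagged
                flagged.append((user, txn, count))
    return flagged

def rare_events(events, seen):
    """Return activity never observed before on that workstation."""
    return [(u, ws, txn) for u, _d, ws, txn, _c in events if (ws, txn) not in seen]

if __name__ == "__main__":
    print(peer_outliers(EVENTS))
    print(rare_events(EVENTS, SEEN))
```

The median and MAD are used instead of mean and standard deviation so that the outlier being looked for does not inflate the baseline it is compared against.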
2016: User Behavior Analytics version 1.1
On January 28, 2016, Hewlett-Packard announced the release of version 1.1 of its user behavior analytics product[1].
The company released a premium version of the product that includes preconfigured behavioural analysis profiles and draws on generalized experience of using the system. This makes it possible to combat information security incidents more effectively.