• United States




User entity behavior analytics, next step in security visibilty

Oct 27, 20156 mins
IT LeadershipNetwork Security

Advanced analytics that focus on identity predicted to offer more visibility than logs.

behavioral analytics keyboard
Credit: Thinkstock

Using advanced analytics that provides context to behavioral analysis makes it easier to identify internal security threats and find individual offenders, said Gartner in a recent report on User Entity Behavior Analytics (UEBA).

As traditional defenses on the network become more and more obsolete, security professionals are scrambling to find the right tools to help them recognize potential threats before they happen all while suffering from data fatigue.

“Statistical analysis and machine learning can find anomalies in data that humans wouldn’t otherwise know about,” the Gartner report stated.

[ ALSO ON CSO: Behavioral analytics vs. the rogue insider ]

When end users have been compromised, malware can lay dormant and go undetected for months. Rather than trying to find where the outsider entered, UEBAs allow for quicker detection by using algorithms to detect insider threats.

Gartner projected that, “Over the next three years, leading UEBA platforms will become preferred systems for security operations and investigations at some of the organizations they serve.”

Behavior analytics have been around for a long time. Historically, they are used to identify threats and determine, “how people are trying to access your network from the outside,” said Ryan Stolte, CTO, Bay Dynamics.

User behavior analytic tools are different in that they shift the focus from sending alerts of potential threats from outside the network to identifying more concentrated and individualized insider threats based on user behavior.  

In the older model of user analytics, the collection of data has resulted in an overload of alerts that are nearly impossible to analyze.

“Rules are based on what a human knows about the data. When rules are not tuned properly, they generate too much noise and too many alerts that are not properly prioritized,” the Gartner report explained.

“In the security space there is a lot of investment lately to collect all of this data and send it into a centralized form, but we need to do more than throwing out alerts,” Stolte said.

Combining behavior analysis with machine learning enhances the ability to determine which particular users are behaving oddly. The success, according the Gartner report, is largely because it is “Much easier to discover some security events and analyze individual offenders than it is in many legacy security monitoring systems.”

These days, attackers are getting past traditional protections by compromising legitimate users, Stolte explained.

“The way the bad guys are getting in is that they look like the good guys. Somebody has stolen my keys, but even if someone can pretend to be me, they don’t know how to walk in my shoes.”

Criminals have found ways to stay one step ahead of the security teams using signature-based behavior analysis by changing their behaviors once a signature has been identified. Does this mean attackers will be able to find a work-around for the latest improvements in the behavior analysis space?

People that are trying to get away with something are going to fly below the radar, said Stolte. “Just writing a rule to detect certain activities should catch it, but the problem is that people know where those lines are.”

Behavior analysis takes security beyond rule writing by looking at activities and behaviors so that even if someone is able to compromise a user’s identity, they still have to be able to act like the user, which is when the alarms start to go off.  

Saryu Nayyar, CEO at Gurucul

“We need to use these analytics capabilities as an indicator to see the change in behavior not just did they cross a certain line or not,” Stolte said.

Saryu Nayyar, CEO at Gurucul, said that there is a difference between a user and an identity. UEBAs can determine, “This user is risky” Nayyar said, “But what matters more is, who is the identity, what is the access, and what is the activity being done?”

Once a user is compromised, the criminal then has to be able to behave in accordance with the normal daily activities of that identity.  Failure to do so will trigger anomalies in the system.  

“Our role through UEBA is to model all good behaviors to surface unknown bad behavior. When we are called in, we look for the unknown unknown,” she continued.

The unknown unknown differs from enterprise to enterprise, which is what makes the element of human interpretation and interaction with UEBAs so critical. The rules and models are contingent upon the risks and threats of each organization, which demands that they remain private and confidential.

Tomer Schwartz, director of security research, Adallom Labs, said the security team performs proactive research and builds intelligence back into the UEBA solution, thereby making the security tool a living, breathing, and evolving system that relies on the human element.

One of the benefits to a security team bringing a human interpretation to the solution, said Schwartz, is that there is, “A cycle of constantly improving and tuning the algorithms used for the UEBA engine, based on research and the results of their performance.”

When the problem is insider threats, which means the enterprise is looking at an employee who has all the credentials and technology to access everything, UEBAs can be useful in determining what activities are legitimate versus potential threats.

Having the flexibility to change specific data sources or provide more information, allows enterprises to “tune the likelihood of a particular event to correlate with a suspicious activity, to develop completely new algorithms to solve specific use cases,” said Schwartz.

The result is a security system that will hopefully provide the right signal to noise ratio which addresses both the problem of big data and identifying internal threats, but will that ratio come at the cost of employee privacy concerns?

[ ALSO ON CSO: A secure employee departure checklist  ]

“It is absolutely a conversation that everybody should have. The reason we are doing behavior analytics is on behalf of the person. On behalf of everyone, we are watching you and then telling you when you are not acting like yourself,” Stolte said.

In many ways UEBAs work like a credit monitoring service in that no one is sitting and watching each purchase an individual makes. However, when an oddity shows up that doesn’t seem in line with a user’s normal activities, it sets off an alert.

The success of these capabilities relies on the collection of a lot of information. Right now, the companies that can afford the innovation teams and have the financial structures to adopt UEBAs are seeing the benefits, said Nayyar.  

Gartner predicted, “By 2017, at least 20 percent of major security vendors with a focus on user controls or user monitoring will incorporate advanced analytics and UEBA into their products, either through acquisitions, partnerships or internal development.”

Over the next few years, enterprises of all sizes and across all industries should expect to see these service packages expand and evolve into more affordable and available products.   


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author