Zooming in on UEBA: answering the ‘what’ and the ‘how’

Sponsored by ManageEngine

What is UEBA?

User and entity behaviour analytics (UEBA) is a relatively new category of cybersecurity tools that utilise machine learning (ML) algorithms to detect abnormalities in the behaviour of the users and entities that belong to an enterprise network. UEBA monitors and continuously learns from the behaviour of various user accounts and devices in the network, and establishes a baseline behavioural profile for each using statistical and probability models. Following this, any action performed by a user or entity is compared with the baseline to determine if it’s normal or anomalous. Whenever an anomaly is identified, the risk score of the corresponding entity is increased, indicating to the network administrator that there’s a potential threat.

The premise on which UEBA operates is: “Identities can be forged, but not behaviour.” Before we dive deeper, let’s have a look at some UEBA terminologies.

UEBA observes and adapts

UEBA closely monitors the activities of each user and entity belonging to a network, and learns their mannerisms or operational patterns. Our UEBA solution works in association with security information and event management (SIEM) solutions by using activity logs to derive insights about the normal behaviour of the entities.

The following figure depicts a typical day at work for George Langdon, who works as a marketing intern at ABC Corp.

As we saw earlier, when there is a deviation from expected behaviour, the risk score of the entity will increase. Let's assume that George's system is still active past 4pm. While this could be an intruder who has gained illicit access to George's computer, the possibility of George himself working longer hours to complete his work cannot be ruled out. If the latter is the reason for the system being accessed at an unlikely hour, increasing the risk score serves as a false alarm.

To prevent situations like these, UEBA evolves seamlessly. It learns from the entities, and is capable of altering what is considered normal behaviour. In this case, UEBA will first increase George's risk score, but keep checking on his logs. As working for longer hours becomes his routine, UEBA recognises the pattern and brings down the risk score in turn.

Advanced analytics: the brain behind UEBA

The continuous evolution of UEBA is made possible with the help of ML, both supervised and unsupervised. In supervised ML, the system is provided with a set of desirable and undesirable behaviours. When UEBA detects any undesirable behaviour, it increases the risk score. Unsupervised ML for UEBA is the smarter version, which identifies typical and anomalous behaviours on its own. It employs two main statistical models – robust principal component analysis (RPCA) and Markov chains – to conclude if an action is normal.

RPCA is a variation of the widely used principal component analysis (PCA) technique. It's a statistical procedure that uses an orthogonal transformation to convert a set of observations of possibly correlated variables (data points) into linearly uncorrelated variables called principal components. The line of best fit is established for the set of principal components, and the data points that deviate from this line of best fit are termed to be anomalous.

RPCA finds the direction of "the line of best fit" for a set of data points

A Markov chain is a sequence of stochastic events where the probability of the next event in a chain is dependent only on the state of the current event. A list is created by determining the successive state of occurrences of events. Further, as each event unfolds, it's compared with the predicted sequence of events. If any event deviates from the probable list, it's considered an anomaly, and the risk score of the corresponding entity is increased.

A three-state Markov process, with the states labelled A, B and C

Log360 is an integrated SIEM and UEBA solution from ManageEngine. With Log360, organisations can protect themselves from both traditional and sophisticated attacks. The solution provides administrators with intuitive reports and alerts about what's happening in the network. Furthermore, it also allows organisations to automate responses for incident resolution.


By Ram Vaidyanathan, Product Marketing Manager, ManageEngine

To learn more about UEBA and ManageEngine Log360, visit manageengine.com/log-management/ueba/user-and-entity-behavior-analytics-software.html.

Images provided by ManageEngine.