7 Security Risks User and Entity Behavior Analytics Helps Detect
User and Entity Behavior Analytics (UEBA) technology is a relatively new entrant into the cyber-security tools arena that aims to provide capabilities that classic network security tools such as firewalls and intrusion prevention systems (IPS) cannot. With UEBA, rather than relying only on network traffic and anti-malware scanners for indicators of compromise, organizations gain insight into user behavior. UEBA systems can identify different types of anomalous user behavior and actions that may serve as indicators of threat and compromise. In this eWEEK slide show, using industry information from Ryan Stolte, co-founder and CTO of Bay Dynamics, eWEEK outlines seven things that UEBA technology can help to uncover.
Slow and Low Attacks
Attackers, outsiders and insiders alike, know that traditional security tools work on simple thresholds: do the same thing more than "X" number of times and a red flag goes up. So they keep their activity slow and low in volume to stay under the radar. An example would be leaking a small number of credit card numbers via email just once a day, never enough in any single day to trip a rule. UEBA can pick up this pattern over a longer window, identify it as recurring behavior, and queue it for investigation.
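The two rules below, as an added example that is not code from the eWEEK article or from Bay Dynamics, contrast the per-day threshold an attacker stays under with a rolling-window recurrence rule that counts how many distinct days a user trips DLP at all. The DLP records are constructed; the record layout (user, ISO day, number of card numbers found), the 30-day window and every cut-off value are assumptions.

```python
"""Slow-and-low: a per-day threshold versus a rolling-window recurrence rule.

Added example, not code from the eWEEK article or from Bay Dynamics. The DLP
records below are constructed; the record layout (user, ISO day, number of
card numbers found) and every cut-off value are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta


def make_events():
    """Constructed DLP hits: (user, day, card numbers found in one outbound email).

    'mallory' leaks one card number every day for 30 days (slow and low);
    'alice' leaks 40 in a single email; 'bob' trips once with 3."""
    start = date(2024, 1, 1)
    events = [("mallory", (start + timedelta(days=i)).isoformat(), 1) for i in range(30)]
    events.append(("alice", "2024-01-10", 40))
    events.append(("bob", "2024-01-05", 3))
    return events


def daily_threshold_alerts(events, threshold=10):
    """Classic rule: alert when one user leaks more than `threshold` numbers in one day.

    Returns the sorted users that trip it. 'mallory' never does: 1 < 10 every day."""
    per_day = defaultdict(int)
    for user, day, n in events:
        per_day[(user, day)] += n
    return sorted({user for (user, day), n in per_day.items() if n > threshold})


def recurrence_alerts(events, window_days=30, min_active_days=20, min_total=15):
    """UEBA-style rule: alert when a user has DLP hits on at least `min_active_days`
    distinct days inside some `window_days`-day window and those hits add up to at
    least `min_total` numbers. No single day has to exceed the daily threshold.

    Returns {user: {'window_start', 'active_days', 'total'}} for the first
    window that matches."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for user, day, n in events:
        per_user_day[user][date.fromisoformat(day)] += n

    flagged = {}
    for user, counts in per_user_day.items():
        active = sorted(counts)  # distinct days with at least one hit
        for i, start in enumerate(active):
            end = start + timedelta(days=window_days - 1)
            in_window = [d for d in active[i:] if d <= end]
            total = sum(counts[d] for d in in_window)
            if len(in_window) >= min_active_days and total >= min_total:
                flagged[user] = {
                    "window_start": start.isoformat(),
                    "active_days": len(in_window),
                    "total": total,
                }
                break  # one finding per user is enough for the analyst
    return flagged


if __name__ == "__main__":
    events = make_events()
    print("daily threshold:", daily_threshold_alerts(events))  # ['alice']
    print("recurrence:", recurrence_alerts(events))            # only 'mallory'
```

The two rules are complementary rather than alternatives: the threshold still catches the one-shot bulk leak, and the recurrence rule catches the drip. In a real deployment the cut-offs would come from the user's and peer group's own history rather than fixed constants, and the alert carries the window and counts so the analyst can see the pattern instead of a bare score.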
UEBA can help uncover a group of people who work closely together who suddenly change their behavior in the same way. For example, a team has decided to pull off a heist of customer records it intends to use for its own gain, but it knows security controls are watching. So each member takes a bit of what the team is trying to steal and emails it to their personal accounts. UEBA will not only find the abrupt change in the users’ behavior, but will also flag that it is a consistent change within the team, and highlight the entire group.
Hiding in the Noise
Every employee has a role and is required to perform certain actions tied to that role. For example, Joe is on a team responsible for printing mortgages. Tom, who works for the same company but is a retirement plan financial adviser, prints two mortgages during the span of two weeks. While printing mortgages is normal for Joe, his team and his company, it’s not a normal action for Tom or anyone on his team. UEBA can pick those people out of the crowd and enable security teams to investigate them without having to scrutinize the others.
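Both the coordinated team above and Tom's two mortgages come down to comparing a user against a peer group rather than against a global threshold. The code below is an added example, not code from the eWEEK article or from Bay Dynamics: one rule flags an individual whose weekly count is beyond anything the peer group's baseline weeks contain, and a second rule flags a whole team when most of its members exceed their own history in the same week. The teams, users, actions and weekly counts are constructed; the four-week baseline, the mean-plus-three-sigma rule and the 75% group rule are assumptions.

```python
"""Peer-group baselines: one person doing what no peer does, and a whole team
shifting together.

Added example, not code from the eWEEK article or from Bay Dynamics. The teams,
users, actions and weekly counts are constructed; the four-week baseline, the
mean-plus-three-sigma rule and the 75% group rule are assumptions.
"""
from statistics import mean, pstdev

# Constructed baseline: user -> (team, {action: weekly counts over 4 baseline weeks}).
# Joe's team prints mortgages all day; Tom's team never does. Nobody mails
# files to personal accounts, apart from one stray message from Raj.
HISTORY = {
    "joe":  ("mortgage_ops", {"print_mortgage": [38, 44, 41, 40], "mail_personal": [0, 0, 0, 0]}),
    "ann":  ("mortgage_ops", {"print_mortgage": [35, 39, 42, 37], "mail_personal": [0, 0, 0, 0]}),
    "tom":  ("retirement",   {"print_mortgage": [0, 0, 0, 0],     "mail_personal": [0, 0, 0, 0]}),
    "sue":  ("retirement",   {"print_mortgage": [0, 0, 0, 0],     "mail_personal": [0, 0, 0, 0]}),
    "raj":  ("retirement",   {"print_mortgage": [0, 0, 0, 0],     "mail_personal": [0, 1, 0, 0]}),
    "dana": ("claims",       {"print_mortgage": [0, 0, 0, 0],     "mail_personal": [0, 0, 0, 0]}),
    "eli":  ("claims",       {"print_mortgage": [0, 0, 0, 0],     "mail_personal": [0, 0, 0, 0]}),
    "finn": ("claims",       {"print_mortgage": [0, 0, 0, 0],     "mail_personal": [0, 0, 0, 0]}),
    "gail": ("claims",       {"print_mortgage": [0, 0, 0, 0],     "mail_personal": [0, 0, 0, 0]}),
}

# Constructed current week: Joe is busy but normal, Tom prints two mortgages,
# Raj sends one more stray message, and three of the four claims staff start
# mailing files home in the same week.
CURRENT = {
    "joe": {"print_mortgage": 45}, "ann": {"print_mortgage": 36},
    "tom": {"print_mortgage": 2},  "sue": {}, "raj": {"mail_personal": 1},
    "dana": {"mail_personal": 4},  "eli": {"mail_personal": 3},
    "finn": {"mail_personal": 5},  "gail": {},
}


def team_members(history, team):
    return [u for u, (t, _) in history.items() if t == team]


def peer_outliers(history=HISTORY, current=CURRENT):
    """Flag a user whose count this week is both beyond mean + 3 sigma of the
    peer group's baseline weeks and above anything any peer has ever done.
    The second condition keeps a single repeated stray event (Raj) from alerting.
    Returns sorted (user, action, count) tuples."""
    hits = []
    for user, actions in current.items():
        team, _ = history[user]
        for action, count in actions.items():
            peer_weeks = [n for u in team_members(history, team) for n in history[u][1][action]]
            mu, sigma = mean(peer_weeks), pstdev(peer_weeks)
            if count > mu + 3 * sigma and count > max(peer_weeks):
                hits.append((user, action, count))
    return sorted(hits)


def group_shift(history=HISTORY, current=CURRENT, min_size=3, min_fraction=0.75):
    """Flag a whole team when at least `min_fraction` of its members exceed their
    own historical maximum for the same action in the same week.
    Returns {(team, action): [shifted members]}."""
    findings = {}
    teams = {t for t, _ in history.values()}
    actions = {a for _, acts in history.values() for a in acts}
    for team in teams:
        members = team_members(history, team)
        if len(members) < min_size:
            continue
        for action in actions:
            shifted = sorted(u for u in members
                             if current.get(u, {}).get(action, 0) > max(history[u][1][action]))
            if len(shifted) / len(members) >= min_fraction:
                findings[(team, action)] = shifted
    return findings


if __name__ == "__main__":
    print(peer_outliers())   # dana, eli, finn (mail_personal) and tom (print_mortgage)
    print(group_shift())     # {('claims', 'mail_personal'): ['dana', 'eli', 'finn']}
```

Joe's 45 prints are never flagged even though they exceed his own previous high, because his peers' baseline makes that volume ordinary; Tom's 2 prints are flagged because his peer group's baseline is zero. The group rule fires only when most of a team moves together, which is what separates the coordinated heist from one person's bad week.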
Persistent Exfiltration Attempts
Very often if an attacker is blocked in his or her attempt to exfiltrate sensitive data, the attacker will try another method to get around the system. For example, Jane attempts to email a file with sensitive data to her personal account, but it’s blocked. She proceeds to upload the file to cloud storage on her personal site, but again she’s blocked. She then tries to put the file on a USB stick, but once more she’s blocked. She clicks “print” and—success! Or so she thinks. UEBA technology can piece all those actions together, and Jane receives a deskside visit from an investigator.
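Each of Jane's attempts is a separate event from a separate control, and none of them alone looks like much. The detector below is an added example, not code from the eWEEK article or from Bay Dynamics: it parses constructed DLP log lines, groups them per user inside a 24-hour window, and raises a finding when blocks span two or more channels, noting whether an allowed action on yet another channel followed. The log format, the field names, the window length and the channel count are assumptions.

```python
"""Persistent exfiltration: stitch blocked attempts across channels into one finding.

Added example, not code from the eWEEK article or from Bay Dynamics. The log
lines, their format, the 24-hour window and the two-channel cut-off are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DLP log. Jane is blocked on email, cloud and USB, then prints.
# Bob is blocked twice on the same channel two days apart. Carol is blocked once
# and later prints a file, which on its own is not a pattern.
LOG = """\
2024-03-04T09:12:01Z dlp user=jane channel=email action=block file=q1_customers.xlsx
2024-03-04T09:20:44Z dlp user=jane channel=cloud action=block file=q1_customers.xlsx
2024-03-04T10:02:13Z dlp user=jane channel=usb action=block file=q1_customers.xlsx
2024-03-04T10:15:30Z dlp user=jane channel=print action=allow file=q1_customers.xlsx
2024-03-04T11:00:00Z dlp user=bob channel=email action=block file=budget.xlsx
2024-03-06T11:00:00Z dlp user=bob channel=email action=block file=budget.xlsx
2024-03-05T08:30:00Z dlp user=carol channel=email action=block file=notes.docx
2024-03-05T08:45:00Z dlp user=carol channel=print action=allow file=notes.docx
"""

LINE = re.compile(
    r"^(?P<ts>\S+) dlp user=(?P<user>\S+) channel=(?P<channel>\S+) "
    r"action=(?P<action>\S+) file=(?P<file>\S+)$"
)


def parse(log):
    """Turn the constructed log into dicts with a datetime timestamp; skip junk lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def persistent_exfil(events, window=timedelta(hours=24), min_channels=2):
    """For each user, look at every window-sized run of events starting at each
    event. If the blocked events in that run span at least `min_channels`
    distinct channels, report the channels, the files involved, and the channel
    of any allowed action that came after the last block (the one that got through).
    Returns {user: {'blocked_channels', 'files', 'succeeded_via'}}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            chain = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            blocked = [e for e in chain if e["action"] == "block"]
            channels = sorted({e["channel"] for e in blocked})
            if len(channels) < min_channels:
                continue
            last_block = blocked[-1]["ts"]
            later_allow = next(
                (e for e in chain if e["action"] == "allow" and e["ts"] > last_block), None
            )
            findings[user] = {
                "blocked_channels": channels,
                "files": sorted({e["file"] for e in chain}),
                "succeeded_via": later_allow["channel"] if later_allow else None,
            }
            break  # first matching window per user is enough
    return findings


if __name__ == "__main__":
    for user, f in persistent_exfil(parse(LOG)).items():
        print(user, f)  # jane: blocked on cloud/email/usb, succeeded via print
```

The point of the correlation is the third field: a finding that says "blocked three times and then printed" tells the investigator where the data actually went, which three separate block alerts never would. Bob and Carol generate no finding because a repeat on one channel, or a single block, is not the escalation pattern.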
Some people just can't help jiggling and shaking door knobs as they walk down the hallway. Many are simply curious or like pushing limits, but these are also the people most likely to open the file they know they shouldn't open. They go to blocked websites and keep trying, assuming nobody is really looking. Such employees are an easy entry point for a phishing attack. UEBA can spot the "door jigglers" so the security team can warn them about the risky behavior before an attacker takes advantage of it.
Checking Out and Preparing to Exit
UEBA spots behavior changes consistent with those of employees who were preparing to leave the company, which lets security teams find them before they give notice. This matters because sensitive data can leave with a departing employee; catching the pre-departure pattern early means the data can be watched before it slips out the door.
Unlike door jigglers, these are true bad actors, scouring file systems and trying to log into whatever they can find as they look for golden nuggets. These people have big dreams and keep looking until they find that golden sensitive data—or until UEBA finds them.