At the end of the 2000s the term “big data” appeared in IT, denoting a set of approaches, tools and methods for processing large volumes of structured and unstructured data and turning them into results a human can interpret.
Naturally, these approaches could not fail to spread to information security products. Since about 2012 the phrase “big data security analytics” has been widespread in the information security (IS) field, and more and more vendors have started building analytical data processing into their products. In parallel, machine learning algorithms came into active use.
The result was a significant expansion of product functionality, and SIEM vendors even announced the birth of a new generation of their solutions. It is hard to argue with that: analytics for threat detection and risk assessment really did reach a completely different level.
What is UBA
In this article we look at a class of solutions that is already well known in the West but so far little used in Russia: User Behavior Analytics (UBA). Analysis of user behavior is a good example of “big data security analytics” in practice.
Solutions of this class analyze all actions attributable to specific users: the data users process, the devices they use, the processes and applications they run, their network interactions, and so on. UBA builds a model in which log entries, authentication requests, data access, workstation activity and network activity are all tied to specific users.
A good example of how the model is populated is the integration of UBA with a DHCP server. Some systems, such as proxy servers without authentication, can identify a user only by IP address. Knowing which IP address was leased to which user's device at what time, you can reconstruct in more detail the steps a user took when accessing a given resource.
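The DHCP join described above, as an added example that is not part of the original article or of any UBA product: it turns DHCP lease events into time intervals and uses them to attribute lines of an unauthenticated proxy log to users. The log formats, the lease duration and the host-to-owner inventory (HOST_OWNER) are all assumptions for the sake of the example, and the log lines are constructed. The important edge cases are that an IP reassigned to another device ends the previous lease early, and that an address no lease covers is left unattributed rather than guessed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample logs (not taken from any real system).
# DHCP lease events, assumed format: "<timestamp> <ip> <mac> <hostname>"
DHCP_LOG = """\
2023-03-01T08:00:00 10.0.0.5 aa:bb:cc:00:00:01 LAPTOP-IVANOV
2023-03-01T08:05:00 10.0.0.6 aa:bb:cc:00:00:02 LAPTOP-PETROV
2023-03-01T12:00:00 10.0.0.5 aa:bb:cc:00:00:03 LAPTOP-SIDOROV
"""
# Proxy log without authentication, assumed format: "<timestamp> <client_ip> <url>"
PROXY_LOG = """\
2023-03-01T09:30:00 10.0.0.5 https://example.com/reports
2023-03-01T11:59:59 10.0.0.5 https://example.com/payroll
2023-03-01T12:30:00 10.0.0.5 https://example.com/payroll
2023-03-01T13:00:00 10.0.0.7 https://example.com/unknown
2023-03-01T17:00:00 10.0.0.6 https://example.com/late
"""
# Assumed asset inventory: which employee owns which device.
HOST_OWNER = {"LAPTOP-IVANOV": "ivanov", "LAPTOP-PETROV": "petrov", "LAPTOP-SIDOROV": "sidorov"}
LEASE_TIME = timedelta(hours=8)  # assumed DHCP lease duration


@dataclass
class Lease:
    start: datetime
    end: datetime  # exclusive
    ip: str
    host: str


def parse_leases(text: str, lease_time: timedelta = LEASE_TIME) -> list[Lease]:
    """Turn lease events into intervals. A lease ends when it expires or when
    the same IP is handed to another device, whichever comes first."""
    events = sorted((datetime.fromisoformat(ts), ip, host)
                    for ts, ip, _mac, host in (line.split() for line in text.splitlines()))
    leases = []
    for i, (start, ip, host) in enumerate(events):
        end = start + lease_time
        for later_start, later_ip, _ in events[i + 1:]:
            if later_ip == ip:          # IP reassigned: the old lease stops here
                end = min(end, later_start)
                break
        leases.append(Lease(start, end, ip, host))
    return leases


def user_for(leases: list[Lease], ip: str, ts: datetime) -> Optional[str]:
    """Who held this IP at this moment? None if no lease covers it (a static
    address, an expired lease or a gap in the DHCP log); never guess."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return HOST_OWNER.get(lease.host)
    return None


def attribute_proxy_log(text: str, leases: list[Lease]) -> list[tuple[str, str, str, Optional[str]]]:
    """Each proxy line becomes (timestamp, ip, url, user-or-None)."""
    rows = []
    for line in text.splitlines():
        ts, ip, url = line.split()
        rows.append((ts, ip, url, user_for(leases, ip, datetime.fromisoformat(ts))))
    return rows


if __name__ == "__main__":
    for row in attribute_proxy_log(PROXY_LOG, parse_leases(DHCP_LOG)):
        print(row)
```

In the sample, the 11:59:59 request on 10.0.0.5 is still ivanov's, the 12:30 one is sidorov's because the address was reissued at 12:00, and the 17:00 request from 10.0.0.6 stays unattributed because petrov's 8-hour lease has expired. In a real deployment the inventory would come from the endpoint agent or CMDB, and any line that ends up with None should itself be a data-quality signal rather than silently dropped.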
The output of a UBA solution is a “trust level” (in effect a risk score) assigned to each user of the information system, shown for clarity as a color scale or a percentage. By tracking changes in these levels, the IS administrator can respond in time to the anomalies UBA detects and take prompt measures to protect information assets.
A potential customer will probably say: “Why do we need UBA? We already track user behavior with our SIEM. We have even integrated it with our IdM system.”
It is important to understand that the classic scheme of “collect logs, write a correlation rule, set up dashboards” no longer works well for monitoring user behavior. Yes, you can write your own correlation rules, but first you have to develop and then maintain them, and second you have to know in advance where to look and what to look for. UBA goes a step further and detects suspicious user behavior that falls outside the SIEM's field of view. Roughly speaking, UBA helps you find “something, though I don't know what yet”.
UBA usage scenarios
To understand what UBA is for and how it works, it is best to look at its use cases. The scenarios will be simple, but all the more understandable for that.
Compromised accounts
Timely detection of compromised accounts is one of the most important tasks of information security. As long as an authenticated user is working with corporate resources, standard tools offer almost no way of telling whether the user really is who they claim to be. Machine learning and advanced analytics let UBA build a profile for each account, compare it against a baseline, and then detect anomalies in the user's actions. The idea is that an attacker will most likely not behave exactly like the user whose account was stolen, and the deviation from “typical” behavior is the indicator UBA looks for.
Setting up any information system involves so-called service accounts, for example for a backup job or a mechanism that updates system components over the Internet. Quite often these accounts have overly broad, redundant rights that were configured during implementation and then safely forgotten, and their activity is almost never monitored. Compromise of a service account can therefore lead to serious problems. UBA lets you flag such accounts separately and apply stricter monitoring and detection of suspicious activity to them.
Abuse of rights
Detecting abuse of privileged accounts is also a UBA task. Here its functionality partly overlaps with another class of solutions, Privileged User Monitoring (PUM). But whereas PUM records all sessions and serves as a tool for subsequent analysis of the actions of users with elevated rights, UBA is designed to detect and warn early about deviations in the behavior of such users. That is not an easy task, given that administrators are usually allowed to do everything, but it still has to be solved somehow. For example, if instead of the daily management of Active Directory objects a domain administrator starts connecting to employees' computers and copying files from them, that is suspicious, and UBA's extended analytics will reveal such an anomaly.
Excessive curiosity
Sooner or later, every organization has insiders searching the corporate system for confidential or otherwise valuable information. It may also be an intruder who has illegitimately obtained authorized access to the network and is scanning resources in the hope of finding information that can be sold or otherwise used for their own benefit. UBA's analytics let you set a baseline of normal behavior for each user; if at some point an employee starts actively going through the contents of network drives, that is at least a reason to take a look. When UBA is integrated with the physical access control system, it may even flag an employee visiting premises they have never needed to enter before.
Leak Detection
Another UBA task is identifying attempts to leak data. Strictly speaking, there is a separate class of solutions for this on the IS market, but as data transfer methods grow more complex and sophisticated, it becomes harder for DLP solutions to control every potential leak channel. The problem can partly be addressed by monitoring the bandwidth each user consumes, but that is not enough. Here again a baseline of data usage comes into play and anomalies in user behavior are detected. The criterion can be, for example, a sharp increase in the number of messages with large attachments sent to external mail addresses.
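The volumetric criterion just described, as an added example that is not part of the original article or of any DLP or UBA product: it counts, per sender and per day, outbound messages with a large attachment to external domains, and compares the latest day against that sender's own earlier days with a z-score. The mail log format, the internal domain, the attachment threshold and the z-score cut-off are assumptions, and the log lines are constructed. The same per-user daily counter works for the network-drive browsing case above (count of files opened on file shares) with only the aggregation line changed. Two edge cases are handled deliberately: a flat baseline (standard deviation zero, typically all zeros) where a z-score is undefined, and a user with too few days of history to judge.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound mail log, assumed format:
# "<date> <sender> <recipient_domain> <attachment_bytes>"
MAIL_LOG = """\
2023-03-01 petrov partner.example 6000000
2023-03-01 petrov corp.example 9000000
2023-03-02 petrov partner.example 100000
2023-03-03 petrov partner.example 7000000
2023-03-03 petrov webmail.example 8000000
2023-03-04 petrov partner.example 5500000
2023-03-05 petrov partner.example 6100000
2023-03-05 ivanov corp.example 7000000
2023-03-06 petrov webmail.example 9000000
2023-03-06 petrov webmail.example 9100000
2023-03-06 petrov webmail.example 9200000
2023-03-06 petrov webmail.example 9300000
2023-03-06 petrov webmail.example 9400000
2023-03-06 petrov webmail.example 9500000
2023-03-06 ivanov webmail.example 6000000
"""
INTERNAL_DOMAIN = "corp.example"   # assumed: mail staying inside the company is not a leak channel
LARGE_ATTACHMENT = 5_000_000       # assumed threshold in bytes
Z_THRESHOLD = 3.0                  # assumed: standard deviations above the baseline mean
MIN_JUMP = 3                       # assumed fallback when the baseline has no variance
MIN_DAYS = 3                       # assumed: fewer baseline days than this means "cannot judge"


def daily_counts(log: str):
    """Per sender, per day: messages with a large attachment sent outside the company.
    Days on which a sender sent nothing are kept as zeros so they shape the baseline."""
    days = set()
    counts = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        day, sender, domain, size = line.split()
        days.add(day)
        counts[sender]  # register the sender even if this message does not count
        if domain != INTERNAL_DOMAIN and int(size) >= LARGE_ATTACHMENT:
            counts[sender][day] += 1
    days = sorted(days)
    return days, {u: [c[d] for d in days] for u, c in counts.items()}


def score_user(series: list[int]):
    """Compare the last day against all earlier days. Returns (count, z, flagged).
    z is None when the baseline is too short or has no variance; in the latter case
    an absolute jump over the mean decides, so one message after weeks of silence
    does not raise an alert."""
    history, today = series[:-1], series[-1]
    if len(history) < MIN_DAYS:
        return today, None, False
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        return today, None, today - mu >= MIN_JUMP
    z = (today - mu) / sigma
    return today, z, z >= Z_THRESHOLD


def find_exfil_anomalies(log: str) -> dict:
    """Senders whose latest day deviates from their own baseline."""
    days, per_user = daily_counts(log)
    findings = {}
    for user, series in per_user.items():
        count, z, flagged = score_user(series)
        if flagged:
            findings[user] = {"day": days[-1], "count": count, "z": z}
    return findings


if __name__ == "__main__":
    print(find_exfil_anomalies(MAIL_LOG))
```

In the sample, petrov's baseline is 1, 0, 2, 1, 1 large external attachments per day and the sixth day has 6, roughly eight standard deviations above his mean, so he is flagged; ivanov sends one such message after five silent days, which a z-score cannot evaluate and the absolute fallback does not flag. Comparing each user to their own history is what distinguishes this from a fixed DLP quota: a sales manager who always sends large proposals is not flagged for doing so again.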
Wrong time, wrong place
A fairly common UBA use case is detecting suspicious connection times and user geolocation. For example, an organization allows all users round-the-clock remote connections to the head office from branch sites, from home, from hotels and from customer premises. Everyone is allowed, but not everyone needs it. So when the chief accountant suddenly connects to her work computer at night (for whatever reason), UBA can immediately flag it as a probable account compromise.
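The per-account baseline used in both the compromised-account scenario and the connection time and location scenario, as an added example that is not part of the original article or of any UBA product: it builds a profile (login-hour histogram, known source hosts, known countries) from a history of authentication events, then scores new events and lists the reasons each one deviates. The log format, the one-hour tolerance around observed login hours and the MIN_HISTORY cut-off are assumptions, and the log lines are constructed. An account with too little history is reported as such rather than scored, because a baseline built from two logins would flag everything or nothing.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed authentication history, assumed format:
# "<timestamp> <account> <source_host> <country>"
HISTORY = """\
2023-02-20T08:10:00 accountant LAPTOP-ACC RU
2023-02-21T09:02:00 accountant LAPTOP-ACC RU
2023-02-22T09:15:00 accountant LAPTOP-ACC RU
2023-02-23T10:01:00 accountant LAPTOP-ACC RU
2023-02-24T08:45:00 accountant LAPTOP-ACC RU
2023-02-27T17:30:00 accountant LAPTOP-ACC RU
2023-02-28T18:05:00 accountant LAPTOP-ACC RU
2023-02-20T09:00:00 admin ADMIN-PC RU
2023-02-21T10:30:00 admin ADMIN-PC RU
2023-02-22T14:00:00 admin ADMIN-PC RU
2023-02-23T22:10:00 admin ADMIN-PC RU
2023-02-24T23:40:00 admin ADMIN-PC RU
2023-02-27T11:00:00 newhire LAPTOP-NEW RU
2023-02-28T11:05:00 newhire LAPTOP-NEW RU
"""
# Constructed new events to score against the baseline.
NEW_EVENTS = """\
2023-03-01T02:15:00 accountant LAPTOP-ACC RU
2023-03-01T09:00:00 accountant LAPTOP-ACC RU
2023-03-01T23:30:00 admin ADMIN-PC RU
2023-03-02T10:00:00 accountant LAPTOP-ACC DE
2023-03-02T10:00:00 newhire LAPTOP-NEW RU
"""
MIN_HISTORY = 5  # assumed: fewer events than this and the profile is not trusted


def parse(text: str):
    for line in text.splitlines():
        ts, account, host, country = line.split()
        yield datetime.fromisoformat(ts), account, host, country


def build_profiles(history: str) -> dict:
    """Per-account baseline: login-hour histogram, known source hosts and countries."""
    profiles = defaultdict(lambda: {"hours": Counter(), "hosts": set(), "countries": set(), "n": 0})
    for ts, account, host, country in parse(history):
        p = profiles[account]
        p["hours"][ts.hour] += 1
        p["hosts"].add(host)
        p["countries"].add(country)
        p["n"] += 1
    return profiles


def score_event(profiles: dict, ts: datetime, account: str, host: str, country: str) -> list[str]:
    """Reasons an event deviates from the account's baseline (empty list = normal)."""
    p = profiles.get(account)
    if p is None or p["n"] < MIN_HISTORY:
        return ["insufficient baseline"]
    reasons = []
    seen_hours = set(p["hours"])
    # An hour is anomalous only if the account never logged in within one hour of it,
    # so the admin's 23:40 logins make a 23:30 login unremarkable.
    if not any((ts.hour + d) % 24 in seen_hours for d in (-1, 0, 1)):
        reasons.append(f"login hour {ts.hour:02d} outside observed hours")
    if country not in p["countries"]:
        reasons.append(f"new country {country}")
    if host not in p["hosts"]:
        reasons.append(f"new source host {host}")
    return reasons


def detect(history: str, new_events: str) -> dict[tuple[str, str], list[str]]:
    """Map (timestamp, account) -> reasons, for events that are not clearly normal."""
    profiles = build_profiles(history)
    findings = {}
    for ts, account, host, country in parse(new_events):
        reasons = score_event(profiles, ts, account, host, country)
        if reasons:
            findings[(ts.isoformat(), account)] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in detect(HISTORY, NEW_EVENTS).items():
        print(key, reasons)
```

The point of the sample is that the same 02:15 login is an anomaly for the accountant, whose profile only contains office hours, while a 23:30 login by the administrator is not, because late-evening logins are part of that account's baseline. A real system would also weight the reasons into a score (a new country carries more than a new hour), decay old history, and treat the service accounts flagged in the previous section with a lower tolerance.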
One account for three
Another important task UBA is meant to handle is discovering “shared” credentials. A simple example: an employee gives colleagues the login and password for an information system. The risk of a security breach multiplies if the account is privileged. The most obvious problem is the loss of accountability: it becomes impossible to determine unambiguously who actually used the account. Using data from the SIEM as well as authentication and access control systems, UBA can reveal that the same credentials are being used by more than one employee at the same time.
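The concurrent-use check described above, as an added example that is not part of the original article or of any UBA product: it reconstructs sessions from login/logout events and reports accounts that have overlapping sessions from two different source addresses. The log format is an assumption and the log lines are constructed. Sessions that never saw a logout are treated as still open, and a second login from the same source without a logout closes the first, because both situations are routine in real VPN and Windows logs and dropping them would hide exactly the sessions an analyst cares about.

```python
from datetime import datetime
from itertools import combinations

# Constructed VPN / authentication log, assumed format:
# "<timestamp> <login|logout> <account> <source_ip>"
AUTH_LOG = """\
2023-03-01T08:00:00 login svc_backup 10.0.0.5
2023-03-01T08:10:00 login svc_backup 10.0.0.9
2023-03-01T09:00:00 logout svc_backup 10.0.0.5
2023-03-01T09:30:00 login ivanov 10.0.0.6
2023-03-01T10:00:00 logout ivanov 10.0.0.6
2023-03-01T10:05:00 login ivanov 10.0.0.7
2023-03-01T10:30:00 login ivanov 10.0.0.7
"""


def build_sessions(log: str) -> list[tuple]:
    """Pair each login with the next logout of the same account from the same source.
    Returns (account, ip, start, end); end is None for a session still open."""
    open_sessions = {}  # (account, ip) -> start
    sessions = []
    for line in log.splitlines():
        ts, event, account, ip = line.split()
        t = datetime.fromisoformat(ts)
        key = (account, ip)
        if event == "login":
            if key in open_sessions:  # re-login without logout: close the old one here
                sessions.append((account, ip, open_sessions[key], t))
            open_sessions[key] = t
        elif event == "logout" and key in open_sessions:
            sessions.append((account, ip, open_sessions.pop(key), t))
    for (account, ip), start in open_sessions.items():
        sessions.append((account, ip, start, None))
    return sessions


def overlaps(a: tuple, b: tuple) -> bool:
    """Half-open intervals [start, end) overlap; an end of None means 'still open'."""
    a_end = a[3] or datetime.max
    b_end = b[3] or datetime.max
    return a[2] < b_end and b[2] < a_end


def shared_accounts(log: str) -> list[tuple[str, str, str, str]]:
    """Accounts used concurrently from two different sources.
    Returns (account, ip_a, ip_b, ISO time at which the overlap began)."""
    by_account = {}
    for s in build_sessions(log):
        by_account.setdefault(s[0], []).append(s)
    findings = []
    for account, sessions in by_account.items():
        for a, b in combinations(sessions, 2):
            if a[1] != b[1] and overlaps(a, b):
                findings.append((account, a[1], b[1], max(a[2], b[2]).isoformat()))
    return findings


if __name__ == "__main__":
    for finding in shared_accounts(AUTH_LOG):
        print(finding)
```

In the sample, svc_backup is logged in from 10.0.0.5 and 10.0.0.9 at the same time and is reported; ivanov moves from one host to the next without overlap and is not. Two caveats a practitioner would add before alerting on this: users behind the same NAT share a source address, so the check needs the device identity from the SIEM or access control system rather than just the IP, and one person with a laptop and a desktop will legitimately trip it, which is why the finding is an input to the trust level rather than an automatic lockout.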
Error configuring access
As is well known, no system is immune to human error. For example, when access rules are configured, an HR employee is mistakenly given the ability to view or even edit confidential program source code. When users access resources, UBA reveals such anomalies (“such access cannot exist, because it can never exist”).
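The peer-group comparison behind both the “excessive curiosity” scenario and the access configuration error above, as an added example that is not part of the original article or of any UBA product: for each access event it asks what share of the user's department peers have ever used the resource, and flags the access when that share is near zero while the resource is well established in other departments. The log format, the PEER_SHARE_THRESHOLD and MIN_OTHER_USERS values are assumptions, and the history lines are constructed. Comparing against peers rather than against the user alone is what lets this catch a first-day access by a new employee as normal and an HR employee's first access to the source repository as not.

```python
from collections import defaultdict

# Constructed resource-access history, assumed format: "<user> <department> <resource>"
ACCESS_HISTORY = """\
dev1 dev git:src/app
dev2 dev git:src/app
dev3 dev git:src/app
hr1 hr fs:hr/salaries
hr2 hr fs:hr/salaries
hr1 hr fs:hr/policies
dev1 dev fs:public/templates
hr2 hr fs:public/templates
"""
# Constructed new access events to evaluate.
NEW_ACCESS = """\
hr1 hr git:src/app
hr2 hr fs:hr/salaries
dev3 dev fs:public/templates
dev4 dev git:src/app
"""
PEER_SHARE_THRESHOLD = 0.1  # assumed: below this share of peers, the access is atypical
MIN_OTHER_USERS = 2         # assumed: the resource must be in real use elsewhere to judge


def build_index(history: str):
    """dept -> users, and resource -> users who have ever accessed it."""
    members = defaultdict(set)
    accessed = defaultdict(set)
    for line in history.splitlines():
        user, dept, resource = line.split()
        members[dept].add(user)
        accessed[resource].add(user)
    return members, accessed


def peer_share(members, accessed, user: str, dept: str, resource: str):
    """Fraction of the user's department peers (excluding the user) who have
    accessed the resource, and the number of peers. (None, 0) if no peers."""
    peers = members[dept] - {user}
    if not peers:
        return None, 0
    return len(peers & accessed[resource]) / len(peers), len(peers)


def atypical_accesses(history: str, events: str) -> list[dict]:
    members, accessed = build_index(history)
    findings = []
    for line in events.splitlines():
        user, dept, resource = line.split()
        share, n_peers = peer_share(members, accessed, user, dept, resource)
        others = accessed[resource] - members[dept]  # users outside the dept who use it
        if n_peers and share < PEER_SHARE_THRESHOLD and len(others) >= MIN_OTHER_USERS:
            findings.append({"user": user, "resource": resource,
                             "peer_share": share, "used_by_other_depts": len(others)})
    return findings


if __name__ == "__main__":
    for finding in atypical_accesses(ACCESS_HISTORY, NEW_ACCESS):
        print(finding)
```

In the sample, hr1 opening the source repository is flagged (no HR peer has ever used it, three developers have), while dev4, a newcomer with no history of their own, reading the same repository is not, because all of their peers do. For the “excessive curiosity” case the same index is built over file-share paths and the event stream is the user's browsing of network drives; the department grouping would come from the organizational structure that the UEBA section below says is part of the model.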
Leaving staff
For many organizations, departing employees are a real headache. Rarely does an organization have a mechanism that places an employee “under control” immediately after they hand in their resignation. UBA can “mark” such employees and then monitor their use of corporate resources more strictly, detecting behavioral anomalies that may signal data leakage, sabotage and other trouble.
UBA evolution
Recently another abbreviation has begun to appear on the IS market: UEBA, User and Entity Behavior Analytics. By and large, this is a new name for UBA.
The new word, “Entity” (in Gartner's usage, hosts, applications, service accounts and other non-human actors), finally cemented the recognition that tracking a user's own activity is not enough for a full analysis of their behavior. Knowledge about the company as a whole, its organizational structure, its configured access groups and so on brings a lot of extremely useful information. In addition, renaming the class from UBA to UEBA simultaneously excluded products intended for detecting financial fraud from its scope.
Gartner's relatively recent “Market Guide for User and Entity Behavior Analytics”, released in September 2015, lists about two dozen companies trying, with varying success, to occupy the UEBA market. With the exception of three or four, these companies are virtually unknown on the Russian market. More active penetration of UEBA into our market is most likely a matter of time: the technology is promising, and there will be customers for it.