Skip navigation
Product & Engineering

Threat Detection: What is User and Entity Behavior Analytics (UEBA)?

Threat detection is one of the most difficult problems in security. Enterprise companies with dedicated InfoSec teams and security operations centers (SOCs) dig through an average of 2.7 billion events each month to detect an average of just 23 true positive threats, ranging from compromised accounts to insider threats, according to Skyhigh Networks’ Cloud Computing Trends 2017 report. From monitoring to alerting to investigation, it takes all of their resourcing to detect and lock down those threats.

Yet despite that resourcing and effort, we know attackers still manage to get through as evidenced by the proliferation of high profile hacks across all industries. The security industry has attributed this to a rise in “advanced persistent threats” (APTs), a term which describes a strategic attacker using sophisticated evasion and intrusion techniques, like social engineering, to avoid tripping alerts.

What can your organization do within your resource constraints to detect these seemingly invisible threats?

As a trusted security advisor to over 10,000 customers across 100 countries in industries ranging from healthcare and technology to financial services and government, we at Duo have a unique vantage point from which we watch the field of threat detection evolve. The most security forward organizations we work with have adopted a new detection paradigm to hunt down these APTs: user and entity behavior analytics (UEBA).

For context, the standard for threat detection today is rule-based, deterministic detection. Let’s say you are particularly sensitive to what time of day your users are accessing a critical asset like your contract management system, so you communicate a policy to your users that no one is to access the system after business hours. To detect any attacks on this critical asset, you set up an alert rule that informs you of any access attempts after 5 p.m. Your rule in some way expresses this if/then statement: if a user accesses the contract management system after business hours, then alert me. The result looks like this:

UEBA chart 1

You may add some more alert rules that trigger in the case that the user exceeds some threshold of failed authentication attempts within 60 seconds, attempts to access the asset from an unmanaged device, or originates from a blacklisted IP. This is a good start. But unless the scope of your environment is so narrow that you already know all possible situations you will encounter, this alert setup is unfortunately far from sufficient.

Let’s now say you have multiple salespeople, and one of them is frequently working late or traveling and wants to record new sales contracts. And you also have multiple offices, which your salespeople frequently travel between. What timezone do you map your organization’s business hours to? How do you adapt access policies in a way that they do not impede business operations? Security teams relying on rules-based alerts run into problems as their environment gets more complex, and security holes begin to form in this conventional model of threat detection.

UEBA embodies a different approach. It involves using data to model what “normal” behavior is for each individual user. Based on our model of what is normal, we can trigger alerts when something abnormal is observed.

UEBA chart 2

As opposed to a rule-based alerting system, which is deterministic, this system is probabilistic; it measures risk rather than right and wrong. A sophisticated UEBA system models multiple dimensions at once and learns from its success and failures to get better over time. You don’t need to setup and manage a heavy list of alert trigger - all you need is activity data. Instead of reacting to problems by creating new rules, this approach allows security teams to be proactive by investigating unusual behavior on the individual level.

Stay tuned in the coming weeks to learn about how to use analytics-based threat detection with Duo.