User Behavior Analytics – Dawn of a New Era in IT Security?



by Márton Illés

Many companies’ worst nightmare – a sophisticated external attacker or malicious insider – is already within their perimeter. Nowadays, attackers are intelligent, well-funded, and their attacks are increasingly complex and well targeted. Recent high-profile breaches, such as the cases of Sony, Target or Ashley Madison, were carefully planned and went undetected for some time, with the attackers moving freely inside the victim’s IT environment. Malicious insiders hold an advantage over a company’s primary security tools, because these tools are designed to protect against external threats, not against trusted employees. Targeted attacks by humans use a combination of IT vulnerabilities, social engineering, and ordinary crime to gain unauthorized access.

This means that the new perimeter on which companies have to focus is the user: users, rather than the infrastructure, are the new focus of security measures. User Behavior Analytics (UBA) is the incarnation of this user-focused approach to IT security: it concentrates on what internal and external users are doing in the system. By detecting deviations from normal behavior, User Behavior Analytics solutions help companies focus their security resources on the important events, and also allow them to replace some controls, yielding greater business efficiency.

Top 4 Benefits of UBA
1. Decrease the likelihood and impact of breaches.
2. Identify suspicious activities and detect unknown threats coming from both inside and outside the organization.
3. Increase the efficiency of security teams.
4. Enhance the flexibility of the business while improving security.

Advanced Persistent Threat might be a buzzword for many people, but talking about it basically means realizing that there are attackers who are, and will always be, ahead of us. It’s not a matter of when these attackers will infiltrate our network — if our data is valuable enough for them, they will keep on trying until they get in, or they are already inside. It’s a matter of whether we’ll detect them before they do real damage.

Is UBA the killer of traditional security solutions?
Traditional IT security products and techniques use some form of pattern-based technology to detect and stop attacks. Preventive security products, such as anti-virus or APT defense products, have some form of built-in knowledge of attack vectors, sometimes extended with simple heuristics. Monitoring solutions like IDSs or SIEMs follow the same path, using patterns either supplied by the vendor or created by the user. In both cases, however, the products can only detect the events or attacks they have been prepared for. While heuristics can extend the capabilities of these tools to detect polymorphic viruses or previously unseen attacks that follow similar patterns, they cannot address previously unknown attack techniques, as it is not feasible, or simply not possible, to create heuristics or “universal” patterns for such cases.

UBA solutions provide a great opportunity to defend against APTs and other threats involving the credentials of an insider – but that doesn’t make them the silver bullet of the IT security industry. UBA tools do not substitute for SIEM solutions; they complement them by covering their blind spots. Currently, there is a huge imbalance between the security tools that control the IT infrastructure and those that monitor it. CISOs mostly focus on prevention, try to understand known threats and define levels of trust; thus they build more and more layers of access controls, policies and walls, and use predefined patterns and rules to detect these threats. But even bigger walls and even more controls have not yielded the expected result, as the recent data breaches have proved.

Furthermore, a strategy based purely on access controls, incident management and identity management is not sustainable. Outsourcing, cloud computing and BYOD mean that keeping up with change requires vast amounts of resources and imposes unacceptable restrictions on “business as usual”. Too much control cannot ensure security and allow people to do their job at the same time – people must be trusted to do their job. UBA tools give users exactly this freedom, but intervene and react immediately if one of them becomes a real threat to the company.

How does UBA work?
Users leave footprints all around the system as they use the company infrastructure. Their actions appear in logs, audit trails, changelogs of business applications and in numerous other places such as SIEMs or PAM solutions. This is a huge amount of valuable data that already exists. UBA solutions do not require predefined correlation rules or any additional probes or agents to be deployed; they simply work with the existing data. The first step is collecting that information. UBA does not add a new layer of monitoring – it only collects and analyzes data that already exists. As most UBA tools log exactly what kind of data was accessed by the security analyst, users can be sure that the data was used only for security reasons. Moreover, certain UBA solutions – such as Blindspotter from BalaBit – are able to implement pseudonymization.

Using the gathered data, it is possible to build a baseline of what’s “normal” for each user: when they are usually active, what services they use, how they use those services, and so on. UBA solutions use different machine learning algorithms to create these user profiles.

After this baseline is established, UBA tools are able to compare activities to the usual behavior of users and identify unusual behavior in real time. An attacker using a hijacked account or a malicious insider will interact with the system differently than a normal user would – for example, accessing different servers, logging in from other places at other times, or downloading more and different data. By comparing these activities to the baseline, we can catch them as they are happening.

What is Machine Learning?
Machine learning (ML) provides computers with the ability to learn without being explicitly programmed. ML solutions are able to reveal the trends and patterns behind the data with a good approximation. By sorting and clustering data, these algorithms are also able to create forecasts for the future. A typical example is the product recommender system of a webshop: it recommends products to users based on their buying habits or those of similar users.

By detecting suspicious activities in real time, it becomes possible to react immediately. Automated responses can significantly reduce the time a malicious attacker has before any countermeasure is taken. In most attack scenarios, the high-impact event is preceded by a reconnaissance phase. Detection and response during this phase is critical to preventing any further high-impact activity. Reactions can range from a simple notification to the suspension of the account in question, and can be carried out automatically or by involving human intelligence for a more detailed assessment.
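The baseline-then-compare loop described above (collect existing audit data, learn each user’s normal hours, hosts, locations and download volume, score new activity against it, and grade the response) in miniature, as an added example that is not the article’s or BalaBit’s code; the audit records, user names and host names are constructed, and the scoring and thresholds are illustrative choices rather than any product’s algorithm.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit-trail sample: (user, hour_of_day, host, country, bytes_downloaded).
# A real deployment would parse these fields from existing logs, SIEM or PAM exports.
HISTORY = [
    ("alice", 9, "fileserver-01", "HU", 12_000),
    ("alice", 10, "fileserver-01", "HU", 15_000),
    ("alice", 11, "crm-app", "HU", 8_000),
    ("alice", 14, "fileserver-01", "HU", 14_000),
    ("bob", 22, "build-server", "DE", 500_000),
    ("bob", 1, "build-server", "DE", 480_000),
]

def build_baseline(events):
    """Learn each user's 'normal': active hours, hosts, locations and download volume."""
    users = defaultdict(lambda: {"hours": set(), "hosts": set(), "countries": set(), "bytes": []})
    for user, hour, host, country, nbytes in events:
        p = users[user]
        p["hours"].add(hour)
        p["hosts"].add(host)
        p["countries"].add(country)
        p["bytes"].append(nbytes)
    for p in users.values():  # summarise volume against the user's own history
        p["mean"], p["std"] = mean(p["bytes"]), pstdev(p["bytes"])
    return dict(users)

def score_event(baseline, event):
    """Return (score, reasons); each deviation from the user's baseline adds one point."""
    user, hour, host, country, nbytes = event
    p = baseline.get(user)
    if p is None:  # account never seen before: treat as maximal deviation
        return 4, ["no baseline for user"]
    checks = (("hours", hour, "unusual hour"), ("hosts", host, "new host"),
              ("countries", country, "new location"))
    reasons = [label for key, value, label in checks if value not in p[key]]
    # Flag downloads more than three standard deviations above the user's mean, with a
    # 10% floor so a near-constant history does not alert on trivial jitter.
    if nbytes > p["mean"] + max(3 * p["std"], 0.1 * p["mean"]):
        reasons.append("excessive download volume")
    return len(reasons), reasons

def triage(baseline, event):
    """Map the score to a graded response: notify, analyst review, or suspend the account."""
    score, reasons = score_event(baseline, event)
    actions = {0: "none", 1: "notify", 2: "analyst review"}
    return actions.get(score, "suspend account"), reasons

if __name__ == "__main__":
    print(triage(build_baseline(HISTORY), ("alice", 3, "hr-db", "RO", 2_000_000)))
```

A night-time login from a new country to a never-used host with a huge download scores on every dimension and is escalated to suspension, while bob’s slightly off-hours build run only produces a notification.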

What is UBA good for?
UBA is not the new silver bullet of the industry, but a sophisticated tool for addressing some of the biggest IT security challenges of the 2010s: it is able to detect malicious actors coming from the outside through compromised accounts, or insiders using their normal credentials, while significantly improving the efficiency of security teams by providing a prioritized list of security events.

Márton Illés is a product evangelist for BalaBit.


WWPI – Covering the best in IT since 1980