UEBA: What it is, and why you need it for better security
UEBA (User and Entity Behavior Analytics) is a term first created by Gartner, which has since become widely adopted in the tech industry. It succinctly captures a concept that has become crucially important in web security: the analysis of user behavior to accurately identify threats.
Traditionally, security components such as WAFs (Web Application Firewalls) were based on a negative security model. Later, positive security began to appear in WAF solutions as well (these models are discussed further below). Both approaches have their strengths and weaknesses.
UEBA provides a quantum leap forward from these previous capabilities. Organizations that are not yet using it will soon find themselves at a competitive disadvantage to those that are.
Web security requires the filtering of incoming traffic; threat actors must be prevented from accessing the backend servers, while legitimate requests are allowed to pass through. The most straightforward approach for this is negative security: by default, all requests are allowed through, except for those which match “negative” characteristics (i.e. pre-defined criteria which identify hostile traffic).
There are a variety of reasons for a request to be deemed hostile. Perhaps its signature matches an entry in a database of known attacks. Or the requestor’s IP address might be in a list of IPs used by threat actors. Or maybe the request itself is malformed, or is noncompliant with defined standards.
Whatever the reason, the key concept of negative security is that each request will be allowed, unless a reason is found to reject it.
As the name implies, positive security is the opposite approach to negative security. Here, each request will be rejected, unless a reason is found to allow it. The characteristics of allowable traffic can be defined in a variety of ways. Requestors’ IP addresses can be whitelisted. Requests might be required to have certain headers. Traffic sources can be pre-approved via an authentication mechanism. And so on.
Useful but incomplete
Both models described above have weaknesses. Negative security cannot protect a network from zero-day exploits, because no rule or signature yet describes them. Positive security will usually block zero-days, but at the cost of producing a high rate of false positive alarms (legitimate users that are incorrectly identified as threats and are blocked from access). UEBA is a new approach that can help with these problems.
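The two models side by side, as an added example that is not part of the original article: a minimal request filter with a default-allow (negative) policy and a default-deny (positive) policy, run over four constructed requests. The denylist IP, the signature patterns, the allowed paths and the required header are all constructed sample rules, not a real product's rule set. The "novel" request shows the negative model's blind spot (nothing matches, so it passes), and the "new client" request shows the positive model's false positive (a legitimate caller that lacks the expected header is blocked).

```python
"""Negative vs positive security models as a minimal request filter.

Added example (not the article's code). All rules and requests below are
constructed for illustration.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Request:
    ip: str
    path: str
    headers: dict = field(default_factory=dict)


# --- Negative model: default allow, reject on known-hostile traits ---------
KNOWN_ATTACK_PATTERNS = [
    re.compile(r"\.\./"),               # directory traversal fragment
    re.compile(r"(?i)union\s+select"),  # classic SQL injection fragment
]
BLOCKED_IPS = {"203.0.113.7"}           # constructed; TEST-NET-3 range


def negative_allows(req: Request) -> bool:
    """Allow unless the request carries a trait on the deny list."""
    if req.ip in BLOCKED_IPS:
        return False
    if any(p.search(req.path) for p in KNOWN_ATTACK_PATTERNS):
        return False
    return True


# --- Positive model: default deny, accept only what is explicitly allowed --
ALLOWED_PATH = re.compile(r"^/(products|cart|checkout)(/[A-Za-z0-9-]+)?$")
REQUIRED_HEADERS = {"X-Api-Key"}        # constructed header name


def positive_allows(req: Request) -> bool:
    """Deny unless every allow-criterion is satisfied."""
    if not ALLOWED_PATH.match(req.path):
        return False
    if not REQUIRED_HEADERS.issubset(req.headers):
        return False
    return True


def compare(req: Request) -> dict:
    """Decision of each model for one request."""
    return {"negative": negative_allows(req), "positive": positive_allows(req)}


# Constructed sample requests.
SAMPLES = {
    # Ordinary shopper: both models let it through.
    "legit": Request("198.51.100.20", "/products/blue-jacket", {"X-Api-Key": "k1"}),
    # Matches a known signature: both models block it.
    "known_attack": Request("198.51.100.21", "/products/../../admin", {"X-Api-Key": "k1"}),
    # Unknown path with no known signature: negative allows, positive blocks.
    "novel": Request("198.51.100.22", "/internal/export", {"X-Api-Key": "k1"}),
    # Legitimate new client that omits the header: positive blocks (false positive).
    "new_client": Request("198.51.100.23", "/products/red-scarf"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:13s} {compare(req)}")
```

Run stand-alone, the script prints one line per sample; the "novel" and "new_client" lines are the two weaknesses the section describes, and they are exactly the cases the behavioral layer in the next section is meant to cover.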
UEBA uses a baseline of “normal” behavioral profiles and patterns. Once that baseline has been created, it is used to evaluate the nature of incoming traffic. Requestors who conform to the baseline are considered to be normal and safe. Conversely, anomalies and deviations from the pattern are considered to be abnormal, and probably hostile.
When done correctly, UEBA mitigates the disadvantages of both negative and positive security approaches. It helps against zero-days, because it will recognize when an attacker is doing something unusual (even if the exact reason for those activities is not yet understood). And it will mitigate false positives, because over time, UEBA will conform itself to the behavior of legitimate users.
So what does it mean for UEBA to be “done correctly”? The true power of UEBA is only available via modern technologies such as Machine Learning (ML). A UEBA-based web security solution continually analyzes data from incoming traffic. Modern cloud platforms can use Machine Learning to process billions of requests per day (far beyond the capabilities of human analysts). Such a platform can store and analyze all the ways in which users interact with a web application—every click, tap, zoom, scroll, etc.—capturing them as usable metrics. More importantly, ML can identify and quantify behavioral patterns that human analysts might not have even considered.
For example, consider an online retailer that sells expensive designer clothing. UEBA might reveal that before customers purchase specific items, most of them will scroll down the page, apparently to check the returns policy (“If it doesn’t fit, send it back with free shipping, and get your choice of a different size or a full refund”). Therefore, a visitor to those product pages who does not scroll is less likely to be a legitimate human customer. This data point, when combined with other metrics, might indicate that this “visitor” is actually a price-scraper bot instead.
A high-performance UEBA solution can consider and analyze dozens or even hundreds of such metrics for every part of a web application—every page, screen, or section that interacts with a user. Their combined weight makes it extremely difficult for an attack to succeed, because any deviation from legitimate behavior will cause the attacker to be blocked.
Furthermore, unlike threat-signature databases and so on, UEBA is based on unique and private analytics which are unavailable to the attacker. Therefore, it is impervious to reverse-engineering. And even if the raw analytics data troves were compromised, an attacker could not realistically construct the corresponding UEBA profiles; the expense and effort would be prohibitive.
UEBA is not a replacement for negative and positive security models. Rather, it complements these approaches. The best security solutions today use a tiered approach: first, they filter incoming traffic with negative and positive security checks, eliminating large tranches of easily-detected hostile traffic with low computing overhead. Only traffic that passes those checks is analyzed with UEBA; its higher computational cost is reserved for detecting more subtle threats that can evade the traditional methods.
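The baseline-and-deviation idea from the preceding paragraphs, together with the tiered arrangement described just above, as an added example that is not the article's or any vendor's code. A baseline of means and standard deviations is learned from a set of constructed "normal" sessions over three constructed metrics (scroll depth, dwell time, pages per minute); a new session is scored by its weighted, clipped z-scores across all metrics; and a `triage` function runs cheap denylist and required-header checks first, spending the behavioral score only on traffic that survives them. The metric names, weights, threshold, IP addresses, header names and session values are all assumptions made for this example.

```python
"""UEBA-style behavioral baseline behind a cheap pre-filter.

Added example (not the article's code). Metrics, weights, thresholds,
sessions and addresses are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Per-session metrics (constructed names; a real platform tracks many more).
METRICS = ("scroll_depth", "dwell_seconds", "pages_per_minute")

# Relative weight of each metric; scroll depth is weighted highest to echo
# the retailer example in the text.
WEIGHTS = {"scroll_depth": 2.0, "dwell_seconds": 1.0, "pages_per_minute": 1.5}

# Clip each deviation so that no single metric can cross the block threshold
# alone: max single-metric contribution is 5.0 * 2.0 / 4.5 = 2.22 < 3.0.
Z_CLIP = 5.0
BLOCK_THRESHOLD = 3.0

# Constructed "normal" sessions used to learn the baseline.
NORMAL_SESSIONS = [
    {"scroll_depth": s, "dwell_seconds": d, "pages_per_minute": p}
    for s, d, p in [(0.7, 40, 1), (0.8, 50, 2), (0.9, 60, 3), (1.0, 70, 4),
                    (0.7, 40, 1), (0.8, 50, 2), (0.9, 60, 3), (1.0, 70, 4)]
]


@dataclass
class Baseline:
    means: dict
    stdevs: dict

    @classmethod
    def learn(cls, sessions):
        """Per-metric mean and population standard deviation."""
        means = {m: mean([s[m] for s in sessions]) for m in METRICS}
        stdevs = {m: pstdev([s[m] for s in sessions]) for m in METRICS}
        return cls(means, stdevs)

    def anomaly_score(self, session):
        """Weighted average of clipped |z-scores| over all metrics."""
        total = 0.0
        for m in METRICS:
            dev = session[m] - self.means[m]
            sd = self.stdevs[m]
            if sd == 0:                      # degenerate metric in training data
                z = 0.0 if dev == 0 else Z_CLIP
            else:
                z = min(abs(dev) / sd, Z_CLIP)
            total += WEIGHTS[m] * z
        return total / sum(WEIGHTS.values())


# Tier 1: cheap negative/positive checks (constructed rules).
BLOCKED_IPS = {"203.0.113.7"}                # TEST-NET-3 documentation range
REQUIRED_HEADERS = {"Host", "User-Agent"}


def cheap_filter(ip, headers):
    """Reason string if tier 1 rejects the request, otherwise None."""
    if ip in BLOCKED_IPS:
        return "blocked:negative:ip-denylist"
    if not REQUIRED_HEADERS.issubset(headers):
        return "blocked:positive:missing-header"
    return None


def triage(baseline, ip, headers, session):
    """Tiered decision: cheap checks first, behavioral scoring only after."""
    verdict = cheap_filter(ip, headers)
    if verdict:
        return verdict
    if baseline.anomaly_score(session) > BLOCK_THRESHOLD:
        return "blocked:ueba"
    return "allowed"


# Constructed sessions to score against the baseline.
SHOPPER = {"scroll_depth": 0.9, "dwell_seconds": 58, "pages_per_minute": 2}
SCRAPER_BOT = {"scroll_depth": 0.0, "dwell_seconds": 1.5, "pages_per_minute": 60}
NO_SCROLL_SHOPPER = {"scroll_depth": 0.0, "dwell_seconds": 60, "pages_per_minute": 3}
OK_HEADERS = {"Host": "shop.example", "User-Agent": "Mozilla/5.0"}

if __name__ == "__main__":
    base = Baseline.learn(NORMAL_SESSIONS)
    for name, sess in [("shopper", SHOPPER), ("scraper", SCRAPER_BOT),
                       ("no-scroll", NO_SCROLL_SHOPPER)]:
        print(name, round(base.anomaly_score(sess), 2),
              triage(base, "198.51.100.20", OK_HEADERS, sess))
```

Two design points are worth noting. The scraper is blocked because every metric disagrees with the baseline at once, whereas the shopper who simply never scrolls scores below the threshold: one unusual data point is a signal, not a verdict, which is the "combined with other metrics" reasoning from the retailer example. And because `triage` returns from the cheap checks before the baseline is ever consulted, the denylisted address never costs a behavioral evaluation, which is the tiering described above.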
Other benefits beyond security
UEBA is obviously a large leap forward in threat detection, and therefore, in achieving robust web security. But it can also provide many other business benefits.
For instance, in the online retailer example, UEBA revealed the scrolling behavior of customers. This indicates that there’s some friction in the sales process for these products, and friction usually reduces revenue. Perhaps conversion rates would increase on those product pages if a prominent summary of the return policy was added right below the “Add to Cart” buttons.
Are there any drawbacks?
UEBA is a much more powerful approach to web security than traditional security products are able to provide. However, this power requires a substantial infrastructure, including performant data collection and storage, and automated processing with Machine Learning. These capabilities are included in the top-tier cloud platforms but are generally unavailable to traditional on-premises security products.
And even among cloud security solutions, UEBA is not always available. Only a few providers today offer effective UEBA capabilities. As with any new technology, this can make it difficult to wade through the marketing claims and find a good solution that actually works as it should.
However, it’s important to select and deploy an effective UEBA-based security solution. Today’s threat actors are highly skilled and sophisticated. Thus, executives who settle for non-UEBA solutions that are “probably good enough” will eventually regret this decision. Furthermore, as mentioned earlier, once you start taking advantage of UEBA, you will probably find many other business-case uses for it.
UEBA offers many compelling advantages. If your organization has not yet begun to use it, it is well worth the effort to do so.