User and entity behavior analytics (UEBA), which is projected by Research and Markets to grow to a more than $900 million industry by 2021, is used to identify cybersecurity threats. It works by using advanced algorithms (often coupled with large-scale storage systems for data warehousing purposes) to establish a baseline of the activities routinely conducted by users or systems. It can then identify and alert on behavioral anomalies that deviate from those baselines. Such deviations might represent malicious activity, either intentional intrusion attempts or the result of malware compromise.

The history of UEBA

UEBA was first developed by companies like Netflix and Amazon to suggest products based on users’ interests and previous purchases and behaviors.

After the Target data breach of late 2013, UEBA’s usefulness as a cybersecurity tool became apparent. Target was logging data pertaining to the illegal activity but the intrusion wasn’t caught in time because the data wasn’t being utilized for alerting purposes. This led to the use of UEBA to analyze and extract value from the behavioral data being generated. However, routine “off the shelf” machine learning algorithms couldn’t successfully process this information and resulted in an unmanageable amount of false positives, causing security teams to waste time chasing non-existent fires.


How UEBA is being used now

Using machine learning and proprietary algorithms, UEBA can detect unusual behavior, compare the behavior to the user’s peers and overall business unit, determine the presence of any associated vulnerabilities, and identify the value of the asset under attack.

In addition, UEBA can engage the application owners responsible for the asset under attack and ask them to confirm whether the behavior is business-justified. Based on the responses, UEBA can then deliver to investigators a prioritized list of threats that need immediate mitigation.

UEBA continues to evolve and become smarter as it learns which unusual behaviors are truly critical. Using machine learning, UEBA tools adapt so that unusual behaviors that are actually business justified are never flagged again, which significantly reduces false positives and noise. On the other hand, if the UEBA tool prioritizes a threat that needs immediate investigation, the tool knows to look for other threats that have the same characteristics.
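To make the mechanism described above concrete, here is a small scorer written for this article (added example, not code from any UEBA vendor). It learns per-user and per-department baselines from a constructed access log, weights anomalies by a constructed asset-value table, and lets analyst feedback suppress a user/asset pair so it is never flagged again; an intruder using a legitimate account to reach an asset that neither the user nor their peers normally touch scores highest.

```python
from collections import defaultdict

# Asset criticality weights (constructed; a real tool would pull these from a CMDB).
ASSET_VALUE = {"wiki": 1, "crm": 3, "payroll_db": 5}

# Constructed baseline window: one (user, department, asset) tuple per access event.
BASELINE = [
    ("alice", "sales", "crm"), ("alice", "sales", "wiki"),
    ("bob", "sales", "crm"), ("bob", "sales", "wiki"),
    ("carol", "hr", "payroll_db"), ("carol", "hr", "wiki"),
    ("dave", "hr", "payroll_db"),
]

def build_profiles(events):
    """Learn who normally touches what: per-user assets and per-department peers."""
    seen = defaultdict(set)      # user -> assets accessed during the baseline window
    members = defaultdict(set)   # department -> users belonging to it
    for user, dept, asset in events:
        seen[user].add(asset)
        members[dept].add(user)
    return seen, members

def score_event(user, dept, asset, profiles, justified=frozenset()):
    """Return an anomaly score for one access; 0 means routine or analyst-approved."""
    seen, members = profiles
    if (user, asset) in justified:
        return 0.0               # feedback loop: business-justified pairs are never re-flagged
    novelty = 0.0 if asset in seen[user] else 1.0          # deviation from own baseline
    peers = members[dept] - {user}
    peer_share = sum(asset in seen[p] for p in peers) / len(peers) if peers else 0.0
    peer_gap = 1.0 - peer_share                             # 1.0 when no peer touches it
    return (novelty + peer_gap) / 2 * ASSET_VALUE.get(asset, 1)

def prioritize(events, profiles, justified=frozenset(), threshold=1.0):
    """Rank new events by score, highest first, dropping routine ones for the analyst."""
    ranked = [(score_event(u, d, a, profiles, justified), u, a) for u, d, a in events]
    return sorted((r for r in ranked if r[0] >= threshold), reverse=True)

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    new_events = [("alice", "sales", "payroll_db"),   # sales user hitting HR data
                  ("erin", "hr", "payroll_db"),       # new HR hire doing HR work
                  ("bob", "sales", "crm")]            # routine
    for score, user, asset in prioritize(new_events, profiles):
        print(f"{score:.1f}  {user} -> {asset}")
```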


What’s in store for UEBA in 2018

The UEBA capabilities described above are not yet widely used but are expected to rise in popularity and usage as we enter 2018.

Ryan Stolte, CTO and co-founder of risk analytics firm Bay Dynamics, said 2018 will be a transformative year for UEBA. Here are some trends he said we can expect to see:

More integration with traditional security tools

This will provide better ability to detect and prioritize threats. For example, UEBA is being integrated with data loss prevention (DLP) technologies to pare down the countless DLP alerts and generate a quality working list of top threats that need immediate investigation.

Integration with cloud access security brokers

In the case of DLP, one of analysts’ biggest challenges is that they receive so many alerts each day, and have limited resources to investigate them. They attempt to piece through each one, but oftentimes end up wasting time on false positives or less impactful threats, while the truly critical ones slip by. By integrating with UEBA, analysts receive a targeted list of what to focus on each day.

Integration with user authentication tools

This will help companies understand how much authentication a user requires to access sensitive assets based on their behavioral profile. For example, if a user tries to access a sensitive database, but UEBA tools have previously detected her to have a habit of frequently clicking on suspicious links and sending private corporate data to her private email address, the company knows to add extra layers of authentication and may further limit access to highly classified data, or to take disciplinary action as needed.

Improved machine learning capability

The machine learning aspects of UEBA technology will also be refined as performance improves. Soon the technology will operate so rapidly that it will easily be able to judge an event based on historical evidence, weed out false positives, then pass along the most critical events to investigators in a matter of minutes. The goal is to give investigators enough information to respond meaningfully to UEBA findings in real time.

In one case, UEBA might be able to detect employees sending valuable intellectual property data to their personal email accounts in order to start a competing business. In another, an intruder using stolen credentials can be identified because their behavior differs from the legitimate employee's, such as logging into a classified database that employee does not normally access.
