User Behavior Analytics

User Behavioral Analytics (UBA) baselines and analyzes the day-to-day behaviors of the users on our networks.  Using Active Directory, Kerberos, Linux, Content Management or other user account based logging we have the data we need to model out the normal behaviors of all accounts on the network. UBA looks primarily (not exclusively) at three user traits: Account privileges, authentication, and content management.

Account Privileges

Account privileges monitor the user rights of the individual.  Most accounts on the network are going to be standard User accounts. These accounts typically have a variety of restrictions placed on them that prevent the individual from changing their computer’s configuration, downloading and installing new software, or changing network parameters.

Other accounts are going to be administrative, root, or perhaps super user.  These accounts should be limited on the network and must be more tightly controlled. UBA monitors accounts for changes in their behavior. Does a User account get unexpectedly upgraded to admin? Is an Admin account operating at odd hours or on systems not often accessed? And so on.

Additionally, different accounts have different privileges on specific applications.  UBA will monitor for unexpected changes in such privileges, such as a user having Read-only access but unexpectedly changing to Write privileges.

Authentication

Authentication UBA monitors log-on / log-off activities.  There are analytics that focus on geography,  user usually logs in from particular IP addresses or geographies, but now we see a log in from China.  Or we may see multiple users having a variety of failed login attempts on a single application and getting locked out – which may be indicative of a hacker attempting a login brute force attack. Or we see a single user attempting, but failing to successfully log in to multiple applications.  Each of these scenarios – and more – may indicate that an unauthorized user is attacking your network and attempting to break.  Most concerning is when you see these behaviors happening within your internal network, suggesting that there may already be a breach and a hacker is trying to pivot through the network.

Content Management

Content Management UBA attempts to model out the online behaviors of your users.  It models what websites and applications are normally accessed by the user.  An alert may fire for sites completely outside the normal profile of the individual or other unexpected online behavior.  These types of UBA are not often as critical as account privilege or authentication UBA’s, but there is value in monitoring the online activity of users.

UBA is arguably the most important of the three types of security behavioral analytics (the others being Network and Asset). Your users are the most targeted asset in your organization and also the most likely to be breached – usually via phishing. Additionally, the most effective way for a hacker to pivot inside your network is to use the users account to log in to various devices.  So applying mature and effective UBA is critical.

About Security On-Demand

Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.