Five Essential UEBA Use Cases
Table of Contents
1. Detecting abnormal user behaviour 4
We seem to be hearing a lot about threats originating from inside the perimeter
these days rather than outside.
UEBA technology gathers large amounts of data on user activity and behaviour
from various data sources. The system then learns the behaviour of users and
entities (devices, servers and other endpoints) by applying scenario-based
algorithms that use machine learning, statistical analysis, peer group analytics
and other techniques.
Once the system has established a baseline of what 'normal' user or entity
behaviour looks like, it can detect and report anomalies and unusual activities
far quicker than manual checks.
It is simpler to understand what abnormal user behaviour is with the help of an
example. Say User A typically logs in at 09:00 a.m., checks their email,
performs their usual work activities and browses the internet over lunch; then
all is well. However, if one fine morning User A logs in at 03:00 p.m. instead,
from an overseas location, exports a large amount of data from a company
database and logs on to a cloud storage website, then alarm bells start to ring.
The security solution should be able to distinguish and detect such suspicious
activity and lock the user out.
For example, suppose User A has a tendency to make mistakes while logging in,
so we set a threshold of 10 failed attempts for User A. If User A now fails to
log in, say, 30% more times than normal, that is 13 times, we can say this is
unusual.
The following query checks for a login failure action and verifies it against
the predetermined limit. If the count exceeds the threshold, it raises an alert
and locks the user out.
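As an added illustration of the threshold check described above (this is example code, not the DNIF query the text refers to), the following Python script learns a per-user baseline from a week of daily failed-login counts, raises it by the 30% tolerance and flags users at or above the result; all counts and user names are constructed sample data.

```python
# Constructed sample data (not real logs): each list holds one user's number
# of failed logins per day over the week used to learn their baseline.
HISTORY = {
    "userA": [10, 10, 10, 11, 9, 10, 10],   # habitually mistypes: ~10 a day
    "userB": [2, 1, 2, 3, 2, 2, 2],
}
# Failed-login counts observed today (constructed), the values being checked.
TODAY = {"userA": 13, "userB": 2, "userC": 4}

TOLERANCE_PCT = 30   # allowed deviation above the baseline, 30% in the text


def learned_threshold(daily_counts, tolerance_pct=TOLERANCE_PCT):
    """Per-user limit: the mean daily failure count raised by tolerance_pct.
    For userA the mean is 10, so the limit is 13, as in the text."""
    mean = sum(daily_counts) / len(daily_counts)
    return mean * (100 + tolerance_pct) / 100


def check_login_failures(history, today, tolerance_pct=TOLERANCE_PCT):
    """Compare today's failure count with each user's learned threshold.
    Returns {user: {"count", "limit", "action"}} for users at or above their
    limit; the action mirrors the text (raise an alert and lock the account).
    Users with no history are skipped: without a baseline there is nothing
    to deviate from, so they need a different rule, e.g. a fixed limit."""
    alerts = {}
    for user, count in today.items():
        if user not in history:
            continue
        limit = learned_threshold(history[user], tolerance_pct)
        if count >= limit:
            alerts[user] = {"count": count, "limit": limit,
                            "action": "alert_and_lock_account"}
    return alerts


if __name__ == "__main__":
    for user, info in check_login_failures(HISTORY, TODAY).items():
        print(f"{user}: {info['count']} failures, limit {info['limit']} "
              f"-> {info['action']}")
```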
The longer the password, the higher the number of combinations that need to
be tested; if a password is weak, the attacker will hardly require any effort
and can crack it within seconds. This is why it is extremely important to
create strong passwords across all accounts and systems. However, even with
a strong password, employees can fall victim to insider threats if proper
security measures are not in place.
Let's understand this better with the help of the following use case:
For example, if User A attempts to log into an account and fails more than nine
times within a period of about 15 minutes, we can conclude that User A is
attempting a brute-force attack.
The following query checks for consecutive login failures that exceed the
predetermined limit, in this case nine, within the set time period, here 15
minutes. It detects such activity as an attempted brute-force attack and
raises an alert.
Cron Schedule: 0 * * * *
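The following Python script is an added example of the windowed check just described (not the DNIF query the text refers to): it counts consecutive login failures per user inside a sliding 15-minute window, resets the run on a successful login, and alerts once a user exceeds nine failures. The log lines are constructed sample data.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # time period from the text
MAX_FAILURES = 9                 # more than nine failures in the window -> alert

# Constructed sample log lines (not real data): "<ISO timestamp> <user> <action>".
# userA: ten failures one minute apart; userB: two runs of five split by a
# success; userC: ten failures two minutes apart, so never ten inside 15 min.
SAMPLE_LOG = (
    [f"2018-06-01T10:{m:02d}:00 userA LOGIN_FAILURE" for m in range(10)]
    + [f"2018-06-01T11:{m:02d}:00 userB LOGIN_FAILURE" for m in range(5)]
    + ["2018-06-01T11:05:00 userB LOGIN_SUCCESS"]
    + [f"2018-06-01T11:{m:02d}:00 userB LOGIN_FAILURE" for m in range(6, 11)]
    + [f"2018-06-01T12:{2 * m:02d}:00 userC LOGIN_FAILURE" for m in range(10)]
)


def parse(line):
    ts, user, action = line.split()
    return datetime.fromisoformat(ts), user, action


def detect_brute_force(lines, window=WINDOW, max_failures=MAX_FAILURES):
    """Return {user: (failures, first_ts, last_ts)} for users with more than
    max_failures consecutive login failures inside the window. A successful
    login ends the run, so only consecutive failures are counted, and
    failures older than the window before the newest one are forgotten."""
    runs = {}       # user -> timestamps of the current failure run
    alerts = {}
    for ts, user, action in sorted(parse(line) for line in lines):
        if action == "LOGIN_SUCCESS":
            runs.pop(user, None)
            continue
        if action != "LOGIN_FAILURE":
            continue
        run = runs.setdefault(user, [])
        run.append(ts)
        while ts - run[0] > window:
            run.pop(0)
        if len(run) > max_failures and user not in alerts:
            alerts[user] = (len(run), run[0], run[-1])
    return alerts


if __name__ == "__main__":   # the text schedules this hourly: cron "0 * * * *"
    for user, (n, start, end) in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT brute force: {user} {n} failures {start:%H:%M}-{end:%H:%M}")
```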
For example, suppose User A has left the organization and the normal policies
and processes have not deactivated the account. If any activity is observed in
User A's account more than 60 days after they left the organization, it is
considered suspicious, and the security solution should provide insight into
employees that haven't used their credentials for a long duration.
The following query detects any attempt to access such a dormant account and
raises an alert.
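As an added example (not the DNIF query the text refers to), this Python script applies the 60-day rule to a constructed HR leaver list and authentication event stream: activity on a departed user's account more than 60 days after their last working day is flagged, and so is activity on any account that had been silent for longer than 60 days.

```python
from datetime import date, timedelta

DORMANCY = timedelta(days=60)   # period from the text

# Constructed sample data (not real): HR leaver list and authentication events.
LEAVERS = {"userA": date(2018, 3, 1)}             # user -> last working day
EVENTS = [                                         # (event date, user, action)
    (date(2018, 3, 10), "userA", "LOGIN_SUCCESS"),   # 9 days after leaving
    (date(2018, 5, 15), "userA", "LOGIN_SUCCESS"),   # 75 days after leaving
    (date(2018, 1, 5), "userB", "LOGIN_SUCCESS"),
    (date(2018, 4, 20), "userB", "LOGIN_SUCCESS"),   # after 105 days of silence
    (date(2018, 4, 21), "userC", "LOGIN_SUCCESS"),
    (date(2018, 4, 22), "userC", "LOGIN_SUCCESS"),
]


def detect_dormant_access(events, leavers, dormancy=DORMANCY):
    """Return alerts as (date, user, reason, days) for
    (a) activity more than `dormancy` after a leaver's last working day and
    (b) activity on any account whose previous activity is older than
    `dormancy`. Activity by a leaver inside the 60 days is not flagged,
    matching the text; a first-ever sighting has no previous activity and
    is not flagged either."""
    alerts = []
    last_seen = {}
    for when, user, action in sorted(events):
        if user in leavers and when - leavers[user] > dormancy:
            alerts.append((when, user, "departed_user_activity",
                           (when - leavers[user]).days))
        elif user in last_seen and when - last_seen[user] > dormancy:
            alerts.append((when, user, "dormant_account_activity",
                           (when - last_seen[user]).days))
        last_seen[user] = when
    return alerts


if __name__ == "__main__":
    for when, user, reason, days in detect_dormant_access(EVENTS, LEAVERS):
        print(f"{when} ALERT {reason}: {user} ({days} days)")
```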
The following query detects the creation of a new account by an authorized
user and raises an alert.
The following query checks for any user account being deleted and verifies
whether the action was performed by an authorized user; if not, it detects
this suspicious activity and raises an alert.
The following query checks for password reset actions and immediately verifies
whether the action was performed by an authorized user of the account. It
raises an alert if the password is reset by anyone other than an authorized
user.
The following query first checks whether the system's audit policy has been
changed; if a change is detected, it then verifies whether the change was made
by an authorized user, and raises an alert if the action was performed by an
unauthorized user.
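The four account-administration checks above (account creation, account deletion, password reset, audit policy change) share one pattern: match the action, then compare the actor with the set of users permitted to perform it. As an added example (not the DNIF queries the text refers to), this Python script implements that pattern over constructed audit events; the permitted-user sets, and the assumption that a user resetting their own password counts as an authorized user of that account, are sample choices for the example.

```python
# Constructed sample data (not real): the users permitted to perform each
# administrative action, and a stream of audit events to check against it.
AUTHORIZED = {
    "ACCOUNT_DELETED": {"admin1", "admin2"},
    "PASSWORD_RESET": {"admin1", "helpdesk1"},
    "AUDIT_POLICY_CHANGED": {"admin1"},
}
EVENTS = [  # (timestamp, actor, action, target)
    ("2018-06-01T09:05:00", "admin1", "ACCOUNT_CREATED", "newhire7"),
    ("2018-06-01T09:30:00", "helpdesk1", "PASSWORD_RESET", "userA"),
    ("2018-06-01T10:12:00", "userB", "PASSWORD_RESET", "userA"),
    ("2018-06-01T10:20:00", "userC", "PASSWORD_RESET", "userC"),
    ("2018-06-01T11:40:00", "admin2", "ACCOUNT_DELETED", "contractor3"),
    ("2018-06-01T12:00:00", "userB", "AUDIT_POLICY_CHANGED", "DC01"),
    ("2018-06-01T12:01:00", "userA", "LOGIN_SUCCESS", "DC01"),
]


def is_authorized(actor, action, target, authorized):
    """Assumption for this example: a user resetting their own password is an
    authorized user of that account; otherwise the actor must be in the
    permitted set for the action (no set means nobody is permitted)."""
    if action == "PASSWORD_RESET" and actor == target:
        return True
    return actor in authorized.get(action, set())


def check_admin_actions(events, authorized=AUTHORIZED):
    """Return (timestamp, actor, action, target, verdict) for events needing
    attention. Every account creation is reported for review (the text raises
    an alert on creation even by an authorized user); deletions, password
    resets and audit-policy changes are reported only when the actor is not
    authorized. Event types outside these four are ignored."""
    alerts = []
    for ts, actor, action, target in events:
        if action == "ACCOUNT_CREATED":
            alerts.append((ts, actor, action, target, "new_account_review"))
        elif action in authorized and not is_authorized(actor, action,
                                                        target, authorized):
            alerts.append((ts, actor, action, target, "unauthorized_actor"))
    return alerts


if __name__ == "__main__":
    for ts, actor, action, target, verdict in check_admin_actions(EVENTS):
        print(f"{ts} {verdict}: {actor} performed {action} on {target}")
```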
About DNIF
DNIF is a first-of-its-kind NextGen SIEM with multiple capabilities, including
UEBA, Log Management, SOAR, Security Analytics and Threat Intelligence, all
bundled together on a single platform to bring in process efficiency, better
manageability and reduced risk.
WEB https://dnif.it
EMAIL hello@dnif.it
USA: 2570 N. First Street 2nd Floor, San Jose, CA 95131, USA
INDIA: 2nd Floor, Reliable House, KanjurMarg (w), Mumbai 400078, IN
© 2018 NETMONASTERY NSPL. All rights reserved. NETMONASTERY, DNIF, DQL, The “OPEN” Big Data Analytics Platform are
trademarks or registered trademarks of NETMONASTERY NSPL and/or its affiliates in the INDIA, and/or US and other countries.
The title image is a photo by Cayetano Gil on Unsplash and is used with full credit to the owner.