Use User and Entity Behavior Analytics (UEBA) Powered by AI

Uploaded by Reem Essam

Use User and Entity Behavior Analytics (UEBA) powered by AI to identify unusual login patterns or access requests:
• UEBA is a cybersecurity solution that uses algorithms and machine learning
to detect anomalies in the behavior of not only the users in a
corporate network but also the routers, servers, and endpoints in
that network.
• For a UEBA solution to be effective, it must be installed on every
device used by or connected to every employee across the
organization. This includes devices not only owned by the
company but also owned by the employee, as even devices used
part time can be targets of a cyberattack.
• UEBA goes further than simply monitoring human behavior—it
monitors machines. A server in one branch office may suddenly
receive thousands more requests than usual one day, signaling
the start of a potential distributed denial-of-service (DDoS)
attack. There is a chance IT administrators might not notice this
type of activity, but UEBA would recognize it and take further
action.
• It can significantly enhance security within a Zero Trust Network
by identifying unusual login patterns or access requests.
Steps to Implement AI-Powered UEBA:
1. Data Collection:
Collect data from various sources such as login attempts,
access logs, network traffic, application usage, and endpoint
activity.
Ensure continuous data collection to keep the AI models updated
with the latest behavior patterns.
UEBA systems gather comprehensive data, including user
activities, network traffic, and access logs. This data forms the
backbone of UEBA’s analysis, feeding into sophisticated algorithms
that scrutinize every aspect of user behavior within the network.

2. Baseline Behavior:
Use AI to analyze historical data and establish a baseline of
normal behavior for each user and entity. This includes typical
login times, locations, devices, and access patterns.
Create detailed profiles for users and entities, capturing their
typical behaviors and interactions within the network.
The core of UEBA functionality lies in its ability to establish a
baseline of “normal” behavior for each user and entity. It then
continuously compares current activities against this baseline,
flagging anomalies that could indicate potential security threats,
such as data exfiltration, insider threats, or compromised accounts.

3. Anomaly Detection:
AI continuously monitors current activities and compares them
against established baselines to detect anomalies in real time.
Employ machine learning algorithms to identify subtle deviations
and patterns that may indicate potential security threats.

4. Risk Scoring:
Consider the context of detected anomalies, such as the
sensitivity of the accessed data, the user’s role, and the overall
risk environment.
Assign dynamic risk scores to each activity, where higher scores
indicate greater potential threats.
5. Automated Alerts and Responses:
Automatically generate alerts for security teams when unusual
behaviors are detected. Include contextual information to help
prioritize and investigate alerts.
Implement automated responses for high-risk activities, such as
locking accounts, requiring additional authentication, or blocking
access.

6. Continuous Learning and Adaptation:
Incorporate feedback from security analysts into the AI models to
improve accuracy and reduce false positives.
Continuously update AI models with new data to adapt to
evolving user behaviors and threat landscapes.

Scenario:
User A typically logs in from New York between 9 AM and 5 PM using a
corporate laptop.
User A attempts to log in from a foreign country at 2 AM using an
unknown device.
Behavior Analysis: AI-powered UEBA detects that the login attempt
from a foreign country and at an unusual time deviates from the
established baseline for User A.
Risk Scoring: The system assigns a high-risk score to this login attempt
due to multiple factors: unusual location, time, and device.
Alert Generation: An alert is generated and sent to the security
operations center (SOC) for further investigation.
Immediate Action: The system may automatically prompt the user for
additional authentication (e.g., MFA) or temporarily block the login
attempt pending review.
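The six implementation steps and this scenario, worked through as an added Python example (it is not code from the original document): it builds User A's baseline from a constructed login history, scores a new login on the three factors the scenario names (location, time, device), maps the score to an automated response, and folds analyst feedback back into the baseline. The factor weights, response thresholds, country codes and device names are assumptions.

```python
from collections import Counter

# Constructed login history for a hypothetical "User A": logins from New York
# (country code US) between 9 AM and 5 PM on a single corporate laptop.
HISTORY = [
    {"user": "userA", "country": "US", "hour": h, "device": "corp-laptop-01"}
    for h in (9, 10, 11, 13, 14, 16, 17, 9, 12, 15)
]

# Assumed factor weights and thresholds (tunable); the scenario only says all three factors count.
WEIGHTS = {"location": 40, "time": 25, "device": 35}
MFA_THRESHOLD, BLOCK_THRESHOLD = 30, 70

def build_baseline(events):
    """Step 2: profile a user's usual countries, login hours and devices from history."""
    return {k: Counter(e[k] for e in events) for k in ("country", "hour", "device")}

def score_login(baseline, event):
    """Steps 3-4: list each deviation from the baseline and sum its weight into a 0-100 risk score."""
    reasons = []
    if event["country"] not in baseline["country"]:
        reasons.append("location")
    seen_hours = baseline["hour"]  # treat the observed min..max hour window as "normal"
    if not (min(seen_hours) <= event["hour"] <= max(seen_hours)):
        reasons.append("time")
    if event["device"] not in baseline["device"]:
        reasons.append("device")
    score = min(100, sum(WEIGHTS[r] for r in reasons))
    return score, reasons

def respond(score):
    """Step 5: map the risk score to the automated action the SOC has configured."""
    if score >= BLOCK_THRESHOLD:
        return "block_pending_review"
    if score >= MFA_THRESHOLD:
        return "require_mfa"
    return "allow"

def analyze(baseline, event):
    """Full pipeline: score, decide, and build the alert sent to the SOC (None when nothing deviates)."""
    score, reasons = score_login(baseline, event)
    action = respond(score)
    alert = {"user": event["user"], "score": score, "reasons": reasons, "action": action} if reasons else None
    return action, alert

def learn(baseline, event):
    """Step 6: an analyst confirmed the login as legitimate, so fold it into the baseline."""
    for k in ("country", "hour", "device"):
        baseline[k][event[k]] += 1
```

Note that `learn` widens the accepted hour window, so analyst confirmations should be applied only to logins that were genuinely benign.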

Insider Threat Detection: UEBA solutions can identify potentially malicious activities by insiders, such as employees accessing or downloading sensitive data at unusual times or in unusually large quantities, which could indicate data theft.

Compromised Account Identification: If a user's behavior suddenly changes - for example, accessing different systems or data they don't normally use, especially at odd hours - it could suggest their account has been compromised.

Healthcare Privacy Monitoring: In healthcare, UEBA can help ensure compliance with privacy laws by monitoring access to patient records and identifying if staff are accessing records without a legitimate need.

Data Exfiltration Prevention: By monitoring data access and movement, UEBA can identify potential data exfiltration attempts, such as copying large volumes of data to external drives or uploading it to cloud services.

Phishing Attack Detection: UEBA can sometimes detect the aftermath of phishing attacks, such as when credentials are used unusually following a successful phishing expedition.

Integration with Other Security Systems: UEBA often works with security systems like SIEM (Security Information and Event Management), enhancing overall threat detection and response capabilities.

Automated Alerting and Incident Response: UEBA systems can automate alerting security teams about suspicious activities and sometimes integrate with response systems to take immediate action, like blocking a user or changing access controls.

Advanced Persistent Threat (APT) Detection: UEBA can be instrumental in detecting APTs, where attackers infiltrate systems and remain undetected for long periods, as it can spot subtle, long-term changes in behavior.

Benefits of AI-Powered UEBA:

The primary benefit of UEBA is that it allows enterprises to detect a
much wider range of cyber threats. Brute-force attacks, DDoS, insider
threats, and compromised accounts are just a few categories of threats
that UEBA can detect.
• Improved Threat Detection: AI can identify subtle and
complex threats that might be missed by traditional rule-
based systems.
• Reduced False Positives: By continuously learning and
adapting, AI can reduce the number of false positives, allowing
security teams to focus on genuine threats.
• Proactive Security: AI-driven UEBA enables proactive
detection and response, helping to mitigate risks before they
escalate into significant security incidents.
• Enhanced User Experience: Automated, context-aware
security measures can minimize disruptions to legitimate users
while ensuring robust protection.

Example Tools for AI-Powered UEBA

• Splunk User Behavior Analytics: Integrates with Splunk’s SIEM
to provide advanced UEBA capabilities.
• Microsoft Azure Sentinel: Offers built-in UEBA features
powered by Azure’s AI and machine learning capabilities.
• IBM QRadar: Includes UEBA functionality to detect insider
threats and anomalous behavior.
• Exabeam: A dedicated UEBA platform that leverages machine
learning for behavior analysis and threat detection.

UEBA vs. SIEM


SIEMs are good security management tools but are less sophisticated
when it comes to more advanced threat detection and response. SIEMs
can handle real-time threats rather easily, but they may be unable to
detect a sophisticated cyberattack. This is because sophisticated
cyberattackers avoid simple one-off threats and instead engage in an
extended attack that can go undetected by traditional threat
management tools for several weeks or even months.
On the other hand, UEBA solutions are capable of detecting more
sophisticated threats, such as those that might be undetectable day to
day but over time display a surprising pattern. Malvertising is an
example: a seemingly harmless advertising applet downloaded to a
browser that collects user data or infects the user's device.
What are sophisticated cyberattacks?
Sophisticated attackers possess deep knowledge of computer systems,
networks, and security mechanisms. They often have significant funding,
enabling them to acquire zero-day exploits and advanced hacking tools,
and they utilize sophisticated toolsets, including advanced persistent
threat (APT) frameworks and state-of-the-art malware.

Notable Examples of Sophisticated Cyberattacks

1. Stuxnet
o Description: A highly sophisticated worm that targeted
Iran’s nuclear facilities by exploiting multiple zero-day
vulnerabilities.
o Impact: Demonstrated the potential for cyberattacks to
cause physical damage to critical infrastructure.
2. SolarWinds Attack
o Description: A supply chain attack where attackers
compromised the software update mechanism of
SolarWinds' Orion platform, affecting numerous high-profile
organizations.
o Impact: Led to widespread data breaches and highlighted
the vulnerabilities in supply chain security.
3. Operation Aurora
o Description: A series of cyberattacks conducted by a group
believed to be based in China, targeting intellectual property
and source code of major corporations like Google.
o Impact: Raised awareness of the risks associated with state-
sponsored cyber espionage.

Both SIEM and UEBA have important capabilities that allow
organizations to meet their business and security needs. Because
insider attacks are real and costly, consider UEBA as a complement to
SIEM.

UEBA vs. NTA

Network traffic analysis (NTA) solutions use machine learning,
advanced analytics, and rule-based detection to monitor and analyze all
traffic and flow records on enterprise networks. An NTA system is also
able to identify potential threats and suspicious activity. So how is it
different from a UEBA solution?

NTA has certain benefits. The first is that it allows companies to see all
events, not just logged ones, across their entire network. This includes
every aspect of a cyberattacker’s activities. Further, NTA enables
companies to profile both user accounts and network devices (just as
UEBA can), and it deploys with relative ease.

As with SIEM, an organization with more sophisticated security needs
will likely require both an NTA and a UEBA solution in place at the same
time. NTA cannot track local events, such as those from a device that is
not connected to the network, and generally lacks the ability to identify
more advanced security issues in the way that UEBA is capable of.

UEBA capabilities are now integrating with XDR (Extended Detection
and Response), an advanced threat detection tool that evolved from
EDR (Endpoint Detection and Response). XDR represents a significant
progression, offering deeper insights and a broader scope than
traditional SIEM products. It enhances threat visibility across various
data sources like networks, endpoints, and clouds.

XDR amalgamates the functionalities of EDR, UEBA, NTA (Network
Traffic Analysis), and next-gen antivirus into a unified solution,
providing comprehensive visibility and sophisticated behavioral
analytics. This integration not only accelerates investigation processes
but also significantly boosts the efficiency of security teams through
automation, ensuring a more robust defense against security threats
across the entire infrastructure.

Cons of UEBA:

• Managing False Positives and User Experience
UEBA systems must be finely tuned to minimize false positives, which
can overwhelm security teams and potentially impact the user
experience. By managing false positives, an organization can reduce the
workload of security teams and improve the user experience.
• Offers a narrow view of network behaviors and events since UEBA
logs are only enabled on a small part of a company’s network.
• Relies on third-party logs to monitor, identify and analyze potential
threats and assign risk scores – if/when a third-party logger fails, a
UEBA can’t do its job.

What are third-party logs?

Types of Third-Party Logs

1. Cloud Service Provider Logs
o Examples: AWS CloudTrail, Azure Activity Logs, Google
Cloud Audit Logs
o Information Provided: API calls, configuration changes, user
activities, and access logs
2. SaaS Application Logs
o Examples: Salesforce, Office 365, Google Workspace
o Information Provided: User activities, login attempts, data
access, configuration changes
3. Security Tools and Services
o Examples: Antivirus logs, intrusion detection/prevention
system (IDS/IPS) logs, endpoint detection and response
(EDR) logs
o Information Provided: Detected threats, blocked attempts,
scan results, endpoint activities
4. Network Devices
o Examples: Firewalls, routers, switches
o Information Provided: Traffic logs, access control logs,
connection attempts, configuration changes
5. Identity and Access Management (IAM)
o Examples: Okta, Duo Security, Auth0
o Information Provided: Authentication and authorization
events, MFA attempts, user provisioning and de-provisioning
activities
6. Third-Party Integrations
o Examples: Payment gateways, social media platforms, CRM
systems
o Information Provided: Transaction logs, API calls, user
interactions, integration activities
