User and entity behavior analytics: The intelligent guardian of your business


By Sareeka AG, Product Marketing Specialist - IT Security, ManageEngine

Identities are easy to fake, but not actions.

Closely monitoring the behavior of a person can reveal a lot about their true intentions. Similarly, keeping a close watch on a machine's activities can expose potential security problems. Blending security information and event management (SIEM) with user and entity behavior analytics (UEBA) can bring numerous users and devices belonging to an enterprise under surveillance. UEBA utilizes machine learning to identify anomalies in users' activities and then present them to network administrators to take corrective actions before they turn disastrous.

Illustration of person at desk reviewing their risk score

Read on to learn how UEBA can protect your network from today's prevalent cyber threats.

It's a busy day at the hospital. As numerous patients wait their turn at the registration counter, computers throughout the hospital freeze one by one, displaying a ransom note that demands bitcoins. In this scenario, not just the clinic's operations but hundreds of lives could be at stake. This is an example of locker ransomware, which renders any infected device's user interface inaccessible.

Ransomware attacks involve multiple stages: distribution, infection, staging, scanning, encryption, and payday. UEBA can detect excessive file accesses or the execution of non-native files, and then increase the risk score of the corresponding entity. This warns security personnel to take preventive measures and eliminate the attack in its early phase.

Brute-force attackers primarily target organizations with huge reserves of critical data, where user accounts are likely to have weak passwords. Higher education institutions and government departments are more likely to fall prey. Apart from disrupting the organization's functions, the attackers can ex filtrate research files and compromise sensitive databases. UEBA can identify when a user logs in after multiple failed login attempts, or when a server access attempt is made from a remote location instead of regular access from the office. Both actions increase the risk score and serve as an indicator of a potential threat, helping to prevent an attack before the actual onset.

It is no secret that the credit card details of millions of people are available on the dark web. Data exfiltration by a bank's own employees for monetary and vengeful motives is one of the ways in which these details end up there. Insider attacks are extremely successful and difficult to detect as the user already has permission to access critical data. Many businesses have no clue what information was stolen until it is used to execute illicit attacks.

With several data protection compliance regulations in place, such attacks don't just tarnish the reputation of the organization involved, but can also land them in legal trouble. UEBA can be a savior in such scenarios by identifying pattern anomalies, such as an employee printing a file while the expected behavior is just adding or deleting entries in that particular file or database.

Information is a prized resource in today's world; every organization that has valuable data is under constant threat of exposure. UEBA is an ideal watchdog that continuously learns from user actions and indicates potential threats.

Staying vigilant with UEBA can save you from making it to the "companies worst hit by cyberattacks" list. To learn more, have a look at our whitepaper "Understanding UEBA".

Sustaining Partners