UEBA (User and Entity Behavior Analytics) is a category of cybersecurity solutions that uses artificial intelligence and machine learning to detect abnormal and potentially malicious behaviour by users and entities within a computer network.
Put simply, UEBA does not search for signatures of known attacks (as traditional antivirus software does) or check predefined rules (as a traditional firewall does). UEBA learns what is "normal" for each user and each entity (machines, applications, servers, etc.) and alerts you when behaviour deviates from that norm.
Features
UEBA is a proactive cybersecurity approach that:
- Establishes baselines of normal behaviour: by continuously analysing activity data (authentication and application logs, network flows, etc.), UEBA builds a "typical" behaviour profile for each user and entity. The profile covers aspects such as login times, applications used, data accessed, login locations and data volumes.
- Detects behavioural anomalies: UEBA monitors activity in near real time and compares each action against the established baseline. Any significant deviation from that baseline is treated as an anomaly and flagged for investigation.
- Provides a contextual risk score: UEBA does more than surface raw anomalies. It contextualises each one by taking several factors into account: the severity of the deviation, the history of the user or entity, the sensitivity of the resource affected, etc. It then assigns a risk score so that security teams can prioritise the most critical alerts.
- Adapts and learns continuously: thanks to machine learning, UEBA keeps refining its baselines as the habits of users and entities evolve, which improves accuracy and reduces false positives over time. The practical check is that only low-risk or analyst-validated events should feed back into a baseline; otherwise an attacker who starts with small deviations can gradually train their own activity into the norm.
Examples of UEBA applications
Consider the following scenarios and how UEBA detects them:
- Compromised user account:
- Normal behaviour: employee "John Smith" usually logs in from his office in Paris between 9am and 6pm, accesses marketing documents and uses the CRM and email applications.
- Abnormal behaviour detected by UEBA: suddenly, "John Smith" logs in from China at 3am, tries to access confidential R&D files and downloads a very large amount of data.
- UEBA alert: UEBA flags a strong behavioural anomaly for the "John Smith" account with a high risk score, indicating a possible account compromise and data exfiltration attempt.
- Malicious insider:
- Normal behaviour: a system administrator performs maintenance tasks on servers, configures user accounts and monitors system logs.
- Abnormal behaviour detected by UEBA: the administrator starts creating user accounts with excessive privileges, disables audit logging and accesses sensitive databases for no apparent reason.
- UEBA alert: UEBA detects a significant change in the system administrator's behaviour, indicating possible malicious insider activity, such as preparing a future attack or exfiltrating data for personal use.
- Compromised web server used as a pivot:
- Normal behaviour: a web server responds to standard HTTP requests, hosts public web pages and interacts with a database to display dynamic content.
- Abnormal behaviour detected by UEBA: the web server starts initiating outbound connections to suspicious IP addresses, runs unusual processes and consumes abnormal amounts of memory and CPU.
- UEBA alert: UEBA detects abnormal behaviour on the web server, a possible compromise and the use of the server as a starting point for attacks on other systems (pivoting).
- Compromised application:
- Normal behaviour: a business application uses standard SQL queries to interact with its database, processes transactions and generates reports.
- Abnormal behaviour detected by UEBA: the application starts generating abnormally long and complex SQL queries, attempts to access database tables it has never touched before and opens network connections to non-standard ports.
- UEBA alert: UEBA detects deviant application behaviour, suggesting exploitation of a vulnerability (such as SQL injection) or a compromise of the application itself.
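The four steps listed under Features (baseline, anomaly detection, contextual risk score, continuous learning), run over the compromised-account scenario above, as an added Python example written for this page. It is not the article's own code and not any vendor's implementation: the event fields, the weights and thresholds, the resource sensitivity table and the "john.smith" login history are all constructed assumptions.

```python
"""Per-user behaviour baseline, anomaly detection and contextual risk scoring.

Added illustration; not code from the original article or from any UEBA product.
Events, weights, thresholds and sensitivity factors are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed contribution of each deviating dimension to the raw score (0-100 scale).
ANOMALY_WEIGHTS = {"hour": 10, "country": 25, "resource": 20, "volume": 25}
# Assumed context multiplier: touching R&D or finance data weighs more than marketing.
RESOURCE_SENSITIVITY = {"marketing": 1.0, "crm": 1.0, "rd": 1.5, "finance": 1.5}
Z_THRESHOLD = 3.0          # standard deviations before a numeric value counts as anomalous
LEARN_BELOW_SCORE = 20     # events scoring under this may be fed back into the baseline


@dataclass
class Event:
    user: str
    hour: int          # local hour of the login, 0-23 (treated linearly: fine for a daytime workforce)
    country: str
    resource: str      # class of data touched, e.g. "marketing" or "rd"
    mb_downloaded: float


@dataclass
class Baseline:
    hours: list
    countries: set
    resources: set
    volumes: list


def build_baseline(events):
    """Profile one user from past activity: seen hours, countries, resources and volumes."""
    return Baseline(hours=[e.hour for e in events],
                    countries={e.country for e in events},
                    resources={e.resource for e in events},
                    volumes=[e.mb_downloaded for e in events])


def zscore(value, samples):
    sd = pstdev(samples) or 1.0   # floor: a perfectly regular history must not divide by zero
    return (value - mean(samples)) / sd


def detect_anomalies(event, baseline):
    """Names of the dimensions on which the event deviates from the user's baseline."""
    found = []
    if abs(zscore(event.hour, baseline.hours)) > Z_THRESHOLD:
        found.append("hour")
    if event.country not in baseline.countries:
        found.append("country")
    if event.resource not in baseline.resources:
        found.append("resource")
    if zscore(event.mb_downloaded, baseline.volumes) > Z_THRESHOLD:
        found.append("volume")
    return found


def risk_score(event, anomalies, prior_alerts=0):
    """Contextual score: anomaly weights x resource sensitivity x user history, capped at 100."""
    raw = sum(ANOMALY_WEIGHTS[a] for a in anomalies)
    raw *= RESOURCE_SENSITIVITY.get(event.resource, 1.0)
    raw *= 1 + 0.1 * prior_alerts          # a user with earlier alerts is scored more harshly
    return min(100, round(raw))


def update_baseline(baseline, event, score, analyst_confirmed_benign=False):
    """Continuous learning: only low-risk or analyst-cleared events reshape the baseline,
    otherwise an attacker could slowly train their own activity into the norm."""
    if score >= LEARN_BELOW_SCORE and not analyst_confirmed_benign:
        return False
    baseline.hours.append(event.hour)
    baseline.countries.add(event.country)
    baseline.resources.add(event.resource)
    baseline.volumes.append(event.mb_downloaded)
    return True


def assess(event, baseline, prior_alerts=0):
    anomalies = detect_anomalies(event, baseline)
    return anomalies, risk_score(event, anomalies, prior_alerts)


# Constructed history: 30 logins from Paris between 9h and 18h, marketing/CRM data, 2-20 MB each.
HISTORY = [Event("john.smith", 9 + i % 10, "FR", ("marketing", "crm")[i % 2], 2 + (i % 10) * 2)
           for i in range(30)]

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for ev in (Event("john.smith", 14, "FR", "marketing", 9),      # routine day
               Event("john.smith", 11, "BE", "marketing", 6),      # business trip
               Event("john.smith", 3, "CN", "rd", 4500)):          # the scenario in the text
        print(ev, assess(ev, base))
```

The routine login produces no anomaly and a score of 0; the trip to Belgium trips only the country check (score 25, or 30 if the user already has two prior alerts); the 3am login from China against R&D data deviates on all four dimensions and saturates the score at 100. The guard in update_baseline is the part a practitioner should not skip: the compromise event is refused, while the Belgium login is absorbed only once an analyst confirms it, after which a second Belgian login is no longer flagged.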
AI applications in UEBA: the heart of intelligent detection
AI, and more specifically machine learning (ML), is at the heart of how UEBA operates. The main uses of AI in UEBA solutions are:
- Unsupervised learning for the normal behaviour baseline: unsupervised ML algorithms analyse large volumes of activity data and automatically identify typical patterns of behaviour for each user and entity, including correlations and trends that would be very hard to spot manually. Examples of algorithms used: clustering, principal component analysis (PCA), and density- or isolation-based anomaly detectors (DBSCAN, Isolation Forest).
- Supervised learning for anomaly detection and risk classification: once baselines exist, supervised ML algorithms can be trained to recognise anomalies and classify them by risk level. They learn from security analysts' feedback (alerts validated as true positives or dismissed as false positives) and improve their accuracy over time. Examples of algorithms used: decision trees, random forests, support vector machines (SVM), neural networks.
- Natural language processing (NLP) for log and text analysis: some UEBA solutions use NLP to analyse text logs, emails or other unstructured data. This extracts additional context and improves the detection of anomalies based on language content (e.g. suspicious communications, spam or internal phishing).
- Automated response and investigation (SOAR - Security Orchestration, Automation and Response): AI can also automate certain response actions to incidents detected by UEBA. For example, a high-risk UEBA alert can automatically trigger the isolation of a compromised workstation or a password reset on a user account. AI can also help automate alert investigation by summarising the anomalies detected, the entities affected and the recommended actions.
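To show what the unsupervised item above means in practice, here is a minimal Isolation Forest written for this page in pure Python (not the article's code and not a product's implementation; in production one would use scikit-learn's IsolationForest). The forest is fitted on a whole activity window in which one anomalous login is buried among ordinary ones, exactly the situation a UEBA faces when it has no labels: the login events, the numeric encoding of the categorical fields and the random seeds are constructed assumptions.

```python
"""Minimal Isolation Forest (Liu, Ting & Zhou, 2008) applied to login events.

Added illustration written for this page; not the article's code and not a vendor
implementation. The events and their numeric encoding are constructed assumptions.
"""
import math
import random
from statistics import mean

EULER_GAMMA = 0.5772156649


def avg_path_length(n):
    """Expected path length of an unsuccessful BST search over n points; normalises scores."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def build_tree(points, depth, max_depth, rng):
    """Split on a random feature at a random value between its min and max, until isolated."""
    if depth >= max_depth or len(points) <= 1:
        return ("leaf", len(points))
    splittable = [f for f in range(len(points[0]))
                  if min(p[f] for p in points) < max(p[f] for p in points)]
    if not splittable:                          # remaining points are identical
        return ("leaf", len(points))
    feat = rng.choice(splittable)
    vals = [p[feat] for p in points]
    split = rng.uniform(min(vals), max(vals))
    left = [p for p in points if p[feat] < split]
    right = [p for p in points if p[feat] >= split]
    return ("node", feat, split,
            build_tree(left, depth + 1, max_depth, rng),
            build_tree(right, depth + 1, max_depth, rng))


def path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + avg_path_length(tree[1])   # unresolved leaf: add its expected depth
    _, feat, split, left, right = tree
    return path_length(left if x[feat] < split else right, x, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=1):
        self.n_trees, self.sample_size = n_trees, sample_size
        self.rng = random.Random(seed)
        self.trees, self.n = [], 0

    def fit(self, X):
        self.n = min(self.sample_size, len(X))
        max_depth = math.ceil(math.log2(self.n))
        self.trees = [build_tree(self.rng.sample(X, self.n), 0, max_depth, self.rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """Anomaly score in (0, 1): near 1 means isolated in very few splits, i.e. anomalous."""
        h = mean(path_length(t, x) for t in self.trees)
        return 2 ** (-h / avg_path_length(self.n))


def event_vector(hour, mb_downloaded, country, resource):
    """Assumed encoding: categorical fields become 0/1 flags against the user's usual values."""
    return (float(hour), float(mb_downloaded),
            0.0 if country == "FR" else 1.0,
            0.0 if resource in ("marketing", "crm") else 1.0)


def constructed_history(n=200, seed=7):
    """Constructed normal activity: office hours, small downloads, occasional trip to Belgium."""
    rng = random.Random(seed)
    return [event_vector(rng.randint(8, 18), rng.uniform(1, 50),
                         "FR" if rng.random() > 0.05 else "BE",
                         rng.choice(["marketing", "crm"]))
            for _ in range(n)]


def demo():
    """Fit on the whole window, anomaly included, and return (anomaly score, highest normal score)."""
    history = constructed_history()
    compromise = event_vector(3, 4500, "CN", "rd")     # the scenario from the text
    forest = IsolationForest().fit(history + [compromise])
    return forest.score(compromise), max(forest.score(x) for x in history)


if __name__ == "__main__":
    anomaly, worst_normal = demo()
    print(f"compromise login: {anomaly:.2f}  highest normal login: {worst_normal:.2f}")
```

No label and no hand-written threshold is involved: the 3am, high-volume, foreign, R&D login is separated from the crowd in one or two random splits and therefore scores far above every normal login, while the ordinary logins need many splits and cluster around 0.5. Two caveats matter in a real deployment: the encoding of categorical fields (country, resource) decides what the forest can isolate at all, and because the model is fitted on everything it sees, a compromise that persists through the training window becomes part of "normal" unless the window is short or suspicious points are removed before refitting.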