
USER + ENTITY BEHAVIOR ANALYTICS (UEBA)
THE HEART OF NEXT-GENERATION THREAT HUNTING

USER + ENTITY BEHAVIOR ANALYTICS (UEBA)

INTRODUCTION

Every year, despite best efforts to defend against attacks, the number and impact of data breaches continues to escalate. Across nearly every sector, from healthcare to government, entertainment to retail, enterprises are being outmaneuvered by threat actors. If you sense a certain déjà vu, you're right. Each time another data breach comes to light months after an intruder infiltrated the enterprise, we realize yet again that traditional security solutions are failing to keep an enterprise's data safe.

However, there's a new technology that's giving security executives renewed hope: User and entity behavior analytics (UEBA).

Here's what Gartner says about UEBA:

"UEBA successfully detects malicious and abusive activity that otherwise goes unnoticed, and effectively consolidates and prioritizes security alerts sent from other systems."

SOURCE: Avivah Litan, Market Guide for User and Entity Behavior Analytics, Gartner, September 22, 2015

Is UEBA the missing piece of the puzzle that security teams have been waiting for? This ebook answers that question and explains how UEBA technologies can serve as a critical component of the enterprise security stack.

THE DETECTION + RESPONSE GAP

265 DAYS: the average amount of time passed to identify data breaches caused by malicious attacks

69 DAYS: the mean amount of time passed to contain a data breach

SOURCE: 2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2015


TRADITIONAL SOLUTIONS AREN'T FINDING THREATS FAST ENOUGH

At this point, it's obvious, especially to our cyber adversaries, that traditional security solutions aren't detecting advanced threats quickly enough. That's because most prevention and detection tools are based on signatures and rules, which limit their ability to effectively identify advanced persistent threats.

While traditional prevention and detection solutions are important tools to collect and aggregate various feeds of log data, their analytics are typically focused on real-time alerting using simple correlation rules. Plus, using a security information and event management (SIEM) system alone can result in too many false positives, overwhelming the security team with investigating minor issues while the real threat continues to go undetected.

Enterprises need to complement real-time analytics with heavier-duty, machine-learning analytics that can look for deviations from normal patterns of behavior over a long period of historical baselines.

DROWNING IN ALERTS + DATA

17,000: malware alerts received on average by an organization in a typical week

4%: of all alerts are investigated, because of alert unreliability and the volume of false positives

SOURCE: The Cost of Malware Containment, Ponemon Institute, January 2015


USER AND ENTITY BEHAVIOR ANALYTICS: THE MISSING LINKS

What if you complemented signature- and rule-based security with behavioral analysis to detect threats faster and decrease false-positive alerts? That's exactly the purpose of UEBA technology.

START WITH USERS
User behavior analytics (UBA), as previously defined by Gartner, detects insider threats, targeted attacks, and financial fraud by looking at patterns of human behavior and applying analysis to detect anomalies from those patterns. Using big data techniques, this technology uncovers deviations from baseline user behavior.

ADD ENTITIES
Gartner recognized that UBA is narrow in its focus on individuals. By expanding the analysis to entities, organizations can better detect malicious activity. In UEBA, entities can include devices, applications, servers, data, or anything with an IP address.

COMPLEMENTING SIEMS
UEBA can make automated detection systems such as SIEMs more effective by complementing signature- and rule-based detection with behavioral analysis.

                      SIEM                                  UEBA
Velocity of data      Real-time alerting based on           Batch-based analytics on large
                      streaming data flows                  historic data sets
Anomaly detection     Static, rule-based                    Self-learning
Types of anomalies    Event-based                           Entity-based
Algorithms            Standard deviation, simple matching   Supervised machine learning,
                                                            unsupervised machine learning,
                                                            Bayesian inference, graph algorithms
False positive rate   Higher                                Lower

WHAT'S BEHIND THE ADVENT OF UEBA?

UEBA is less the result of a sudden breakthrough and more the result of multiple trends and drivers coming together at the right time:

- Increasing sophistication of cyber threats
- Gaps in threat detection when relying only on rules-based security solutions
- Cheaper computation and storage platforms, such as Hadoop, for consuming and normalizing large amounts of data
- Increasing sophistication of behavioral analytics through new machine learning and graph techniques
- The ability to deploy machine-learning techniques at scale on big data platforms


UEBA AND LINKED DATA: A KILLER COMBO

While UEBA is a big step in the right direction, many current solutions don't go far enough.

Think about adversarial behavior and how it pivots across multiple vectors. With only a single view of a user or entity, your team might miss the bigger picture, and hence the stealthy movements and tiny footprints of an attacker. Also, many solutions don't provide a way to explore the raw activity and data beyond detections, limiting your team's ability to assess a suspected issue and understand its scope.

To sniff out threat actors, it takes multiple dimensions of correlation, including other data and sources of contextual information such as threat intelligence, vulnerability scans, and data loss prevention systems. The more data types, entity variations, and behavioral analysis you have, the greater the context, accuracy, and precision of your analysis. To relate behaviors across multiple domains, threat vectors, time, and space, you need something called linked data.

BRINGING IT ALL TOGETHER
Linked data is an ideal way to fuse disparate cybersecurity datasets into a common ontology so that they can be more easily searched and discovered. It also adds weight and directionality to the relationships between assets, users, and devices, which can be leveraged for more powerful search and analytics to discover malicious patterns. Using a linked data approach, analysts can investigate alerts in a faster, more efficient way than with traditional, row-based log analyses.


CASE STUDY: DETECTING LATERAL MOVEMENT WITH UEBA AND LINKED DATA

WHAT IT IS
Lateral movement is the process an attacker uses to expand his or her access to computing resources throughout a network.

HOW UEBA AND LINKED DATA CAN HELP DETECT IT
By tracking unusual authentications and by looking for other hints in logs that might indicate specific mechanisms being employed, UEBA and linked data can identify lateral movement activity.

RESULTS OF SQRRL'S LATERAL MOVEMENT DETECTOR
Sqrrl's lateral movement detector identified a collection of credentials that an advanced persistent attack had compromised at a Fortune 100 financial services enterprise. The credentials were being used to log into various systems for which they were not typically used (e.g., an engineer's credentials were used to log into a financial system). Sqrrl's lateral movement detector identified a star pattern of multiple failed logins combined with a string of rare login successes. Sqrrl also correlated how hosts involved in the lateral movement connected to each other by leveraging netflow data in addition to user authentication logs.
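The two signals this case study describes (a star of failed logins from one source against many hosts, followed by rare login successes outside the account's baseline) and the linked-data idea from the previous section (fusing authentication events with netflow on host identity to confirm each hop) can be sketched in a few dozen lines. The following is an added illustration, not Sqrrl's detector or any code from the page; the log records, host names, thresholds and the risk logic are all constructed for the example.

```python
"""Lateral-movement heuristics over authentication logs plus netflow.

Added example, not Sqrrl's code. Sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed authentication events: (timestamp, user, src_host, dst_host, result)
AUTH_LOG = [
    # Normal baseline: an engineer logs into the build server every morning
    ("2016-03-01T09:00:00", "eng01", "ws-17", "build-01", "success"),
    ("2016-03-01T09:30:00", "eng01", "ws-17", "build-01", "success"),
    ("2016-03-02T09:05:00", "eng01", "ws-17", "build-01", "success"),
    ("2016-03-03T09:10:00", "eng01", "ws-17", "build-01", "success"),
    # Star pattern: one source fails against many hosts in seconds
    ("2016-03-04T02:00:00", "eng01", "ws-17", "fin-db-01", "failure"),
    ("2016-03-04T02:00:05", "eng01", "ws-17", "fin-db-02", "failure"),
    ("2016-03-04T02:00:09", "eng01", "ws-17", "hr-01", "failure"),
    ("2016-03-04T02:00:14", "eng01", "ws-17", "fin-app-01", "failure"),
    # Then rare successes: hosts this account never used before, chained
    ("2016-03-04T02:01:00", "eng01", "ws-17", "fin-app-01", "success"),
    ("2016-03-04T02:05:00", "eng01", "fin-app-01", "fin-db-01", "success"),
]

# Constructed netflow summaries: (timestamp, src_host, dst_host, dst_port, bytes)
NETFLOW = [
    ("2016-03-04T02:00:50", "ws-17", "fin-app-01", 445, 12000),
    ("2016-03-04T02:04:50", "fin-app-01", "fin-db-01", 445, 9000),
    ("2016-03-04T02:10:00", "fin-db-01", "fin-app-01", 445, 300),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def baseline_pairs(auth, cutoff):
    """(user, dst_host) pairs with a successful login before `cutoff`:
    the 'where does this account normally log in' baseline."""
    limit = parse(cutoff)
    return {(user, dst) for ts, user, _src, dst, result in auth
            if result == "success" and parse(ts) < limit}


def failure_stars(auth, window_s=60, min_targets=3):
    """One (source, user) failing against many distinct hosts within window_s."""
    fails = defaultdict(list)
    for ts, user, src, dst, result in auth:
        if result == "failure":
            fails[(src, user)].append((parse(ts), dst))
    stars = []
    for (src, user), events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:]
                       if (t - t0).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                stars.append({"src": src, "user": user,
                              "targets": sorted(targets), "start": t0.isoformat()})
                break
    return stars


def rare_successes(auth, baseline):
    """Successful logins to hosts the account has no history with."""
    return [(ts, user, src, dst) for ts, user, src, dst, result in auth
            if result == "success" and (user, dst) not in baseline]


def link_path(rare, netflow, max_gap_s=300):
    """Order rare successes into a path and confirm each hop with a flow from
    src to dst shortly before the login (auth and netflow fused on host)."""
    flows = [(parse(ts), s, d) for ts, s, d, _port, _bytes in netflow]
    path = []
    for ts, user, src, dst in sorted(rare):
        t = parse(ts)
        confirmed = any(fs == src and fd == dst
                        and 0 <= (t - ft).total_seconds() <= max_gap_s
                        for ft, fs, fd in flows)
        path.append({"user": user, "src": src, "dst": dst,
                     "time": ts, "flow_confirmed": confirmed})
    return path


def detect_lateral_movement(auth, netflow, cutoff):
    """Alert when a failure star is followed by a multi-hop chain of rare
    successes that starts at the same source host."""
    stars = failure_stars(auth)
    path = link_path(rare_successes(auth, baseline_pairs(auth, cutoff)), netflow)
    alert = len(path) >= 2 and any(s["src"] == path[0]["src"] for s in stars)
    return {"stars": stars, "path": path, "alert": alert}


if __name__ == "__main__":
    print(detect_lateral_movement(AUTH_LOG, NETFLOW, "2016-03-04T00:00:00"))
```

The baseline cutoff separates the learning period from the day under investigation; in practice the baseline would be learned over weeks and refreshed continuously rather than fixed at one timestamp.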


ADD THREAT HUNTING TO THE MIX

Unlike waiting for an alert to surface a potential threat, hunting for cyber threats lets your security team proactively identify threats sooner. Hunting can help your team counter an adversary at almost any stage of an attack by using data and analysis to follow the digital footprints of the attacker and disrupt the adversary's attack.

However, hunting isn't easy, which is why automation is critical.


AUTOMATION OF THE HUNT WITH UEBA

UEBA can help automate the four essential steps for hunting defined in Sqrrl's Threat Hunting Loop:

1. CREATE HYPOTHESES
UEBA can provide a starting point for a hunt by automatically detecting potential threats based on adversary Tactics, Techniques, and Procedures (TTPs) and assigned risk scores.

2. INVESTIGATE
Linked data automates manual searches by semantically fusing datasets and predefining search pathways. On-demand anomaly detection capabilities allow a hunter to quickly home in on the most important pieces of data.

3. UNCOVER TTPS
UEBA and linked data enable analysts to rapidly and visually reveal the TTPs of adversaries and reconstruct the attack paths that those adversaries utilized.

4. INFORM ANALYTICS
Insights uncovered by analysts can be used by the system to inform and improve its analytics. Using techniques such as machine learning, whitelisting, and behavior classification, UEBA systems can be tuned to focus on real threats and ignore false positives.


CASE STUDY: UNCOVERING BEACONING WITH UEBA AND LINKED DATA

WHAT IT IS
Beaconing is a technique often used by compromised assets to communicate with an external command and control (C2) point. Beacons are network traffic typically sent at regular intervals and can be used to signal availability or to receive new instructions. They may hide in plain sight by using common ports and protocols such as TCP, ICMP, and HTTP. Uncommon ports are sometimes used, too, when trying to evade protective network measures.

HOW UEBA AND LINKED DATA CAN HELP DETECT IT
UEBA and linked data look for behavior indicative of malicious beacons, while excluding benign beacons issued by mail clients, software update agents, or websites that automatically refresh their content (e.g., weather sites). Contextual information such as linked alerts, identity, IP reputation, and geographic data helps analysts assess potential malicious behaviors.

RESULTS OF SQRRL'S BEACONING DETECTOR
At a Fortune 500 healthcare company, Sqrrl's beaconing detector was able to detect a malware infection on an endpoint by using UEBA to look for pulse-like behavior emanating from the host and separating this pattern from other network traffic. The company subscribes to various threat intelligence lists, but the signature-based detection systems were not sufficient to detect this type of custom malware. The malware beaconed to its command and control server using HTTP in order to blend in with other network traffic and utilized a Domain Generation Algorithm to avoid threat intel matches with the external IP it was beaconing out to.
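The "pulse-like behavior" the case study refers to is a regular inter-arrival time between connections from one host to one destination, which is what makes a beacon detectable without any signature or threat-intel match on the destination. The block below is an added illustration of that idea, not Sqrrl's detector and not code from the page: it measures the period and jitter of each (source, destination, port) series and applies the two benign-beacon exclusions the text mentions, an explicit allowlist and a popularity check (a destination polled on a schedule by many internal hosts is far more likely an update or mail server than a C2 point). The connection records, host names, the destination domain and all thresholds are constructed for the example.

```python
"""Beacon detection over connection logs: regular period, low jitter.

Added example, not Sqrrl's detector. All sample data is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records: (epoch_seconds, src_host, dst, dst_port)
CONNECTIONS = []
# ws-42 contacts a random-looking domain every ~60 s over HTTP with small jitter
CONNECTIONS += [(1_456_000_000 + i * 60 + (i % 3) - 1, "ws-42", "kq8d3x.example", 80)
                for i in range(20)]
# Five hosts poll the same update server every 300 s: benign, scheduled traffic
for host in ("ws-01", "ws-02", "ws-03", "ws-04", "ws-05"):
    CONNECTIONS += [(1_456_000_000 + i * 300, host, "updates.vendor.example", 443)
                    for i in range(8)]
# Human browsing from ws-42: irregular gaps
CONNECTIONS += [(1_456_000_000 + t, "ws-42", "news.example", 443)
                for t in (5, 40, 210, 212, 900, 2400, 2405, 3800)]

# Known-benign periodic destinations (constructed placeholder)
ALLOWLIST = {"mail.corp.example"}


def intervals(times):
    """Inter-arrival gaps of a sorted series of timestamps."""
    ts = sorted(times)
    return [b - a for a, b in zip(ts, ts[1:])]


def periodicity(times):
    """Return (mean_interval, coefficient_of_variation), or None when the
    series is too short to judge. A low CV means a steady pulse."""
    gaps = intervals(times)
    if len(gaps) < 5:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(conns, max_cv=0.2, min_events=6, popularity_cutoff=3,
                 allowlist=ALLOWLIST):
    """Flag (src, dst, port) series that are regular, long enough to matter,
    not allowlisted, and not popular across the estate."""
    by_pair = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for t, src, dst, port in conns:
        by_pair[(src, dst, port)].append(t)
        hosts_per_dst[dst].add(src)
    hits = []
    for (src, dst, port), times in by_pair.items():
        if dst in allowlist or len(times) < min_events:
            continue
        # Scheduled contact from many internal hosts looks like an update or
        # mail service, not a C2 channel for one compromised endpoint.
        if len(hosts_per_dst[dst]) >= popularity_cutoff:
            continue
        result = periodicity(times)
        if result is None:
            continue
        period, cv = result
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "period_s": round(period, 1), "cv": round(cv, 3),
                         "events": len(times)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(CONNECTIONS):
        print(hit)
```

Jitter tolerance (`max_cv`) is the knob that matters most: real implants add randomized sleep to their interval, so a threshold that only accepts near-perfect regularity misses them, while one set too loosely flags ordinary polling. The popularity cutoff is what keeps the update server out of the results even though its cadence is perfectly regular.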


PUTTING IT ALL TOGETHER

UEBA + LINKED DATA + HUNTING

The combination of UEBA with a platform that supports linked data and threat hunting represents a significant improvement in an organization's ability to find and stop advanced attacks far sooner than ever before. As with any new technology, there's a great deal of hype from vendors about their UEBA solutions.

TO GET THE MAXIMUM BENEFIT, YOU NEED A SOLUTION THAT OFFERS:

- Contextual visualization for quickly understanding behaviors and relationships across complex networks
- Both user and entity behavior analytics, including supervised machine learning, unsupervised machine learning, Bayesian algorithms, and graph algorithms
- Ease of use to accelerate and enhance security analysts' ability to detect and respond swiftly to a threat
- Investigative capabilities and workflows for validating and analyzing the threat
- Scalability to encompass all the data coming from an increasingly large set of users and entities
- Collaboration tools that allow analysts to work together and share findings easily

BENEFITS WITH CYBER THREAT HUNTING

52%: say threat hunting found previously undetected threats on their enterprise

74%: of those implementing threat hunting have reduced attack surfaces

59%: enhance speed and accuracy of response by using threat hunting

SOURCE: Threat Hunting: Open Season on the Adversary, Robert M. Lee, SANS Institute, 2016


SQRRL DELIVERS UNMATCHED THREAT DETECTION AND RESPONSE

Sqrrl's industry-leading threat detection and response platform unites threat hunting, UEBA, and incident investigation capabilities in an integrated solution. With Sqrrl's unique platform approach, security analysts can discover threats faster and reduce the time and resources required to investigate them.

BEHAVIOR GRAPH
At the heart of Sqrrl is its Behavior Graph, a powerful and contextual visualization for detecting and tracking threats. The Behavior Graph uses a linked data model to fuse disparate cybersecurity datasets into a common ontology and easy-to-consume format that streamlines the work of security analysts. The linked data in the Behavior Graph adds weight and directionality to the relationships between assets, users, and devices for more powerful search and analytics to discover malicious patterns.

ADVERSARIAL BEHAVIOR-FOCUSED ANALYTICS
The linked data model allows Sqrrl to use proprietary graph algorithms, machine learning, signal processing, and other capabilities to detect anomalies associated with specific TTPs. These techniques provide Sqrrl with a greater level of accuracy in detection than other solutions. This format is the foundational context for threat hunting, incident investigations, and UEBA.

Generating risk scores for various entity types is how Sqrrl communicates what it finds via UEBA to an analyst. TTP detectors look across collections of entities, instead of a single entity or user anomaly, and can aggregate and prioritize risk for both entities and TTPs. Analysts can use these risk scores as starting points for threat hunting investigations.

BIG-DATA SCALABILITY
Sqrrl's big data foundation allows for secure petabyte-scale data storage. Built on top of Hadoop and Accumulo, a scalable database with best-in-class performance, Sqrrl isn't limited in how much data it can ingest, or by a diversity of data types. From just a few terabytes up through multiple petabytes, Sqrrl can ingest data going back months or even years to reconstruct an attack that may have occurred over long periods of time.

COMPREHENSIVE UEBA CAPABILITIES WITH SQRRL

GRAPH ALGORITHMS

MACHINE LEARNING (both supervised and unsupervised)

BAYESIAN STATISTICS

PEER GROUP ANALYSIS

BEHAVIORAL BASELINING

SIGNAL PROCESSING

TIME-SERIES ANALYSIS


CASE STUDY: DISCOVERING DATA STAGING AND EXFILTRATION WITH UEBA AND LINKED DATA

WHAT IT IS
Data exfiltration is the process of removing stolen data from a victim organization. Data staging is a technique used by an actor to gather stolen data in one place and prepare it for exfiltration. Not all data exfiltration requires staging, but it is a very common tactic among advanced persistent threat actors and insiders.

HOW UEBA AND LINKED DATA CAN HELP DETECT IT
UEBA and linked data can detect data staging by analyzing the relationships and communication patterns among internal hosts and combining that with information on common data preparation techniques. Similarly, data exfiltration can be detected by analyzing communications with hosts outside the organization, especially in the areas where they differ from baselines of typical behaviors. When data staging and exfiltration activities are linked together, these analytics can provide the clearest indications of actual threats.

RESULTS OF SQRRL'S DATA STAGING AND EXFILTRATION DETECTOR
At a large government agency, Sqrrl's data exfiltration detector discovered an employee's host machine moving a large amount of data to a cloud storage device on a weekend, something that the employee had never done before. The deviation from the behavioral baseline spiked the risk score of the IP used to initiate the transfer and the IP of the URL of the storage system, informing analysts of the malicious behavior. Using both user behavior as well as entity information like netflow, UEBA is able to detect anomalous spikes in data transfer activity, both within and outside the network, that break from the expected norm.
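The case study combines three behavioral signals: a per-host outbound-volume baseline that the weekend transfer broke, a destination the host had never used, and (when present) staging, which shows up as many internal hosts pushing data to one peer shortly before the transfer. The block below is an added illustration of how those signals can be computed from daily flow summaries and linked into a single risk score; it is not Sqrrl's detector or code from the page. The flow records, host names, the cloud storage domain, the median/MAD deviation test and the score weights are all constructed for the example. Median and MAD are used instead of mean and standard deviation because the outlier under test would otherwise inflate its own baseline.

```python
"""Data staging and exfiltration detection over daily flow summaries.

Added example, not Sqrrl's detector. All sample data is constructed.
"""
import datetime as dt
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (date, src_host, dst, bytes, dst_is_internal)
FLOWS = []
_start = dt.date(2016, 2, 1)  # a Monday
for _day in range(28):
    _d = _start + dt.timedelta(days=_day)
    if _d.weekday() < 5:  # ordinary weekday uploads from ws-88 to a CRM service
        FLOWS.append((_d.isoformat(), "ws-88", "crm.example",
                      40_000_000 + _day * 100_000, False))
for _i in range(8):  # Saturday: eight internal hosts push files to ws-88 (staging)
    FLOWS.append(("2016-02-27", f"ws-{_i:02d}", "ws-88", 600_000_000, True))
# Same Saturday: ws-88 sends 5 GB to a cloud storage host it has never used
FLOWS.append(("2016-02-27", "ws-88", "storage.cloud.example", 5_000_000_000, False))


def robust_z(value, history):
    """Median/MAD z-score: resistant to the very outliers we want to find."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return float("inf") if value > med else 0.0
    return (value - med) / (1.4826 * mad)


def is_weekend(date):
    return dt.date.fromisoformat(date).weekday() >= 5


def exfil_candidates(flows, z_threshold=5.0, min_history=10):
    """Compare each host-day's external outbound bytes with the same host's
    other days; also note first-seen destinations and first weekend activity."""
    per_day = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for date, src, dst, nbytes, internal in flows:
        if not internal:
            per_day[src][date] += nbytes
            dests[src][date].add(dst)
    hits = []
    for host, days in per_day.items():
        for date, total in days.items():
            history = [v for d, v in days.items() if d != date]
            if len(history) < min_history:
                continue
            z = robust_z(total, history)
            if z < z_threshold:
                continue
            earlier = [d for d in days if d < date]
            seen_before = set().union(*(dests[host][d] for d in earlier)) if earlier else set()
            hits.append({
                "host": host, "date": date, "bytes": total, "z": z,
                "new_destination": not dests[host][date] <= seen_before,
                "weekend_first": is_weekend(date) and not any(is_weekend(d) for d in earlier),
            })
    return hits


def staging_candidates(flows, min_sources=5):
    """Internal host receiving from unusually many distinct internal peers in one day."""
    fan_in = defaultdict(lambda: defaultdict(set))
    volume = defaultdict(int)
    for date, src, dst, nbytes, internal in flows:
        if internal:
            fan_in[dst][date].add(src)
            volume[(dst, date)] += nbytes
    return [{"host": h, "date": d, "sources": len(s), "bytes": volume[(h, d)]}
            for h, days in fan_in.items() for d, s in days.items()
            if len(s) >= min_sources]


def linked_alerts(flows):
    """Score exfiltration candidates and link them to staging on the same
    host and day; linked staging plus exfiltration scores highest."""
    staged = {(s["host"], s["date"]) for s in staging_candidates(flows)}
    alerts = []
    for c in exfil_candidates(flows):
        c["staging_linked"] = (c["host"], c["date"]) in staged
        c["risk"] = (40 + 20 * c["new_destination"] + 20 * c["weekend_first"]
                     + 20 * c["staging_linked"])
        alerts.append(c)
    return sorted(alerts, key=lambda a: -a["risk"])


if __name__ == "__main__":
    for alert in linked_alerts(FLOWS):
        print(alert)
```

The ordinary weekday uploads never trigger: each one is judged against a history that includes the 5 GB day, but the median/MAD baseline barely moves for a single outlier, which is exactly why a robust statistic is preferable to mean and standard deviation here.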



LEARN MORE

Check out these additional resources for you and your security organization to learn more about UEBA, linked data, and cyber threat hunting.

- Sqrrl's UEBA Site Page
- eBook on Threat Hunting: What Security Executives Need to Know
- Sqrrl Framework for Cyber Threat Hunting White Paper
- Webinar on Hunting
- Sqrrl Enterprise TestDrive VM
- Sqrrl Threat Hunting Platform White Paper


ABOUT SQRRL
Sqrrl is the security analytics company that enables organizations to target, hunt, and disrupt advanced cyber threats. Sqrrl's industry-leading threat detection and response platform unites threat hunting, behavioral analytics, and incident investigation capabilities in an integrated solution. Sqrrl's unique platform approach enables security analysts to discover threats faster and reduces the time and resources required to investigate them. Learn more at www.sqrrl.com.

© 2016 Sqrrl Data, Inc. All rights reserved.
