Nico Popp: The Evolution of User and Entity Behavior Analytics (UEBA)

nico popp symantec UEBA evolutioon behavior analytics

Behavior analytics is already a major component of next-generation endpoint security solutions and cybersecurity in general. With the number of potential endpoints expanding under the bring-your-own devices corporate revolution, solutions must be able to recognize malicious activity as quickly as possible. But what place does it have in endpoint protection now? To find out more about the evolution of this security technology and where it might be heading in the near-future, we spoke to Nico Popp, the Senior Vice President of Information Protection of Symantec. Here’s our conversation, edited slightly for readability:

Solutions Review: How did behavioral analytics first begin?

Nico Popp: Generation one of behavior analytics was designed to help consumers: E-commerce companies seeking to give a better shopping experience to their end users collected information about what users were doing on their websites and used behavior analytics to turn the data into good business results. Those results included recommendations to buy certain products. Every time someone visits a website and clicks on a page, he/she generates a log entry which is full of valuable information.

The problem was companies were producing giant mountains of logs, hits on pages, etc—they didn’t know what to do with all that data, and they weren’t getting value out of the logs. Some business leaders realized they could get a competitive advantage if they used that data to give their customers a better experience. That’s where analytics came into play. Companies like Amazon and Netflix began using analytics behind the scenes to make smarter recommendations to customers.

Bottom line is: companies had a mountain of data from which they wanted to get value.

Many years later, companies faced the same problem in cybersecurity. They were collecting information but were not putting the data to good use. Using tactics that had proven successful in other industries, cyber leaders used behavior analytics to make sense of the large amount of data they were collecting about what people were doing inside their companies—which included identifying behavioral patterns—so that they could detect behaviors that were abnormal and potentially an indication someone was trying to cause harm.

SR: How do user and entity behavior (UEBA) analytics differ from traditional behavior analytics?

NP: User and Entity Behavior Analytics (UEBA) is essentially the same as behavior analytics, but encompasses more than the traditional behavior analytics capabilities. UEBA technologies detect when a user’s or entity’s (i.e. a laptop) behavior is abnormal compared to themselves, their peers, and the overall business unit. UEBA detects the behavior, qualifies if the behavior is business-justified or unusual, and either prioritizes the threat for investigators to act on immediately, or if it’s business justified white-labels the behavior so that it’s not flagged again.

UEBA technologies can detect the main types of insider threats including malicious insiders seeking to do harm, non-malicious insiders who innocently click on links they shouldn’t click on, and insiders who have had their credentials compromised by external bad actors.

SR: Where is behavioral analytics now as opposed to those early days? What innovations do you consider the most significant in the technology’s evolution?

NP: In the early days, behavior analytics had its challenges, especially when deciphering what’s considered abnormal behavior vs. abnormal [but] okay [behavior] vs. abnormal bad [behavior].

For example, three times in three days “Jane” in Accounting sent a document containing private client information to her home email address. Behavior analytics technologies would detect the behavior as abnormal. However, let’s say Jane’s manager gave her permission to send that information to her home email address because she was going to be working from home for a few weeks. The early behavior analytics tools would have generated the alert, adding yet another alert to investigators’ gigantic pile. Investigators would then waste their time chasing a false positive. Today’s behavior analytics have evolved so that they engage contextual information from the business to understand if the behavior was business-justified or not.

The biggest transformation we are seeing now with UEBA is that it is being integrated with already existing technologies to optimize their value. For example, data loss prevention (DLP) technologies are high on cyber leaders’ priority lists due to the upcoming GDPR mandate, transition to the cloud, and the internet-connected everything. However, while DLP technologies were effective at keeping valuable data inside a company, they were producing a flood of alerts, overwhelming analysts who already had limited manpower and time. By integrating DLP with UEBA, analysts receive a prioritized list of only the alerts that matter most so that they know exactly which incidents they need to investigate each day. UEBA also helps reduce false positives and noise so analysts do not waste their time chasing fires that don’t exist.

SR: How are behavioral analytics being integrated into traditional, pre-existing cybersecurity technologies?

NP: In addition to data loss prevention, UEBA can be integrated with many other cyber tools, a couple which include multi-factor authentication and cloud access security broker (CASB) solutions. UEBA and multi-factor authentication work well together in stopping stolen credential threats.

Let’s say a bad actor steals an employee’s credentials and tries logging into a corporate database that contains highly valuable information and isn’t one the real employee normally accesses during that time of day. UEBA and multi-factor authentication would work together to detect the unusual behavior and block the user from accessing the database unless he verified his identity through another mechanism such as a push notification with a biometric—i.e. thumb scan—request sent to his phone. When the real employee responds, “no, he did not attempt to access that database,” the user’s account would shut down preventing the criminal from gaining access. UEBA would also go a step further and prioritize the alert for investigators.

With a CASB integration, UEBA becomes increasingly important. With BYO devices having direct-connect to cloud apps and data repositories, simply using user credentials opens organizations up to new threat vectors. Knowing who is connecting to your cloud apps and understanding behavior is a must for data protection and compliance reasons. UEBA provides unique benefits by providing a risk level for the users accessing cloud apps; understanding if the user authenticated with multi-factor authentication, accessed the app from a secure location and if they are acting within the ‘norm’ of a remote employee, and blocking the user if they are risky, can greatly strengthen an organization’s security posture.

SR: What types of insider threats do behavioral analytics detect?

NP: UEBA detects malicious insiders (employees and third-party vendors) who are trying to harm the company, non-malicious insiders who click on suspicious links or open suspicious attachments without realizing the risk they are posing to the company, repeat offenders who continuously practice poor security hygiene even after going through training, and compromised credentials.

SR: What do you think is the future of the technology?

NP: Today’s UEBA incorporates supervised and unsupervised machine learning so it learns as it goes. It ingests, analyzes, and ranks information to understand behavioral patterns and creates a baseline for what’s considered normal behavior. It also watches how analysts use the technology to understand context and make future recommendations. The UEBA of the future will be even smarter. Continued advancement and further incorporation of both methods of machine learning will make it even faster to understand context and make intelligent recommendations.

Thanks again to Nico Popp for taking the time to speak with us! You can check out Bay Dynamics’ infographic to learn more about the types of insider attacks UEBA detects.

Follow me

Ben Canner

Editor, Cybersecurity at Solutions Review
Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner
Follow me

Leave a Reply

Your email address will not be published. Required fields are marked *