Gurucul WP UEBA Use Cases


WHITEPAPER

User & Entity Behavior Analytics Use Cases
Accelerating Threat Detection Earlier in the Kill Chain

As cyberattacks continue to grow in both number and sophistication, and the stakes grow higher as threat
surfaces expand, organizations are under intense pressure to protect themselves from compromise. Security
leaders face a perpetual challenge to keep up with ever-evolving hacker tactics that easily elude signatures,
rules, and patterns in traditional cyber defense systems. Further complicating the challenge is the need to
protect hybrid environments of on-premises and cloud.

Companies have responded by increasing their security budgets and adopting more advanced defenses. One
component of these defensive maneuvers is the establishment of a big data repository containing aggregated
data from numerous sources across the enterprise and external to it. Among the sources are device logs, user
activity data, device configuration data, identity management systems, threat intelligence feeds, and much
more. Often hidden within this massive data repository are critical indicators of a prospective attacker’s access
and activity.

The burgeoning scale of this all-encompassing data lake with full enterprise visibility has far eclipsed the
ability for humans to hunt through it in any realistic manner. However, it is the perfect source for machine
learning (ML) models that relentlessly analyze the data and look for correlations and anomalies that may be
indicative of malicious activity.

It is within this domain of advanced security analytics that User and Entity Behavior Analytics (UEBA) as part
of your threat detection, investigation and response program has emerged as the most effective approach to
comprehensively manage and monitor identity-based risks and unknown threats across all of an organization’s
environments. UEBA draws from the context of big data and is driven by machine learning models rather than
signatures or rules to deliver invaluable visibility and risk scoring of suspicious activity.

User and Entity Behavior Analytics quickly identifies anomalous activity, thereby maximizing timely incident or
automated risk response. The range of use cases is what makes a UEBA solution extensible and valuable. For
organizations to effectively face their cybersecurity challenges, they must assure the use cases align with their
specific needs and varied requirements today and into the future.

Gurucul provides a comprehensive set of use cases for User and Entity Behavior Analytics including:
Early Ransomware Detection
Phishing Detection
Privileged Access Abuse Prevention
3rd Party and Supply Chain Threat Monitoring
Data Exfiltration, DLP and IP Protection
Account Compromise, Hijacking and Sharing Detection
Insider Risk and Threat Monitoring
Anomalous Activity Monitoring
Host / Device Compromise Detection
Lateral Movement Detection
Reconnaissance Monitoring
Security Misconfiguration Identification

While it is common to start with one or two use cases for a UEBA deployment, a customer roadmap of future
projects across departments is advised. Today’s Security Operations Center (SOC) analysts may be engaged
mainly with incident reviews, yet tomorrow, the advantages of automated risk response between security
solutions can become a primary requirement.

gurucul.com
Although siloed security solutions may have their own analytics capabilities, there is high value in aggregating
the data in a big data lake to support correlation of information across data sources. As current innovations
expand with widening adoptions, security leaders will deepen their understanding of how advanced security
analytics improve detection and response. This white paper explores a comprehensive and optimal set of use
cases for UEBA.

What Is UEBA and How Does It Work?


User and Entity Behavior Analytics is a cybersecurity solution that uses algorithms and machine learning to
detect anomalies in the behavior of users and non-human entities such as the routers, servers, endpoints, and
other devices in a network. UEBA looks for unusual or suspicious behavior that deviates from a baseline of
normal everyday patterns or usage. For example, if a particular user typically logs into the network from an IP
address in Atlanta, and on a given day that same user credential logs in from both the address in Atlanta and
an IP address in Los Angeles within a two-hour window, the UEBA system would consider this an anomaly.
An alert can be sent to a security administrator, or if automations are in place, that user can be automatically
disconnected from the network pending further investigation of the situation. 

The “entity” part of the solution means it also monitors devices that are part of the network. Machines, like
people, can exhibit unusual behaviors that may indicate an attack is underway. For example, a desktop device
might be observed to be communicating with an unusual IP address that external threat intelligence says is a
malicious site. Prompt detection and alerting of this behavior can lead to quick mitigation such as blocking the
traffic at a firewall to prevent outreach to that IP address.
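The two detections described above, the same credential logging in from Atlanta and Los Angeles too close together and a desktop reaching an IP address that threat intelligence lists as malicious, as an added example that is not part of the original white paper and not Gurucul's code. It generalizes the two-hour rule in the text into an implied travel speed check; the city coordinates, the 900 km/h ceiling, and all login, connection and indicator data are constructed assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed coordinates (lat, lon) for the two cities named in the text.
CITY_COORDS = {
    "Atlanta": (33.75, -84.39),
    "Los Angeles": (34.05, -118.24),
}

# Assumption: nothing legitimate moves a person faster than a commercial flight.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class Login:
    user: str       # credential used
    city: str       # geolocation of the source address
    src_ip: str
    ts: datetime


@dataclass(frozen=True)
class Connection:
    host: str       # internal device name
    dst_ip: str
    ts: datetime


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(logins):
    """User side: consecutive logins by one credential from different cities whose
    implied travel speed exceeds MAX_PLAUSIBLE_KMH. Returns a list of findings."""
    by_user = {}
    for lg in sorted(logins, key=lambda x: x.ts):
        by_user.setdefault(lg.user, []).append(lg)
    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev.city == cur.city:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(CITY_COORDS[prev.city], CITY_COORDS[cur.city])
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                findings.append({
                    "user": user, "from": prev.city, "to": cur.city,
                    "hours": round(hours, 2), "implied_kmh": round(speed),
                    "response": "alert; disconnect session pending investigation",
                })
    return findings


def threat_intel_matches(connections, bad_ips):
    """Entity side: devices talking to destinations a threat-intel feed lists as malicious."""
    return [
        {"host": c.host, "dst_ip": c.dst_ip,
         "response": "alert; block destination at firewall"}
        for c in connections if c.dst_ip in bad_ips
    ]


# Constructed sample events (not real data).
_T0 = datetime(2022, 3, 1, 9, 0)
SAMPLE_LOGINS = [
    Login("alice", "Atlanta", "203.0.113.10", _T0),
    Login("alice", "Los Angeles", "198.51.100.7", _T0 + timedelta(hours=1, minutes=30)),
    Login("bob", "Atlanta", "203.0.113.11", _T0),
    Login("bob", "Atlanta", "203.0.113.11", _T0 + timedelta(hours=6)),
]
SAMPLE_CONNECTIONS = [
    Connection("desk-042", "192.0.2.99", _T0),
    Connection("desk-042", "192.0.2.5", _T0),
]
SAMPLE_TI = {"192.0.2.99"}  # constructed threat-intel indicator

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGINS) + threat_intel_matches(SAMPLE_CONNECTIONS, SAMPLE_TI):
        print(f)
```

Bob's two Atlanta logins six hours apart produce nothing; Alice's Atlanta-to-Los Angeles pair 90 minutes apart implies roughly 2,000 km/h and is flagged with the response the text describes.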

The heart of Gurucul UEBA is the security analytics engine. User and entity activity data aggregated
from numerous sources is drawn into the engine from a big data repository, where it has been normalized
and combined into a single data set. Machine learning using customized algorithms (i.e., learning models)
processes the data to search for patterns, correlations, and anomalies. Rapid searches of the results identify
early indicators of an attack. The analytics engine calculates a risk score based on those indicators and
generates an alert to trigger further action based on the calculated risk. Additional types of responses can be
implemented, such as generating a case ticket or activating a response using automation tools like security
orchestration and automated response (SOAR).

[Figure: Gurucul UEBA data flow. Inputs: Security Data / Intel (Firewall, IDS / IPS, AV, TI Feed); Infrastructure Logs (Servers, Gateway, DNS); Application Audit Logs; Network Logs (Netflow, Packet Capture); Device Attributes & Config Details. These feed an Open Choice Big Data store and the Gurucul Real-Time UEBA Risk Score, whose outputs are Outlier / Risky Behavior Detection and Prescriptive User/Entity Actions to Prevent Malicious Behavior.]

Using proven machine learning techniques, Gurucul UEBA profiles past and current behavior by evaluating
all user and non-person entity activity against a set of normal baselines. Using outlier analysis, the behavior
is further evaluated against dynamically defined peer groups with the goal of providing additional contextual
intelligence. These techniques assist in detecting and eliminating false positives. When the activity of every
user and every entity is put through the analytics engine, a risk score (or confidence score) for each individual
user is calculated. Every additional action a user or entity takes is incorporated into the individual’s risk score,
which is continuously recalculated with the new activity.
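An added example, not from the white paper and not Gurucul's code, of the scoring loop this paragraph describes: each identity has its own baseline, the same activity is also compared with a peer group, an event counts as an outlier only when it is unusual on both comparisons (the peer check is what removes the false positive for a user whose heavy download is normal for their team), and a per-identity risk score is recalculated with every event. Peer groups are taken from a static department attribute rather than derived dynamically, and the download history, the 3-sigma threshold, the decay factor and the contribution cap are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed history: per user, the peer group (department) and ten days of
# megabytes downloaded from a file server. Not real telemetry.
HISTORY = {
    "alice": ("sales",    [50, 52, 48, 51, 49, 50, 53, 47, 50, 50]),
    "bob":   ("sales",    [60, 58, 62, 61, 59, 60, 57, 63, 60, 60]),
    "carol": ("data-eng", [55, 60, 58, 62, 59, 61, 57, 63, 60, 65]),
    "dave":  ("data-eng", [800, 820, 780, 810, 790, 805, 795, 815, 800, 785]),
    "erin":  ("data-eng", [750, 760, 740, 770, 755, 745, 765, 735, 750, 780]),
}

Z_THRESHOLD = 3.0        # assumption: more than 3 standard deviations is an outlier
DECAY = 0.9              # assumption: share of the previous risk carried into the next event
MAX_CONTRIBUTION = 50.0  # assumption: cap on what one event can add to the score


def _mean_sd(values):
    sd = statistics.pstdev(values)
    return statistics.mean(values), max(sd, 1e-6)   # floor avoids divide-by-zero


def build_baselines(history):
    """Per-user baseline plus a pooled baseline for each peer group."""
    user_base = {u: _mean_sd(v) for u, (_, v) in history.items()}
    pooled = defaultdict(list)
    for _, (group, v) in history.items():
        pooled[group].extend(v)
    peer_base = {g: _mean_sd(v) for g, v in pooled.items()}
    return user_base, peer_base


def score_event(user, value, history, user_base, peer_base):
    """Return (z_user, z_peer, is_outlier). Activity must be unusual for the
    individual AND for the peer group; a value that is unusual for the person
    but normal among peers is context, not a threat."""
    group = history[user][0]
    mu_u, sd_u = user_base[user]
    mu_p, sd_p = peer_base[group]
    z_user = (value - mu_u) / sd_u
    z_peer = (value - mu_p) / sd_p
    return z_user, z_peer, (z_user > Z_THRESHOLD and z_peer > Z_THRESHOLD)


class RiskScorer:
    """Running 0-100 risk score per identity, recalculated on every new event."""

    def __init__(self, history):
        self.history = history
        self.user_base, self.peer_base = build_baselines(history)
        self.risk = defaultdict(float)

    def ingest(self, user, value):
        z_user, z_peer, outlier = score_event(
            user, value, self.history, self.user_base, self.peer_base)
        contribution = min(MAX_CONTRIBUTION, 5.0 * min(z_user, z_peer)) if outlier else 0.0
        self.risk[user] = min(100.0, self.risk[user] * DECAY + contribution)
        return {"user": user, "z_user": round(z_user, 1), "z_peer": round(z_peer, 1),
                "outlier": outlier, "risk": round(self.risk[user], 1)}


if __name__ == "__main__":
    scorer = RiskScorer(HISTORY)
    for user, mb in (("alice", 900), ("alice", 900), ("carol", 700), ("bob", 61)):
        print(scorer.ingest(user, mb))
```

Alice at 900 MB is far outside both her own and the sales baseline, so her score jumps and keeps climbing on a repeat; Carol at 700 MB is a huge deviation from her own history but ordinary for data-eng, so she is not scored; Bob's 61 MB is within noise.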

Gurucul’s solution framework includes data ingestion available via flat file, database, application
programming interface (API), message or streaming inputs with ready-to-use data connectors for common
enterprise systems and platforms (i.e., human resources, identity and access management, privileged access
management, security information and event management (SIEM), directory services, databases, networks,
vulnerabilities, data loss prevention, threat intelligence, cloud applications/SaaS, authentication, physical
ID badge systems, file storage and endpoints). It also supports an open customer choice for big data with
Hadoop, Cloudera, Hortonworks, ELK Elastic and MapR. Models run on top of a customer choice for big data
to compute and store, to avoid reading and storing data multiple times. In simple terms, use your existing data
lake with advanced security analytics on top.

Gurucul User and Entity Behavior Analytics Top Use Cases

Early Ransomware Detection
Ask most people, and the perception of ransomware is that it encrypts users’ files, whether those files
are meaningful or not. More importantly, ransomware is an adversary’s tool of the trade, a weapon to
unleash on any alluring resource. Advanced ransomware attacks mainly target the encryption of high-stakes
documents and resources such as MySQL databases, and it is not unusual for attackers to gain access via
tactics like phishing or drive-by attacks. Next-generation antivirus (NGAV) vendors have produced software
that uses canary files, whether system-wide actual data files or dedicated decoys. More intelligent anti-
ransomware software checks for changes, identifies file header alterations made by AES symmetric
encryption, and kills the malicious process in time. However, this is just a race against time, and who will
win that ransomware race?

When questioned, most CISOs still report major issues with detecting and protecting against ransomware.
This is due to the nature of the attack itself. For example, the attacker may pull the AES encryption keys
through the same access he or she originally used and copy them to the victim host, or may intend to pull
the keys only once a particular resource has been reached. Either action would be a pivotal point of
detection, and behavior analytics would identify both as unnatural behavior patterns. Many other factors
also come into play: the user from which the host activity originated, irregular use of protocols, and unusual
network and file activity are all indications of abnormal behavior. This does not even include the traditional
actions that security tools would identify, which Gurucul enriches and correlates together with the abnormal
behavior to increase accuracy and awareness and to remediate before the adversary can even reach the
resources they intend to encrypt.

Phishing Detection
Phishing is a leading social engineering technique that attackers or cyber criminals use to gain access to a
legitimate user’s account credentials. Once an attacker has an employee’s username and password, they can
log in to the network directly and assume the same privileges as that user. To prevent an account takeover, it’s
important to stop phishing at the source—in the legitimate users’ inboxes or sooner.

UEBA analyzes the activity behind the incoming messages
of the phishing campaign to identify unusual behavior
indicative of malicious email. UEBA looks for attributes
like unusual sender email domains, inbound email from
similar senders to large numbers of internal users, unusual
character sequence based on text mining, and pretrained
detection on trusted subject lines. Alerts on these activities,
along with automated responses that isolate suspicious
messages, can help curtail phishing in an organization.

Privileged Access Abuse Prevention


This use case identifies high privileged access (HPA)
abuse by leveraging the combination of accounts,
access, and activity data. Typically, accounts and access
data are ingested from Identity Access Management
(IAM), Privileged Access Management (PAM), and/or
directory services platforms to identify HPA accounts and
discover any non-HPA accounts granted high privileged
entitlements. Additionally, the activity data is ingested from
enterprise level audit or log sources or obtained directly
from the target data sources.
Once HPA accounts are identified, UEBA can detect
suspicious behavior and misuse such as using HPA to
assign special or elevated privileges to the user’s own
account followed by an activity, or transactions outside
the window of password value checkout and check in
timeframe. This also includes access to resources and
transactions outside normal behavior profiles, abnormal
access to classified or sensitive documents, and multiple
concurrent sessions from the same account using different
IPs, devices, locations, etc.

3rd Party and Supply Chain Threat Monitoring

Through understanding of 3rd party access controls, privileged access policies, and network traffic analysis,
UEBA can detect suspicious behavior and misuse. This includes using 3rd party access to assign special or
elevated privileges to the user’s own account followed by an activity, or transactions outside the window of
password value checkout and check in timeframe. It can also find unusual connections and traffic from
dormant and rarely used 3rd parties, or even 3rd parties that are no longer active partners. UEBA is the most
effective way to detect the initial compromise by a 3rd party or supply chain partner. In addition, our full
complement of identity, network, cloud, and endpoint analytics can go further to determine active threats
and even misconfigurations such as cloud access.

“Gurucul really stood out because the analytics engine was the most powerful. The machine learning
algorithms are the strongest. We saw results very, very quickly.”
- William Scandrett, CISO, Allina Health
Data Exfiltration, DLP and IP Protection
UEBA identifies data exfiltration attempts and protects intellectual property by ingesting data sources such
as data loss prevention (DLP) and data classification to learn important data locations, access, and application
activity.
A primary benefit of UEBA machine learning is the generation of risk-scored DLP alerts that help to reduce
alert fatigue and prioritize “find-fix” resources. Analysis by UEBA includes on-premises and cloud applications
for a 360-degree view of data access and activity. This approach helps customers prioritize DLP alert
investigations as well as identify and monitor even the low severity DLP alerts associated with departing
users or high-risk users.
Unsupervised machine learning models develop baselines pertaining to typical data access patterns, making it
possible to identify activity for anomalous events. Moreover, UEBA solutions traditionally provide out-of-the-
box machine learning models which can identify known patterns such as sensitive documents downloaded
and copied to USB, large amounts of source code checked out from source code repositories, file uploads to
cloud storage, emails to personal accounts, access to competitor and/or job websites, etc.
Organizations have also extended UEBA alerts beyond SOC analysts to project managers, given their depth of
context and relevance regarding employees, data, and projects.

Account Compromise, Hijacking and Sharing Detection


One of the Top 10 OWASP (Open Web Application Security Project) vulnerabilities is related to the ‘Broken
Authentication and Session Management’ scenario. Here, attackers exploit vulnerabilities through attacks
such as Pass-the-Hash (PtH), Pass-the-Token (PtT), Brute Force, and Remote Execution to gain access to user
credentials (passwords or hashes).
Such attacks can be detected using the underlying machine learning algorithms tuned to inspect various
parameters like timestamp, location, IP, device, transaction patterns, high-risk event codes, and network
packets to identify any deviation from the normal behavior of a particular account and the corresponding
transactions. This facilitates detection of any potential account compromise or hijacking scenarios based on
the anomalous behavior patterns such as abnormal access to high-risk or sensitive objects, abnormal number
of activities, excessive requests in a short time frame, activity from terminated or dormant user accounts, PtH
attacks, and session replay attacks.
Anomalies identified via clustering machine learning models and outlier analysis inconsistent with a user or
peers’ normal behaviors are given risk scores based on advanced security analytics to drive alerts, actions, and
case tickets.

Insider Risk and Threat Monitoring


Advanced UEBA insider risk and threat monitoring leverages research drawn from extensive insider threat
databases of real-world incidents to develop, test, and refine machine learning behavior models. Baseline
profiles are created using attributes from HR records, events, access repository, log management solutions,
and more. Identifying high-risk profiles with abnormal behaviors in conjunction with data risk monitoring,
machine learning and statistical analysis reveals anomalies in data that humans could not otherwise recognize
or detect. As a force multiplier, ML far surpasses human capabilities and software engineering for managing
large volumes and varieties of data.
True machine learning also finds high-order interactions and patterns in data for complex problems such as
insider threats, compromised accounts, and data exfiltration. It does this by leveraging useful and predictive
cues that are too noisy and highly dimensional for human experts and traditional software to detect.

A 360-degree dashboard provides visibility of an identity’s accounts, access, and activity for on-premises and
cloud hybrid environments. Both access and activity are risk scored for anomalous events with results visible
to employee managers and SOC analysts.

Anomalous Activity Monitoring


UEBA detects and monitors anomalous activity by people or devices through the use of ML algorithms tuned
to inspect various parameters like timestamp, location, IP address, device, transaction patterns, high-risk event
codes, and network packets. This method can identify any deviation from the normal behavior that may be
indicative of a threat.
For example, a database administrator may create a script that runs several commands with security
implications at 2 AM each day. This user is an innovator, working to improve the enterprise’s productivity.
However, machine learning models will see these sensitive commands during non-business hours as an
anomaly and score the risk accordingly. A supervisor can provide feedback to the learning models to note that
the behavior is benign and to not flag it again. Nevertheless, the database administrator could be put on a
watch list for a while to ensure that their behavior is totally appropriate.
Watch lists come pre-defined within UEBA for common high-risk groups such as new hires, departing
workers, terminated workers, and other high-risk users. UEBA also supports explicitly adding or removing
identities within watch lists. In highly sensitive environments such as government agencies, devices of foreign
origin can be put on a watch list to ensure there is no nefarious back-door communications activity.
Watch lists and other suspicious users or entities can be monitored through dashboard drop-down menus to
analyze risk scores, anomalies, access, activity, and timelines.
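The database administrator scenario above, as an added example that is not part of the white paper and not Gurucul's code: a per-user baseline of active hours is learned from audit history, a sensitive command outside those hours is flagged, a supervisor's feedback suppresses that exact (user, command type, hour) combination while optionally keeping the user on a watch list, and HR status seeds the pre-defined watch lists for new hires, departing and terminated workers. The audit events, the list of sensitive command prefixes and the HR statuses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    user: str
    ts: datetime
    command: str   # whatever the database audit log recorded


# Assumption: command prefixes with security implications.
SENSITIVE_PREFIXES = ("GRANT", "REVOKE", "ALTER USER", "CREATE USER", "DROP")
# Assumption: HR statuses that place an identity on a pre-defined watch list.
WATCHED_STATUSES = {"new_hire", "departing", "terminated"}


def sensitive_prefix(command):
    cmd = command.strip().upper()
    return next((p for p in SENSITIVE_PREFIXES if cmd.startswith(p)), None)


def learn_active_hours(history):
    """Baseline: the hours of the day at which each user was active during training."""
    hours = defaultdict(set)
    for e in history:
        hours[e.user].add(e.ts.hour)
    return hours


class ActivityMonitor:
    def __init__(self, history, hr_status):
        self.baseline = learn_active_hours(history)
        self.hr_status = hr_status                    # user -> HR status
        self.benign = set()                           # (user, prefix, hour) cleared by feedback
        self.watchlist = {u: s for u, s in hr_status.items() if s in WATCHED_STATUSES}

    def evaluate(self, e):
        """Return 'anomaly', 'watchlist' or 'normal' for one audit event."""
        if self.hr_status.get(e.user) == "terminated":
            return "anomaly"          # any activity from a terminated account is anomalous
        prefix = sensitive_prefix(e.command)
        out_of_profile = e.ts.hour not in self.baseline.get(e.user, set())
        if prefix and out_of_profile and (e.user, prefix, e.ts.hour) not in self.benign:
            return "anomaly"
        if e.user in self.watchlist:
            return "watchlist"        # benign, but surfaced because the identity is watched
        return "normal"

    def mark_benign(self, e, watch_for_days=None):
        """Supervisor feedback: stop flagging this (user, command type, hour) and,
        optionally, keep the user on a watch list for a while."""
        prefix = sensitive_prefix(e.command)
        if prefix:
            self.benign.add((e.user, prefix, e.ts.hour))
        if watch_for_days:
            self.watchlist[e.user] = f"reviewed; watch for {watch_for_days} days"

    def add_to_watchlist(self, user, reason):
        self.watchlist[user] = reason

    def remove_from_watchlist(self, user):
        self.watchlist.pop(user, None)


# Constructed sample data (not real logs): ten business days of daytime queries
# by the DBA, then a GRANT issued by a 2 AM script.
_T0 = datetime(2022, 3, 1)
TRAINING = [AuditEvent("dba1", _T0 + timedelta(days=d, hours=h), "SELECT count(*) FROM orders")
            for d in range(10) for h in (9, 11, 14, 16)]
HR_STATUS = {"dba1": "active", "newbie": "new_hire", "gone": "terminated"}
NIGHT_GRANT = AuditEvent("dba1", _T0 + timedelta(days=10, hours=2),
                         "GRANT SELECT ON orders TO reporting")
NEW_HIRE_EVENT = AuditEvent("newbie", NIGHT_GRANT.ts, "SELECT 1")
TERMINATED_EVENT = AuditEvent("gone", NIGHT_GRANT.ts, "SELECT 1")

if __name__ == "__main__":
    m = ActivityMonitor(TRAINING, HR_STATUS)
    print("first run:", m.evaluate(NIGHT_GRANT))
    m.mark_benign(NIGHT_GRANT, watch_for_days=30)
    print("after feedback:", m.evaluate(NIGHT_GRANT))
    print("new hire:", m.evaluate(NEW_HIRE_EVENT), "terminated:", m.evaluate(TERMINATED_EVENT))
```

Feedback is deliberately narrow: clearing the 2 AM GRANT does not clear a DROP at 2 AM or a GRANT at 4 AM, so the model stops repeating one known-benign alert without losing sight of everything else the DBA does off hours.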

Host / Device Compromise Detection


It is well known that one of the widely used tactics to execute cyberattacks is to compromise trusted hosts
connected to an organization’s network infrastructure. In addition to monitoring anomalous user behavior
with UEBA, it is critical for organizations to monitor closely all the endpoints (devices and hosts) connected
to the network. UEBA builds an anomaly timeline for an entity based on the high-risk anomalous events and
activities performed from the respective device or host. An organization can detect advanced persistent threat
(APT) attacks and attack vectors and predict data exfiltration by performing entity-centric anomaly detection.
UEBA correlates a wide range of parameters associated with an entity, including endpoint security alerts,
vulnerability scan results (Common Vulnerability Scoring System, or CVSS), risk levels of users and accounts
used, targets accessed, packet level inspection of the requested payloads, and more. This correlation
facilitates detection of any anomalous activities or events to determine predictive risk scores.

Lateral Movement Detection


Lateral movement is a technique used by an attacker whereby, after gaining initial access to a network,
they attempt to move within the network to find better vantage points to download additional malware,
communicate to external servers, and eventually find the location of sensitive data. To gain initial access, the
attacker often uses legitimate user credentials that have been stolen through social engineering (phishing)
or other techniques. Then, lateral movement on the network usually requires that the attacker obtain
increased user privileges and use various tools to determine where they are on the network and what security
deterrents are in place around them. The tools are often used to conduct activities such as port scanning or
learning about proxy connections—activities that an average legitimate user of a network would not be doing.
A sophisticated attacker may use “dwell time” to their advantage, meaning their activities are slow and hidden
to avoid detection before malicious activity occurs, sometimes weeks or months after the initial breach of the
network.
Even though the attacker impersonates a legitimate
user on the network, their activities and behavior are
anomalous compared to the real user’s activity. UEBA
detects these anomalies, sends an alert, and adjusts
the risk score for that identity accordingly, which
helps detect residual activity by that compromised
account.

Reconnaissance Monitoring
Reconnaissance is the preliminary step of a
cyberattack in which the attacker attempts to learn as
much as possible about an organization’s computing
environment and its defenses. To gain information
without actively engaging with the network, an
attacker uses reconnaissance measures to interact
with the network’s open ports, running services, etc.
For example, an attacker may use port scanning to
determine what services are visible and where an
attack can be conducted. As part of port scanning,
data is retrieved from opened ports and analyzed.
By analyzing entity behavior, UEBA can recognize
and alert on a variety of reconnaissance activities,
including port scans, ping sweeps and fingerprinting;
DB table and structure discovery through web server
logs; discovery of directories and pages exposed
to the Internet; discovery of exposed cloud assets
including storage buckets, instances, and databases;
and much more.
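Two of the reconnaissance patterns listed above, port scans and ping sweeps, as detection logic over NetFlow-style records; this is an added example, not part of the white paper and not Gurucul's code. The flow records, the 60-second window and the two thresholds are constructed assumptions, and the key is how many distinct ports (or hosts) one source touches inside any window, which is what separates a scanner from a workstation using a handful of services.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real captures), each as
# (timestamp, src_ip, dst_ip, protocol, dst_port); ICMP flows carry dst_port 0.
_T0 = datetime(2022, 3, 1, 2, 0, 0)
FLOWS = (
    # ordinary workstation: three services on one host
    [(_T0 + timedelta(seconds=i), "10.0.0.5", "10.0.1.10", "tcp", p)
     for i, p in enumerate((443, 445, 3389))]
    # scanning host: 40 distinct ports on one host within 20 seconds
    + [(_T0 + timedelta(seconds=i // 2), "10.0.0.99", "10.0.1.10", "tcp", 1000 + i)
       for i in range(40)]
    # sweeping host: ICMP to 30 different hosts within 15 seconds
    + [(_T0 + timedelta(seconds=i // 2), "10.0.0.77", f"10.0.1.{i + 1}", "icmp", 0)
       for i in range(30)]
)

WINDOW = timedelta(seconds=60)  # assumption
PORT_SCAN_THRESHOLD = 20        # assumption: distinct ports per (src, dst) in one window
PING_SWEEP_THRESHOLD = 16       # assumption: distinct hosts pinged by one src in one window


def _windowed_max_distinct(flows, key_fn, distinct_fn, window):
    """For each key, slide a time window over that key's flows and return the
    largest number of distinct values seen inside any single window."""
    per_key = defaultdict(list)
    for f in sorted(flows, key=lambda f: f[0]):
        per_key[key_fn(f)].append(f)
    result = {}
    for key, seq in per_key.items():
        best = 0
        for i, start in enumerate(seq):
            seen = set()
            for f in seq[i:]:
                if f[0] - start[0] > window:
                    break
                seen.add(distinct_fn(f))
            best = max(best, len(seen))
        result[key] = best
    return result


def detect_port_scans(flows, window=WINDOW, threshold=PORT_SCAN_THRESHOLD):
    """Sources touching many distinct TCP ports on one destination."""
    counts = _windowed_max_distinct([f for f in flows if f[3] == "tcp"],
                                    key_fn=lambda f: (f[1], f[2]),
                                    distinct_fn=lambda f: f[4], window=window)
    return [{"type": "port_scan", "src": s, "dst": d, "distinct_ports": n}
            for (s, d), n in counts.items() if n >= threshold]


def detect_ping_sweeps(flows, window=WINDOW, threshold=PING_SWEEP_THRESHOLD):
    """Sources sending ICMP to many distinct destination hosts."""
    counts = _windowed_max_distinct([f for f in flows if f[3] == "icmp"],
                                    key_fn=lambda f: f[1],
                                    distinct_fn=lambda f: f[2], window=window)
    return [{"type": "ping_sweep", "src": s, "distinct_hosts": n}
            for s, n in counts.items() if n >= threshold]


if __name__ == "__main__":
    for finding in detect_port_scans(FLOWS) + detect_ping_sweeps(FLOWS):
        print(finding)
```

Findings like these are the entity-level anomalies that feed a risk score; a slow scanner that spreads the same ports over hours would stay under the per-window threshold, which is why the dwell-time point in the lateral movement section matters and why a longer window or a per-day distinct count is worth keeping alongside this one.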

Security Misconfiguration Identification


By showing unusual or abnormal activity, including
unexpected access to networks, endpoints and
servers, and applications, UEBA can expose where
expected security controls are not working or have
not been configured correctly. This can include
improperly set up access privileges, restricted
access to specific networks or network segments,
and even unexpected or unauthorized application
usage, to name a few examples. UEBA can also
identify unexpected communication channels and
activity to external parties, such as VPN tunnels left
open for a previous supply chain partner that can be
exploited for nefarious purposes.  Security controls
that are inaccurately configured or left insecure put
a company’s systems and data at risk. This is such a
common problem that it is listed on the OWASP Top
Ten list of Web Application Security Risks.
Gurucul Industry-Specific UEBA Use Cases
Gurucul also offers several industry-specific pre-packaged analytics. These sets of models are focused on
addressing the challenges and threats unique to each industry vertical. This helps reduce any customization
or implementation effort to build industry-specific models from scratch. These models are developed in
partnership with the Gurucul Labs team, technology and channel partners, and customers, taking into
consideration telemetry from specialized systems, fraud / threat scenarios, and standards.
Some of the key industry solutions include:

Healthcare Use Cases
Protect Patient Privacy
Discover, Monitor and Identify Risky Medical Devices
Implement Governance Reporting and HIPAA Audit Controls
Detect Healthcare Fraud, Waste, and Abuse (FWA)
Manage and Cleanup EMR Access

Banking / Financial Use Cases
Account Takeover & Login Fraud
Transaction Fraud
Credit Card Fraud
Payment Fraud
Mobile Fraud
Insider Fraud
Call Center Monitoring
Foreign Exchange

Government Use Cases
Insider Abuse
Contractors Overbilling
Reporting Income Discrepancies
Vendor Favoritism
State-sponsored Cyber Attacks

Hi-Tech / Manufacturing Use Cases
Data Exfiltration
IP Protection
IoT Analytics / Device Compromise
Software Licensing Fraud
Vendor / Partner Account Compromise

Retail Use Cases
Point of Sale Fraud
Credit Card Skimming
Online Payment Fraud
Supply-Chain Fraud
Call Center Fraud

Insurance Use Cases
PII / PHI Data Exfiltration
Privileged Access Misuse
HSA Account Takeover
Claims Fraud

Benefits
Having a broad selection of UEBA use cases provides customers with the assurance that their advanced
security analytics requirements will be addressed. The overall benefits include:

Empowered Security Capabilities and Quality – The mature capabilities of Gurucul UEBA provide robust
and optimal advanced security analytics across a range of on-premises and hybrid environments, risk-
scoring the gray areas of unknown threats and minimizing false positives. The result is improving the
focus of “find-fix” resources, optimizing the time of security analysts, creating efficiency in the SOC, and
making operations and people more productive.

Extended and Optimized Discovery, Monitoring, and Visibility – This includes the baseline ability to
view the full context of a user’s access and activities, both legitimate and anomalous. Gurucul UEBA
also includes analytics for hybrid environments, providing a combined 360-degree view for identity and
risk-scored behavior anomalies. It’s all driven by machine learning as part of a newly recognized state-of-
the-art UEBA standard, along with its ability to interface with Identity & Access Analytics for
increased efficiencies.

Improved Productivity and Cost Savings – By having holistic visibility across all an organization’s
environments, users, and devices, the SOC team’s efficiencies are maximized, delivering cost savings. In
addition, as enterprises continue to migrate to cloud applications, the ability to expand platforms without
adoption of additional solutions helps to minimize costs.

Conclusion
The depth and range of use cases fundamentally defines the areas of expertise and functionality for UEBA
vendors. This factor represents an important qualification when choosing a solution partner. Having a broad
selection of use cases provides organizations with the assurance that their advanced security analytics
requirements will be addressed comprehensively today and into the future. Assuring a vendor can support
these use cases across on-premises, cloud and in hybrid environments, as well as being vendor agnostic,
provides the strongest assurance that objectives are achieved. Big data provides rich context that drives
machine learning models. A key to its success is the democracy of data from solution silos and open APIs for
data collection and leveraging risk scores for automated response. Behavior analytics centers on identity with
a 360-degree view of accounts, access, and activity for users, entities, and peers to detect anomalous behavior
and outliers. Both big data and identity are horizontal planes that slice through solution silos and organization
charts. This perspective with defined use cases makes for a successful journey.

About Gurucul
Gurucul is a global cyber security company that is changing the way organizations protect their most valuable
assets, data and information from insider and external threats both on-premises and in the cloud. Gurucul’s
real-time Cloud-Native Security Analytics and Operations Platform provides customers with Next Generation
SIEM, XDR, UEBA, and Identity Analytics in a single unified platform. It combines machine learning behavior
profiling with predictive risk-scoring algorithms to predict, prevent, and detect breaches. Gurucul technology is
used by Global 1000 companies and government agencies to fight cybercrimes, IP theft, insider threat and
account compromise as well as for log aggregation, compliance and risk-based security orchestration and
automation for real-time extended detection and response. The company is based in Los Angeles. To learn more,
visit gurucul.com and follow us on LinkedIn and Twitter.

Gurucul | 222 North Pacific Coast Highway, Suite 1322 | El Segundo, CA 90245 | 213-259-8472 | sales@gurucul.com | www.gurucul.com

© 2022 Gurucul. All rights reserved.
