Gurucul WP UEBA Use Cases
Companies have responded by increasing their security budgets and adopting more advanced defenses. One
component of these defensive maneuvers is the establishment of a big data repository containing aggregated
data from numerous sources across the enterprise and external to it. Among the sources are device logs, user
activity data, device configuration data, identity management systems, threat intelligence feeds, and much
more. Often hidden within this massive data repository are critical indicators of a prospective attacker’s access
and activity.
The burgeoning scale of this all-encompassing data lake with full enterprise visibility has far eclipsed the
ability for humans to hunt through it in any realistic manner. However, it is the perfect source for machine
learning (ML) models that relentlessly analyze the data and look for correlations and anomalies that may be
indicative of malicious activity.
It is within this domain of advanced security analytics that User and Entity Behavior Analytics (UEBA) as part
of your threat detection, investigation and response program has emerged as the most effective approach to
comprehensively manage and monitor identity-based risks and unknown threats across all of an organization’s
environments. UEBA draws from the context of big data and is driven by machine learning models rather than
signatures or rules to deliver invaluable visibility and risk scoring of suspicious activity.
User and Entity Behavior Analytics quickly identifies anomalous activity, thereby maximizing timely incident or
automated risk response. The range of use cases is what makes a UEBA solution extensible and valuable. For
organizations to effectively face their cybersecurity challenges, they must assure the use cases align with their
specific needs and varied requirements today and into the future.
Gurucul provides a comprehensive set of use cases for User and Entity Behavior Analytics including:
Early Ransomware Detection
Phishing Detection
Privileged Access Abuse Prevention
Third-Party and Supply Chain Threat Monitoring
Data Exfiltration, DLP and IP Protection
Account Compromise, Hijacking and Sharing Detection
Insider Risk and Threat Monitoring
Anomalous Activity Monitoring
Host / Device Compromise Detection
Lateral Movement Detection
Reconnaissance Monitoring
Security Misconfiguration Identification
While it is common to start with one or two use cases for a UEBA deployment, a customer roadmap of future
projects across departments is advised. Today’s Security Operations Center (SOC) analysts may be engaged
mainly with incident reviews, yet tomorrow, the advantages of automated risk response between security
solutions can become a primary requirement.
gurucul.com
Although siloed security solutions may have their own analytics capabilities, there is high value in aggregating
the data in a big data lake to support correlation of information across data sources. As current innovations
expand with widening adoptions, security leaders will deepen their understanding of how advanced security
analytics improve detection and response. This white paper explores a comprehensive and optimal set of use
cases for UEBA.
The “entity” part of the solution means it also monitors devices that are part of the network. Machines, like
people, can exhibit unusual behaviors that may indicate an attack is underway. For example, a desktop device
might be observed to be communicating with an unusual IP address that external threat intelligence says is a
malicious site. Prompt detection and alerting of this behavior can lead to quick mitigation such as blocking the
traffic at a firewall to prevent outreach to that IP address.
The heart of Gurucul UEBA is the security analytics engine. User and entity activity data aggregated
from numerous sources is drawn into the engine from a big data repository, where it has been normalized
and combined into a single data set. Machine learning using customized algorithms (i.e., learning models)
processes the data to search for patterns, correlations, and anomalies. Rapid searches of the results identify
early indicators of an attack. The analytics engine calculates a risk score based on those indicators and
generates an alert to trigger further action based on the calculated risk. Additional types of responses can be
implemented such as generating a case ticket or activating a response using automation tools like security
orchestration and automated response (SOAR).
[Figure: Gurucul Real-Time UEBA Risk Score. Inputs: Infrastructure Logs (Servers, Gateway, DNS), Application Audit Logs, Network Logs (Netflow, Packet Capture), stored on an Open Choice Big Data platform. Outputs: Outlier / Risky Behavior Detection, and Prescriptive User/Entity Actions to Prevent Malicious Behavior.]
Using proven machine learning techniques, Gurucul UEBA profiles past and current behavior by evaluating
all user and non-person entity activity against a set of normal baselines. Using outlier analysis, the behavior
is further evaluated against dynamically defined peer groups with the goal of providing additional contextual
intelligence. These techniques assist in detecting and eliminating false positives. When the activity of every
user and every entity is put through the analytics engine, a risk score (or confidence score) for each individual
user is calculated. Every additional action a user or entity takes is incorporated into the individual’s risk score,
which is continuously recalculated with the new activity.
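The pipeline described above (a per-user baseline, an outlier check against the peer group, and a risk score that is recalculated with every new action) can be made concrete with a small worked example. The code below is an added illustration, not Gurucul's engine or any part of its product; the users, peer groups, daily download counts, the z-score threshold of 3.0, the risk increments and the decay factor are all constructed assumptions chosen to show the mechanism.

```python
"""Baseline and peer-group outlier scoring, with a continuously recalculated risk score."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real telemetry): daily file-download counts per user
# over a seven-day training window, and the peer group each user belongs to.
PEER_GROUP = {"alice": "finance", "bob": "finance", "carol": "finance",
              "dave": "engineering", "erin": "engineering"}
HISTORY = {
    "alice": [10, 12, 9, 11, 10, 13, 12],
    "bob":   [8, 9, 10, 8, 11, 9, 10],
    "carol": [14, 15, 13, 16, 14, 15, 13],
    "dave":  [40, 42, 38, 45, 41, 39, 44],
    "erin":  [35, 37, 36, 38, 34, 36, 37],
}


def zscore(value, samples):
    """How many standard deviations `value` sits above the mean of `samples`."""
    mu, sd = mean(samples), pstdev(samples)
    if sd == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def peer_samples(user):
    """Training values of everyone in the user's peer group, excluding the user."""
    group = PEER_GROUP[user]
    return [v for other, values in HISTORY.items()
            if PEER_GROUP[other] == group and other != user
            for v in values]


def score_event(user, count, threshold=3.0):
    """Risk increment for one new daily count, judged against two baselines.

    Returns 0 when the count is within the user's own baseline, a low increment
    when it is an outlier for the user but normal for the peer group (the peer
    context suppresses a likely false positive, e.g. a role change), and a high
    increment when it is an outlier against both baselines.
    """
    self_z = zscore(count, HISTORY[user])
    peer_z = zscore(count, peer_samples(user))
    if self_z < threshold:
        return 0
    if peer_z < threshold:
        return 10
    return 40


class RiskScore:
    """Per-user score that decays on each new observation and adds the new increment."""

    def __init__(self, decay=0.8, alert_at=45.0):
        self.scores = defaultdict(float)
        self.decay = decay
        self.alert_at = alert_at

    def update(self, user, count):
        """Incorporate a new observation and return the recalculated score (0-100)."""
        new = self.scores[user] * self.decay + score_event(user, count)
        self.scores[user] = min(100.0, new)
        return self.scores[user]

    def should_alert(self, user):
        """True once the accumulated score crosses the alerting threshold."""
        return self.scores[user] >= self.alert_at


if __name__ == "__main__":
    rs = RiskScore()
    for user, count in [("alice", 16), ("alice", 60), ("bob", 9), ("dave", 60)]:
        score = rs.update(user, count)
        print(f"{user}: count={count} score={score:.1f} alert={rs.should_alert(user)}")
```

Alice downloading 16 files is unusual for her (about 3.8 standard deviations above her own mean) but unremarkable for the finance peer group, so it adds only a small increment; a jump to 60 is an outlier against both baselines and pushes her accumulated score past the alert threshold. Dave's 60 looks similar in absolute terms but is scored against the engineering group, which illustrates why the peer baseline must be chosen dynamically rather than applied enterprise-wide.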
Gurucul’s solution framework includes data ingestion available via flat file, database, application
programming interface (API), message or streaming inputs with ready-to-use data connectors for common
enterprise systems and platforms (e.g., human resources, identity and access management, privileged access
management, security information and event management (SIEM), directory services, databases, networks,
vulnerabilities, data loss prevention, threat intelligence, cloud applications/SaaS, authentication, physical
ID badge systems, file storage and endpoints). It also supports an open customer choice for big data with
Hadoop, Cloudera, Hortonworks, ELK Elastic and MapR. Models run on top of a customer choice for big data
to compute and store, to avoid reading and storing data multiple times. In simple terms, use your existing data
lake with advanced security analytics on top.
Early Ransomware Detection
When questioned, most CISOs still report major issues with detecting and protecting against ransomware. This
is due to the nature of the attack itself. For example, the attacker may pull the AES encryption key through
the same access he or she originally used to enter and copy it to the victim host, or may intend to pull the
keys only once a particular resource has been reached. Either action is a pivotal point of detection, and
behavior analytics will identify both as unnatural behavior patterns. Many other factors also come into play:
the user from which the host activity originated, the irregular use of protocols, and unusual network and
file activity are all indications of abnormal behavior. This does not even include the traditional actions that
security tools would identify, which Gurucul enriches and correlates with the abnormal behavior to increase
accuracy and awareness and to remediate before the adversary can even reach the resources it intends to encrypt.
Phishing Detection
Phishing is a leading social engineering technique that attackers or cyber criminals use to gain access to a
legitimate user’s account credentials. Once an attacker has an employee’s username and password, they can
login to the network directly and assume the same privileges as that user. To prevent an account takeover, it’s
important to stop phishing at the source—in the legitimate users’ inboxes or sooner.
UEBA analyzes the activity behind the incoming messages of the phishing campaign to identify unusual behavior
indicative of malicious email. UEBA looks for attributes like unusual sender email domains, inbound email from
similar senders to large numbers of internal users, unusual character sequences based on text mining, and
pretrained detection on trusted subject lines. Alerts on these activities, along with automated responses that
isolate suspicious messages, can help curtail phishing in an organization.
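Three of the attributes listed above (an unusual sender domain, similar senders reaching many internal users, and an unusual character sequence in the subject) can be checked with simple rules over message metadata. The following is an added example written for this page, not Gurucul's detection logic; the internal domain, the trusted-domain baseline, the messages, the campaign threshold of three recipients and the edit-distance cutoff of two are constructed assumptions, and the mixed-script test is a deliberately simple stand-in for the text-mining the paper refers to.

```python
"""Attribute checks over inbound email metadata: unusual sender domains,
look-alike senders reaching many internal users, and unusual character sequences."""
from collections import defaultdict

INTERNAL_DOMAIN = "example-corp.com"                      # constructed
# Constructed baseline: sender domains seen in recent legitimate mail.
TRUSTED_DOMAINS = {"example-corp.com", "vendor-payroll.com"}

# Constructed inbound messages (sender, recipient, subject); not real mail.
MESSAGES = [
    ("hr@example-corp.com", "alice@example-corp.com", "Benefits enrollment"),
    ("billing@vendor-payroll.com", "bob@example-corp.com", "Invoice 1042"),
    ("support@vendor-payro11.com", "alice@example-corp.com", "Password reset required"),
    ("support@vendor-payro11.com", "bob@example-corp.com", "Password reset required"),
    ("support@vendor-payro11.com", "carol@example-corp.com", "Password reset required"),
    ("news@some-newsletter.net", "carol@example-corp.com", "Weekly digest"),
    # Subject mixes Latin letters with a Cyrillic "\u0430" in place of the Latin "a".
    ("ceo@example-corp.com", "dave@example-corp.com", "Urgent: p\u0430yment approval"),
]


def sender_domain(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def levenshtein(a, b):
    """Edit distance; used to spot look-alike domains such as 'payro11' vs 'payroll'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def has_mixed_script(text):
    """True if a subject mixes ASCII letters with non-ASCII letters
    (a simple stand-in for the text-mining check the paper describes)."""
    ascii_letters = any(c.isascii() and c.isalpha() for c in text)
    other_letters = any((not c.isascii()) and c.isalpha() for c in text)
    return ascii_letters and other_letters


def analyze(messages, trusted=TRUSTED_DOMAINS, campaign_threshold=3, max_edits=2):
    """Return a list of (rule, detail) findings for the given messages."""
    findings = []
    recipients_by_domain = defaultdict(set)
    for sender, recipient, subject in messages:
        domain = sender_domain(sender)
        if recipient.endswith("@" + INTERNAL_DOMAIN):
            recipients_by_domain[domain].add(recipient)
        if domain not in trusted:
            findings.append(("unusual-sender-domain", sender))
        if has_mixed_script(subject):
            findings.append(("unusual-character-sequence", subject))
    # Campaign check: a domain that is NOT trusted but is within a few edits of a
    # trusted one, and that reached several distinct internal users.
    for domain, recipients in recipients_by_domain.items():
        if domain in trusted:
            continue
        lookalikes = [t for t in trusted if levenshtein(domain, t) <= max_edits]
        if lookalikes and len(recipients) >= campaign_threshold:
            findings.append(("lookalike-campaign",
                             f"{domain} resembles {lookalikes[0]}; "
                             f"{len(recipients)} internal recipients"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(MESSAGES):
        print(f"{rule}: {detail}")
```

Each finding carries the rule that fired, which is what an automated response (quarantining the message, or raising the sender's risk score) would key on; the look-alike rule only fires once the same untrusted domain has reached the configured number of distinct internal recipients, so a single typo in a legitimate partner's address does not by itself look like a campaign.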
A 360-degree dashboard provides visibility of an identity’s accounts, access, and activity for on-premises and
cloud hybrid environments. Both access and activity are risk scored for anomalous events with results visible
to employee managers and SOC analysts.
Reconnaissance Monitoring
Reconnaissance is the preliminary step of a cyberattack in which the attacker attempts to learn as much as
possible about an organization’s computing environment and its defenses. To gain information without actively
engaging the network’s defenses, an attacker uses reconnaissance measures to interact with the network’s open
ports, running services, etc. For example, an attacker may use port scanning to determine what services are
visible and where an attack can be conducted. As part of port scanning, data is retrieved from opened ports and
analyzed.
By analyzing entity behavior, UEBA can recognize and alert on a variety of reconnaissance activities, including
port scans, ping sweeps and fingerprinting; DB table and structure discovery through web server logs; discovery
of directories and pages exposed to the Internet; discovery of exposed cloud assets including storage buckets,
instances, and databases; and much more.
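The first two reconnaissance activities named above, port scans and ping sweeps, are visible in the network logs (Netflow) that the solution framework ingests, and both reduce to counting distinct targets per source within a time window. The code below is an added example for this page, not Gurucul's detection content; the flow records, the 60-second window, and the thresholds of 20 distinct ports and 10 distinct hosts are constructed assumptions.

```python
"""Port-scan and ping-sweep detection over constructed flow records."""
from collections import Counter, defaultdict

# Constructed flow records (epoch seconds, src_ip, dst_ip, dst_port, protocol);
# not real traffic.
FLOWS = []
for i, port in enumerate(range(1, 31)):                    # one host probing 30 ports in 30 s
    FLOWS.append((float(i), "10.0.0.5", "10.0.1.10", port, "tcp"))
for i in range(15):                                        # one host pinging 15 neighbours
    FLOWS.append((float(i), "10.0.0.6", f"10.0.2.{i + 1}", 0, "icmp"))
for i in range(5):                                         # ordinary HTTPS client
    FLOWS.append((float(i * 10), "10.0.0.7", "10.0.1.10", 443, "tcp"))


def detect_port_scans(flows, window_s=60.0, min_ports=20):
    """Map (src, dst) -> peak number of distinct TCP destination ports seen
    within any window_s-second window, for pairs reaching min_ports or more."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        if proto == "tcp":
            by_pair[(src, dst)].append((ts, port))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        in_window = Counter()          # port -> number of flows still inside the window
        lo, peak = 0, 0
        for ts, port in events:
            in_window[port] += 1
            while ts - events[lo][0] > window_s:           # slide the window forward
                old_port = events[lo][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            hits[pair] = peak
    return hits


def detect_ping_sweeps(flows, min_hosts=10):
    """Map src -> number of distinct hosts it sent ICMP to, for sources at or above min_hosts."""
    targets = defaultdict(set)
    for _, src, dst, _, proto in flows:
        if proto == "icmp":
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FLOWS))
    print("ping sweeps:", detect_ping_sweeps(FLOWS))
```

The sliding window matters: the same 30 ports spread over a day would be a slow scan that this rule intentionally does not catch at the default settings, and the ordinary HTTPS client, which repeatedly talks to a single port on the same server, never reaches the port threshold. In a UEBA deployment a hit from either function would feed the source entity's risk score rather than stand alone as a binary alert.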
Empowered Security Capabilities and Quality – The mature capabilities of Gurucul UEBA provide robust
and optimal advanced security analytics across a range of on-premises and hybrid environments, risk-
scoring the gray areas of unknown threats and minimizing false positives. The result is improved focus
of “find-fix” resources, optimized use of security analysts’ time, greater efficiency in the SOC, and
more productive operations and people.
Extended and Optimized Discovery, Monitoring, and Visibility – This includes the baseline ability to
view the full context of a user’s access and activities, both legitimate and anomalous. Gurucul UEBA
also includes analytics for hybrid environments, providing a combined 360-degree view for identity and
risk-scored behavior anomalies. It’s all driven by machine learning as part of a newly recognized
state-of-the-art UEBA standard, along with its ability to interface with Identity & Access Analytics for
increased efficiencies.
Improved Productivity and Cost Savings – By having holistic visibility across all an organization’s
environments, users, and devices, the SOC team’s efficiencies are maximized, delivering cost savings. In
addition, as enterprises continue to migrate to cloud applications, the ability to expand platforms without
adoption of additional solutions helps to minimize costs.
Conclusion
The depth and range of use cases fundamentally defines the areas of expertise and functionality for UEBA
vendors. This factor represents an important qualification when choosing a solution partner. Having a broad
selection of use cases provides organizations with the assurance that their advanced security analytics
requirements will be addressed comprehensively today and into the future. Assuring a vendor can support
these use cases across on-premises, cloud and in hybrid environments, as well as being vendor agnostic,
provides the strongest assurance that objectives are achieved. Big data provides rich context that drives
machine learning models. A key to its success is the democracy of data from solution silos and open APIs for
data collection and leveraging risk scores for automated response. Behavior analytics centers on identity with
a 360-degree view of accounts, access, and activity for users, entities, and peers to detect anomalous behavior
and outliers. Both big data and identity are horizontal planes that slice through solution silos and organization
charts. This perspective, with defined use cases, makes for a successful journey.
About Gurucul
Gurucul is a global cyber security company that is changing the way organizations protect their most valuable
assets, data and information from insider and external threats both on-premises and in the cloud. Gurucul’s
real-time Cloud-Native Security Analytics and Operations Platform provides customers with Next Generation
SIEM, XDR, UEBA, and Identity Analytics in a single unified platform. It combines machine learning behavior
profiling with predictive risk-scoring algorithms to predict, prevent, and detect breaches. Gurucul technology is
used by Global 1000 companies and government agencies to fight cybercrimes, IP theft, insider threat and
account compromise as well as for log aggregation, compliance and risk-based security orchestration and
automation for real-time extended detection and response. The company is based in Los Angeles. To learn more,
visit gurucul.com and follow us on LinkedIn and Twitter.
Gurucul | 222 North Pacific Coast Highway, Suite 1322 | El Segundo, CA 90245 | 213-259-8472 | sales@gurucul.com | www.gurucul.com