Fast-Tracking Incident Detection with User and Entity Behavior Analytics (UEBA)
By Kumar Vikramjeet, Cyber Threat Hunter

Information overload — and false positives — are major challenges in the typical incident response organization. Thanks to the plethora of different security platforms, applications, and tools, security teams with limited resources must sift through an ever-growing mountain of alerts, some of which may include irrelevant data. Not only does this slow down the decision-making process, but it could also delay our response to incidents.
User and Entity Behavior Analytics (UEBA) is a cybersecurity process that helps detect anomalous events by employing machine learning (ML) and data statistics. Implementing UEBA in your threat hunting process can help reduce the overwhelming volume of security alerts and events by using scoped detection strategies and highlighting anomalous events potentially related to a cyberattack.
In this blog, I’ll share how the threat hunting team at Adobe is working to fast-track incident detection by developing an in-house UEBA framework, as well as highlight key details about the framework and how it can be adapted in your enterprise security ecosystem.
Developing a UEBA framework
At Adobe, we chose to develop our UEBA framework in-house to fit within our security ecosystem, including our existing security information and event management (SIEM) and endpoint detection and response (EDR) platforms. Doing this has enabled us to prioritize the use cases that are most important to Adobe’s threat-hunting efforts — designed and developed by our internal team of threat hunters and security analysts according to prioritized threat models — rather than rely on a third-party vendor to make changes to their tool to meet our specific needs.
A typical UEBA framework comprises six (6) steps: use cases, data, analytics, correlation, enrichment, and detection.
Use Cases
In UEBA, detection strategies or rules are implemented as use cases, which capture the log events likely to indicate suspicious or malicious activity at a given threat level. Anomalous events coincide with abrupt changes in user or entity behavior, so scoping detection to them reduces the volume of data and the distracting noise to smaller, more targeted data sets for analysis.
Data
Once we’ve defined the use case, we then select and groom a smaller data set pertaining to the use case. In certain cases, we merge use cases to avoid data and computational redundancy. Our existing SIEM platform acts as the main data source for UEBA, and we store the curated use case data sets (and later, the detected anomalies) in our database.
At Adobe, we’ve focused our efforts on five (5) major types of logs: network, application, cloud, host, and authentication, each of which contains multiple data sources. For example, cloud log files might contain AWS as well as Azure data. Depending on your organization’s threat landscape, you may choose to analyze more or fewer logs, or focus on entirely different ones.
Analytics
In the analytics stage, we apply machine learning (ML) or data statistics to detect anomalies according to a pre-defined configuration. To do this, we train our open-source anomaly generator, called One Stop Anomaly Shop (OSAS). In our implementation, use cases are represented by a pipeline where each stage is an execution unit. Pipeline stages are akin to data science stages, including data grooming, anomaly detection, anomaly analysis, and training.
Correlation
After generating anomalies for all pipelines, we correlate them across the various log types. A series of suspicious or malicious events generated across multiple pipelines and related to the same user or entity might indicate an intruder: to carry out a successful intrusion, an actor must traverse applications and platforms, leaving footprints in various logs, and those footprints are what the pipelines detect as anomalies. To form a correlation, the anomalies from different use cases (pipelines) are clustered together by user or entity.

Enrichment
The goal of the enrichment step is to reduce the clustered anomalies by correlating them with data from other sources, which increases our confidence about which anomalies are benign. Correlated with the anomalies, data sources such as LDAP or IP access data help filter out trusted and typical user and entity activities.
Detection
In the last stage, we score each cluster of anomalies by severity, age, and the use cases (pipelines) it triggered, and store the results in the database. These factors narrow the clusters down to a smaller, more focused set that is ready for manual triage by a security analyst.
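The six steps above, carried through end to end as an added example (this is illustrative code written for this post, not Adobe's OSAS or UEBA framework). The use-case names, severity weights, z-score threshold, the events, and the LDAP and IP-access stand-ins are all constructed assumptions; each user's current-day count is compared against that user's own baseline days, anomalies from all pipelines are clustered by user, clusters explained by service-account or trusted-IP context are dropped, and the rest are scored by severity, age and number of use cases triggered:

```python
"""Toy UEBA pipeline: use cases -> data -> analytics -> correlation -> enrichment -> detection."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

NOW = datetime(2024, 1, 10, 12, 0)   # constructed "current time"
TODAY = NOW.date()
Z_THRESHOLD = 3.0                    # hypothetical tuning value

# Step 1, use cases: each selects the events relevant to one detection strategy
# and carries the severity assigned to a hit. Names and weights are hypothetical.
USE_CASES = {
    "auth_failure_burst": {"select": lambda e: e["type"] == "auth" and e["result"] == "fail", "severity": 3},
    "cloud_api_volume":   {"select": lambda e: e["type"] == "cloud", "severity": 2},
}

# Stand-ins for the LDAP and IP-access enrichment sources (constructed values).
SERVICE_ACCOUNTS = {"svc-scanner"}
TRUSTED_IPS = {"10.9.9.9"}          # e.g. a known scanner or bastion egress address

def make_events(log_type, user, day_offset, n, **fields):
    """Return n constructed events of one log type for one user, day_offset days before NOW."""
    ts = NOW - timedelta(days=day_offset)
    return [dict(type=log_type, user=user, ts=ts, **fields) for _ in range(n)]

def build_sample_events():
    """Constructed sample: seven baseline days (offsets 1..7) and the current day (offset 0)."""
    events = []
    for d in range(1, 8):
        events += make_events("auth", "alice", d, 1, result="fail", src_ip="10.0.0.5")
        events += make_events("cloud", "alice", d, 10, action="s3:GetObject", src_ip="10.0.0.5")
        events += make_events("auth", "bob", d, 2, result="fail", src_ip="10.0.0.7")
        events += make_events("cloud", "carol", d, 5, action="ec2:Describe", src_ip="10.0.0.8")
        events += make_events("cloud", "svc-scanner", d, 5, action="ec2:Describe", src_ip="10.9.9.9")
    events += make_events("auth", "alice", 0, 25, result="fail", src_ip="203.0.113.4")        # burst from a new IP
    events += make_events("cloud", "alice", 0, 40, action="s3:GetObject", src_ip="203.0.113.4")
    events += make_events("auth", "bob", 0, 3, result="fail", src_ip="10.0.0.7")             # within normal range
    events += make_events("cloud", "carol", 0, 50, action="ec2:Describe", src_ip="10.9.9.9")  # burst, but trusted IP
    events += make_events("cloud", "svc-scanner", 0, 60, action="ec2:Describe", src_ip="10.9.9.9")
    return events

def detect_anomalies(events, name, use_case):
    """Steps 2 and 3, data and analytics: groom the selected events into per-user daily counts,
    then flag users whose count today is more than Z_THRESHOLD standard deviations above
    their own baseline days."""
    by_user, ips = defaultdict(dict), defaultdict(set)
    for e in events:
        if use_case["select"](e):
            day = e["ts"].date()
            by_user[e["user"]][day] = by_user[e["user"]].get(day, 0) + 1
            if day == TODAY:
                ips[e["user"]].add(e["src_ip"])
    anomalies = []
    for user, by_day in by_user.items():
        baseline = [n for day, n in by_day.items() if day != TODAY]
        if len(baseline) < 3:           # too little history to model this user
            continue
        mu, sigma = mean(baseline), max(pstdev(baseline), 1.0)   # floor keeps flat baselines from dividing by zero
        z = (by_day.get(TODAY, 0) - mu) / sigma
        if z > Z_THRESHOLD:
            anomalies.append({"user": user, "use_case": name, "severity": use_case["severity"],
                              "day": TODAY, "z": round(z, 1), "src_ips": ips[user]})
    return anomalies

def correlate(anomalies):
    """Step 4, correlation: cluster anomalies from all pipelines by user."""
    clusters = defaultdict(list)
    for a in anomalies:
        clusters[a["user"]].append(a)
    return dict(clusters)

def enrich(clusters):
    """Step 5, enrichment: drop clusters that directory or IP-access context explains as benign."""
    kept = {}
    for user, anomalies in clusters.items():
        if user in SERVICE_ACCOUNTS:
            continue
        if all(a["src_ips"] and a["src_ips"] <= TRUSTED_IPS for a in anomalies):
            continue
        kept[user] = anomalies
    return kept

def score(clusters, now=NOW):
    """Step 6, detection: rank clusters by summed severity, recency and number of use cases triggered."""
    ranked = []
    for user, anomalies in clusters.items():
        severity = sum(a["severity"] for a in anomalies)
        age_days = (now.date() - max(a["day"] for a in anomalies)).days
        triggered = len({a["use_case"] for a in anomalies})
        ranked.append({"user": user, "triggered": triggered,
                       "score": round(severity * triggered / (1 + age_days), 2), "anomalies": anomalies})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

def run_pipeline(events):
    """Run every use-case pipeline, then correlate, enrich and score the results."""
    anomalies = [a for name, uc in USE_CASES.items() for a in detect_anomalies(events, name, uc)]
    return score(enrich(correlate(anomalies)))
```

On the constructed sample, alice trips both pipelines from a previously unseen address and surfaces as the single cluster for triage; bob's small rise stays within his baseline; carol and svc-scanner produce real anomalies that enrichment explains away via the trusted-IP and service-account context. Keeping every stage a separate function with a plain data contract between them is what makes the pipeline easy to schedule from CI/CD at fixed intervals and to extend with new use cases without touching the correlation or scoring code.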
Conclusion
By employing anomaly detection and correlation, UEBA can help reduce operational alerts and improve the accuracy and timeliness of detecting potential threats to high-value targets and assets. When integrated with a CI/CD platform, UEBA pipelines, which contain data fetch, anomaly detection, clustering, enrichment, and detection stages, can be automated to execute at predefined intervals.
At Adobe, we see our UEBA framework complementing our existing intrusion and threat detection systems while also providing an innovative process to bridge the gap between traditional security tools. Leveraging machine learning, UEBA helps us fast-track incident detection, thereby helping to ensure the security of Adobe’s enterprise infrastructure and data. As the threat landscape continues to evolve and new security tools arise to address those threats, we see our UEBA framework as an integral part of the evolution of threat detection at Adobe.