Peggy的實驗空間: 資安｜ What is UEBA? 十分鐘初探 UEBA (User and Entity Behavior Analytics)

2020年12月2日星期三

資安｜ What is UEBA? 十分鐘初探 UEBA (User and Entity Behavior Analytics)

近期接觸到幾個蠻有意思的領域，其中一個是UEBA。就順手把手邊資料稍微整理一下，也提供給有興趣的朋友參考。

What is UEBA?

User and Entity Behavior Analytics( UEBA, 使用者與實體行為分析) 使用行為分析來監測user activities 和 infrastructural entities(ex. routers, servers , enterprise applications, IoT devices and so on.) 。

偵測方式通常是建立一個行為的baseline，接著對異常行為(anomaly behavior)發出Alerts，後續由 InfoSec等會接手進行Investigate。

提到user behavior，就需要知道相關的 assets有哪些。

UEBA 的歷史

曾在Gartner 2016 TOP 10 security projects 中獨立存在，2017年消失後，在2018年再度入榜。這時是與 EPP+EDR，Deception(欺騙) 和 MDR service這幾個一起包進 Detection and Response Project.

在 Gartner 2020-2021 TOP 10 security projects 沒有特地再提UEBA， UEBA 也常已被包含在NextGen SIEM 裡面。

如 2020 SIEM Gartner Magic Quadrant 廠商 LogRhythm, Securonix , Exabeam等，也特意提到他們有包含UEBA。

最常見的 use case 是偵測惡意的insider與滲透進組織的外部 attackers.

UEBA Benefits ( Use cases )

The ability to accurately detect compromised user accounts and malicious insider by identifying abnormal behavior.

Useful as part of a software toolkit for preventing data loss.

The prevention of misuse of privileged account access by ensuring the appropriate use of access rights.

Improved information security efficiency through automation.

Reduced attack surface using advanced behavioral analytics to frequently update IT security staff about potential weak points in the network.

Incident Prioritization: to prevent alert fatigues

When and how frequently a user is active, how much information they access and what sensitive information they attempt to download by identifying logs, network packets and endpoint logs.

和SIEM的主要差異

SIEM: focus on log and event information related to suspicious network behavior.

UEBA: emphasizes user and entity behavior.

UEBA is an extension of SIEM applied to a different aspect of information security.

TOP UEBA Vendor

因為UEBA 也通常已被包含在NextGen SIEM 裡面，先來參考一下 Gartner 2020 TOP 的 SIEM 有哪些。