User & Entity Behavior Analytics with IBM QRadar SIEM

Gain greater visibility into insider threats, uncover anomalous behavior, and quickly identify risky users and entities to generate meaningful insights.

THINK 2023 stand, Orlando, Florida
Detect compromised credentials, lateral movement and other malicious behavior

IBM QRadar SIEM User & Entity Behavior Analytics (UEBA) establishes a baseline of behavior patterns for your employees and critical assets, so you can better detect threats to your organization. It uses existing data in QRadar SIEM to generate new insights around user and entity risk.

By establishing the risk profiles for users and entities inside your network, you can react more quickly to suspicious activity, whether from identity theft, hacking, phishing or malware.

“It really just takes one employee to click a link, give their credentials or open up an attachment—that could lead to a total compromise.”
Stephanie “Snow” Carruthers, Chief People Hacker, IBM X-Force Red
UEBA protects against phishing and more

Distinguish normal user behavior from anomalies to stop threats

41% of network infections are caused by phishing.1

More than 50% of phishing attacks use spear phishing techniques.2

There has been a 100% increase per month in thread hijacking attempts, as observed by X-Force® threat detection software.3

How it works

For the second year in a row, phishing was the leading infection vector, including attacks in which an attacker impersonates someone and uses existing email conversations for nefarious purposes. Quickly understanding users’ normal behavior, and noticing anomalies relating to other entities in the environment such as devices and servers, is critical to stopping infections. You can add users with the user import wizard, and add risk scoring and unified user identities to QRadar SIEM with UEBA. Entities are automatically discovered from incoming logs and events in QRadar and are risk scored.

User import wizard 

The user import wizard allows you to import users and user data directly from the UEBA app. It helps you import users from an LDAP server, an Active Directory server, reference tables and CSV files. You can also create custom attributes with the user import wizard.

Risk scoring 

Create risk profiles by assigning risk to different security use cases, depending on the severity and reliability of the incident and by using existing event and flow data in your QRadar system. A risk profile might rely on simple rules, such as if a user visits harmful or compromised websites, or include stateful analytics that use machine learning.  

Unified user identities 

Build unified user identities by combining disparate accounts into a single QRadar user. By importing data from Active Directory, an LDAP server, a reference table or a CSV file, the UEBA app can be taught which accounts belong to each user. This also lets you combine risk and traffic data across different usernames in the UEBA app, so you can better monitor user actions and prevent attacks.
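As an added illustration of the account-coalescing idea (this is not IBM's code, and the CSV layout is not the UEBA app's import format), the following Python snippet builds an account-to-user map from a constructed CSV, resolves the usernames that appear in events to one identity, and sums risk across all of that identity's accounts. The column names, account strings and risk points are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed identity mapping in the shape of a CSV an analyst might import.
# The column names (unified_user, account, source) are assumptions for this
# example, not the app's schema.
IDENTITY_CSV = """unified_user,account,source
john.doe,jdoe,ldap
john.doe,CORP\\jdoe,active_directory
john.doe,john.doe@example.com,email
alice.smith,asmith,ldap
alice.smith,alice.smith@example.com,email
"""

# Constructed events: (account name exactly as it appears in the log, risk points).
SAMPLE_EVENTS = [
    ("jdoe", 10),
    ("CORP\\jdoe", 15),
    ("john.doe@example.com", 5),
    ("asmith", 20),
    ("svc-backup", 40),   # no mapping row: stays a separate identity
]


def build_identity_map(csv_text):
    """Map each raw account name (case-insensitive) to its unified user name.
    An account that is claimed by two different users is a data problem, not
    something to silently pick a winner for, so it raises."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        account = row["account"].strip().lower()
        user = row["unified_user"].strip()
        if account in mapping and mapping[account] != user:
            raise ValueError("account %r is mapped to two users" % account)
        mapping[account] = user
    return mapping


def resolve(account, identity_map):
    """Return the unified user for an account; unmapped accounts keep their own name."""
    return identity_map.get(account.strip().lower(), account)


def accounts_for(user, identity_map):
    """All raw account names that roll up to one unified user (sorted for stable output)."""
    return sorted(acct for acct, owner in identity_map.items() if owner == user)


def aggregate_risk(events, identity_map):
    """Sum risk points per unified user across every account that belongs to it."""
    totals = defaultdict(int)
    for account, points in events:
        totals[resolve(account, identity_map)] += points
    return dict(totals)


if __name__ == "__main__":
    identity_map = build_identity_map(IDENTITY_CSV)
    print(accounts_for("john.doe", identity_map))
    print(aggregate_risk(SAMPLE_EVENTS, identity_map))
```

The point of the aggregation step is that three low-risk events on three differently spelled accounts add up to one medium-risk user; without the mapping each account would be scored on its own. The conflict check in build_identity_map is there because a wrong mapping silently merges two people's activity.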

Discover Entities

QRadar UEBA automatically discovers entities such as IP addresses and the hostnames of critical devices and servers in the environment, and monitors them against the enabled use cases. Set a risk score threshold for entities in UEBA, and an offense is generated whenever an entity's risk score reaches that threshold.

What's included
Machine learning add-on

Enrich and deepen your use cases to perform time series profiling and clustering with the machine learning add-on, which augments the UEBA app. Machine learning adds to existing UEBA app visualizations that show learned behavior (models), current behavior and alerts. Machine learning uses historical data in QRadar to create the predictive models and baselines of what is normal for a user.  

Rules and tuning

UEBA rule content is installed after the app is configured and can be edited in the QRadar use case manager app. Rules that measure user risk are added to the UEBA rule data table. UEBA rules and tuning features allow you to determine the parameters that QRadar SIEM will use to keep your company and data protected.


FAQs

Yes. If running on a QRadar SIEM console, the UEBA app requires a minimum of 64 GB or up to 128 GB of memory. Additionally, consider the deployment of a QRadar SIEM app host to access the full benefits of running the UEBA app with the machine learning app enabled.

UEBA integrates directly into QRadar SIEM by using the existing user interface and database. All enterprise-wide security data remains in one central location and analysts can tune rules, generate reports and connect data as part of their SIEM experience.

Since UEBA shares the same underlying database as QRadar SIEM and NDR, any data source that is ingested by QRadar SIEM can be surfaced and leveraged in UEBA.

UEBA is packaged as a collection of 3 apps—an LDAP app that helps ingest and coalesce users' identity information, a UEBA app that helps visualize data and analytics, and a machine learning app that provides a library of machine learning algorithms used to create behavioral models of users' activities.

Anomaly detection is a technique used to identify unusual patterns that do not conform to normal behavior and differ significantly from most of the data. UEBA builds a baseline of normal behavior from a user’s and similar users’ (peers) events and then uses that baseline to detect anomalous behavior.

A risk score is the numeric measure of the potential harmfulness of a user's activity. Each anomalous behavior that is detected by UEBA impacts an individual user's risk score.

Upon installation, machine learning algorithms ingest the previous 4 weeks of data from the QRadar database and can take up to 1 week to build the baseline models of normal user behavior.
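The following Python example is added here to make the baseline, peer-comparison and risk-score ideas from these answers concrete; it is not IBM's implementation of UEBA or of its machine learning app. It assumes a constructed 28-day history of daily after-hours login counts per user, a department field as the peer group, a mean-plus-k-sigma test against both the user's own and the peers' baseline, and severity times reliability as the weight of each use case. The threshold, weights and data are all constructed for the example.

```python
import statistics

BASELINE_DAYS = 28          # four weeks of history, as the FAQ describes
OFFENSE_THRESHOLD = 100     # assumed risk-score threshold that raises an offense

# Constructed histories: 28 daily counts of after-hours logins per user, plus the
# department used as the peer group. The numbers are invented for this example.
LOW = [1, 0, 2, 1, 0, 1, 1, 0] * 3 + [1, 0, 1, 2]
VERY_LOW = [0, 1, 0, 1, 1, 0, 0, 1] * 3 + [0, 1, 0, 0]
HIGH = [5, 6, 4, 7, 5, 6, 5, 4] * 3 + [6, 5, 5, 6]
HISTORY = {
    "john.doe":    {"dept": "finance",     "daily": LOW},
    "alice.smith": {"dept": "finance",     "daily": VERY_LOW},
    "carol.ng":    {"dept": "finance",     "daily": HIGH},
    "bob.lee":     {"dept": "engineering", "daily": HIGH},   # no peers in this data
}

# Assumed per-use-case weights: risk contribution = severity * reliability.
USE_CASES = {
    "after_hours_login_spike": {"severity": 6, "reliability": 7},   # 42 points
    "harmful_site_visit":      {"severity": 8, "reliability": 9},   # 72 points
}


def baseline(values):
    """Mean and population std-dev of a series. The std-dev is floored at 1.0 so
    a near-constant history does not turn every small change into an anomaly."""
    if len(values) < BASELINE_DAYS:
        raise ValueError("need at least %d days to build a baseline" % BASELINE_DAYS)
    return statistics.fmean(values), max(statistics.pstdev(values), 1.0)


def peer_values(user, history):
    """Pool the daily counts of every other user in the same department."""
    dept = history[user]["dept"]
    return [v for name, rec in history.items()
            if name != user and rec["dept"] == dept
            for v in rec["daily"]]


def is_anomalous(user, today, history, k=3.0):
    """True when today's count exceeds the user's own baseline by k sigma AND,
    when peers exist, the peer baseline by k sigma. Requiring both keeps a count
    that is unusual for this user but routine for their peers from firing."""
    own_mean, own_std = baseline(history[user]["daily"])
    own_hit = today > own_mean + k * own_std
    peers = peer_values(user, history)
    if not peers:
        return own_hit
    peer_mean, peer_std = baseline(peers)
    return own_hit and today > peer_mean + k * peer_std


def use_case_points(name):
    """Risk contribution of one use case under the assumed weighting."""
    uc = USE_CASES[name]
    return uc["severity"] * uc["reliability"]


def score_user(user, today, rule_hits, history):
    """Combine the anomaly test with simple-rule hits into one risk score.
    rule_hits: names of rule-based use cases that fired today (for example a
    visit to a known-harmful site). Returns the score, what fired, and whether
    an offense would be raised at the assumed threshold."""
    triggered = []
    if is_anomalous(user, today, history):
        triggered.append("after_hours_login_spike")
    triggered.extend(rule_hits)
    score = sum(use_case_points(name) for name in triggered)
    return {"user": user, "score": score, "triggered": triggered,
            "offense": score >= OFFENSE_THRESHOLD}


if __name__ == "__main__":
    for user, today, hits in [("john.doe", 12, ["harmful_site_visit"]),
                              ("john.doe", 6, []),
                              ("bob.lee", 12, [])]:
        print(score_user(user, today, hits, HISTORY))
```

Two behaviours are worth noticing when you run it. john.doe at 6 logins is well above his own baseline but inside what his finance peers do every day, so the peer comparison suppresses the alert; at 12 he is outside both and the spike fires. On its own the spike scores 42 and stays below the assumed offense threshold; combined with a harmful-site rule hit the total reaches 114 and an offense would be raised, which is the "assigning risk to different security use cases" idea in the risk scoring section.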

The UEBA app is offered to QRadar clients at no additional cost.

As with all QRadar applications and modules, the data is encrypted at rest.

Documentation

Explore additional documentation about how the QRadar SIEM UEBA app helps you protect valuable data and assets from insider threats.

Take the next step

Get started by requesting a demo of QRadar SIEM to learn how the user & entity behavior analytics tool can protect your company from cyberthreats.
