User behavior analytics (UBA) was launched more than five years ago here at Rapid7. This past week, I sat down with Sam Adams, our VP of Product, to learn more about how UBA works and how it’s evolved over the years to become a core part of threat detection and response strategies today.
Here’s what Sam had to say:
Q: Sam, what’s the difference between user behavior analytics and a rule-based approach?
A: Let’s start with an analogy: You’re a fisherman out on a mission to specifically catch tuna. You throw out a net, and when you bring it in, the net scooped up a bunch of other fish, too. Either you have to sort through them, or a whole bunch of fish will be harmed.
This can be what it’s like to sort through alerts that come in from security tools with static rule sets. Because they’re designed to look for specific events, they can also catch users or assets that are actually innocent but require you to sort through and sift out.
While rules are easy to write, they’re not the most accurate way to detect real threats today—or an efficient use of your team’s time. This is where user behavior analytics comes in.
Q: How does user behavior analytics work?
A: As soon as UBA is integrated within your environment, it begins a short learning period and quickly starts to understand what is normal versus abnormal in your environment. This learning period helps fine-tune detections and block out the noise. UBA gathers all the users and assets and monitors them to understand what they do, what they talk to, and so on, to better understand if an event is actually an issue or just a normal occurrence.
Then, any good UBA solution will allow you to manually add things to the baseline that weren’t discovered during the training period. For example, you can indicate that while a certain event may seem abnormal, it shouldn’t be flagged because it is actually typical and just happens infrequently. By adding exceptions like these to the behavior engine, you’ll be able to tune out what little noise remains so that whenever UBA does fire off an alert, you know with high confidence that it’s something worth investigating.
Q: Why is user behavior analytics important in today’s threat landscape?
A: When you start looking at behaviors, you’re not just looking to detect users and machines in the environment, but also how each of them normally behaves so that you can more accurately detect when anomalies occur. Rules, on the other hand, don’t take into account who the actors are; they can only understand that certain events equal certain alerts. There is no consideration for how many users or machines there are in the environment and whether this particular time that a rule fires is the thousandth time or the first.
UBA allows you to get much more sophisticated with detecting threats and reduces—or altogether eliminates—false positives.
Q: How has user behavior analytics evolved over time?
A: At its inception, UBA was math applied to data, which simply produces a different kind of noise. Today, it’s about understanding what combination of behaviors is likely to represent an attack, and then creating mechanisms for the UBA engine to adapt to each customer’s unique environment.
It’s important to note, though, that a lot of UBA vendors today still simply run analytics on data. Rapid7, on the other hand, truly applies an attacker methodology to our behavior models based on the deep threat intel our teams are able to gather. Our recently published Q3 Threat Report is a great example of what we’re collecting on attacker tactics, techniques, and procedures.
Q: What should a good user behavior analytics solution offer?
A: First, a good UBA solution should be able to build an accurate model of all the entities in your environment—both users and machines to which it can attribute behaviors. Real-time attribution of events to actors is a really hard problem to solve, requiring the collection of a very diverse set of data, which is why many vendors have yet to crack the code. Many traditional SIEM solutions claim they have UBA, but SIEM engines aren’t built to do real-time attribution. This is because users and assets constantly move around in a modern network architecture, leading to an engine that cannot accurately map events to entities.
Rapid7’s InsightIDR solution utilizes a proprietary attribution engine with models that are purpose-built to detect behaviors indicative of true threats, while sorting out users who may be doing unusual tasks but are not actually compromised or performing malicious actions.
Next, the UBA engine should have a group of models that are created to detect attacker behaviors, not just anomalous behaviors. Because your users will do strange things all the time, detections need to be more sophisticated. Attacker behaviors are a specific set of events that attackers trigger as they move across your environment.
Last, UBA needs the ability to tune the behavior analytics engine. Ideally, tuning should happen automatically, but with the option to tweak it manually once it’s fully operational. This allows you to sort out unique events to your organization to make the engine even more accurate.
Q: How has Rapid7 adjusted its approach to maintain industry-leading standards?
A: Rapid7 UBA is one of the few UBA engines that truly applies an attacker methodology to behavior models. Combining our unique expertise in threat detection with behavior analytics, we’ve developed highly accurate UBA models that can catch real attacks in your environment.
At Rapid7, we are uniquely positioned to understand the attacker mindset. We get valuable feedback from our Metasploit team, the analysts of our Managed Detection and Response (MDR) team and our penetration testers to understand which attacks are highly effective and what new techniques are emerging. When you marry this with our threat intel gathering, which includes running a fleet of honeypots around the world, we have a lot of visibility into how attackers operate and what new attacks our customers are going to need to detect.
Since InsightIDR is a SaaS service, we can actually see how our UBA models and alerts are firing across a diverse set of customers. That continuous feedback loop makes our behavior engine highly tunable and of a higher fidelity.
Q: Are there any widely held beliefs about user behavior analytics that you’d like to debunk?
A: The big one is believing that just math alone can solve the problem. Many vendors think that if they have a multitude of mathematical and machine learning techniques, that alone is enough to detect attackers. While you may occasionally catch one, it can easily lead to drowning in false positives, which makes it hard for teams to know which alerts are real and which are not.
The second is that you can build UBA without a true attribution engine and the ability to track users and assets across a modern network. This is why I am skeptical when a traditional SIEM claims to have UBA; they just don’t have the foundational elements needed to build a functional UBA engine, making the result often simply more noise.
Q: How should organizations see user behavior analytics as part of their broader threat detection strategy?
A: The ability of UBA engines to track unusual behavior across your entire environment can be a principal tool for detecting attacks and a valuable source of information during impact assessments and investigations.
Whether used as a core detection engine or as a way of augmenting other alerts, UBA’s ability to quickly adapt to new attacker techniques in a way that isn’t high-noise is incredibly valuable to security teams both large and small.