UEBA, the anomaly detection capability of a SIEM solution, is used to identify both insider threats and external attacks. UEBA uses historical data to establish a baseline of normal behavior for every user and entity. It then monitors the users and entities in real time to determine if they follow the same pattern of behavior or if they deviate from it. Any deviation from the baseline of normalcy will be considered an anomaly, and depending upon the degree of deviation, a risk score will be determined.
Powered by machine learning algorithms, UEBA looks for anomalies with respect to time, count, and pattern deviations. If you wish to learn about UEBA in detail, you can refer to this blog: Unraveling the behavioral blueprint of users and entities with UEBA. In this blog, we're going to go one step deeper and learn about how you can enhance the risk scoring capability in UEBA, specifically with peer group analysis.
Before we dive into peer group analysis, let's remind ourselves of what a risk score is and why it's important. A risk score is a value assigned by your SIEM solution. Different SIEM solutions score risks in different ways, but one popular way is to assign a risk score from zero to 100 depending on activities performed by the users and entities and how abnormal they are. The more abnormal the behavior or activity, the greater the risk score will be. This aspect of UEBA makes it easier for security analysts to prioritize which threat needs to be mitigated first. This means that the more accurate your risk scoring, the less chance of false positives, and even lesser the chance of a successful attack.
Your risk scoring accuracy can be improved by considering seasonality factors and peer grouping while calculating a user's risk score.
If an activity occurs with a specific degree of regularity, such as hourly, daily, weekly, or monthly, it's considered seasonal. If this seasonal activity occurs out of routine, then it should be considered an anomaly, and your UEBA solution should be able to detect it. For instance, a database that is typically only accessed at the end of the month being accessed mid-month would be considered an anomaly. You can learn more about the importance of seasonality in anomaly detection here.
Peer group analysis is a technique powered by machine learning algorithms, where statistical models are employed to identify users and hosts that share similar characteristics and categorize them as one group. The idea behind peer grouping is that, by identifying the context behind a user's behavior and comparing it with the behavior of a relevant peer group, the risk scoring efficiency and accuracy will increase. Essentially, if the pattern of your deviation is similar to that of your peer group's, then your risk score will not be negatively affected. However, if your actions don't fit the expected behavior of any relevant peer groups, it'll be considered anomalous and your risk score will increase significantly (depending on the severity of the deviation).
If there is no historical data for a peer group showing anomalous data, then a new group is created and you will be the first member in it. The risk score of the first member in a new group is going to have a much higher score initially when compared to the rest. If this action is performed by other members, then it becomes a trendsetter rather than an outlier, and your risk score normalizes accordingly.
There are two different types of peer groups: static and dynamic.
Using the static method, data about users is obtained from databases such as Active Directory to create a peer group. Essentially, the grouping is based on attributes such as a user's department, designation, location, or their reporting manager. For example, all the employees who work in the finance department or all the employees who report to the same manager could constitute one peer group.
You can create multiple peer groups for a user this way. This is essential because if a user is a part of only one group, then the risk assessment and scoring might not be accurate. Each user may fall into more than one group: For instance, a designer in a marketing team will fall under the "Marketing" group as a whole, and also under a smaller, specific group called "Visual designers." They might also be grouped based on location, say "California." So, in this case, to accurately calculate the employee's risk, you'd have to look into the context (pattern of behavior) of all three groups. Also, if changes such as an employee changing roles or teams are not updated in Active Directory, the risk scoring accuracy decreases.
To ease risk assessment and enhance scoring accuracy, UEBA should also be capable of performing dynamic peer grouping.
Using the dynamic method, UEBA builds peer groups based on behavioral data collected over time. With the dynamic mode of analysis, it's easier to compare the behavior of a user with that of their peers. It does this by checking if the behavior exhibited by a user for the first time is the expected behavior of that of their peers or if it's an aberration. If it's found to be anomalous, the risk score increases accordingly. Unlike the static method, dynamic peer groups are created and analyzed based on patterns of similar behavior rather than grouping based on broad categories such as location.
However, for risk calculation based on dynamic grouping, care should be given in considering the size of the peer group as well as the frequency of the activity or behavior, which can be observed from historical data. This is because the smaller the peer group, the more alerts you can expect. With a larger group, it becomes easier to understand the context; accordingly, there are fewer alerts, so the results are more accurate. Similarly, if an action performed by a user is akin to that performed by their peers, then the risk scoring will not be negatively impacted and vice versa.
While it may seem like the dynamic method of peer grouping is better than the static method, a UEBA-integrated SIEM solution that is capable of building peer groups based on both methods is the most effective option for precise risk assessment and scoring.
Peer grouping helps make risk assessment and scoring more accurate. To better understand how, let's take a look at a few examples.
To dig deeper into peer group analysis, read this blog. Alternatively, you can schedule a personalized demo of ManageEngine Log360, a unified SIEM solution with integrated DLP and CASB capabilities, at your own convenience and talk to product experts. Thanks for reading, folks!
You will receive regular updates on the latest news on cybersecurity.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.