UEBA: Introduction

Document created by RSA Information Design and Development on Sep 11, 2018. Last modified by RSA Information Design and Development on May 15, 2019. Version 5.

RSA NetWitness UEBA (User and Entity Behavior Analytics) is an advanced analytics solution for discovering, investigating, and monitoring risky behaviors across all users and entities in your network environment. NetWitness UEBA is used for:

  • Detecting malicious and rogue users
  • Pinpointing high-risk behaviors
  • Discovering attacks
  • Investigating emerging security threats
  • Identifying potential attacker activity

NetWitness UEBA leverages existing data in NetWitness Platform logs and gives enterprise SOCs and analysts the insights and investigative capabilities they need to mitigate cyber threats.

This guide is designed for Analysts and SOC Managers, and provides information and instructions for using all NetWitness UEBA functions and capabilities. It describes key investigation methodologies, the main system capabilities, common use cases, and step-by-step instructions for recommended workflow strategies.

How NetWitness UEBA Works

NetWitness UEBA uses analytics to detect anomalies in log data and derives behavioral results from them. There are five basic steps to this process, as shown in the following diagram:

Flow diagram describing how UEBA gathers data and displays results

The following table provides a brief description of each of these steps.

Step 1. Retrieve Log Data
  Description: NetWitness UEBA retrieves log data from the NetWitness Platform Database (NWDB) and uses the data to create analytic results.
  More Information: See Retrieve Log Data

Step 2. Create Baselines
  Description: Baselines are derived from detailed analysis of normal user behavior, and are used as a basis for comparison to user behavior over time.
  More Information: See Create Baselines

Step 3. Detect Anomalies
  Description: An anomaly is a deviation from a user's normal baseline behavior. NetWitness UEBA performs a statistical analysis to compare each new activity to the baseline. User activities that deviate from expected baseline values are scored accordingly to reflect the severity of the deviation.
  More Information: See Detect Anomalies

Step 4. Generate Alerts
  Description: All the anomalies found in step 3 are grouped into hourly batches. Each batch is scored based on the uniqueness of its indicators. If the indicator composition is unique compared to a user's historic hourly batch compositions, it is likely that this batch will be transformed into an alert.
  More Information: See Generate Alerts

Step 5. Prioritize Users with Risky Behavior
  Description: NetWitness UEBA prioritizes the potential risk from a user by using a simplified additive scoring formula. Each alert is assigned a severity that increases a user's score by a predefined number of points. Users with high scores either have multiple alerts associated with them, or have alerts of high levels of severity associated with them.
  More Information: See Prioritize Users with Risky Behavior

Retrieve Log Data

The NetWitness UEBA server connects to the Broker or Concentrator service to retrieve log data from Concentrators. You can use the Broker service that is available on the NetWitness Platform Admin server if you do not have an exclusive Broker in your deployment. During NetWitness UEBA installation, the administrator specifies the IP address of the Broker service.

For more information, see the "(Optional) Task 2 - Install NetWitness UEBA" topic in the NetWitness Platform 11.3 Physical Host Installation Guide.

Create Baselines

NetWitness UEBA uses machine learning to analyze multiple aspects of a user’s actions within a stream of log data and gradually builds a multi-dimensional baseline of typical behavior for each user. For example, the baseline can include information about the hours in which a user typically logs on.

Behavioral baselines are also created on a global level to describe common activities observed throughout the network. If a working hour is abnormal for a user but not abnormal for the organization as a whole, the false-positive reduction algorithms decrease its impact on the alert score.

Models are updated frequently and are constantly improving as time goes on.

Note: NetWitness UEBA requires 28 days of historical log data to create a proper baseline for all the users in your network. However, RSA recommends that you configure NetWitness UEBA to start baselining your data two months prior to your deployment date <today-60days>. The first 28 days will be used for model training and will not be scored. The remaining 32 days are leveraged to improve and update the model, and are also scored to provide initial value.

Note: For version 11.2 or later, there is limited support for environments with multiple domains. Distinct username values that are registered under different domains are normalized and then combined into one modeled entity. As a result, different users who share the same username in different domains are wrongly attributed to a single normalized entity.

Detect Anomalies

After establishing a behavioral baseline for all the users in your environment, each incoming event is compared to the baseline, and is given a score to determine if the new behavior is abnormal, and particularly, if it is a strong deviation from the baseline. For example, if a user's normal working hours are 9:00 AM to 5:00 PM, a new activity at 6:00 PM or 7:00 PM is not a strong deviation, and is probably not scored as an anomaly. However, an authentication at midnight is a strong deviation and is scored as an anomaly.

If anomalies are detected, they are turned into Indicators of Compromise, referred to as Indicators in the UI. NetWitness UEBA uses indicators to define validated anomalous activity, such as suspicious user logons, brute-force password attacks, unusual user changes and abnormal file access. An indicator represents either an anomaly found in a single event or anomalies across multiple events batched over time.

Generate Alerts

All the anomalies that are found are grouped into username and hourly batches. Each batch is scored based on the uniqueness of the composition of its indicators. If a composition is unique compared to the user's history, it is likely that this batch will be transformed into an alert, and the anomalies into indicators. A high-scored batch of anomalies becomes an alert that contains validated indicators of compromise.

For example, one abnormal activity by itself, even if it happens hundreds of times a day in a large corporate environment, does not necessarily reflect an account compromise. However, an abnormal behavior that occurs with a lot of other abnormal behaviors could indicate that the account is compromised. These three behaviors occurring together may indicate that additional analysis is required.

  • Authentication from an abnormal computer
  • Multiple authentication attempts identified in a short time frame
  • Multiple files have been deleted by this user from the corporate file share

Note: The NetWitness UEBA user interface can initially appear empty because alerts are not generated until the baselines are established. If there is no historical audit data when NetWitness UEBA is enabled, the system starts generating the baselines from the time it is deployed, and requires 28 full days to elapse before it begins to generate new alerts. If historical audit data is processed when NetWitness UEBA is enabled, alerts appear after the historical data has been processed, usually within two to four days.

Prioritize Users with Risky Behavior

User scores are a primary tool for incident prioritization. The user score is based on a simple additive calculation of the user's alerts. Alerts and analyst feedback are the only factors in the user score calculation, with the impact on the scores determined by their levels of severity.
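As an added illustration (not RSA's code or algorithm), the following Python sketch models the pipeline described in the sections above end to end: a per-user baseline of logon hours and hosts, strong-deviation anomaly detection, per-user hourly batching, alerts for batches whose indicator composition is new for that user, and a simplified additive user score. The 4-hour deviation cut-off, the severity mapping and the point values per severity are assumptions, as is the constructed sample data.

```python
# Added example, not RSA's code: thresholds, severity mapping and points are assumptions.
from collections import defaultdict
ALERT_POINTS = {"low": 5, "medium": 10, "high": 20}  # assumed points added per alert severity
STRONG_HOURS = 4  # assumed cut-off: 6-7 PM against a 9-5 baseline is mild, midnight is strong

def build_baselines(training):
    # Per user: the logon hours and hosts observed during the (28-day) training window.
    base = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for user, hour, host in training:
        base[user]["hours"].add(hour)
        base[user]["hosts"].add(host)
    return base

def hour_distance(hours, hour):
    # Circular distance to the nearest baseline hour; 12 (maximal) if no baseline exists yet.
    return min((min(abs(hour - h), 24 - abs(hour - h)) for h in hours), default=12)

def detect_anomalies(base, events):
    # Compare each new event to its user's baseline; only strong deviations are scored.
    found = []
    for user, hour, host in events:
        if hour_distance(base[user]["hours"], hour) >= STRONG_HOURS:
            found.append((user, hour, "abnormal_time"))
        if host not in base[user]["hosts"]:
            found.append((user, hour, "abnormal_computer"))
    return found

def generate_alerts(anomalies):
    # Per-user hourly batches; a composition the user has not produced before becomes an alert.
    batches = defaultdict(set)
    for user, hour, ind in anomalies:
        batches[(user, hour)].add(ind)
    seen, alerts = set(), []
    for (user, hour), inds in sorted(batches.items()):
        comp = frozenset(inds)
        if (user, comp) not in seen:  # a repeated composition is not unique: no alert
            seen.add((user, comp))
            sev = {1: "low", 2: "medium"}.get(len(comp), "high")  # assumed severity rule
            alerts.append({"user": user, "hour": hour, "indicators": comp, "severity": sev})
    return alerts

def user_scores(alerts):
    # Simplified additive scoring: every alert adds its severity's predefined points.
    scores = defaultdict(int)
    for a in alerts:
        scores[a["user"]] += ALERT_POINTS[a["severity"]]
    return dict(scores)

# Constructed sample: 9-to-5 baseline, then a mild 6 PM logon, midnight + unseen host, 3 AM, 4 AM.
TRAINING = [("alice", h, "ws-alice") for h in range(9, 18)]
EVENTS = [("alice", 18, "ws-alice"), ("alice", 0, "ws-alice"), ("alice", 0, "filesrv"),
          ("alice", 3, "ws-alice"), ("alice", 4, "ws-alice")]
```

Running `user_scores(generate_alerts(detect_anomalies(build_baselines(TRAINING), EVENTS)))` yields two alerts (the midnight batch with two indicators, the 3 AM batch with one); the 4 AM batch repeats the 3 AM composition and is suppressed.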

A unified color code is used for user and alert scores:


Supported Log Sources

NetWitness UEBA natively supports the following data sources:

  • Windows Active Directory
  • Windows Logon and Authentication Activity
  • Windows File Servers
  • NetWitness Endpoint Process
  • NetWitness Endpoint Registry
  • RSA SecurID Token

Recommended Workflows

To use NetWitness UEBA most effectively, there are two workflows that you can follow: the Detection workflow and the Forensic workflow.

Detection Workflow

The detection workflow allows you to gain an overview of the health of your environment, and then focus on investigating the top high-risk users and alerts that are displayed in the Overview tab.

The following flowchart illustrates the steps you can follow to begin detecting suspicious behavior in your environment.

Flow diagram of UEBA detection workflow

The following table describes each step in the workflow.

Step: View top five users or top 10 alerts
  Description: In the Overview tab, note the users with the riskiest behaviors and the top most critical alerts.
  Instructions: Investigate High-Risk Users and Investigate Top Alerts

Step: Investigate details of users and alerts
  Description: Drill into detailed information about risky user behaviors and critical alerts to try to determine the cause of these actions and how to resolve them.
  Instructions: Investigate High-Risk Users and Investigate Events

Step: Determine the result of the investigation
  Description: Analyze the summary information provided in the user interface from the previous steps and identify areas to focus on to resolve the issues you found.
  Instructions: Identify High-Risk Users and Investigate Events

Step: Take action to resolve the issues found
  Description: Target specific user behaviors and events to address, and use the results of this investigation to improve and sharpen future investigations.
  Instructions: Take Action on High-Risk Users

Forensic Workflow

The forensic workflow is recommended when you have gained an understanding of the typical user behaviors and anomalies in your environment, and helps you focus on specific forensic information that is based on a user behavior, or a specific timeframe in which suspicious events occurred.

Using forensic information, analysts can determine the actions and behaviors that an attacker is likely to attempt by asking the following questions:

  • What fundamental techniques and behaviors are common across all intrusions?
  • What evidence do these techniques leave behind?
  • What do attackers do?
  • What are normal behaviors of my accounts and entities?
  • Which are my sensitive machines and where are they located?

The following flowchart illustrates how to perform your investigation on forensic information that is based on a specific user behavior, or a specific timeframe in which suspicious events occurred.

Flow diagram of Forensic workflow.

The following table describes each step in the workflow.

Step: Gain knowledge of expected behaviors and anomalies in your environment
  Description: Establish a baseline of normal behaviors, expected anomalies, and unexpected anomalies, so that you can focus on anomalies that are significant for your environment.
  Instructions: Retrieve Log Data, Detect Anomalies, and Generate Alerts

Step: Investigate a user with the top score for a specific behavior
  Description: Select a user with a high score for a specific behavior and gather detailed information.
  Instructions: Investigate High-Risk Users and Investigate Events

Step: Investigate alerts that occur in a specific timeframe
  Description: Determine a timeframe of interest, and in the Alerts tab, select that timeframe to see detailed information about alerts that occurred during that time period.
  Instructions: Investigate Events

Step: Determine the result of the investigation
  Description: Based on your knowledge of expected user behavior, focus on the indicators that are displayed during the specified time period and determine if the anomalies that were discovered need to be resolved.
  Instructions: Investigate Events and Identify High-Risk Users

Step: Take action to resolve the issues found
  Description: Target specific user behaviors and events to address, and use the results of this investigation to improve and sharpen future investigations.
  Instructions: Take Action on High-Risk Users

Access NetWitness UEBA

Note: To access the NetWitness UEBA service and Users tab, you must be assigned to either the UEBA_Analyst role or Administrators role. For information about how to assign these roles, see the "How Role-Based Access Control Works" topic in the System Security and User Maintenance Guide. You must also ensure that you have proper NetWitness UEBA licensing configured. For information about NetWitness UEBA licensing, see the "User and Entity Behavior Analytics License" topic in the Licensing Management Guide.

To access NetWitness UEBA, log into NetWitness Platform and go to INVESTIGATE > Users. The Users view, which contains all the NetWitness UEBA features, is displayed.

Users view, Overview tab
