RSA NetWitness UEBA (User and Entity Behavior Analytics) is an advanced analytics solution for discovering, investigating, and monitoring risky behaviors across all users and entities in your network environment. NetWitness UEBA is used for:
- Detecting malicious and rogue users
- Pinpointing high-risk behaviors
- Discovering attacks
- Investigating emerging security threats
NetWitness UEBA leverages existing data in NetWitness Platform logs and empowers enterprise SOC and analysts with the insights and investigative capabilities to mitigate cyber threats.
This guide is designed for Analysts and SOC Managers, and provides information and instructions for using all NetWitness UEBA functions and capabilities. It describes key investigation methodologies, the main system capabilities, common use cases, and step-by-step instructions for recommended workflow strategies.
How NetWitness UEBA Works
NetWitness UEBA uses analytics to detect anomalies in log data and derives behavioral results from them. There are five basic steps to this process, as shown in the following diagram:
The following table provides a brief description of each of these steps.
The NetWitness UEBA server connects to the Broker or Concentrator service to retrieve log data from Concentrators. You can use the Broker service that is available on the NetWitness Platform Admin server if you do not have an exclusive Broker in your deployment. During NetWitness UEBA installation, the administrator specifies the IP address of the Broker service.
For more information, see the "(Optional) Task 2 - Install NetWitness UEBA" topic in the NetWitness Platform 11.2 Physical Host Installation Guide.
NetWitness UEBA uses machine learning to analyze multiple aspects of a user’s actions within a stream of log data and gradually builds a multi-dimensional baseline of typical behavior for each user. For example, the baseline can include information about the hours in which a user typically logs on.
Behavioral baselines are also created on a global level to describe common activities observed throughout the network. If a working hour was abnormal for a user, but is not abnormal for the organization, the false-positive reduction algorithms decreases the impact on the alert score.
Models are updated frequently and are constantly improving as time goes on.
After establishing a behavioral baseline for all the users in your environment, each incoming event is compared to the baseline, and is given a score to determine if the new behavior is abnormal, and particularly, if it is a strong deviation from the baseline. For example, if a user's normal working hours are 9:00 AM to 5:00 PM, a new activity at 6:00 PM or 7:00 PM is not a strong deviation, and is probably not scored as an anomaly. However, an authentication at midnight is a strong deviation and is scored as an anomaly.
If anomalies are detected, they are turned into Indicators of Compromise, described as Indicators in the UI. NetWitness UEBA uses indicators to define validated anomalous activity, such as suspicious user logons, brute-force password attacks, unusual user changes and abnormal file access. Indicators either represent anomalies found in a single event or multiple events batched over time.
All the anomalies that are found are grouped into username and hourly batches. Each batch is scored based on the uniqueness of the composition of its indicators. If a composition is unique compared to the user's history, it is likely that this batch will be transformed into an alert, and the anomalies into indicators. A high-scored batch of anomalies becomes an alert that contains validated indicators of compromise.
For example, one abnormal activity by itself, even if it happens hundreds of times a day in a large corporate environment, does not necessarily reflect an account compromise. However, an abnormal behavior that occurs with a lot of other abnormal behaviors could indicate that the account is compromised. These three behaviors occurring together may indicate that additional analysis is required.
- Authentication from an abnormal computer
Multiple authentication attempts identified in a short time frame
Multiple files have been deleted by this user from the corporate file share
User scores are a primary tool for incident prioritization. The user score is based on a simple additive calculation of the user's alerts. Alerts and analyst feedback are the only factors in the user score calculation, with the impact on the scores determined by their levels of severity.
A unified color code is used for user and alert scores:
NetWitness UEBA natively supports the following Windows log sources:
- Windows Active Directory
- Windows Logon and Authentication Activity
- Windows File Servers
To use NetWitness UEBA most effectively, there are two workflows; Detection workflow and Forensic workflow, that you can follow.
The detection workflow allows you to gain an overview of the health of your environment, and then focus on investigating the top high-risk users and alerts that are displayed in the Overview tab.
The following flowchart illustrates the steps you can follow to begin detecting suspicious behavior in your environment.
The following table describes each step in the workflow.
The forensic workflow is recommended when you have gained an understanding of the typical user behaviors and anomalies in your environment, and helps you focus on specific forensic information that is based on a user behavior, or a specific timeframe in which suspicious events occurred.
Using Forensics information, the analysts may determine the actions and behaviors that the attacker is likely to attempt using the following questions:
- What fundamental techniques and behaviors are common across all intrusions?
- What evidence do these techniques leave behind?
- What do attackers do?
- What are normal behaviors of my accounts and entities?
Which are my sensitive machines and where are they located?
The following flowchart illustrates how to perform your investigation on forensic information that is based on a specific user behavior, or a specific timeframe in which suspicious events occurred.
The following table describes each step in the workflow.
Access NetWitness UEBA
To access NetWitness UEBA, log into NetWitness Platform and go to Investigate > Users. The Users view, which contains all the NetWitness UEBA features, is displayed.