UEBA: Introduction

Document created by RSA Information Design and Development on Sep 11, 2018
Last modified by RSA Information Design and Development on Feb 9, 2020
Version 13

RSA NetWitness UEBA (User and Entity Behavior Analytics) is an advanced analytics solution that enables enterprise SOC managers and analysts to discover, investigate, and monitor risky behaviors across two kinds of entities in your environment: users and network entities.

Users

All users in your organization can be analyzed for abnormal user activity using log and endpoint data. The log and endpoint data is retrieved and parsed from the NetWitness Platform Database (NWDB).

Network

Note: Network entities are supported on RSA NetWitness Platform 11.4 and later.

UEBA can be used to analyze malicious outbound traffic masked within a legitimate HTTPS session. It can detect network abnormalities such as an abnormal volume of outbound traffic sent to a specific port, domain, organization, or SSL Subject. The network (packet) data is retrieved and parsed from the NetWitness Platform Database (NWDB) into the new TLS data source, which supports two new entities: JA3 and SSL Subject. These entities are used to validate false negatives and true positives and to detect abnormal network traffic for JA3 and SSL Subject fingerprints.

  • JA3 - JA3 is a method of creating client-side SSL/TLS fingerprints that can identify the client application initiating the session. The JA3 fingerprints are used to perform JA3-signature-based analysis and detect abnormal network traffic, such as an abnormal number of bytes sent over HTTPS.
  • SSL Subject - The subject field of the certificate identifies the entity associated with the public key stored in the subject public key field, and hence the entity for which the certificate was issued.

NetWitness UEBA enables analysts to:

  • Detect
    • malicious and rogue users
    • abnormal network traffic
  • Pinpoint high-risk behaviors
  • Discover attacks
  • Investigate emerging security threats
  • Identify potential attacker's activity

This guide provides information and instructions for using all NetWitness UEBA functionalities and capabilities. It describes the key investigation methodologies, the main system capabilities, common use cases, and step-by-step instructions for the recommended workflow strategies.

How NetWitness UEBA Works

NetWitness UEBA uses analytics to detect anomalies in log and endpoint data or in network data and to derive behavioral results from them. There are five basic steps in this process, as displayed in the following diagram:

Flow diagram describing how UEBA gathers data and displays results

The following table provides a brief description of each of these steps.

1. Retrieve Log and Endpoint or Network Data
   Description: NetWitness UEBA retrieves log, endpoint, or network data from the NetWitness Platform Database (NWDB) and uses the data to create analytic results.
   More information: See Retrieve Data.

2. Create Baselines
   Description: Baselines are derived from detailed analysis of normal user or network entity behavior, and are used as a basis for comparison to user or network entity behavior over time.
   More information: See Create Baselines.

3. Detect Anomalies
   Description: An anomaly is a deviation from a user or network entity's normal baseline behavior. NetWitness UEBA performs statistical analysis to compare each new activity to the baseline. User or network entity activities that deviate from expected baseline values are scored to reflect the severity of the deviation.
   More information: See Detect Anomalies.

4. Generate Alerts
   Description: All the anomalies found in step 3 are grouped into hourly batches. Each batch is scored based on the uniqueness of its indicators. If the indicator composition is unique compared to a user or network entity's historic hourly batch compositions, it is likely that this batch will be transformed into an alert.
   More information: See Generate Indicators and Generate Alerts.

5. Prioritize Users or Network Entities with Risky Behavior
   Description: NetWitness UEBA prioritizes the potential risk from a user or network entity by using a simplified additive scoring formula. Each alert is assigned a severity that increases the user or network entity's score by a predefined number of points. Users or network entities with high scores either have multiple alerts associated with them, or have alerts of high severity associated with them.
   More information: See Prioritize User or Network Entity with Risky Behavior.

Retrieve Data

NetWitness UEBA connects to a Concentrator service to retrieve log and endpoint data for the user entity, or network data for the network entities. If there are multiple Concentrators, the NetWitness UEBA server connects to a Broker service instead. You can use the Broker service that is available on the NetWitness Platform Admin server if you do not have a dedicated Broker in your deployment. During NetWitness UEBA installation, the administrator specifies the IP address of the Broker service. For more information, see the "(Optional) Task 2 - Install NetWitness UEBA" topic in the NetWitness Platform 11.3 Physical Host Installation Guide.

Note: In 11.4, when installed on a virtual machine, UEBA can process up to 20 million network events per day. For information about resolving capacity-related issues, see Troubleshooting UEBA.

Create Baselines

NetWitness UEBA uses machine learning to analyze multiple aspects of a user or network entity's behavior within a stream of log and endpoint or network data, and gradually builds a multi-dimensional baseline of typical behavior for each user or network entity.

Behavioral baselines are also created on a global level to describe common activities observed throughout the network. For example, if a working hour is abnormal for a user entity but not for the organization as a whole, the false-positive reduction algorithms decrease its impact on the alert score. Models are updated frequently and improve continuously over time.

Note: NetWitness UEBA requires 28 days of historical log and endpoint data for users, and network data for network entities, to create a proper baseline for all the entities in your network. However, RSA recommends that you configure NetWitness UEBA to start baselining your data two months prior to your deployment date <today-60days>. The first 28 days are used for model training and are not scored. The remaining 32 days are used to improve and update the model, and are also scored to provide initial value.

Note: For version 11.2 or later, there is limited support for environments with multiple domains. Distinct username values that are registered under different domains are normalized and then combined into one modeled entity. As a result, different users who share the same username in different domains are wrongly attributed to a single normalized entity.

Create Baselines for Users

NetWitness UEBA analyzes user actions to build a multi-dimensional baseline that reflects the typical behavior of the user. An example of the baseline can include information about the hours in which a user typically logs on.

Create Baselines for Network

NetWitness UEBA analyzes the network traffic pattern of a JA3 or SSL Subject within a stream of network data to create a multi-dimensional baseline. For example, the baseline can be the normal amount of data sent by an application, or the specific port that is contacted by an application.

Detect Anomalies

The data is parsed hourly to detect abnormal behavior. After a behavioral baseline has been established for all entities in your environment, each incoming event is compared to the baseline to determine abnormalities. The event is scored based on its deviation: the stronger the deviation, the higher the score. Detected anomalies are turned into indicators that can be viewed in the UI.

For example, if a user's normal working hours are 9:00 AM to 5:00 PM, a new activity at 6:00 PM or 7:00 PM is not a strong deviation and is probably not scored as an anomaly. However, an authentication at midnight is a strong deviation and is scored as an anomaly.

As a network example, if a session in an organization completes an SSL handshake with a website and communicates with five different ports or domains, that is not a strong deviation and is probably not scored as an anomaly. However, if the session communicates with an abnormal port or domain that differs from what is normal, that is a strong deviation. This abnormal behavior of communicating with an abnormal port or domain is scored as an anomaly and triggers an alert.
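The working-hours example above, worked through as an added illustration (not NetWitness UEBA's own model, whose statistical method this page does not describe): a baseline of typical logon hours is built from a constructed training window, and a new event is scored by how far its hour lies from that baseline; the distance-to-score mapping and the anomaly threshold are constructed values.

```python
"""Illustrative logon-hour baseline and deviation scoring.

Added example, not NetWitness UEBA's own model: deviation is approximated as
the circular distance (in hours) from the nearest hour seen during the
training window, and the score mapping and threshold are constructed values.
"""
from collections import Counter
from datetime import datetime

# Constructed training window: 28 days of logons between 09:00 and 17:59,
# plus two stray 20:00 logons that are too rare to enter the baseline.
TRAINING_LOGONS = [
    datetime(2020, 1, day, hour, 5)
    for day in range(1, 29)
    for hour in range(9, 18)
] + [datetime(2020, 1, 10, 20, 0), datetime(2020, 1, 20, 20, 0)]


def build_hour_baseline(events, min_count=3):
    """Hours of day seen at least min_count times in the training events."""
    counts = Counter(event.hour for event in events)
    return {hour for hour, n in counts.items() if n >= min_count}


def hour_distance(hour, baseline):
    """Smallest distance in hours (wrapping at midnight) to any baseline hour."""
    return min(min(abs(hour - b), 24 - abs(hour - b)) for b in baseline)


def score_event(event, baseline):
    """0 inside the baseline; otherwise 20 points per hour of deviation, capped at 100."""
    return min(100, hour_distance(event.hour, baseline) * 20)


def is_anomaly(score, threshold=50):
    """Constructed threshold: scores at or above 50 become indicators."""
    return score >= threshold


if __name__ == "__main__":
    baseline = build_hour_baseline(TRAINING_LOGONS)
    for ts in (datetime(2020, 2, 3, 18, 0), datetime(2020, 2, 3, 19, 0),
               datetime(2020, 2, 4, 0, 0)):
        s = score_event(ts, baseline)
        print(ts.strftime("%H:%M"), "score", s, "anomaly" if is_anomaly(s) else "normal")
```

With the 09:00 to 17:00 baseline, 18:00 and 19:00 score 20 and 40 (below the threshold) while midnight scores 100, matching the weak and strong deviations the text describes.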

Generate Indicators

If anomalies are detected, they are turned into indicators. NetWitness UEBA uses indicators to define validated anomalous activities. An indicator represents either an anomaly found in a single event or anomalies in multiple events batched over time.

User Indicators

Abnormal user activities, such as suspicious user logons, brute-force password attacks, unusual user changes, and abnormal file access, are anomalous activities. Every anomalous activity is associated with an indicator. For more information, see Indicators for Users.

Network Indicators

Abnormal network traffic that contributes to data exfiltration or phishing is an example of an anomalous activity. Every anomalous activity is associated with an indicator. For more information, see Indicators for Network Entities.

Generate Alerts

All the anomalies that are found are grouped into hourly batches by user or network entity name. Each batch is scored based on the uniqueness of the composition of its indicators. If a composition is unique compared to the user or network entity's history, it is likely that this batch will be transformed into an alert, and the anomalies into indicators. A high-scoring batch of anomalies becomes an alert that contains validated indicators of compromise.

An abnormal activity by itself, even if it happens hundreds of times a day in a large corporate environment, does not necessarily reflect an account compromise. However, an abnormal behavior that occurs alongside many other abnormal behaviors could indicate that the account is compromised, and is a sign that additional analysis is required.

For example, if a combination of one or more of the following abnormal user or network behaviors occurs, an alert is triggered.

Users

  • Authentication from an abnormal computer
  • Multiple authentication attempts identified in a short time frame
  • Multiple files deleted by this user from the corporate file share
  • Download or transfer of files larger than the allowed limits

Network

  • Abnormal Destination Port for Source Netname
  • Abnormal Organization for Source Netname
  • Abnormal Traffic Volume Sent to Organization
  • Abnormal Traffic Volume Sent to Port

Note: The NetWitness UEBA user interface can initially appear as empty because alerts are not generated until the baselines are established. If there is no historical audit data when NetWitness UEBA is enabled, the system starts generating the baselines from the time it is deployed, and requires 28 full days to elapse before beginning to generate new alerts. If historical audit data is processed when NetWitness UEBA is enabled, alerts appear after the historical data has been processed, usually within two to four days.

Prioritize User or Network Entity with Risky Behavior

Entity scores are a primary tool for incident prioritization. An entity's score is based on a simple additive calculation over its alerts. Alerts and analyst feedback are the only factors in the score calculation, and the impact of each alert on the score is determined by its severity. A unified color code is used for entity and alert scores:

Severity   Color    Score
Critical   Red      +20
High       Orange   +15
Medium     Yellow   +10
Low        Green    +1
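The hourly batching described under Generate Alerts and the additive scoring described here, as one added example (not NetWitness UEBA's own code). The severity points come from the table above; the alert rule (a batch becomes an alert when its set of indicators has not been seen before for that entity) and the mapping from indicator count to severity are constructed simplifications, and the indicator sample is constructed.

```python
"""Hourly indicator batching and additive entity scoring (added example for this page,
not NetWitness UEBA's own code). Severity points are from the page's table; the alert
rule (a batch alerts when its indicator set is new for that entity) and the
count-to-severity mapping are constructed simplifications."""
from collections import defaultdict
from datetime import datetime

SEVERITY_POINTS = {"Critical": 20, "High": 15, "Medium": 10, "Low": 1}

INDICATORS = [  # constructed sample: (entity, timestamp, indicator name)
    ("alice", datetime(2020, 2, 3, 9, 12), "multiple_authentication_attempts"),
    ("alice", datetime(2020, 2, 4, 9, 40), "multiple_authentication_attempts"),
    ("alice", datetime(2020, 2, 5, 0, 3), "authentication_from_abnormal_computer"),
    ("alice", datetime(2020, 2, 5, 0, 17), "multiple_authentication_attempts"),
    ("alice", datetime(2020, 2, 5, 0, 45), "multiple_files_deleted"),
    ("bob", datetime(2020, 2, 5, 14, 2), "abnormal_destination_port"),
]

def hourly_batches(indicators):
    """Group indicator names into (entity, hour) batches, ordered by hour."""
    batches = defaultdict(set)
    for entity, ts, name in indicators:
        batches[(entity, ts.replace(minute=0, second=0, microsecond=0))].add(name)
    return dict(sorted(batches.items(), key=lambda item: item[0][1]))

def severity_for(indicator_count):
    """Constructed mapping: more distinct indicators in one hour means higher severity."""
    if indicator_count >= 3:
        return "Critical"
    return "High" if indicator_count == 2 else "Low"

def alerts_from_batches(batches):
    """Raise an alert for each batch whose indicator composition is new for the entity."""
    history = defaultdict(set)  # entity -> compositions already seen
    alerts = []
    for (entity, hour), names in batches.items():
        composition = frozenset(names)
        if composition in history[entity]:
            continue  # same mix of indicators as before: routine, no alert
        history[entity].add(composition)
        alerts.append({"entity": entity, "hour": hour, "indicators": sorted(names),
                       "severity": severity_for(len(composition))})
    return alerts

def entity_scores(alerts):
    """Additive score from the page's table: each alert adds its severity's points."""
    scores = defaultdict(int)
    for alert in alerts:
        scores[alert["entity"]] += SEVERITY_POINTS[alert["severity"]]
    return dict(scores)
```

In the sample, alice's repeated single indicator on the second morning produces no new alert, while the midnight hour with three distinct indicators becomes a Critical alert, which is what drives her score above bob's.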

Supported Sources

Log Sources

NetWitness UEBA natively supports the following data sources:

  • Windows Active Directory in Version 11.2
  • Windows Logon and Authentication Activity in Version 11.2
  • Windows File Servers in Version 11.2
  • Windows Remote Management in Version 11.3.2
  • NetWitness Endpoint Process in Version 11.3
  • NetWitness Endpoint Registry in Version 11.3
  • RSA SecurID Token in Version 11.3.1
  • RedHat Linux in Version 11.3.1

Network Sources

  • TLS in Version 11.4

Recommended Workflows

To use NetWitness UEBA more effectively, you can follow one of two workflows: the detection workflow or the forensic workflow.

Detection Workflow

The detection workflow lets you gain an overview of the health of your environment, and then focus on investigating the top high-risk users, entities, and alerts that are displayed in the Overview tab.

The following flowchart illustrates the steps you can follow to begin detecting suspicious behavior in your environment.

Flow diagram of UEBA detection workflow

The following table describes each step in the workflow.

View the top ten users or entities, or the top ten alerts
   Description: In the Overview tab, note the users and network entities with the riskiest behaviors and the most critical alerts.
   Instructions: Investigate High-Risk User or Network Entity and Investigate Top Alerts

Investigate details of users, entities, and alerts
   Description: Drill into detailed information about risky user or entity behaviors and critical alerts to determine the cause of these actions and how to resolve them.
   Instructions: Investigate High-Risk User or Network Entity and Investigate Events

Determine the result of the investigation
   Description: Analyze the summary information provided in the user interface from the previous steps and identify areas to focus on to resolve the issues you found.
   Instructions: Identify High-Risk User or Network Entity and Investigate Events

Take action to resolve the issues found
   Description: Target specific user or entity behaviors and events to address, and use the results of this investigation to improve and sharpen future investigations.
   Instructions: Take Action on High-Risk User or Network Entity

Forensic Workflow

The forensic workflow is recommended once you have gained an understanding of the typical user or entity behaviors and anomalies in your environment. It helps you focus on specific forensic information that is based on a user or entity behavior, or on a specific timeframe in which suspicious events occurred.

Using forensic information, analysts can determine the actions and behaviors that an attacker is likely to attempt by asking the following questions:

  • What fundamental techniques and behaviors are common across all intrusions?
  • What evidence do these techniques leave behind?
  • What do attackers do?
  • What are normal behaviors of my accounts and entities?
  • Which are my sensitive machines and where are they located?

The following flowchart illustrates how to perform your investigation on forensic information that is based on a specific user or entity behavior, or a specific timeframe in which suspicious events occurred.

Flow diagram of Forensic workflow.

The following table describes each step in the workflow.

Gain knowledge of expected behaviors and anomalies in your environment
   Description: Establish a baseline of normal behaviors, expected anomalies, and unexpected anomalies, so that you can focus on anomalies that are significant for your environment.
   Instructions: Retrieve Data, Detect Anomalies, and Generate Alerts

Investigate a user or network entity with the top score for a specific behavior
   Description: Select a user or network entity with a high score for a specific behavior and gather detailed information.
   Instructions: Investigate High-Risk User or Network Entity and Investigate Events

Investigate alerts that occur in a specific timeframe
   Description: Determine a timeframe of interest, and in the Alerts tab, select that timeframe to see detailed information about alerts that occurred during that time period.
   Instructions: Investigate Events

Determine the result of the investigation
   Description: Based on your knowledge of expected user or network entity behavior, focus on the indicators that are displayed during the specified time period and determine whether the anomalies that were discovered need to be resolved.
   Instructions: Investigate Events and Identify High-Risk User or Network Entity

Take action to resolve the issues found
   Description: Target specific user or network entity behaviors and events to address, and use the results of this investigation to improve and sharpen future investigations.
   Instructions: Take Action on High-Risk User or Network Entity