RSA NetWitness UEBA (User and Entity Behavior Analytics) is an advanced analytics solution that enables enterprise SOC managers and analysts to discover, investigate, and monitor risky behavior across two kinds of entities in your environment: users and network entities.
All users in your organization can be analyzed using the log and endpoint data for abnormal user activities. The log and endpoint data is retrieved and parsed from the NetWitness Platform Database (NWDB).
UEBA can be used to analyze malicious outbound traffic masked within a legitimate HTTPS session. It detects network abnormalities such as an abnormal volume of outbound traffic sent to a specific port, domain, organization, or SSL Subject. The network (packet) data is retrieved and parsed from the NetWitness Platform Database (NWDB) into the TLS data source, which supports two network entities: JA3 and SSL Subject. These entities are used to validate false negatives and true positives and to detect abnormal network traffic associated with a JA3 or SSL Subject fingerprint.
- JA3 - JA3 is a method of creating client-side SSL/TLS fingerprints that identify the client application initiating the session. JA3 fingerprints are used to perform JA3-signature-based analysis and to detect abnormal network traffic, such as an abnormal number of bytes sent over HTTPS.
- SSL Subject - The subject field of the certificate identifies the entity associated with the public key stored in the subject public key field, that is, the entity to which the certificate was issued.
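The JA3 entity named above is a hash over five fields of the TLS ClientHello. The following added example (not NetWitness UEBA code, and not taken from this guide) shows how that fingerprint is derived from already-parsed ClientHello fields, including the GREASE filtering that keeps a browser's randomized values from changing the hash. The field lists are constructed sample input; the first set is the worked example from the public JA3 documentation.

```python
"""Deriving a JA3 client fingerprint from the fields of a TLS ClientHello."""
import hashlib

# GREASE values (RFC 8701). Browsers insert random ones into the cipher,
# extension and group lists; JA3 drops them so the fingerprint stays stable.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def _field(values):
    """Decimal values joined with '-', GREASE removed; an empty list gives an empty field."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """The five JA3 fields, comma separated:
    SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats.
    `version` is the ClientHello handshake version (0x0301 = 769 for TLS 1.0)."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])


def ja3_hash(s):
    """The fingerprint itself is the MD5 of the JA3 string."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


def ja3(version, ciphers, extensions, curves, point_formats):
    """Return (ja3_string, ja3_hash) for one ClientHello."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return s, ja3_hash(s)


# Constructed sample ClientHello field sets.
# SAMPLE is the worked example from the public JA3 documentation.
SAMPLE = dict(version=769,
              ciphers=[47, 53, 5, 10, 49161, 49162, 49171, 49172, 50, 56, 19, 4],
              extensions=[0, 10, 11],
              curves=[23, 24, 25],
              point_formats=[0])
# The same client, but with GREASE values inserted as a modern browser would.
SAMPLE_WITH_GREASE = dict(version=769,
                          ciphers=[0x0A0A] + SAMPLE["ciphers"],
                          extensions=[0x2A2A] + SAMPLE["extensions"],
                          curves=[0x1A1A] + SAMPLE["curves"],
                          point_formats=[0])

if __name__ == "__main__":
    for name, fields in (("plain", SAMPLE), ("with GREASE", SAMPLE_WITH_GREASE)):
        s, h = ja3(**fields)
        print(f"{name:12} {s}\n{'':12} {h}")
```

Both sample sets produce the same hash, which is the point of the GREASE filtering: the entity UEBA baselines is the client application, not one particular handshake. Note that the hash is of the decimal string, so two clients that offer the same values in a different order get different JA3 fingerprints.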
NetWitness UEBA enables analysts to:
- Detect malicious and rogue users
- Detect abnormal network traffic
- Pinpoint high-risk behaviors
- Discover attacks
- Investigate emerging security threats
- Identify potential attacker activity
This guide provides information and instructions for using all NetWitness UEBA functionalities and capabilities. It describes the key investigation methodologies, the main system capabilities, common use cases, and step-by-step instructions for the recommended workflow strategies.
How NetWitness UEBA Works
NetWitness UEBA applies analytics to log and endpoint data, or to network data, to detect anomalies and derive behavioral results from them. There are five basic steps in this process, as displayed in the following diagram:
The following table provides a brief description of each of these steps.
NetWitness UEBA connects to a Concentrator service to retrieve log and endpoint data for user entities, or network data for network entities. If there are multiple Concentrators, the NetWitness UEBA server connects to a Broker service instead. You can use the Broker service that is available on the NetWitness Platform Admin server if your deployment does not have a dedicated Broker. During NetWitness UEBA installation, the administrator specifies the IP address of the Broker service. For more information, see the "(Optional) Task 2 - Install NetWitness UEBA" topic in the NetWitness Platform 11.3 Physical Host Installation Guide.
NetWitness UEBA uses machine learning to analyze multiple aspects of a user or network entity behavior within a stream of log and endpoint or network data and gradually builds a multi-dimensional baseline of typical behavior for each user or network entity.
Behavioral baselines are also created on a global level to describe common activities observed throughout the network. For example, if a working hour is abnormal for a user entity but is not abnormal for the organization, the false-positive reduction algorithms decrease its impact on the alert score. Models are updated frequently and constantly improve as time goes on.
NetWitness UEBA analyzes user actions to build a multi-dimensional baseline that reflects the typical behavior of the user. An example of the baseline can include information about the hours in which a user typically logs on.
NetWitness UEBA analyzes the network traffic pattern of JA3 or SSL Subject within a stream of network data to create a multi-dimensional baseline. For example, the baseline can be the normal amount of data sent from an application or specific port that is contacted for an application.
The data is processed hourly to detect abnormal behavior. After a behavioral baseline has been established for all entities in your environment, each incoming event is compared against the baseline to determine how far it deviates, and the event is scored on that deviation: a strong deviation receives a high score and a weak deviation a low score. Anomalies that are detected are turned into Indicators that can be viewed in the UI.
For example, if a user's normal working hours are 9:00 AM to 5:00 PM, a new activity at 6:00 PM or 7:00 PM is not a strong deviation and is probably not scored as an anomaly. However, an authentication at midnight is a strong deviation and is scored as an anomaly.
For example, if an application in your organization normally completes SSL handshakes with websites on five different ports or domains, traffic to any of those is not a strong deviation and is probably not scored as an anomaly. But if it communicates with a port or domain that differs from what is normal, that is a strong deviation: the behavior is scored as an anomaly and can trigger an alert.
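To make the baseline, deviation-scoring and global false-positive reduction steps concrete, here is an added example for the logon-hours case described above. It is not NetWitness UEBA code and does not reproduce the product's models: the distance-based score, the 50-point anomaly threshold, the damping by the share of users active in an hour, and the sample logon events are all assumptions chosen for the illustration.

```python
"""Hour-of-day baseline and deviation scoring for user logons."""
from collections import defaultdict
from datetime import datetime

ANOMALY_THRESHOLD = 50.0   # assumption: a final score at or above this is an anomaly


def constructed_events():
    """Constructed sample: (user, ISO-8601 timestamp) logon events over five days.
    alice works 09:00-17:00; bob and carol work 09:00-20:00."""
    events = []
    for user, first, last in (("alice", 9, 17), ("bob", 9, 20), ("carol", 9, 20)):
        for day in range(1, 6):
            for hour in range(first, last + 1):
                events.append((user, f"2023-05-{day:02d}T{hour:02d}:00:00"))
    return events


def build_baselines(events):
    """Per-user baseline: the set of hours in which the user was seen.
    Global baseline: for each hour, the fraction of users active in it."""
    user_hours = defaultdict(set)
    for user, ts in events:
        user_hours[user].add(datetime.fromisoformat(ts).hour)
    org_share = {h: sum(h in hours for hours in user_hours.values()) / len(user_hours)
                 for h in range(24)}
    return dict(user_hours), org_share


def circular_distance(a, b):
    """Distance between two hours of day on the 24-hour clock (0..12)."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_event(user, ts, user_hours, org_share):
    """Return (raw, final) scores in 0..100, or None if the user has no baseline yet.
    raw  : distance from the user's nearest baseline hour, 12 hours = 100.
    final: raw damped by the global baseline, so an hour that is common across the
           organization (org_share close to 1) contributes little even if it is
           new for this user."""
    hour = datetime.fromisoformat(ts).hour
    baseline = user_hours.get(user)
    if not baseline:
        return None
    raw = 100 * min(circular_distance(hour, h) for h in baseline) / 12
    final = raw * (1 - org_share[hour])
    return round(raw, 1), round(final, 1)


def is_anomaly(scores):
    return scores is not None and scores[1] >= ANOMALY_THRESHOLD


if __name__ == "__main__":
    user_hours, org_share = build_baselines(constructed_events())
    for ts in ("2023-05-08T18:00:00", "2023-05-08T19:00:00", "2023-05-08T00:00:00"):
        s = score_event("alice", ts, user_hours, org_share)
        print(ts, s, "anomaly" if is_anomaly(s) else "ok")
```

For alice, 18:00 is one hour past her baseline and scores low; 19:00 is also damped because two of the three users normally work then; midnight is seven hours from her nearest baseline hour and nobody else is active, so it crosses the threshold. A user with no history is returned as unscored rather than as an anomaly, matching the requirement that a baseline exist before events are compared against it.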
If anomalies are detected, they are turned into Indicators. NetWitness UEBA uses indicators to define validated anomalous activities. Indicators either represent anomalies found in a single event or multiple events batched over time.
Abnormal user activities such as suspicious user logons, brute-force password attacks, unusual user changes, and abnormal file access are anomalous activities. Every anomalous activity is associated with an indicator. For more information, see Indicators for Users.
Abnormal network traffic that contributes to data exfiltration or phishing is an example of anomalous network activity. Every anomalous activity is associated with an indicator. For more information, see Indicators for Network Entities.
All anomalies that are found are grouped into hourly batches by user or network entity name. Each batch is scored on the uniqueness of the composition of its indicators. If the composition is unique compared with the entity's history, the batch is likely to be transformed into an alert and its anomalies into indicators. A high-scored batch of anomalies becomes an alert that contains validated indicators of compromise.
An abnormal activity by itself, even if it happens hundreds of times a day in a large corporate environment, does not necessarily reflect an account compromise. However, an abnormal behavior that occurs with a lot of other abnormal behaviors could indicate that the account is compromised and is an indication that additional analysis is required.
For example, if a combination of one or more of the following abnormal user or network behaviors occurs, an alert is triggered.
- Authentication from an abnormal computer
- Multiple authentication attempts identified in a short time frame
- Multiple files have been deleted by this user from the corporate file share
- Download or transfer files larger than the allowed limits
- Abnormal Destination Port for Source Netname
- Abnormal Organization for Source Netname
- Abnormal Traffic Volume Sent to Organization
- Abnormal Traffic Volume Sent to Port
Entity scores are the primary tool for incident prioritization. An entity's score is a simple additive calculation over its alerts. Alerts and analyst feedback are the only factors in the calculation, and each alert's impact on the score is determined by its severity level. A unified color code is used for entity and alert scores.
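The following added example walks through the hourly batching, composition-uniqueness scoring and additive entity-score steps described in the preceding paragraphs. It is not NetWitness UEBA code: the novelty-times-breadth batch score, the alert threshold, the severity bands and weights, the feedback handling and the sample indicators are assumptions chosen to show why a lone recurring indicator scores low while a first-time combination raises an alert.

```python
"""Hourly indicator batches, batch scoring by composition uniqueness, entity score."""
from collections import defaultdict
from datetime import datetime

ALERT_THRESHOLD = 50                                   # assumption
SEVERITY_WEIGHT = {"medium": 5, "high": 10, "critical": 20}   # assumption
BREADTH_CAP = 4          # assumption: distinct indicator types that count as full breadth

# Constructed indicators: (entity, ISO-8601 timestamp, indicator name).
INDICATORS = [
    # alice: the same single indicator on three ordinary days
    ("alice", "2023-05-01T10:15:00", "Authentication from an abnormal computer"),
    ("alice", "2023-05-02T10:40:00", "Authentication from an abnormal computer"),
    ("alice", "2023-05-03T09:05:00", "Authentication from an abnormal computer"),
    # alice: one hour that combines several behaviors
    ("alice", "2023-05-04T02:10:00", "Authentication from an abnormal computer"),
    ("alice", "2023-05-04T02:12:00", "Multiple authentication attempts identified in a short time frame"),
    ("alice", "2023-05-04T02:35:00", "Multiple files have been deleted by this user from the corporate file share"),
    ("alice", "2023-05-04T02:50:00", "Download or transfer files larger than the allowed limits"),
    # a network entity (constructed JA3 name) with two indicators in one hour
    ("ja3:constructed-fingerprint", "2023-05-04T14:03:00", "Abnormal Destination Port for Source Netname"),
    ("ja3:constructed-fingerprint", "2023-05-04T14:41:00", "Abnormal Traffic Volume Sent to Port"),
]


def hourly_batches(indicators):
    """Group indicators into (entity, hour) batches, ordered by hour then entity."""
    batches = defaultdict(list)
    for entity, ts, name in indicators:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        batches[(entity, hour)].append(name)
    return dict(sorted(batches.items(), key=lambda kv: (kv[0][1], kv[0][0])))


def score_batches(batches):
    """Score each batch against the entity's earlier batches.
    novelty: share of indicator types in the batch never seen for this entity before.
    breadth: how many distinct types the batch combines, capped at BREADTH_CAP."""
    seen = defaultdict(set)
    results = []
    for (entity, hour), names in batches.items():
        kinds = set(names)
        novelty = len(kinds - seen[entity]) / len(kinds)
        breadth = min(len(kinds), BREADTH_CAP) / BREADTH_CAP
        score = round(100 * novelty * breadth)
        results.append({"entity": entity, "hour": hour.isoformat(),
                        "indicators": sorted(kinds), "score": score,
                        "alert": score >= ALERT_THRESHOLD})
        seen[entity] |= kinds
    return results


def severity(score):
    """Severity band of an alert (assumed bands)."""
    if score >= 90:
        return "critical"
    if score >= 70:
        return "high"
    return "medium"


def entity_scores(results, feedback=None):
    """Additive entity score: sum of severity weights over the entity's alerts.
    `feedback` maps (entity, hour) to an analyst verdict; alerts marked
    "not_a_risk" contribute nothing."""
    feedback = feedback or {}
    totals = defaultdict(int)
    for r in results:
        if not r["alert"] or feedback.get((r["entity"], r["hour"])) == "not_a_risk":
            continue
        totals[r["entity"]] += SEVERITY_WEIGHT[severity(r["score"])]
    return dict(totals)


if __name__ == "__main__":
    results = score_batches(hourly_batches(INDICATORS))
    for r in results:
        print(r["hour"], r["entity"], r["score"], "ALERT" if r["alert"] else "")
    print(entity_scores(results))
```

Alice's first "abnormal computer" batch is novel but narrow (score 25), the repeats score 0, and the four-indicator hour scores 75 and becomes a high-severity alert; the network entity's two first-time indicators reach exactly the threshold. Dismissing an alert through feedback removes its weight from the entity score, which is the only way, besides new alerts, that the score changes in this model.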
NetWitness UEBA natively supports the following data sources:
- Windows Active Directory in Version 11.2
- Windows Logon and Authentication Activity in Version 11.2
- Windows File Servers in Version 11.2
- Windows Remote Management in Version 11.3.2
- NetWitness Endpoint Process in Version 11.3
- NetWitness Endpoint Registry in Version 11.3
- RSA SecurID Token in Version 11.3.1
- RedHat Linux in Version 11.3.1
- TLS in Version 11.4
To use NetWitness UEBA more effectively, you can follow one of two workflows: the detection workflow or the forensic workflow.
The detection workflow allows you to gain an overview of the health of your environment, and then focus on investigating the top high-risk users, entities and alerts that are displayed in the Overview tab.
The following flowchart illustrates the steps you can follow to begin detecting suspicious behavior in your environment.
The following table describes each step in the workflow.
The forensic workflow is recommended when you have gained an understanding of the typical user or entity behaviors and anomalies in your environment, and helps you focus on specific forensic information that is based on a user or entity behavior, or a specific timeframe in which suspicious events occurred.
Using forensic information, analysts can determine the actions and behaviors that an attacker is likely to attempt by asking the following questions:
- What fundamental techniques and behaviors are common across all intrusions?
- What evidence do these techniques leave behind?
- What do attackers do?
- What are the normal behaviors of my accounts and entities?
- Which are my sensitive machines, and where are they located?
The following flowchart illustrates how to perform your investigation on forensic information that is based on a specific user or entity behavior, or a specific timeframe in which suspicious events occurred.
The following table describes each step in the workflow.