RSA NetWitness User and Entity Behavior Analytics (UEBA) is an advanced analytics solution that empowers enterprise SOC managers and analysts to discover, investigate, and monitor risky behaviors across entities namely Users and Network (packets) in your environment.
NetWitness UEBA enables analyst to:
- malicious and rogue users
- abnormal network traffic
- Identify high-risk behaviors
- Discover attacks
- Investigate emerging security threats
Identify potential attacker's activity
This guide provides information and instructions for using the NetWitness UEBA functionalities and capabilities. It describes the key investigation methodologies, the main system capabilities, common use cases, and step-by-step instructions for the recommended workflow strategies.
UEBA helps to analyze all users in your organization using logs and endpoint data for user activities, which is retrieved and parsed from the NetWitness Database (NWDB).
Note: Network entities are supported on RSA NetWitness Platform 11.4 and later.
UEBA helps to analyze malicious outbound traffic masked within a legitimate HTTPS session. It can detect various network abnormalities, such as abnormal outbound traffic volume sent to a specific port, domain, organization or SSL Subject. The network (packet) data is retrieved and parsed from the NWDB into the new TLS data source, which supports two new entities: JA3 and SSL Subject. These entities validate the false negatives and true positives, and detect abnormal network traffic for JA3 and SSL Subject fingerprints.
- JA3 - JA3 is a method of creating client-side SSL/TLS fingerprints to identify the client application initiating the session. The JA3 fingerprints perform JA3-signature-based analysis and detect abnormal network traffic, such as abnormal number of bytes sent over HTTPS.
- SSL Subject - The subject field of the certificate identifies the entity associated with the public key stored in the subject public key field, which is the entity for which the certificate was issued.
How NetWitness UEBA Works How NetWitness UEBA Works
NetWitness UEBA uses analytics to detect anomalies in the log and endpoint or network data to derive behavioral results from them. The following diagram displays the basic workflow:
The following table provides a brief description of each step.
|1. Retrieve Log and Endpoint or Network Data||NetWitness UEBA retrieves logs or endpoint or network data from the NWDB and uses the data to create analytic results.||See Retrieve Data|
|2. Create Baselines||Baselines are derived from detailed analysis of normal user or network entity behavior, and are used as a basis for comparison to user or network entity behavior over time.||See Create Baselines|
|3. Detect Anomalies||An anomaly is a deviation of a user or network entity from the normal baseline behavior. NetWitness UEBA performs statistical analysis to compare each new activity to the baseline. User or network entity activities that deviate from expected baseline values are scored accordingly to reflect the severity of the deviation.||See Detect Anomalies|
|4. Generate Alerts||All the anomalies found in step 3 are grouped into hourly batches. Each batch is scored based on the uniqueness of its indicators. If the indicator composition is unique compared to a user or network entity's historic hourly batch compositions, it is likely that this batch is transformed into an alert.||See Generate Indicators and Generate Alerts|
|5. Prioritize User or Network Entities with Risky Behavior||NetWitness UEBA prioritizes the potential risk from a user or network entity by using a simplified additive scoring formula. Each alert is assigned a severity that increases a user or network entity's score by a predefined number of points. User or network entity with high scores either have multiple alerts, or alerts of high levels of severity associated with them.||See Prioritize User or Network Entity with Risky Behavior|
Retrieve Data Retrieve Data
NetWitness UEBA connects to a Concentrator service to retrieve log and endpoint data for the user entity or network data for the network entities. In case of multiple Concentrators, the NetWitness UEBA server connects to a Broker service. You can use the Broker service that is available on the NetWitness Platform Admin server if you do not have an exclusive Broker in your deployment. During NetWitness UEBA installation, the administrator specifies the IP address of the Broker service. For more information, see the "(Optional) Task 2 - Install NetWitness UEBA" topic in the NetWitness Platform 11.5 Physical Host Installation Guide
Note: In 11.4 and later, and when installed on a virtual machine, UEBA can process up to 20 million network events per day. For more information to resolve these issues, see the 'Troubleshooting UEBA Configurations' topic in the UEBA Configuration Guide.
Create Baselines Create Baselines
NetWitness UEBA uses machine learning to analyze multiple aspects of a user or network entity behavior within a stream of log and endpoint or network data and gradually builds a multi-dimensional baseline of typical behavior for each user or network entity.
Behavioral baselines are also created on a global level to describe common activities observed throughout the network. For example, if a working hour is abnormal for a user entity, but is not abnormal for the organization, the false-positive reduction algorithms decrease the impact on the alert score. Models are updated frequently and are constantly improving as time goes on.
Note: NetWitness UEBA requires 28 days of historical log and endpoint data for users and network data for network entities to create a proper baseline for all entities in your network. However, RSA recommends that you configure NetWitness UEBA to start baselining your data two months before the deployment date <today-60days>. The first 28 days are used for model training and are not scored. The remaining 32 days are leveraged to improve and update the model, and are also scored to provide initial value.
Note: For version 11.2 or later, there is limited support for environments with multiple domains. Distinct username values that are registered under different domains are normalized, and combined into one modeled entity. As a result, different users, who share the same username in different domains, will incorrectly be attributed to a single normalized entity.
Create Baselines for UsersCreate Baselines for Users
NetWitness UEBA analyzes user actions to build a multi-dimensional baseline that reflects the typical behavior of the user. For example, the baseline can include information about the hours in which a user typically logs on.
Create Baselines for NetworkCreate Baselines for Network
NetWitness UEBA analyzes the network traffic pattern of JA3 or SSL Subject within a stream of network data to create a multi-dimensional baseline. For example, the baseline can be the allowed limit of data sent from an application or specific port that is connected to an application.
Detect AnomaliesDetect Anomalies
The data is parsed hourly, to detect abnormal behavior. After establishing a behavioral baseline for all entities in your environment, each incoming event is compared to the baseline, to determine abnormalities. Based on the deviation the event is scored. The score is high if the deviation is strong and vice-versa. If anomalies are detected, they are turned into indicators that can be viewed on the user interface (UI).
For example, if a user's normal working hours are 9:00 AM to 5:00 PM, a new activity at 6:00 PM or 7:00 PM is not a strong deviation, and is probably not scored as an anomaly. However, an authentication at midnight is a strong deviation and is scored as an anomaly.
For example, in an organization, when a session is authenticated into a website for a SSL handshake, and communicates to five different ports or domains, it is not a strong deviation, and is probably not scored as an anomaly. But if the website communicates to an abnormal port or domain, it is a strong deviation. This indicates an abnormal behavior and is scored as an anomaly and triggers an alert.
Generate Indicators Generate Indicators
If anomalies are detected, they are turned into indicators. NetWitness UEBA uses indicators to define validated anomalous activities. Indicators represent anomalies found in either a single event or multiple events batched over time.
User IndicatorsUser Indicators
User behavior or abnormal user activities, such as suspicious user logons, brute-force password attacks, unusual user changes, and abnormal file access are anomalous activities. Every anomalous activity is associated to an indicator. For more information, see Indicators for Users
Network IndicatorsNetwork Indicators
Network behavior or abnormal network traffic that contribute to data exfiltration or phishing, are examples of anomalous activities. Every anomalous activity is associated to an indicator. For more information, see Indicators for Network Entities.
Generate Alerts Generate Alerts
All anomalies that are found are grouped into hourly batches by the user or network entity name. Each batch is scored based on the uniqueness of the composition of its indicators. If a composition is unique compared to the user or network entity's history, it is likely that this batch is transformed into an alert, and the anomalies into indicators. A high-scored batch of anomalies becomes an alert that contains valid indicators of compromise.
An abnormal activity by itself, even if it happens hundreds of times a day in a large corporate environment, does not necessarily reflect an account compromise. However, an abnormal behavior that occurs with a lot of other abnormal behaviors can indicate that the account is compromised and is an indication that additional analysis is required.
For example, if the following combination of one or more abnormal user or network behaviors occur, an alert is triggered.
- Authentication from an abnormal computer.
Multiple authentication attempts identified in a short time frame.
Multiple files are deleted by this user from the corporate file share.
- Download or transfer files larger that the allowed limits.
- Abnormal destination port for source netname.
Abnormal organization for source netname.
Abnormal traffic volume sent to organization.
Abnormal traffic volume sent to port.
Note: The NetWitness UEBA User Interface can initially appear as empty because alerts are not generated until the baselines are established. If there is no historical audit data when NetWitness UEBA is enabled, the system starts generating the baselines from the time it is deployed, and requires 28 full days to elapse before generating new alerts. If historical audit data is processed when NetWitness UEBA is enabled, alerts appear after the historical data is processed, usually within two to four days.
Prioritize User or Network Entity with Risky BehaviorPrioritize User or Network Entity with Risky Behavior
The entities scores are a primary tool for incident prioritization. The entities score is based on a simple additive calculation of an entity's alerts. Alerts and analyst feedback are the only factors in the entities score calculation, with the impact on the scores determined by their levels of severity. A unified color code is used for entities and alert scores:
Supported SourcesSupported Sources
Log SourcesLog Sources
NetWitness UEBA natively supports the following data sources:
- Windows Active Directory in Version 11.2
- Windows Logon and Authentication Activity in Version 11.2
- Windows File Servers in Version 11.2
- Windows Remote Management in Version 11.3.2
- NetWitness Endpoint Process in Version 11.3
- NetWitness Endpoint Registry in Version 11.3
- RSASecurID Token in Version 11.3.1
- RedHat Linux in Version 11.3.1
- VPN Logs in Version 11.5
- Azure Active Directory Logs in Version 11.5
Network SourcesNetwork Sources
- TLS in Version 11.4
Recommended WorkflowsRecommended Workflows
To use NetWitness UEBA more effectively, there are two workflows - Detection and Forensic workflow.
Detection WorkflowDetection Workflow
The detection workflow gives you an overview of the health of your environment, and then focuses on investigating the top high-risk users, entities, and alerts that are displayed in the Overview tab.
The following flowchart illustrates the steps to follow for detecting suspicious behavior in your environment.
The following table describes each step in the workflow.
|View top ten users, or entities, or top 10 alerts,||In the Overview tab, note the users and network entity with the risky behaviors and the top most critical alerts.||Investigate High-Risk User or Network Entity and Investigate Top Alerts|
|Investigate details of users, entities, and alerts||Drill-down into detailed information about risky user or entity behaviors and critical alerts to determine the cause of these actions and how to resolve them.||Investigate High-Risk User or Network Entity and Investigate Events|
|Determine the result of the investigation||Analyze the summary information provided in the UI from the previous steps and identify focus areas on to resolve the issues.||Identify High-Risk User or Network Entity and Investigate Events|
|Take action to resolve the issues found||Target specific user or entity behaviors and events to address, and use results of this investigation to improve and sharpen future investigations.||Take Action on High-Risk User or Network Entity|
Forensic WorkflowForensic Workflow
The forensic workflow is recommended when you have an understanding of the typical user or entity behaviors and anomalies in your environment, and helps you focus on specific forensic information that is based on a user or entity behavior, or a specific time frame in which suspicious events occurred.
Using forensics information, analysts may determine actions and behaviors that the attacker is likely to attempt using the following questions:
- What fundamental techniques and behaviors are common across all intrusions?
- What evidence do these techniques leave behind?
- What do attackers do?
- What are normal behaviors of my accounts and entities?
Which are my sensitive machines and where are they located?
The following flowchart illustrates how to perform investigation on forensic information that is based on a specific user or entity behavior, or a specific time frame in which suspicious events occurred.
The following table describes each step in the workflow.
|Gain knowledge of expected behaviors and anomalies in your environment||Establish a baseline of normal behaviors, expected anomalies, and unexpected anomalies, to focus on anomalies that are significant for your environment.||Retrieve Data , Detect Anomalies, and Generate Alerts .|
|Investigate a user or network entity with top score for a specific behavior||Select a user or network entity with a high score for a specific behavior and gather detailed information.||Investigate High-Risk User or Network Entity and Investigate Events.|
|Investigate alerts that occur in a specific time frame||Determine a time frame of interest, and in the Alerts tab, select that time frame to see detailed information about alerts that occurred during that period.||Investigate Events|
|Determine the result of the investigation||Based on your knowledge of expected user or network entity behavior, focus on the indicators that are displayed during the specified time period and determine if the anomalies that were discovered need to be resolved.||Investigate Events and Identify High-Risk Entities|
|Take action to resolve the issues found||Target specific user or network entity behaviors and events to address, and use the results of this investigation to improve and sharpen future investigations.||Take Action on High-Risk User or Network Entity|