
User Behavior Analytics (UBA)

Introduction

A massive 85% of data breaches today involve a “human element”, whether through mistakes, oversights, or falling victim to deception. Using a weak password, clicking on malicious links, or mishandling sensitive information are among the most common and effective entry points for cyberattacks.

Minimizing such errors and responding proactively to attacks are critical factors in preventing breaches.

To minimize such risks, organizations rely on auditing and monitoring, which give them visibility into user actions and support accountability and transparency of operations.

However, merely recording and monitoring user activities is not enough to spot suspicious behavior; the recorded activity needs to be scrutinized and analyzed more deeply.

This is where Risk Intelligence comes in. One of the key tools under Risk Intelligence that tackles this challenge is User Behavior Analytics (UBA).

UBA is a proactive security approach that detects threats and alerts administrators in real time. It uses the data recorded in the Audit tab (user and account activities along with the device name, time and date of the event, account title, account address, activity type and username) and leverages data analytics and machine learning to analyze user behavior and create a baseline model of standard user behavior.

Whenever an event occurs outside of this model, UBA flags it as an anomaly and, based on the severity of the anomaly, alerts users and administrators so that they can act quickly on the potential threat.

For example, UBA records the login times of user A over a certain period and derives the standard time range within which the user usually logs in. If a login attempt is then made outside of that range, it is flagged as an anomaly and, based on the severity assigned to the activity, the security head, administrator and designated personnel are notified.

Functions of UBA:

  • Threat Detection: Any threat to a system (like misuse of accounts, privilege escalation, access to unauthorized accounts etc.) can be detected in time and damage can be minimized.

  • Identify compromised users: Users who regularly trigger anomaly events may have compromised accounts. You can periodically export reports of users with a large number of anomalies and monitor their activities closely to confirm whether these accounts are indeed compromised.

  • Timely alerts to authorities: Whenever an anomaly with high or critical severity is detected, alerts are sent to the designated authorities like Administrators allowing them to contain the threat before it escalates.

To access UBA:

Navigate to Admin >> Risk Intelligence >> User Behavior Analysis

There are four tabs under UBA. Each tab is explained in the upcoming section.

1. Risk Intelligence with Behavior Analytics

2. Custom Reports

3. Real-time Notifications

4. Rules and Settings

1. Risk Intelligence with Behavior Analytics

Unified PAM analyzes the data recorded in the Audit tab to detect deviations (termed Anomalies in PAM) from the user's normal behavioral pattern. The insights from this analysis can be used to proactively detect insider threats, data exfiltration, or security breaches.

The insights fall into two types:

1. Dynamic Risk Insights:

These compare a user's behavior with the baseline behavior of the user's peers and flag any deviation as an anomaly.

2. User-Specific Risk Insights:

These compare a user's behavior with the historical baseline behavior of the same user and flag any deviation as an anomaly.

Both types of insight are further divided into:

  • Account Based insights: these analyze account activities.

  • User Based insights: these analyze user activities.

Understanding Risk levels:

A risk level is the risk value assigned to a factor that may contribute to an anomaly. Risk levels can be applied to audit categories (such as Time, Device, User, Activity Type) and to privileged activities.

  • Low risk levels are assigned to activities or categories that pose minimal security threat. Even if an anomaly is detected for these activities or categories, it does not require immediate attention.

Example: If sharing of assets is the norm in an organization, the “Device” category can be set to the low risk level.

  • Medium risk levels are assigned to categories or activity types that are not highly privileged but can lead to a security breach if left unnoticed.

Example: Accessing systems outside of working hours is suspicious even though it can be due to a scheduled event or urgent project work, so the event needs to be reviewed; the “Time” category can therefore reasonably be set to the medium risk level.

  • High risk levels are assigned to highly privileged activities and critical categories that are key to the organization's security and compliance. Anomalies in this category need instant action.

Example: A failed two-factor authentication can mean a forced entry attempt or a compromised password. To ensure the safety of the account, it is advised to set the “2FA failed” activity type to the high risk level.

UBA assigns default risk-levels to certain audit categories (Time, User, Device, Activity Type), and privileged activity types. Depending on your organization’s security policies, you can assign risk levels to the critical audit categories and to the privileged activity types. You can modify the risk levels for audit categories through Custom Reports.

Four of the audit categories have been assigned default risk levels:

#  Category       Risk level
1  Time           Medium
2  User           High
3  Device         Medium
4  Activity Type  High

You can change the risk weightage of these factors (audit categories and activity type) as per your organization's priorities.

For example, a company with strict compliance policies may set the Activity Type and User categories and the “Account access request raised” activity type as high risk.

This is a very crucial step as it influences how severity is assessed, so make sure to select the most critical factors and assign suitable risk levels to them.

Severity of Anomalies:

When an anomaly occurs, its severity is derived by combining three factors:

  1. The risk level associated with the factors that show deviation.

  2. The nature of the anomaly: whether it is caused by

    • a deviation from the normal pattern, or

    • an unauthorized or abnormal activity.

  3. The extent of deviation from the normal pattern.

For example:

Suppose three categories are responsible for an anomaly: Time, Activity Type and Device. Assume that performing an activity outside of working hours is assigned a medium risk level, the “Account access request raised” activity type is assigned a high risk level, and performing an action from an unknown device is also assigned a high risk level. The overall severity of the anomaly is then decided by the combined weightage of these risk factors and by the extent to which each factor deviates from the normal pattern.
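As an added illustration (not Securden's code and not its documented formula), the following Python models this worked example end to end: it builds a per-user baseline from constructed learning-period events, measures the extent of deviation per category, and combines the risk levels from the example (Time medium, Device high, Activity Type high) into one of the four severity levels. The numeric weights, the 8-hour saturation and the severity thresholds are assumptions of the example.

```python
from datetime import datetime

# Constructed learning-period audit events (user, device, activity type,
# timestamp). Names and values are invented for this example.
LEARNING_EVENTS = [
    ("alice", "ws-alice-01", "Password retrieved", "2024-03-04 09:12"),
    ("alice", "ws-alice-01", "Password retrieved", "2024-03-05 10:40"),
    ("alice", "ws-alice-01", "Account shared", "2024-03-06 16:05"),
    ("alice", "jump-host-2", "Password retrieved", "2024-03-07 11:30"),
]
# Risk levels per audit category as in the page's worked example. The numeric
# weights and severity thresholds are assumptions of this example, not the
# product's documented formula.
RISK_WEIGHT = {"Low": 1, "Medium": 2, "High": 3}
CATEGORY_RISK = {"Time": "Medium", "Device": "High", "Activity Type": "High"}

def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour

def build_baseline(events):
    """Per-user baseline: usual hour range, devices seen, activities performed."""
    baseline = {}
    for user, device, activity, ts in events:
        h = _hour(ts)
        b = baseline.setdefault(user, {"hours": [h, h], "devices": set(), "activities": set()})
        b["hours"] = [min(b["hours"][0], h), max(b["hours"][1], h)]
        b["devices"].add(device)
        b["activities"].add(activity)
    return baseline

def deviations(baseline, user, device, activity, ts):
    """Extent of deviation (0.0 to 1.0) per category. Time deviation grows with
    the number of hours outside the baseline range, saturating at 8 hours."""
    b = baseline[user]
    lo, hi = b["hours"]
    h = _hour(ts)
    outside = max(lo - h, h - hi, 0)
    return {
        "Time": min(outside / 8, 1.0),
        "Device": 0.0 if device in b["devices"] else 1.0,
        "Activity Type": 0.0 if activity in b["activities"] else 1.0,
    }

def severity(devs):
    """Weight each category's deviation by its risk level and map the
    normalised score onto the four severity levels."""
    score = sum(RISK_WEIGHT[CATEGORY_RISK[c]] * e for c, e in devs.items())
    ratio = score / sum(RISK_WEIGHT[r] for r in CATEGORY_RISK.values())
    if ratio >= 0.75:
        return "Critical"
    if ratio >= 0.5:
        return "High"
    if ratio >= 0.25:
        return "Medium"
    return "Low"

def analyze(baseline, user, device, activity, ts):
    """Return (flagged categories, riskiest first; severity), or ([], None)
    when the event matches the baseline and is not an anomaly."""
    devs = deviations(baseline, user, device, activity, ts)
    flagged = [c for c, e in devs.items() if e > 0]
    if not flagged:
        return [], None
    flagged.sort(key=lambda c: (RISK_WEIGHT[CATEGORY_RISK[c]], devs[c]), reverse=True)
    return flagged, severity(devs)
```

The flagged list mirrors the dashboard's colour coding: the first entry is the factor that would be shown in red, the last the one shown in yellow.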

Severity is categorized in four levels:

  1. Low Severity:

    Anomalies with small deviation or low risk factors. These events usually don’t require attention as they don’t pose a serious threat.

  2. Medium Severity:

    Anomalies with medium deviation from the normal pattern or a combination of low and medium risk factors. These anomalies may require a security review.

  3. High Severity:

    Anomalies with large deviation or multiple high-risk categories. High severity anomalies suggest suspicious behavior or unauthorized access.

  4. Critical Severity:

    Anomalies with extreme deviations or multiple high-risk factors. Critical severity indicates malicious intent and needs immediate attention to prevent potential breaches.

Whenever an anomaly occurs, the responsible categories are highlighted with a warning sign to indicate deviation from the baseline behavioral value. The warning sign is color coded by severity: the factor posing the highest risk is highlighted in red, followed by orange and yellow for moderate and low risk.

Time based deviation:

An anomaly is flagged when a user operates outside of the working or authorized hours.

This is a customized report that displays time-based anomalies.

Device based deviation:

When a user performs actions from an unknown or less commonly used device, UBA flags that action as an anomaly.

User based deviation:

UBA flags an anomaly when a user behaves differently from their historical baseline behavior.

Activity Type deviation:

An anomaly is flagged when a user attempts to perform an unauthorized activity, or an activity the user normally does not perform.

These reports are customized reports for one specific audit category. There can be instances where more than one parameter shows deviation; in that case all those parameters are highlighted with a warning sign, the one with the highest risk is colored red, and the moderate and low risk parameters are colored orange and yellow respectively.

Risk Insights Dashboard

Let’s walk through the Risk Insights interface and the important features available in it.

We will take Account Risk Analytics as an example; its interface is shown below.

At the top of the dashboard there are several numbers. Here is what each one represents:

  • Total Anomalies: the total number of anomalies detected.

  • Users Involved: the total number of users responsible for anomalies.

  • Weekly Shift in high-risk events: the change in high-risk events over the week.

  • Weekly Shift in Critical events: the change in critical-risk events over the week.

  • Off-hours activities: the number of anomalies detected outside working hours.

  • Recurrent off-hour activities: the number of repeated activities outside working hours.

Anomaly Distribution:

This pie chart depicts the category (Users, device, time, etc.) which is responsible for the greatest number of anomalies, and their corresponding risk levels.

The outer part of the pie chart is used to represent the audit category responsible for the anomaly, and the color represents the risk level of the anomaly.

Clicking on an audit category for a particular risk level will redirect you to a new interface which provides in-depth analysis about all the anomalies associated with that category.

You can select the resolved anomalies and click on “Resolve Anomaly” to remove them from the list.

High-risk Users:

This graph gives an overview of the users who are most involved in events that are classified as anomalies. It also classifies these anomalies based on their risk level.

Each bar represents the number of anomalies associated with that user, and the color corresponding to the bar denotes the risk level of anomalies.

By clicking on a particular risk level bar for a user, UBA redirects you to another interface which provides in-depth analysis of all the anomalies at that selected risk level.

You can select the resolved anomalies and click on “Resolve Anomaly” to remove them from the list.

Anomaly Heatmap:

This heatmap gives an overview of the number of anomalous events over time - weekly, or monthly.

Each day is marked with the number of anomalies detected on that day.

By clicking on that number, UBA redirects you to a new interface which will show the in-depth analysis of anomalies detected that day. You can select the days with a high number of anomalies and find more details about the events that have triggered them.

As with other dashboards, resolved anomalies can be removed by selecting them and clicking “Resolve Anomaly”.

Anomaly Insights:

This section provides a detailed log of all detected anomalies with the following columns.

  • Account Name: Name of the account

  • Account Address: Target system or resource being accessed.

  • Activity Type: The activity being performed

  • Performed By: Name of the user

  • Performed From: Name of the device from where the activity was performed

  • Performed At: Date and time of the event

  • Day: Day of the event

  • Severity: The risk level associated with the event

  • Reason: Reason for the event

Each anomaly has occurred due to a deviation from the baseline behavioral pattern.

Every detected anomaly will be highlighted with a warning sign, which is colored to denote the severity of the category.

Multiple factors can be responsible for an anomaly, and the major factors are highlighted with a warning sign against them. The warning sign is color coded by severity: the factor posing the highest risk is highlighted in red, followed by orange and yellow for moderate and low risk.

You can access the pre-defined risk levels under Actions >> Pre-defined Risk level.

You can also choose to export the Anomaly insights report in the form of PDF, CSV, XLSX file, or create a scheduled task to periodically export the report.

To export the anomaly report:

Click on Export and select the file type (PDF, CSV, XLSX).

After some time, the file is generated; click on Download to download it.

To export the anomaly report periodically:

Click on Schedule Export; you will be redirected to a different interface.

Select the Report Format, specify the interval, provide the date and time of export, and select the users who should receive notifications.

Click on Save to configure the periodic export of anomaly insight report.

2. Custom Reports:

UBA leverages machine learning to read audit data (user & account activity logs) and establish a baseline of normal behavior. It generates a report which displays deviations from the normal behavioral pattern, identifies users who seem most risky, and shows trends in anomalous behavior. Securden generates this report by assigning a default risk level for each risk category (Time, Activity type, User, Device).

By modifying the pre-defined risk level assigned to each aspect of the audit activity – you can generate custom anomaly reports.

3. Real-time Notifications:

Securden’s UBA allows real-time notifications to be sent to the designated personnel, in order to prevent a potential breach.

You can create multiple notification profiles according to your needs.

Each notification profile can be configured to notify specific users. You can select the events for which you want to receive notifications and then specify the internal/external users to whom notifications are sent.

4. Rules &amp; Settings:

This tab lets you assign pre-set information related to your organization for optimal performance of UBA and allows you to assign risk weightage to the various privileged activities.

Rules and Settings:

Under this tab you can customize the learning period (crucial for the accuracy of anomaly detection), define your organization's working hours and days (used to build the baseline of standard dates and times), and define commonly used IPs (to help detect anomalies from unknown IPs).

Set Learning Period:

Provide the number of days from the past, which will be used by UBA to analyze and create a baseline behavior. Based on the pattern created, it will detect anomalies.

Define Rule on Working Hours:

Provide the standard working hours that users in your organization follow. This helps detect anomalies related to activities occurring outside of business hours.

Define Rule on Working Days:

Provide the standard working days that users in your organization follow. This helps detect anomalies related to activities occurring outside of normal working days.

Define Rule on IP Addresses:

Provide the IP addresses commonly used in your organization. This helps detect anomalies related to activities originating from new and uncommon IP addresses.

Define Rule for Manual Approval:

Securden allows you to decide whether an anomalous automatic access request is approved or whether manual approval is enforced for such requests.

Define Rule for MFA Enforcement:

Securden allows you to enforce MFA in case of an event detected as an anomaly and thus provides an additional layer of protection against a probable threat.

Risk Weightage:

Every activity in Unified PAM is assigned a risk weightage, and these risk levels are used for analysis.

You can change the weightage linked to each activity type: select the activity >> click on Modify Weightage >> select the risk weightage you want to assign from the drop-down.

This feature is very crucial for prioritizing high risk activity types, ensuring that they receive immediate attention.

When assigning risk levels to activity types, make sure to assign High risk levels to sensitive and critical activities. If too many activities are marked as high risk, then it will clutter the anomaly section with unnecessary and less relevant anomalies. This will decrease the effectiveness of UBA, and you might not get the desired reports.

Therefore, while assigning risk level to activity type, carefully select the sensitive activities as High risk to ensure that anomaly insights remain clear, concise and relevant.

Custom Reports

Securden generates the anomaly analytics report by assigning a default risk value for each risk category (Time, Activity type, User, Device).

The default risk value for pre-defined risk categories is as follows:

Category       Risk level
Time           Medium
Activity Type  High
User           Medium
Device         High

The standard reports generated by Securden may not suit all the organization's needs.

To help you with that, UBA allows you to create Custom Reports, where you can customize the risk values for your desired risk categories and apply filters to include or exclude specific risk factors. By tailoring these parameters, you will be able to generate reports where anomaly detection and their risk assessment align with security requirements of your organization.

How UBA works:

  • Data Collection: UBA collects data from the audit logs such as account title, device name, time and date, activity type.

  • Baseline Modelling: UBA leverages data analytics and machine learning to build a behavioral baseline model for every user, device and activity type by analyzing past behavior.

  • Anomaly Detection: Current activities are compared against the baseline model, and if a deviation is found the event is reported as an anomaly.

  • Assigning Risk level: Every anomaly is mapped to an audit category (such as activity type or device) and, based on the extent of the deviation and the pre-defined risk value, the severity of the anomaly is derived.

  • Alerting and Reporting: High risk anomalies can be programmed to alert Administrators and security teams in real time to prevent any potential threat.

Use Cases of Custom Report:

By default, UBA assigns risk levels to four audit categories (Time, User, Device, Activity Type) and to privileged activity types. These risk levels are used to derive the severity of an anomaly, which decides whether immediate attention and reporting to authorities is required. This is a central parameter in the functioning of UBA, and UBA cannot work properly if it relies only on the default risk levels assigned to the four audit categories.

  1. Prioritize Critical Categories:

    To align the report better with an organization’s needs, Custom Reports let you select the categories that reflect your organization’s priorities, so that the columns that matter most to you are prioritized when detecting anomalies.

    This allows organizations to fine tune anomaly detection according to their security requirements. For example, a company with strict compliance requirements may allocate higher risk levels to the “User” and “Activity Type” categories to flag any unauthorized access attempts.

  2. Fine tune report with filters:

    Filtering allows inclusion and exclusion of specific users, devices, account addresses, activity types and account titles to reduce false positives and prevent predictable anomalies from cluttering the report.

    UBA provides three filter options: Equals, Contains, Does not contain. Using these, you can define whether you want anomalies that exactly match a value, partially match the value, or exclude it.

    For example, support teams working around the clock access their systems outside of the organization's working hours, and UBA detects this activity as an anomaly. It is therefore better to filter out users of such teams to prevent predictable anomalies from cluttering up your report.

  3. Generate Specialized Reports:

    Custom Reports allow you to generate personalized reports for specific users, accounts or for specific activity types too. This enables you to monitor privileged accounts, high risk users, vendor accounts, specific activity types which are very critical for your organization.

    For example:

    • You can generate a personalized report for all the external or vendor accounts which often pose higher risk than other accounts.

    • You can generate a report containing all the events related to password by creating a filter where “Activity Type” contains “password”.

  4. Actionable Insights

    By tailoring audit categories and filters, you ensure that the insights are meaningful and relevant to your use. This eliminates irrelevant anomalies, and you get the critical ones, which leads to quick and effective responses preventing potential security threats from escalating.

Steps to generate Custom Report:

  1. Report Name:

    Provide a name to the Report under Report Name. This ensures all the reports are organized and easily accessible.

  2. Event Type:

    Select the event type for which you want UBA to generate anomaly insights.

    You can choose between Activity event if you want anomalies related to Account activity type or choose User event if you want anomalies related to User activity type.

  3. User-Specific Report:

    By default, the behavior analysis is generated by comparing audit activities of a user with all peers, but you can choose to have a user-specific analysis.

    Select the check box “Enable User Specific Anomaly Detection” for user-specific report.

    This means a separate analysis will be carried out for activities of each user - flagging deviations in their behavior.

  4. Define Risk Levels

    Securden generates the anomaly analytics report by assigning a default risk value for each risk category (Time, Activity type, User, Device). You can modify the pre-defined risk level assigned to the audit categories and choose to create more such risk levels by selecting different audit categories.

    Select one or more audit categories such as Time, Device, User, Activity Type, Account address, Account Name etc. and allocate a risk weightage for each category. After this the system will detect anomalies based on these newly defined audit categories.

  5. Tune Report with Filters

    Filters allow greater flexibility by allowing inclusion and exclusion of specific values. This helps in reducing unnecessary and unintentional anomalies, making the anomaly report more accurate.

    For example, support teams working around the clock access their systems outside of the organization's working hours, and UBA detects this activity as an anomaly. It is therefore better to filter out users of such teams to prevent predictable anomalies from cluttering up your report.

    Similarly, third party vendors usually access Unified PAM from a different IP address, so those IP addresses can be excluded from the report.

  6. Set Filter Criteria

    When you have added multiple filters, UBA allows you to combine them using AND/OR logic to tailor the report to your needs, by specifying the combination in which they take effect. For example, you can require both Filter A and Filter B (numbered 1 and 2) by setting the criteria to ‘(1 AND 2)’. With more filters you can granularly define which ones take effect.

    For example, with 4 different filters you could have the following combination: (1 AND 2) OR (3 AND 4).

Note

If no filter criteria are specified, all the filters are applied by default (for example: 1 AND 2 AND 3).

Click Save to configure the custom report.
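The following Python, added here as an example and not part of Securden's product, evaluates the three filter operators (Equals, Contains, Does not contain) over constructed anomaly rows and combines numbered filters with a criteria expression such as “(1 AND 2) OR (3 AND 4)”, defaulting to all filters ANDed when the criteria are empty, as the note above states. Column names follow the Anomaly Insights columns; the rows, filter values and case-insensitive matching are assumptions of the example.

```python
import re

# Constructed anomaly rows in the shape of the Anomaly Insights columns.
ROWS = [
    {"Performed By": "support.oncall", "Activity Type": "Password retrieved", "Performed From": "10.0.5.21"},
    {"Performed By": "alice", "Activity Type": "Password changed", "Performed From": "10.0.1.7"},
    {"Performed By": "vendor.acme", "Activity Type": "Account shared", "Performed From": "203.0.113.9"},
]
# Filters are numbered from 1, as in the page's criteria examples.
FILTERS = [
    ("Activity Type", "Contains", "password"),        # 1
    ("Performed By", "Does not contain", "support"),   # 2
    ("Performed By", "Equals", "vendor.acme"),         # 3
    ("Performed From", "Contains", "203.0.113."),      # 4
]
# The three operators the page lists; matching is case-insensitive (assumption).
OPERATORS = {
    "Equals": lambda cell, v: cell == v,
    "Contains": lambda cell, v: v in cell,
    "Does not contain": lambda cell, v: v not in cell,
}

def match(row, column, op, value):
    return OPERATORS[op](row.get(column, "").lower(), value.lower())

def compile_criteria(expr, filters):
    """Turn '(1 AND 2) OR (3 AND 4)' into a predicate over a row. An empty string
    means all filters ANDed (the page's default). Malformed input raises ValueError."""
    if not expr.strip():
        expr = " AND ".join(str(i) for i in range(1, len(filters) + 1))
    tokens = [t.upper() for t in re.findall(r"\(|\)|AND|OR|\d+", expr, re.I)]
    if "".join(tokens) != re.sub(r"\s+", "", expr).upper():
        raise ValueError(f"unexpected characters in criteria {expr!r}")
    pos = 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def parse_or():            # or_expr := and_expr ('OR' and_expr)*
        nonlocal pos
        left = parse_and()
        while peek() == "OR":
            pos += 1
            left = (lambda a, b: lambda r: a(r) or b(r))(left, parse_and())
        return left
    def parse_and():           # and_expr := atom ('AND' atom)*
        nonlocal pos
        left = parse_atom()
        while peek() == "AND":
            pos += 1
            left = (lambda a, b: lambda r: a(r) and b(r))(left, parse_atom())
        return left
    def parse_atom():          # atom := '(' or_expr ')' | filter_number
        nonlocal pos
        tok = peek()
        pos += 1
        if tok == "(":
            inner = parse_or()
            if peek() != ")":
                raise ValueError("missing ')' in criteria")
            pos += 1
            return inner
        if tok is None or not tok.isdigit() or not 1 <= int(tok) <= len(filters):
            raise ValueError(f"bad filter reference {tok!r}")
        column, op, value = filters[int(tok) - 1]
        return lambda r: match(r, column, op, value)
    predicate = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in criteria")
    return predicate

def apply_filters(rows, filters, criteria=""):
    keep = compile_criteria(criteria, filters)
    return [r for r in rows if keep(r)]
```

Rejecting malformed criteria instead of ignoring them matters for a security report: a silently dropped filter would quietly widen or narrow what the report shows.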

By leveraging custom reports, organizations get anomaly insights more tailored to their security and compliance needs, which improves early threat detection and timely remedial action.
