User and Entity Behavior Analytics (UEBA) is a platform used to spot anomalous actions through user behavior. It leverages algorithms and machine learning to continuously learn and evolve based on each behavior it observes. Our analytics program includes a wide variety of detections to give our analysts the best possible visibility. Rather than focusing only on alerts raised in Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) tools, analysts can use UEBA to gain more insight and fill the void where visibility is lacking.

As the security team continues to integrate UEBA within the SOC, it's crucial to understand its functionality and how it operates. All of the information can be reached through Netskope's user interface (UI), but for more in-depth information you can check out the online reference documentation here. The benefits of Netskope's UEBA include detecting anomalous insider behavior, identifying unknown data movements, implementing adaptive policies, profiling user risk, and integrating with Cloud Risk Exchange.

UEBA is a tool that enables you to detect anomalies through a user's behavior. The platform is built on algorithms and machine learning: it begins by studying a user's actions during what is called a learning period, in which UEBA learns the daily interactions the user performs. The Netskope UI allows us to build policies for whatever we want to see: we can set thresholds and time ranges within which an action must occur to raise an alert. Each user starts with a User Confidence Index (UCI) of 1000, which either remains constant or loses points. The more anomalous actions occur, the more the UCI drops, marking the user as a possible threat.

UEBA should be used to detect anomalous behavior from internal users. The three biggest UEBA categories are insider threat, compromised device, and compromised credentials. Grouping policies under these scenarios makes it easier to understand what threat a user's actions could represent. As we continue to monitor a user's confidence score, we can take policy actions within our own UI on users whose score falls below a certain threshold: alerting users, coaching them, quarantining their device, etc., based on their behavior pattern. You can also build automation that brings this detection data into your ticket queue so it can be alerted on there.

UEBA can provide insights through advanced detections that alert on a wide range of cyberattacks. These detections cover not only users and endpoints but also devices connected to the Internet of Things. It seeks to recognize suspicious activity through behavior, such as a user who downloads 20 GB every day and then starts downloading 4 GB; this will be marked as an anomaly and reported within your UEBA UI. Seeing the user's confidence score lets the analyst judge how trustworthy the user is. Do they need coaching? Should they be alerted to this behavior? Asking these questions allows a SOC team to implement actions and investigate users whose scores remain below the company-set threshold.

Having UEBA implemented will help raise awareness of this and provide basic insight into how it works and what you can do with it within your company. Netskope's UEBA has the flexibility to enforce policies designed within the UI, set UCI thresholds and alert on users who fall below them, and create real-time policies that limit downloads from apps or force more use of Remote Browser Isolation (RBI), etc. Everything that advances UEBA detections, policies, and actions can be done within the Netskope UI. Netskope offers many ways to enforce actions, such as forcing remote browser isolation for a user who is working in a risky or banned country.

Through Netskope's UI we can navigate to the UEBA interface to see statistics for users throughout the company. We can see the total number of users and the users with poor and moderate scores, as well as set a user confidence alert. This raises alerts on confidence scores that drop below the given threshold. For example, if we set the threshold at < 600, any user that drops below 600 will raise an alert for the security team to investigate.
You can also look back at the events and user confidence score history for up to 90 days. This shows us the changes in the user's score, the number of events, the apps they've interacted with, downloads/uploads, anomalies, etc. It gives us insight into the patterns we're seeing from a user, as well as the detection scenario of their most recent alert. The platform is flexible enough to allow a '14 day Zoom', which is shown below.
Using the date picker to the right above the confidence score graph, you can set the date range as far as 90 days back. This can be leveraged to view patterns or identify any concerning activity. Below, the time frame is set 60 days out. You can also adjust the date by sliding the bar under the UCI graph, which helps focus on anomalous behavior or concerning patterns and identify the events that caused the UCI drop.
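As an added illustration (not code from this page or from Netskope), the following Python models the confidence score history described above: a user starts at a UCI of 1000, loses points per anomaly, only events inside the 90-day look-back count, and the function reports which event first pushed the score below the 600 threshold. The severity-to-points weighting and the sample events are constructed assumptions.

```python
from datetime import date, timedelta

STARTING_UCI = 1000          # every user begins here, as the text states
ALERT_THRESHOLD = 600        # the example threshold from the text
LOOKBACK_DAYS = 90           # the UI's maximum history window
# Point deductions per severity are an assumption for illustration; Netskope
# derives the actual weighting from the severity set on each policy.
SEVERITY_POINTS = {"low": 50, "medium": 100, "high": 200}

# Constructed anomaly history for one user: (day, detection, severity).
SAMPLE_EVENTS = [
    (date(2024, 3, 2), "Bulk download", "medium"),
    (date(2024, 3, 10), "Login from new location", "low"),
    (date(2024, 3, 20), "Upload to personal instance", "high"),
    (date(2024, 3, 25), "Bulk download", "medium"),
]
REPORT_END = date(2024, 3, 31)

def uci_history(events, end, days=LOOKBACK_DAYS, threshold=ALERT_THRESHOLD):
    """Return (daily (day, UCI) list, event that first pushed UCI below threshold).

    Only anomalies inside the trailing window count; the score starts at
    STARTING_UCI and only ever loses points, matching the text's description."""
    start = end - timedelta(days=days - 1)
    by_day = {}
    for day, name, severity in events:
        if start <= day <= end:
            by_day.setdefault(day, []).append((name, severity))
    score, history, crossing = STARTING_UCI, [], None
    for offset in range(days):
        day = start + timedelta(days=offset)
        for name, severity in by_day.get(day, []):
            before = score
            score -= SEVERITY_POINTS[severity]
            if crossing is None and before >= threshold > score:
                crossing = (day, name)
        history.append((day, score))
    return history, crossing
```
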
In the policies section of Netskope's UI we can get a good understanding of the scenarios we have set up, and filter by policy type, severity, or any tags that you create to go along with a detection. Within the scenarios of compromised credentials, insider threat, and compromised device, we can navigate through different sub-categories to filter policies more effectively and tag detections so as to quickly identify the scenario of the situation.
Within the same policy page we can create our own policies for the actions we want to alert on. Being able to set your own threshold, application, and users helps gain insight into these restricted activities. This takes full advantage of Netskope, especially in determining how the data is captured through the 'Scan Type'. It helps categorize policies with corrective tagging and determines the score based on the severity of the policy. This gives you the freedom to create policies that fit your scope and what you're trying to identify as anomalous behavior.
An admin can create and edit these policies as a sequence designed to spot irregularities. These detections can be made thorough through the information that can be entered and the way the sequence must play out to be triggered. We have the option to turn 'rigid' on, which requires the sequence to happen in top-to-bottom order, or off, which allows any one of the actions to trigger the policy. We can set the time interval in seconds as well as the number of repetitions that must occur to set off the alert. This can only be configured if the policy doesn't have a machine learning profile assigned to it.

UEBA Operationalization at Netskope

Dynamic Actions based on Aggregate Risk Scores
Netskope offers an interesting solution to this use case with the Netskope Cloud Exchange (also referred to as Netskope CE). It is a free offering from Netskope that each customer can install and run themselves in a Linux Docker environment. You can read more about Netskope Cloud Exchange in our online documentation here. One of the Cloud Exchange modules is called User Risk Exchange (URE); it has a variety of modules that interact with different security platforms such as Netskope, Mimecast, Okta, CrowdStrike, Azure AD and many more. User risk data can be polled from these sources and aggregated within Netskope Cloud Exchange. Since the risk scores are then present within Cloud Exchange, the admin can perform actions based on the aggregate scores polled from multiple sources. For example, if a user's aggregate risk score falls below 251, the organisation may treat that user as risky and decide to add additional security controls until their score improves. A business rule can be created in the URE module and mapped to an action so that, if a user's aggregate score falls below 251, they are moved to a different locked-down group in Okta. The locked-down group has additional strict security controls and policies enabled for the highly risky user. Once their score improves, a Cloud Exchange action can move them from the locked-down group back to a regular group where the extra security measures are removed. A flow chart is added below for reference.
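Added example, not Netskope Cloud Exchange code: a Python sketch of the URE business rule described above. Scores polled from several sources are aggregated per user (averaging is an assumption; the real aggregation is configured in CE), a user whose aggregate falls below 251 is moved to a locked-down group, and the user is moved back once the aggregate recovers. The record layout, group names and sample scores are constructed.

```python
# Constructed sample of user risk records as polled from several sources.
# Field names, the mean aggregation and the group names are assumptions for
# illustration, not the Cloud Exchange schema or Okta group names.
POLLED_SCORES = [
    {"user": "alice@example.com", "source": "netskope", "score": 420},
    {"user": "alice@example.com", "source": "crowdstrike", "score": 300},
    {"user": "bob@example.com", "source": "netskope", "score": 180},
    {"user": "bob@example.com", "source": "okta", "score": 250},
    {"user": "bob@example.com", "source": "mimecast", "score": 270},
]
RISK_THRESHOLD = 251              # from the text: below this is treated as risky
REGULAR_GROUP = "regular-users"
LOCKDOWN_GROUP = "locked-down-users"

def aggregate_scores(records):
    """Average each user's scores across sources (aggregation method assumed)."""
    per_user = {}
    for record in records:
        per_user.setdefault(record["user"], []).append(record["score"])
    return {user: sum(scores) / len(scores) for user, scores in per_user.items()}

def business_rule(aggregates, membership):
    """Return the group moves a URE-style rule would emit on this poll.

    membership maps user -> current group and is updated in place. A user is
    moved to the locked-down group when the aggregate drops below the threshold
    and back to the regular group once it recovers; re-running the same poll
    therefore produces no further moves."""
    actions = []
    for user, score in aggregates.items():
        current = membership.get(user, REGULAR_GROUP)
        target = LOCKDOWN_GROUP if score < RISK_THRESHOLD else REGULAR_GROUP
        if target != current:
            actions.append((user, current, target))
            membership[user] = target
    return actions
```
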
Example Custom UEBA Alerts

In this section, we'll provide a couple of custom UEBA alerts that the Netskope CustomerZero team created based on our requirements.

API Data Protection Policies:
For API Data Protection policies, one example we would like to highlight is using UEBA alerts to identify suspicious activities from users who will be leaving the organization soon. You could create a group for departing employees and create specific UEBA policies for suspicious activities. One example is to check for activities based on an upload and a share: the user could be uploading files from their work laptop to their Google Drive and then sharing them with their personal account. Another example is to check for activities based on a download and a delete: the user could be downloading files from the corporate Google Drive account to their personal device and then deleting the files from the corporate Google Drive so that others no longer have access to them. Such activities can be monitored with a UEBA policy that is specific to API Data Protection activities.

Real-time Protection Policies:
Similarly, we can create custom UEBA policies for Real-time application events. Real-time Protection complements API Data Protection: if a particular application cannot be monitored by API, the admin can rely on Netskope's Real-time policies and events for UEBA activities and alerts. The admin can create UEBA alerts based on Real-time events. One example is a UEBA policy for users who are leaving the organisation soon that looks for uploads and shares across all of their corporate cloud storage applications. The admin can create the policy so that all corporate cloud storage instances are monitored by UEBA for potentially suspicious activity, which catches a user trying to upload files to one of their corporate cloud storage accounts and then share them with their personal account. The policy can also be edited to look only for activities in a cloud app rather than being instance-specific.

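The following Python is an added example (not Netskope's implementation) of the sequence policy mechanics from the policies section, applied to the departing-employee upload-and-share alert described in the API Data Protection and Real-time sections: a rigid flag for top-to-bottom order, a time interval in seconds, a repetition count, and app-level versus instance-level scoping. The event layout, the group membership and the reading of 'rigid off' as order-independent are assumptions.

```python
from collections import deque

# Constructed sample activities: (seconds, user, activity, app, instance).
# Group membership and field layout are assumptions for illustration only.
SAMPLE_EVENTS = [
    (0, "dana@example.com", "Upload", "Google Drive", "corp"),
    (120, "dana@example.com", "Share", "Google Drive", "corp"),
    (300, "dana@example.com", "Upload", "Google Drive", "corp"),
    (400, "dana@example.com", "Share", "Google Drive", "corp"),
    (500, "eve@example.com", "Share", "Google Drive", "corp"),
    (520, "eve@example.com", "Upload", "Google Drive", "corp"),
    (9000, "dana@example.com", "Upload", "Google Drive", "corp"),
]
DEPARTING_USERS = {"dana@example.com", "eve@example.com"}

def count_completions(window, sequence, rigid):
    """Count completed sequences in the window: in listed order when rigid,
    in any order otherwise (the latter is an assumed reading of 'rigid off')."""
    if rigid:
        done = step = 0
        for _, activity in window:
            if activity == sequence[step]:
                step += 1
                if step == len(sequence):
                    done, step = done + 1, 0
        return done
    counts = {a: 0 for a in sequence}
    for _, activity in window:
        counts[activity] += 1
    return min(counts.values())

def sequence_alerts(events, sequence, interval, repetitions, rigid,
                    users, app, instance=None):
    """Return (user, seconds) each time the policy fires. interval is the window
    in seconds, repetitions the completed sequences needed inside it, and
    instance=None scopes the policy to the whole app instead of one instance."""
    alerts, per_user = [], {}
    for ts, user, activity, ev_app, ev_inst in sorted(events):
        if user not in users or activity not in sequence or ev_app != app:
            continue
        if instance is not None and ev_inst != instance:
            continue
        window = per_user.setdefault(user, deque())
        window.append((ts, activity))
        while ts - window[0][0] > interval:
            window.popleft()
        if count_completions(window, sequence, rigid) >= repetitions:
            alerts.append((user, ts))
            window.clear()  # one alert per burst, then start counting again
    return alerts
```
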
Additional Resources
For more general information about Netskope's UEBA, check out: https://docs.netskope.com/en/netskope-help/data-security/behavior-analytics/behavior-analytics-user-confidence-index/