Rules based UBA use cases are great to identify known anomalous behavior but what if the indicator of an employee going rogue or turning malicious is much more subtle? That’s where the machine learning app can help identify anomalous behavior by raising the visibility of user behaviors against their past behavior model, as well as the activity of their peers.
Let’s take a look at the activities of an employee in the marketing department.
Now let’s say this employee was planning on quitting the company in a couple of weeks and was joining a rival firm. But the said employee wanted to take with them certain marketing plans and briefs to use as reference when they start their new job. In order to copy some of these files, they may do it in the following way:
If you notice above, the user does not change their routine drastically but yet certain subtle activity changes can be an indicator of malicious behavior by the user who has legitimate access and know how to your important assets and data sources.
By enabling the machine learning app in QRadar UBA, you can now identify users that deviate from the norm based on previous activity as well as activity of their peers.
Detecting Users’ deviation from themselves
A User’s behavior is modeled in 18 different categories of user activities like authentication, network access, firewalls accept/denies, application activity, port or network scans, denial of service type events, malware or other malicious software activity, etc. Based on deviation from the baseline established by the model, the user risk score is increased appropriately.
Detecting change in user’s activity vs. frequency
Leveraging machine learning algorithms such as Latent Dirichlet allocation and Kullback–Leibler divergence, the app creates an activity and frequency distribution model over time for each user. By detecting deviation from normal activity vs frequency of the user, the model can identify risky behavior and add a senseValue to the user’s overall risk score.
Anomalous deviation from Peer Groups
Peer group analytics give yet another lens into a user’s activities and helps identify anomalous or malicious activity when the user deviates from a peer group of employees with similar roles and responsibilities. It identifies and clusters users who exhibit similar behavior into peer groups of users. It then detects when a user deviates from his or her peer group to sense any anomalous activity.
With all three of the above algorithms, the settings can be changed to ensure addition of a multiple of the sensValue based on the number of standard deviations away from the normal.
For more information on UBA installation, settings and documentation, please visit the support page for QRadar UBA.
Authors: Milan Patel and Rohan Ramesh