Detecting Anomalies with User Behavior Analytics
Source: https://www.youtube.com/watch?v=j29XwVsMW-s
Duration: 00:05:48
Key Points
- The speaker demonstrates how finding an irregular item among many similar ones (like a needle in a haystack) is hard without visual cues, highlighting the need for effective pattern‑recognition tools.
- User Behavior Analytics (UBA) is introduced as the technology that aggregates diverse security logs and distills them to spotlight anomalous users or activities.
- UBA works by feeding massive amounts of telemetry into a “funnel” powered by machine learning that creates baseline behavior profiles for users and their peers.
- The system flags deviations by analyzing metrics such as volume (e.g., sudden spikes in data downloads), frequency (e.g., increased login attempts), and location (e.g., unexpected geographic access).
- By comparing current actions against established baselines, UBA quickly identifies high‑risk behavior that would otherwise be hidden in raw log data.
Sections
- [00:00:00](https://www.youtube.com/watch?v=j29XwVsMW-s&t=0s) Spotting Anomalies with User Behavior Analytics - The speaker illustrates how reducing complex log data to visual cues in UBA easily reveals outlier users who deviate from normal patterns.
- [00:03:06](https://www.youtube.com/watch?v=j29XwVsMW-s&t=186s) User Behavior Anomaly Profiling - The speaker explains using fixed and dynamic profiling combined with machine learning to spot anomalous actions, like rapid account creation and deletion, and to triage large user populations for risky or suspicious behavior.
Full Transcript
Here's a quiz for you: can you see which one of these is different?
Look for the one that deviates from the pattern.
Ready?
Here we go...
two... one.
Did you see it?
Well, maybe you did.
And maybe it's more obvious to you now because we're highlighting it.
But if we hadn't, that might be like looking for a needle in a haystack.
Well, let's take another example. That's not IT related; that's just generally looking for a pattern.
What if we put up a screen like this and I say, "Take a look at all of these log records."
And here you can see that we've got the source listed-- the log source.
We've got the type of alert it is.
We've got source address, destination IP address.
We've got timestamps, all of this information, a wealth of information.
Now, tell me which one of these is the bad record?
Who's the bad user that we've just caught in this?
Not so obvious, right?
What if I said, "We'll take this information and distill it down to this"? Now it's really obvious.
This guy Dan, it turns out, you can see him highlighted there in red.
You can see his trend for risk has increased over time.
Now it's obvious who this user is and that they've been doing stuff that deviates from the norm.
What is this kind of technology?
We call it user behavior analytics (UBA).
And user behavior analytics is all about looking for anomalies.
It's baselining information, like we could look at Dan and his peers, and then looking for how he deviates from that.
So let's take a look-- how does the technology work?
Well, in fact, the way it works is, we end up with a lot of different log records.
So I have different sources of security telemetry.
It could be individual systems, it could be databases, it could be network equipment, things like that.
So I'm going to take all of this information that I have.
It's a massive amount and I need to find the needle that's in that huge haystack.
Well, how do I do that?
I'm going to take this information and feed it down into what is, in essence, a huge funnel.
This funnel we call, again, user behavior analytics.
And it uses machine learning techniques in order to look for the patterns and the anomalies.
What kinds of things does it use to make that determination?
Well, it's looking at things like volume.
A particular user maybe was downloading 50 records a day, and then suddenly they start downloading 50,000 records a day.
That would be a deviation from the norm and might be a suspicious activity.
Other things that could happen would be related to frequency.
So they used to download or log into a system, maybe as an example.
They'd log into a system two or three times a day and then suddenly they start logging in 50 times a day.
That would possibly signal that something weird is going on here.
Some other things might be location.
Let's say this user normally works out of the Chicago office and we suddenly see all their activity is coming in from the Beijing office.
Well, unless we know that that user is over there, then that could indicate a problem.
Other things that we could use, as I mentioned previously, is peer groups.
So I could do this in a fixed way and define this user is part of this group, and here are all the other users that essentially do the same job.
And I want to profile them and see what do they do, and is this person deviating from that?
We can also do dynamic profiling where, basically, we look at all of a user's data and see what other users they generally match, and then look for their deviations from this.
It's all about anomaly detection.
Another thing we might look for is a particularly anomalous sequence.
Maybe a system administrator logs into a system, creates a new account, then logs into that account, does a few things, and then deletes the account.
And then keeps doing that again and again.
That might be suspicious.
Why are you creating accounts and then instantly, almost instantly, deleting?
It doesn't make a whole lot of sense.
So that might be an indication of a problem.
Well, what I'm going to do is take rules like this and use the machine learning techniques to look for patterns.
And I'm going to use that across my user base.
And I'm going to look at all of the users that are here and figure out which ones are good users and which ones are suspicious or risky users.
Because if I have 100 users, 1,000, 10,000, 100,000 users, it's going to be really hard to figure out which ones of them are doing the wrong things.
And if I don't have a way to triage down to the riskiest users, then I really don't know where to start.
I can't examine the activities of 1,000 users or 100,000 users every single day.
But if I had a display, like this UBA display, this user behavior analytics display that I mentioned previously, it's telling me, "Here's the top five or the top ten riskiest users." Then I could go look at those and see what's going on.
Now I can also take these same techniques that I've applied to users with the UBA and apply it to entities.
In other words, let's look at our network routers, switches, servers, other things that are not humans, and we call that user entity behavior analytics (UEBA).
So it's human users as well as other entities in our network and in our environment.
And we can look for them and baseline them and look for their anomalies.
We use this kind of technology in conjunction with a SIEM (security information and event management system) in order to triage and figure out where do I need to put my focus.
If I can do that, then I'll know where I need to do investigations and avoid the false positives.
Focus in on the actual users that are creating the real threat in the environment.
Thanks for watching.
Please remember to like this video and subscribe to this channel so we can continue to bring you content that matters to you.
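As an added example that is not part of the video, here is the baseline-and-deviation logic the speaker describes, in Python: a per-user baseline for volume, frequency and location, the repeated create/log in/delete sequence rule, and a ranked "riskiest users" list like the UBA display. The telemetry rows, user names, action names and the 3-standard-deviation threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real data), one row per user per day:
# (user, day, records_downloaded, logins, location)
DAILY = [
    ("alice", 1, 48, 2, "Chicago"), ("alice", 2, 52, 3, "Chicago"),
    ("alice", 3, 50, 2, "Chicago"), ("alice", 4, 49, 3, "Chicago"),
    ("alice", 5, 51, 2, "Chicago"),
    ("dan", 1, 50, 3, "Chicago"), ("dan", 2, 47, 2, "Chicago"),
    ("dan", 3, 53, 3, "Chicago"), ("dan", 4, 50, 2, "Chicago"),
    ("dan", 5, 50000, 50, "Beijing"),  # the day Dan deviates on every axis
]
# Constructed admin action sequences observed on the latest day.
ACTIONS = {
    "alice": ["login", "login"],
    "dan": ["create_account", "login", "delete_account"] * 3,
}
Z_THRESHOLD = 3.0  # assumed: flag a metric more than 3 standard deviations out

def zscore(value, history):
    """How many standard deviations `value` sits from the user's own baseline."""
    if len(history) < 2:
        return 0.0
    return (value - mean(history)) / (pstdev(history) or 1.0)

def score_user(rows, actions):
    """Compare the latest day against the earlier days (the baseline).
    Returns (risk score, names of the detectors that fired)."""
    *base, today = sorted(rows, key=lambda r: r[1])
    hits = []
    for col, name in ((2, "volume"), (3, "frequency")):
        if zscore(today[col], [r[col] for r in base]) > Z_THRESHOLD:
            hits.append(name)
    if base and today[4] not in {r[4] for r in base}:
        hits.append("location")  # never seen this user there before
    # Anomalous sequence: create -> log in -> delete, repeated again and again.
    if "/".join(actions).count("create_account/login/delete_account") >= 2:
        hits.append("sequence")
    return len(hits), hits

def rank_users(daily, actions, top=10):
    """The UBA 'top N riskiest users' view: highest risk score first."""
    by_user = defaultdict(list)
    for row in daily:
        by_user[row[0]].append(row)
    scored = {u: score_user(r, actions.get(u, [])) for u, r in by_user.items()}
    return sorted(scored.items(), key=lambda kv: -kv[1][0])[:top]

if __name__ == "__main__":
    for user, (score, hits) in rank_users(DAILY, ACTIONS):
        print(f"{user}: risk {score} {hits}")
```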