用户和实体行为分析(UEBA), 也被称为用户行为分析(UBA), is the process of gathering insight into the network events that users generate every day. Once collected 和 analyzed, it can be used to 检测受损凭证的使用情况, lateral movement, 和 other malicious behavior.
The Gartner Market Guide added ‘Entity’ to 用户行为分析 due to increasing threats from external forces, 而不仅仅是个人用户. 这些外力包括, 但不限于, 路由器, 服务器, 应用程序, 和 other network devices that could possibly be compromising.
总之, these other types of behavior analytics deviate from traditional consumer behavioral analytics to focus on the behavior of systems 和 the user accounts on them.
Today’s networks gather endless amounts of information, especially with users moving seamlessly between IPs, 资产, 云服务, 移动设备. UBA focuses on user activity as opposed to static threat indicators, meaning it can detect attacks that haven’t been mapped to threat intelligence 和 alert on malicious behavior earlier in an attack.
随着网络变得越来越复杂, it’s become easier than ever to successfully infiltrate a corporate network 和 masquerade as an internal employee, 规避外部防御. If an attacker is able to penetrate a network 和 remain there undetected, they can repeatedly steal sensitive data 和 cause monetary damage.
用户行为分析 公开秘密, attacker activities by uncovering patterns in user behavior to identify what’s “normal” behavior, 和 what may be evidence of intruder compromise, 内部威胁, 或者网络上的危险行为.
用户和实体行为分析 enables you to more easily determine whether a potential threat is an outside party pretending to be an employee or an actual employee who presents some kind of risk, 无论是由于疏忽还是恶意.
UEBA connects activity on the network to a specific user as opposed to an IP address or an asset. This means that if a user starts to behave in a way that’s unusual or unlikely, even if it isn’t flagged by traditional perimeter monitoring tools, 你可以很快发现这种行为, 确定它是否异常, 如有必要,展开调查.
例如, stolen credentials are a common attack vector used by penetration testers 和 real-world criminals alike. Whether the criminal obtains credentials via 钓鱼式攻击, 恶意软件, 关键日志, 甚至是第三方数据泄露, all they need is one correct username 和 password combination to work; once they’re able to login they can silently move within a network undetected.
然而, 一旦攻击者进入, they usually start to act in ways unlike a normal user, 比如在资产之间横向移动. The intruder moves from step to step in what’s often called the “attack” or “kill chain,” looking for increasingly interesting targets to raid 和 data to exfiltrate.
The ability to baseline what kind of user behavior is normal on a network 和 what isn’t is critical. User behavior analytics provides you with the data to identify trends 和 easily spot outliers, so you can more easily 和 quickly identify 和 investigate potential threats 和 打破攻击链.
发现趋势并建立联系, first you must have a way to gather key behavioral data in one centralized location, so it can be parsed by analytical tools later. Traditionally, user behavior analytics are added on as a layer to existing security information 和 event management (SIEM) 部署.
用户和实体行为分析 are one part of a multilayered, integrated IT 和 information security strategy to prevent attacks 和 investigate threats. It can be an incredibly powerful tool to detect compromise early, 降低风险, 和 stop an attacker from exfiltrating an organization’s data.
Implementing 用户和实体行为分析 is imperative for any organization to ensure their safety from internal harm. UEBA has grown exponentially in recent years with the expansion of the Internet of Things (IoT) 和 more devices that could potentially take advantage of network vulnerabilities.
Whether you are attempting to locate suspicious 内部威胁 or are monitoring privileged accounts, UEBA provides an updated line of security for IT infrastructure from intrusive attacks.