Information overload — and false positives — are major challenges in the everyday incident response organization. Due to the plethora of various security platforms, applications, and tools, security teams with limited resources must sift through an ever-growing mountain of alerts, a few of which can include irrelevant data. Not only does this decelerate the decision-making process, however it could also delay our response to incidents.

User and Entity Behavior Analytics (UEBA) is a cybersecurity process that helps detect anomalous events by employing machine learning (ML) and data statistics. Implementing UEBA in your threat hunting process may also help reduce the overwhelming volume of security alerts and events by utilizing scoped detection strategies and highlighting anomalous events potentially related to a cyberattack.

On this blog, I’ll share how the threat hunting team at Adobe is working to fast-track incident detection by developing an in-house UEBA framework, in addition to highlight key details in regards to the framework and the way it may possibly be adapted in your enterprise security ecosystem.

At Adobe, we selected to develop our UEBA framework in-house to suit inside our security ecosystem, including our existing security information and event management (SIEM) and endpoint detection and response (EDR) platforms. Doing this has enabled us to prioritize the use cases which can be most vital to Adobe’s threat-hunting efforts — designed and developed by our internal team of threat hunters and security analysts based on prioritized threat models — reasonably than depend on a third-party vendor to make changes to their tool to satisfy our specific needs.

A typical UEBA framework is comprised of six (6) steps:

In UEBA, detection strategies or rules are implemented as use cases, which capture log events which can be more likely to indicate suspicious or malicious activities at a certain threat level. Anomalous events coincide with abrupt changes in user or entity behavior, reducing the quantity of information and distracting noise into smaller, more targeted data sets for evaluation.

Once we’ve defined the use case, we then select and groom a smaller data set pertaining to the use case. In certain cases, we merge use cases to avoid data and computational redundancy. Our existing SIEM platform acts because the primary data source for UEBA, and we store the curated use case data sets (and later, the detected anomalies) in our database.

At Adobe, we’ve focused our efforts on five (5) major forms of logs: network, application, cloud, host, and authentication, each of which accommodates multiple data sources. For instance, cloud log files might contain AWS in addition to Azure data. Depending in your organization’s threat landscape, you might select to research more or fewer logs, or concentrate on entirely different ones.

Within the analytics stage, we apply machine learning (ML) or data statistics to detect anomalies based on a pre-defined configuration. To do that, we train our open-source anomaly generator, called One Stop Anomaly Shop (OSAS). In our implementation, use cases are represented by a pipeline where each stage is an execution unit. Pipeline stages are akin to data science stages, including data grooming, anomaly detection, anomaly evaluation, and training.

After generating anomalies for all pipelines, we correlate them across various log types. A series of suspicious or malicious events generated across various pipelines related to the identical user or entity might indicate an intruder. To be deemed a successful intrusion, an actor must traverse applications and platforms while leaving footprints in various logs; these footprints are detected as anomalies. To be considered a correlation, the anomalies from different uses cases (pipelines) are clustered together by user or entity.

The goal of the enrichment step is to scale back the clustered anomalies by correlating data from other sources, which increases the arrogance in benign anomalies. When correlated with anomalies, data sources reminiscent of LDAP or IP access data may also help filter out trusted and typical user and entity activities.

Within the last stage, we rating the cluster of anomalies by severity, age, and triggered use cases (pipelines) and store them within the database. These aspects filter out the set to turn into a more focused, smaller set that is prepared for manual triaging by a security analyst.

By employing anomaly detection and correlation, UEBA may also help reduce operational alerts and boost accuracy and timely detection of potential threats to high-value targets and assets. When integrated with a CI/CD platform, UEBA pipelines containing data fetch, anomaly detection, clustering, enrichment, and detection, might be automated, executing at predefined intervals.

At Adobe, we see our UEBA framework complementing our existing intrusion and threat detection systems while also providing an revolutionary process to bridge the gap between traditional security tools. Leveraging machine learning, UEBA helps us fast-track incident detection, thereby helping to make sure the security of Adobe’s enterprise infrastructure and data. Because the threat landscape continues to evolve and latest security tools arise to deal with those threats, we see our UEBA framework as an integral a part of the evolution of threat detection at Adobe.