Today\u2019s cyberattackers are masters of disguise \u2014 working hard to make their malicious activities look like normal processes. They use legitimate tools, communicate with command-and-control servers through public services, and mask the launch of malicious code as regular user actions. This kind of activity is almost invisible to traditional security solutions; however, certain anomalies can be uncovered by analyzing the behavior of specific users, service accounts, or other entities. This is the core concept behind a threat detection method called UEBA, short for \u201cuser and entity behavior analytics\u201d. And this is exactly what we\u2019ve implemented in the latest version of our SIEM system \u2014 Kaspersky Unified Monitoring and Analysis Platform.<\/p>\n
By definition<\/a>, UEBA is a cybersecurity technology that identifies threats by analyzing the behavior of users, devices, applications, and other objects in an information system. While in principle this technology can be used with any security solution, we believe it\u2019s most effective when integrated in an SIEM platform. By using machine learning to establish a normal baseline for a user or object\u2019s behavior (whether it\u2019s a computer, service, or another entity), an SIEM system equipped with UEBA detection rules can analyze deviations from typical behavior. This allows for the timely detection of APTs, targeted attacks, and insider threats.<\/p>\n This is why we\u2019ve equipped our SIEM system with an UEBA rule package \u2014 designed specifically to detect anomalies in authentication processes, network activity, and the execution of processes on Windows-based workstations and servers. This makes our system smarter at finding novel attacks that are difficult to spot with regular correlation rules, signatures, or indicators of compromise. Every rule in the UEBA package is based on profiling the behavior of users and objects. The rules fall into two main categories:<\/p>\n\n