Privileged User Behavior Analytics (PUBA)

When we examine the cause of most data breaches today, almost all of them involve the perpetrator getting access to and using legitimate login credentials. According to Forrester, approximately 80% of breaches involve compromised privileged accounts.

When this happens, it essentially equates to an “insider attack”, and guarding against this type of activity requires the ability to detect when attackers are using your users’ stolen credentials. Unfortunately, traditional methods of using security tools to detect and thwart this threat are falling short. However, a new type of user behavior analytics has been engineered for this specific problem, and it is proving to be highly effective.

This new method I speak of is called Privileged User Behavior Analytics, or PUBA for short. PUBA uses machine learning technology to analyze the behavior of your privileged accounts to create baseline behaviors for your users and those privileged accounts. This baseline allows you to rapidly detect and alert your security team to anomalous behavior, an early indication of compromise or abuse.

How does privileged user behavior analytics differ from user behavior analytics?

Before we get into PUBA, let me explain a little about User Behavior Analytics (UBA).

UBA is the practice of using your monitoring systems to track, collect, and assess your user data. UBA technologies analyze your historical data logs, including the network and authentication logs you have collected and stored in your SIEMs and log management systems. This data is then used to identify the normal and malicious traffic patterns of your users. With this analysis, you can develop actionable items for your security teams to implement to increase the safety of your network.

UBA collects many types of data on your network's activities, including information about your users’ roles and titles, access, accounts, and permissions. Additionally, it collects information on user activities and where those activities are conducted from, generating security alerts based on this activity if required. You are able to take historical data and compare it to current activity, and analyze the data based on factors such as the resources your users used, how long they used them, and where they connect from. You can schedule automatic updates when changes occur to the data, such as privilege promotions or added permissions.

UBA is a unique and exciting subfield within security. It examines your user account activity to determine if attackers are trying to penetrate your defenses using a low-privilege user account and escalating its privileges. This approach is effective because UBA technologies notice when user accounts are operating outside of the normal activities of the account, based on its historical data.

The functions that privileged user behavior analytics performs

So back to PUBA. PUBA technology can assist you to perform three main functions:

  1. It helps you to determine a baseline of your users’ normal activities
  2. It helps you to quickly recognize any deviations from those users’ normal activities
  3. Based on this information, it alerts your security team to take action

The anomalous or negligent behavior might not be malicious, but at least you are aware of it and can investigate further. PUBA will enable your IT and Security administrators to rapidly discover breaches before they even occur, analyze how your privileged accounts are distributed and examine how they are accessed throughout your organization. This adds an additional layer of security to your defense-in-depth strategy. This way your time can be better spent focusing on finding, managing, and protecting your privileged accounts.
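The baseline, deviation, alert loop described above, as an added Python example (this is illustrative code written for this page, not BeyondTrust or PowerBroker code): it builds a per-account baseline from constructed privileged-session log lines, scores new events against that baseline, and emits alerts with the reasons for each deviation. The log format, the one-hour tolerance around observed working hours, and the severity rule are assumptions; a real PUBA product learns far richer features with machine learning rather than simple set membership.

```python
"""Toy privileged-account baselining and deviation detection.

Added example for this article, not vendor code. The log format, tolerance
and severity rule are assumptions chosen to keep the idea visible.
"""
from collections import defaultdict
from datetime import datetime

HOUR_TOLERANCE = 1  # assumed: within one hour of the observed range still counts as normal

# Constructed sample log lines in an assumed format:
# "timestamp account source_ip action target"
TRAINING_LOG = """\
2024-03-04T09:12:00 dbadmin 10.0.1.15 sudo db01
2024-03-04T10:40:00 dbadmin 10.0.1.15 sudo db01
2024-03-05T09:05:00 dbadmin 10.0.1.15 sudo db02
2024-03-05T11:30:00 dbadmin 10.0.1.16 sudo db01
2024-03-06T09:45:00 dbadmin 10.0.1.15 sudo db01
2024-03-04T14:00:00 netops 10.0.2.40 ssh core-rtr1
2024-03-05T15:20:00 netops 10.0.2.40 ssh core-rtr2
2024-03-06T13:10:00 netops 10.0.2.41 ssh core-rtr1
"""

# Constructed events from a later day, to be scored against the baseline.
NEW_EVENTS_LOG = """\
2024-03-07T09:30:00 dbadmin 10.0.1.15 sudo db01
2024-03-07T02:15:00 dbadmin 203.0.113.7 sudo db01
2024-03-07T14:05:00 netops 10.0.2.40 ssh core-rtr1
2024-03-07T14:06:00 netops 10.0.2.40 ssh db01
"""


def parse_log(text):
    """Parse the constructed log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src_ip, action, target = line.split()
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "src_ip": src_ip, "action": action, "target": target})
    return events


def build_baseline(events):
    """Function 1: per account, record observed source IPs, actions, targets and hours."""
    baseline = defaultdict(lambda: {"src_ips": set(), "actions": set(),
                                    "targets": set(), "hours": set()})
    for e in events:
        b = baseline[e["account"]]
        b["src_ips"].add(e["src_ip"])
        b["actions"].add(e["action"])
        b["targets"].add(e["target"])
        b["hours"].add(e["time"].hour)
    return dict(baseline)


def score_event(baseline, event):
    """Function 2: list every way the event deviates from its account's baseline."""
    b = baseline.get(event["account"])
    if b is None:
        # An account with no history is itself worth a look (edge case).
        return ["no baseline for account (never seen during training)"]
    reasons = []
    if event["src_ip"] not in b["src_ips"]:
        reasons.append(f"new source IP {event['src_ip']}")
    if event["action"] not in b["actions"]:
        reasons.append(f"new action {event['action']}")
    if event["target"] not in b["targets"]:
        reasons.append(f"new target {event['target']}")
    lo = min(b["hours"]) - HOUR_TOLERANCE
    hi = max(b["hours"]) + HOUR_TOLERANCE
    if not lo <= event["time"].hour <= hi:
        reasons.append(f"off-hours activity at {event['time'].hour:02d}:00")
    return reasons


def detect(baseline, events):
    """Function 3: one alert per deviating event, severity from the number of deviations."""
    alerts = []
    for e in events:
        reasons = score_event(baseline, e)
        if reasons:
            alerts.append({"account": e["account"], "time": e["time"].isoformat(),
                           "severity": "high" if len(reasons) >= 2 else "medium",
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_log(TRAINING_LOG))
    for a in detect(base, parse_log(NEW_EVENTS_LOG)):
        print(a["severity"].upper(), a["account"], a["time"], "; ".join(a["reasons"]))
```

Run as a script, it flags the 02:15 `dbadmin` session from an unfamiliar address as high severity (two deviations) and the `netops` hop onto a database host as medium (one deviation), while the two routine events produce nothing. Note how thin the baseline is here: with a few days of history, a legitimate new host or an early start will also trigger, which is exactly why the paragraph above says anomalous behavior is an invitation to investigate, not proof of compromise.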

There are at least three uses that I can recommend for PUBA within your organization. They are as follows:

How BeyondTrust Can Help

The PowerBroker Privileged Access Management platform offered by BeyondTrust combines behavioral analytics, vulnerability and malware intelligence, and security data from best-of-breed security solutions to allow you to out-maneuver attackers and stop data breaches. PowerBroker leverages BeyondTrust platform capabilities to:

Dependable insider threat detection is essential to safeguard your environment, and you must be diligent about using every mechanism at your disposal. PUBA can help with this, but keep in mind that it alone is not the “magic pill” for protecting your user accounts. It is also important to use baseline protections such as firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS), etc., to form a complete defense-in-depth strategy for your network. Layering on PUBA helps ensure your security is that much tighter and more resilient.

If you would like to learn more about BeyondTrust’s threat analytics capabilities, contact us today.