How Privileged User Behavior Analytics (PUBA) Can Protect Your Privileged Accounts

Derek A. Smith, Founder, National Cybersecurity Education Center
November 29th, 2017

Privileged User Behavior Analytics (PUBA)

When we examine the cause of most data breaches today, almost all of them involve the perpetrator getting access to and using legitimate login credentials. According to Forrester, approximately 80% of breaches involve compromised privileged accounts.

When this happens, the attack essentially becomes an "insider attack", and guarding against it requires the ability to detect when an attacker is using your stolen credentials. Unfortunately, traditional security tools fall short here: the attacker is authenticating with valid credentials, so there is no malware signature or failed login for them to catch. However, a type of user behavior analytics has been engineered for this specific problem, and it is proving to be highly effective.

This method is called Privileged User Behavior Analytics, or PUBA for short. PUBA uses machine learning to analyze the activity of your privileged accounts and build a behavioral baseline for each privileged user and account: which systems they touch, from where, at what hours, and in what way. Measured against that baseline, anomalous behavior can be detected rapidly and your security team alerted, giving you an early indication of compromise or abuse.

How does privileged user behavior analytics differ from user behavior analytics?

Before we get into PUBA, let me explain a little about User Behavior Analytics (UBA).

UBA is the practice of using your monitoring systems to track, collect, and assess user activity data. UBA technologies analyze your historical logs, including the network and authentication logs you have collected and stored in your SIEM and log management systems. This data is used to distinguish the normal traffic and activity patterns of your users from malicious ones. With this analysis, you can develop actionable items for your security teams to implement to increase the safety of your network.

UBA collects many types of data about your network's activities, including information about your users' roles and titles, access, accounts, and permissions. It also collects information on user activities and where those activities are conducted from, generating security alerts based on this activity when warranted. You can compare historical data against current activity and analyze it based on factors such as which resources your users used, how long they used them, and where they connected from. You can also schedule automatic updates to the baseline when the underlying data changes, for example after a privilege promotion or newly added permissions.

UBA is a unique and exciting subfield within security. It examines your user account activity to determine if attackers are trying to penetrate your defenses using a low privilege user account and escalating its privileges. This approach is effective because UBA technologies notice when user accounts are operating outside of the normal activities of the account, based on its historical data.

The functions that privileged user behavior analytics performs

So back to PUBA. PUBA technology can assist you to perform three main functions:

  1. It helps you to determine a baseline of your users' normal activities
  2. It helps you to quickly recognize any deviations from those users' normal activities
  3. Based on this information, it alerts your security team to take action

The anomalous or negligent behavior might not be malicious, but at least you are aware of it and can investigate further. PUBA enables your IT and security administrators to discover compromises while they are still in progress, before they turn into breaches, and to analyze how your privileged accounts are distributed and how they are accessed throughout your organization. This adds an additional layer of security to your defense-in-depth strategy, so that your time can be better spent on finding, managing, and protecting your privileged accounts.

There are at least three uses that I can recommend for PUBA within your organization. They are as follows:

  • Identify compromised service accounts. Your service accounts are constantly under attack from cybercriminals looking to compromise your network. Many of these accounts are not sufficiently monitored, yet they may have high access rights, since your operating systems and applications use them to perform activities such as automated background tasks. Their activity must be monitored to confirm that they are not accessing systems they are not authorized to access, or worse, transmitting your critical data to unauthorized recipients. Because a service account normally runs the same job from the same host on the same schedule, an interactive logon, a new source host, or a new target system is a strong signal that the account is no longer under your control.
  • Detect privileged account abuse. Your privileged accounts are the prime targets for attackers. Therefore, it is imperative that you monitor the use of these accounts for unusual behavior. Automated, remote, or simultaneous access can be a telltale indicator of insider threat. Logging in at unusual times, accessing unauthorized accounts and systems, and unsanctioned data transmissions should all raise red flags.
  • Discover shared credentials. Unfortunately, it is a fact that users share their passwords with others, even when it is in violation of your policy. Using PUBA to monitor for simultaneous, remote, or unusual usage of user accounts can help you to discover and deal with credential sharing violations.
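The three PUBA functions above (baseline, detect deviations, alert) and the three use cases in this list are easier to reason about with a concrete detector in hand. The following is an added example, not code from the original post and not BeyondTrust's product logic: it learns a per-account baseline from constructed historical logon events (hosts, source IPs, working hours, logon kind) and then scores a second constructed batch, flagging a service account used interactively from a new host, an administrator logging in off-hours, and two sessions for one account from different source IPs within a short window (the shared-credential indicator). Field names, the ten-minute session window, and the sample accounts are all assumptions for illustration.

```python
"""Toy privileged-user baseline and anomaly scoring over constructed logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed historical events used to learn the baseline (not real data).
# Fields: timestamp, account, source IP, target host, logon kind.
HISTORY = [
    ("2017-11-01T09:05:00", "svc_backup", "10.0.0.5",  "db01", "service"),
    ("2017-11-02T09:05:00", "svc_backup", "10.0.0.5",  "db01", "service"),
    ("2017-11-03T09:06:00", "svc_backup", "10.0.0.5",  "db02", "service"),
    ("2017-11-01T08:30:00", "dba_alice",  "10.1.1.20", "db01", "interactive"),
    ("2017-11-02T14:10:00", "dba_alice",  "10.1.1.20", "db02", "interactive"),
    ("2017-11-03T10:45:00", "dba_alice",  "10.1.1.21", "db01", "interactive"),
]

# Constructed "current" events to score against that baseline.
CURRENT = [
    ("2017-11-29T09:05:00", "svc_backup", "10.0.0.5",    "db01",        "service"),      # normal
    ("2017-11-29T02:14:00", "svc_backup", "10.9.9.9",    "fileshare01", "interactive"),  # service account misused
    ("2017-11-29T03:20:00", "dba_alice",  "10.1.1.20",   "db01",        "interactive"),  # off-hours admin use
    ("2017-11-29T11:00:00", "dba_alice",  "10.1.1.20",   "db01",        "interactive"),  # normal
    ("2017-11-29T11:03:00", "dba_alice",  "203.0.113.7", "db01",        "interactive"),  # concurrent, second IP
]

SESSION_WINDOW = timedelta(minutes=10)  # assumed window for the shared-credential check


def parse(event):
    ts, account, src, host, kind = event
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": src, "host": host, "kind": kind}


def build_baseline(history):
    """Per-account profile: target hosts, source IPs, hours of day and logon kinds seen."""
    profile = defaultdict(lambda: {"hosts": set(), "srcs": set(), "hours": set(), "kinds": set()})
    for e in map(parse, history):
        p = profile[e["account"]]
        p["hosts"].add(e["host"])
        p["srcs"].add(e["src"])
        p["hours"].add(e["ts"].hour)
        p["kinds"].add(e["kind"])
    return dict(profile)


def score_events(events, baseline, window=SESSION_WINDOW):
    """Return [(account, iso_timestamp, [reasons])] for every event that deviates."""
    findings = []
    recent = defaultdict(list)  # account -> [(ts, src)] inside the concurrency window
    for e in sorted(map(parse, events), key=lambda e: e["ts"]):
        p = baseline.get(e["account"])
        reasons = []
        if p is None:
            reasons.append("no baseline for account")
        else:
            if e["host"] not in p["hosts"]:
                reasons.append("unseen target host")
            if e["src"] not in p["srcs"]:
                reasons.append("unseen source IP")
            # working hours approximated as the observed min..max hour of day
            if not (min(p["hours"]) <= e["ts"].hour <= max(p["hours"])):
                reasons.append("unusual hour")
            if e["kind"] not in p["kinds"]:
                reasons.append(f"unseen logon kind '{e['kind']}'")
        # Shared-credential indicator: same account, different source, within the window.
        recent[e["account"]] = [(t, s) for t, s in recent[e["account"]] if e["ts"] - t <= window]
        if any(s != e["src"] for _, s in recent[e["account"]]):
            reasons.append("concurrent session from a different source")
        recent[e["account"]].append((e["ts"], e["src"]))
        if reasons:
            findings.append((e["account"], e["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for account, ts, reasons in score_events(CURRENT, build_baseline(HISTORY)):
        print(f"ALERT {ts} {account}: {', '.join(reasons)}")
```

Two design points carry over to a real deployment. First, the baseline is only as good as its history: three days of logons gives a crude hour range and a small host set, so a production system needs weeks of data and a tolerance for rare-but-legitimate activity, which is why the post stresses investigating rather than blocking on every anomaly. Second, the checks are deliberately per-account and stateful: the concurrency rule needs the ordered stream, not a single log line, which is the main reason this kind of detection belongs in the analytics layer rather than in a simple SIEM match rule.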

How BeyondTrust Can Help

The PowerBroker Privileged Access Management platform offered by BeyondTrust combines behavioral analytics, vulnerability and malware intelligence, and security data from best-of-breed security solutions to allow you to out-maneuver attackers and stop data breaches. PowerBroker leverages BeyondTrust platform capabilities to:

  • Aggregate user and asset data to centrally baseline and track behavior
  • Correlate diverse asset, user, and threat activity to reveal critical risks
  • Identify potential malware threats buried in asset activity data
  • Measure the velocity of asset changes to flag in-progress threats
  • Isolate users and assets exhibiting deviant behavior
  • Generate reports to inform and align security decisions
  • Increase the ROI of deployed security solutions with deep risk analytics

Dependable insider threat detection is essential to safeguard your environment, and you must be diligent about using every mechanism at your disposal. PUBA can help with this, but keep in mind that it alone is not the "magic pill" for protecting your user accounts. It is also important to keep baseline protections in place, such as firewalls, intrusion prevention systems (IPS), and intrusion detection systems (IDS), to form a complete defense-in-depth strategy for your network. Layering PUBA on top makes your security that much tighter and more resilient.

If you would like to learn more about BeyondTrust’s threat analytics capabilities, contact us today.

Derek A. Smith, Founder, National Cybersecurity Education Center

Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently the Director of Cybersecurity Initiatives for the National Cybersecurity Institute at Excelsior College, responsible to perform complex duties relating to the development and coordination of cyber initiatives at NCI. Formerly, he has worked for a number of IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He has also taught business and IT courses at several universities for over 20 years. Derek has served in the US Navy, Air Force and Army for a total of 24 years. He completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education.