UBA Module
General Description
The module provides mechanisms for detecting deviations in the behavior of various types of objects: users, hosts, administrators, information systems, business processes, and more. The universal scoring calculation mechanism allows identifying potential malicious actors and compromised accounts, calculating the cybersecurity index, analyzing operational efficiency and work discipline, and combating fraud (any illegal or malicious actions by employees or external threat actors using employee credentials that cause financial or reputational damage to the company).
How Scoring Works
Scoring is the process of assigning a quantitative value (a score) to every user or system action. The mechanism operates on the following principle:
- Data Collection - the system collects and analyzes data on user actions (login logs, application launches, website visits, file operations, etc.)
- Behavioral Profile Creation - a behavioral profile (a template of typical actions) is built for each entity (user, host, etc.) based on historical data. This includes metrics such as regular working hours, frequently used applications, commonly visited websites, etc.
- Anomaly Detection - when a user's current action significantly deviates from their baseline profile, the system assigns a specific risk score to that event
- Aggregation and Analysis - risk scores from various anomalous events are aggregated. All scoring statistics and assigned points for each user are accumulated and available for review in the individual entity profiles, allowing analysts to quickly assess the context and history of suspicious activity
Examples of Deviations
- the VPN connection time is unusual for the user
- the user connected via VPN from an unusual city or country
- the user launched an extremely rarely used program
- the user sent an unusually large volume of emails
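
The four scoring steps and the deviations listed above, as an added Python example that is not the module's own code. The weights, thresholds, field names and sample events are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Hypothetical weights: the module's real point values are not given on this page.
WEIGHTS = {"vpn_hour": 20, "vpn_country": 40, "rare_program": 15, "email_volume": 25}

def build_profiles(history):
    """Behavioral Profile Creation: derive a baseline per user from historical events."""
    grouped = defaultdict(list)
    for ev in history:
        grouped[ev["user"]].append(ev)
    profiles = {}
    for user, evs in grouped.items():
        emails = [e["emails"] for e in evs]
        profiles[user] = {
            "hours": {e["vpn_hour"] for e in evs}, "countries": {e["country"] for e in evs},
            "programs": Counter(e["program"] for e in evs), "n": len(evs),
            "email_mean": mean(emails), "email_std": pstdev(emails) or 1.0,
        }
    return profiles

def score_event(p, ev, hour_slack=1, rare_share=0.05, z_limit=3.0):
    """Anomaly Detection: return {anomaly: points} for deviations from baseline p."""
    gap = lambda a, b: min(abs(a - b), 24 - abs(a - b))  # hours wrap at midnight
    checks = {
        "vpn_hour": all(gap(ev["vpn_hour"], h) > hour_slack for h in p["hours"]),
        "vpn_country": ev["country"] not in p["countries"],
        "rare_program": p["programs"][ev["program"]] / p["n"] < rare_share,
        "email_volume": (ev["emails"] - p["email_mean"]) / p["email_std"] > z_limit,
    }
    return {name: WEIGHTS[name] for name, hit in checks.items() if hit}

def aggregate(profiles, events):
    """Aggregation: accumulate points per user and keep the contributing events."""
    totals = defaultdict(lambda: {"score": 0, "events": []})
    for ev in events:
        if ev["user"] not in profiles:
            continue  # no baseline yet, so there is nothing to deviate from
        hits = score_event(profiles[ev["user"]], ev)
        if hits:
            totals[ev["user"]]["score"] += sum(hits.values())
            totals[ev["user"]]["events"].append((ev, hits))
    return dict(totals)

# Data Collection stand-in: constructed sample events, not real telemetry.
HISTORY = [{"user": "alice", "vpn_hour": 9 + i % 2, "country": "DE",
            "program": "outlook.exe", "emails": 20 + i % 5} for i in range(30)]
TODAY = [{"user": "alice", "vpn_hour": 9, "country": "DE", "program": "outlook.exe", "emails": 22},
         {"user": "alice", "vpn_hour": 3, "country": "BR", "program": "regedit.exe", "emails": 400}]
if __name__ == "__main__":
    print(aggregate(build_profiles(HISTORY), TODAY))
```

Keeping the per-event hits next to the total is what lets an analyst see which deviations produced a score, as the aggregation step describes.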