User Behavior Analytics (UBA)

Gain greater visibility into insider threats, uncover anomalous behavior, quickly identify risky users and generate meaningful insights

Detect compromised credentials, lateral movement and other malicious behavior

The IBM Security® QRadar® SIEM User Behavior Analytics (UBA) app establishes a baseline of behavior patterns for your employees, so you can better detect threats to your organization. It uses existing data in QRadar SIEM to generate new insights around users and risk.

By establishing the risk profiles for users inside your network, you can react more quickly to suspicious activity, whether from identity theft, hacking, phishing or malware.

Documentation

Explore additional documentation about how the QRadar SIEM UBA app helps you protect valuable data and assets from insider threats.

UBA protects against phishing and more

Distinguish normal user behavior from anomalies to stop threats

How it works

For the second year in a row, phishing, in which an attacker impersonates someone and uses existing email conversations for nefarious purposes, was the leading infection vector. Understanding users’ normal behavior and noticing anomalies quickly is critical to stopping infections. You can add users to the UBA app with the user import wizard, and the UBA app adds risk scoring and unified user identities to QRadar SIEM.

“And it really just takes one employee to click a link, give their credentials or open up an attachment that could lead to a total compromise.”

Stephanie “Snow” Carruthers
Chief People Hacker
IBM Security® X-Force® Red

Frequently asked questions

Are there prerequisites to installing User Behavior Analytics (UBA)?

Yes. If running on a QRadar SIEM console, the UBA app requires a minimum of 64 GB or up to 128 GB of memory. Additionally, consider the deployment of a QRadar SIEM app host to access the full benefits of running the UBA app with the machine learning app enabled.

How do I get my organization's data into UBA?

UBA integrates directly into QRadar SIEM by using the existing user interface and database. All enterprise-wide security data remains in one central location and analysts can tune rules, generate reports and connect data as part of their SIEM experience.

Does UBA integrate with my other tools?

Since UBA shares the same underlying database as QRadar SIEM and NDR, any data source that is ingested by QRadar SIEM can be surfaced and leveraged in UBA.

What is the UBA architecture?

UBA is packaged as a collection of 3 apps—an LDAP app that helps ingest and coalesce users’ identity information, a UBA app that helps visualize data and analytics, and a machine learning app that provides a library of machine learning algorithms used to create behavioral models of users’ activities.

What is anomaly detection?

Anomaly detection is a technique used to identify unusual patterns that do not conform to normal behavior and differ significantly from most of the data. UBA builds a baseline of normal behavior from a user’s and similar users’ (peers) events and then uses that baseline to detect anomalous behavior.

What is a risk score?

A risk score is the numeric measure of the potential harmfulness of a user’s activity. Each anomalous behavior that is detected by UBA impacts an individual user’s risk score.

How long does it take for the machine learning models to train?

Upon installation, machine learning algorithms ingest the previous 4 weeks of data from the QRadar database and can take up to 1 week to build the baseline models of normal user behavior.

Can UBA be deployed in QRadar SaaS (QRadar on cloud)?

The UBA app can be deployed in IBM Security® QRadar® SaaS, software or cloud deployments.

How much does the UBA app cost?

The UBA app is offered to QRadar clients at no additional cost.

Where can I go for help with UBA?

IBM Support has dedicated resources who can help with high priority issues. The UBA app includes a help and support section for using the LDAP, UBA and machine learning analytics apps.

How does IBM protect user information in UBA?

As with all QRadar applications and modules, the data is encrypted at rest.

If you would like more information on IBM QRadar, contact us today!

NDM Technologies © 1994 - Present