Analysis of UEBA

Posted by trammel at 2020-03-09

UEBA is a new thing: it was rarely mentioned before 2014, but it has developed very quickly. Looking at international vendors, some leading UEBA vendors have been trying to overturn the existing market structure on the strength of their detection capability, and such products are bound to have a far-reaching impact. At home, however, it seems not to have attracted enough attention; we often hear that UEBA is about building user profiles to address business risk, or that the most important technology in UEBA is machine learning, and so on. Having heard a lot of this, I cannot help wanting to talk about the UEBA I have seen and understood. After all, I have not actually built such a product, so mistakes are hard to avoid, but I hope this gives you some information for reference.

The value of UEBA

UEBA already has some mature products: Exabeam, Gurucul, Interchange, Niara, Securonix, Splunk, etc.

Judging from these products, the problems they solve for customers are fairly consistent, including:

There is no doubt that although these threats do not include the business risk-control concerns such as promotion abuse and fake-order fraud (why business risk is not covered is another large technical topic, not addressed here), they are the risks enterprises care about most. In terms of finished products, UEBA vendors do provide ideal solutions by inheriting and innovating on existing technology, so it is not surprising that they can grow rapidly in the international market. For example, Exabeam was founded in 2013 and has completed a Series B round of tens of millions of US dollars, with Cisco among the investors. I wonder whether it will eventually become another powerful engine of Cisco's revenue? Let us take Exabeam as an example to understand the main technical points of UEBA.

UEBA and machine learning

To some extent UEBA belongs to the data-driven security analytics products, so many people naturally assume that machine learning is the core technology of UEBA, and vendors are happy to play to that impression in their marketing. It is undeniable that all UEBA products use machine learning (both supervised and unsupervised) to some degree, but treating this as the key to UEBA's success misses the point. One precondition for UEBA to be deployed successfully and to actually improve security operations is collecting more data. Compared with traditional SIEM/SOC products, UEBA products consider more data sources in their design. In addition to the EDR data, AD data and business-application data that the IT system may provide, they also take in a lot of non-IT data: ERP (related enterprises?), organisational structure, job responsibilities, travel, and so on. Having more data is one of the conditions for their success. UEBA vendors such as Exabeam also see that a purely data-driven approach cannot make a complete product, so they advocate and build a hybrid system of data-driven plus expert-driven analysis. In Exabeam's view, a purely data-driven approach has the following problems:

Therefore it designed a more reasonable technical architecture, shown in the following figure (source: Exabeam):

In such a hybrid system, anomaly discovery does not rely on machine learning alone but also on statistical and feature-based methods. Some findings that machine learning can output as clear results also appear at this stage, such as DGA domain discovery; statistical methods appear more often, such as the first time a user account accesses a folder, or a user accessing an abnormal number of documents. These anomalies do not generate alerts to customers directly; instead they become the raw material for machine learning: features. On top of these features, machine learning (including Bayesian methods) is used to quickly determine the risk value of different feature combinations, and an event whose risk value exceeds a certain range becomes an event that needs the user's attention. This method inserts an anomaly-discovery process and intermediate products between the data and the machine learning. Using expert domain knowledge, it simplifies the work of the machine learning, improves the system's flexibility, and so allows rapid deployment and completion of the learning process.

For example, when a user account accesses a folder for the first time, other features have to be examined at the same time to decide whether it is a high-risk event: whether this commonly happens for users in the same category as this user (a part of the machine learning is presumably hidden here, in the categorisation); whether accessing a new folder is a high-probability event within the user's organisation; and so on.
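The two-stage flow just described (statistical "first time" anomalies become features, and only the combined risk score reaches the analyst) as an added example; this is illustrative code written for this post, not Exabeam's or any vendor's implementation, and the events, peer groups, weights and threshold are all constructed, hypothetical values.

```python
from collections import defaultdict

# Constructed sample: folder-access events (user, peer group, folder) in time order.
EVENTS = [
    ("alice", "finance", "/fin/q1"), ("bob", "finance", "/fin/q1"),
    ("alice", "finance", "/fin/q2"), ("carol", "eng", "/src/core"),
    ("carol", "eng", "/src/core"), ("bob", "finance", "/fin/q2"),
    ("carol", "eng", "/fin/q1"),  # an engineer opening a finance folder
]
# Assumed expert-assigned points per feature and alert threshold (hypothetical values).
W_FIRST_FOR_USER, W_FIRST_FOR_PEERS, THRESHOLD = 10, 20, 20

def score_events(events, warmup=4):
    # Returns one (user, folder, features, score) per event; score is None during warm-up.
    seen_user, seen_group = set(), set()
    group_total, group_new = defaultdict(int), defaultdict(int)
    out = []
    for i, (user, group, folder) in enumerate(events):
        # Stage 1: statistical anomaly features; these never alert on their own.
        first_for_user = (user, folder) not in seen_user
        first_for_peers = (group, folder) not in seen_group
        # Baseline: how often members of this peer group open folders new to them.
        peer_new_rate = group_new[group] / group_total[group] if group_total[group] else 1.0
        feats = {"first_for_user": first_for_user, "first_for_peers": first_for_peers,
                 "peer_new_rate": round(peer_new_rate, 2)}
        # Stage 2: combine the features into a risk score. A first-time access is
        # discounted when peers routinely open new folders; a folder nobody in the
        # peer group has ever touched carries the most weight.
        score = None
        if i >= warmup:
            score = 0.0
            if first_for_user:
                score += W_FIRST_FOR_USER * (1.0 - peer_new_rate)
            if first_for_peers:
                score += W_FIRST_FOR_PEERS
        out.append((user, folder, feats, score))
        # Update state after scoring so an event never serves as its own baseline.
        group_total[group] += 1
        group_new[group] += int(first_for_user)
        seen_user.add((user, folder))
        seen_group.add((group, folder))
    return out

def alerts(events, threshold=THRESHOLD):
    # Only events whose combined risk score reaches the threshold reach the analyst.
    return [(u, f, s) for u, f, _, s in score_events(events) if s is not None and s >= threshold]

if __name__ == "__main__":
    print("alerts:", alerts(EVENTS))  # [('carol', '/fin/q1', 25.0)]
```

Note that bob's first visit to /fin/q2 scores zero because new-folder access is routine in his peer group, while carol's first visit to a folder no engineer has touched is the only event that crosses the threshold.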

Such a system, which combines the power of expert knowledge, data and the magic of machine learning, can provide corresponding risk-discovery capability for different user environments and supports flexible, rapid deployment. By the time it reaches this step, UEBA should be a mature product, and machine learning has been successfully applied within it; it is no longer an exploration or an experiment.


UEBA is a unified data collection point, a role that originally belonged to SIEM. What kind of collision will these two products have? Different vendors take different routes. Splunk obtained a UEBA product through acquisition and integrated it closely with its existing Enterprise Security app to form a complete solution. Exabeam has tried to cover the market of the original SIEM products by differentiating into more functional products, such as log management and incident response. From either perspective, it is consistent that UEBA focuses on solving the pain points customers care about most, and becomes a disruptive force through a combination of leading, practical technologies. Perhaps in a short time the traditional SIEM will be pushed into a corner by security operators and UEBA will become the new favourite. In other words, in the end UEBA will combine the practical functions of SIEM, discard the unrealistic expectations placed on SIEM, and become a new generation of SIEM in the real sense. All this awaits the course of history. You and I may have the chance to become cogs in this process.

Finally, I have a feeling that UEBA and threat intelligence are two relatively new fields. At home and abroad they appeared to start from a similar line, but gradually we have fallen behind. Now, in my opinion, there is a gap of at least one year. What are the reasons? Culture, investment, industrial environment, people? This may be a more interesting topic than UEBA products themselves.
