IBM QRadar SIEM User Behavior Analytics (UBA) establishes a baseline of behavior patterns for your employees, so you can better detect threats to your organization. It uses existing data in QRadar SIEM to generate new insights around users and risk.
By establishing the risk profiles for users inside your network, you can react more quickly to suspicious activity, whether from identity theft, hacking, phishing or malware.
Detecting Insider Threats with UBA
Distinguish normal user behavior from anomalies to stop threats
41% of network infections are caused by phishing.1
More than 50% of phishing attacks use spear phishing techniques.2
There has been a 100% increase per month in threat hijacking attempts, as observed by X-Force® threat detection software.3
For the second year in a row, phishing was the leading infection vector where an attacker impersonates someone and uses existing email conversations for nefarious purposes. Understanding users’ normal behavior and noticing anomalies fast is critical to stopping infections. You can add users with the user import wizard, and add risk scoring and unified user identities to QRadar SIEM with UBA.
The user import wizard allows you to import users and user data directly from the UBA app. The user import wizard helps you to import users from an LDAP server, an active directory server, reference tables and CSV files. You can also create custom attributes with the user import wizard.
Create risk profiles by assigning risk to different security use cases, depending on the severity and reliability of the incident and by using existing event and flow data in your QRadar system. A risk profile might rely on simple rules, such as if a user visits harmful or compromised websites, or include stateful analytics that use machine learning.
Build unified user identities by combining disparate accounts for a QRadar user. By importing data from an active directory, LDAP, reference table or CSV file, the UBA app can be taught what accounts belong to each user. This also helps you combine risk and traffic data across different usernames in the UBA app, so you can better monitor user actions and prevent attacks.
Enrich and deepen your use cases to perform time series profiling and clustering with the machine learning add-on, which augments the UBA app. Machine learning adds to existing UBA app visualizations that show learned behavior (models), current behavior and alerts. Machine learning uses historical data in QRadar to create the predictive models and baselines of what is normal for a user.
UBA rule content is installed after the app is configured and can be edited in the QRadar use case manager app. Rules that measure user risk are added to the UBA rule data table. UBA rules and tuning features allow you to determine the parameters that QRadar SIEM will use to keep your company and data protected.
Yes. If running on a QRadar SIEM console, the UBA app requires a minimum of 64 GB or up to 128 GB of memory. Additionally, consider the deployment of a QRadar SIEM app host to access the full benefits of running the UBA app with the machine learning app enabled.
UBA integrates directly into QRadar SIEM by using the existing user interface and database. All enterprise-wide security data remains in one central location and analysts can tune rules, generate reports and connect data as part of their SIEM experience.
Since UBA shares the same underlying database as QRadar SIEM and NDR, any data source that is ingested by QRadar SIEM can be surfaced and leveraged in UBA.
UBA is packaged as a collection of 3 apps—an LDAP app that helps ingest and coalesce users' identity information, a UBA app that helps visualize data and analytics, and a machine learning app that provides a library of machine learning algorithms used to create behavioral models of users' activities.
Anomaly detection is a technique used to identify unusual patterns that do not conform to normal behavior and differ significantly from most of the data. UBA builds a baseline of normal behavior from a user’s and similar users’ (peers) events and then uses that baseline to detect anomalous behavior.
A risk score is the numeric measure of the potential harmfulness of a user's activity. Each anomalous behavior that is detected by UBA impacts an individual user's risk score.
A risk score is the numeric measure of the potential harmfulness of a user's activity. Each anomalous behavior that is detected by UBA impacts an individual user's risk score.
Upon installation, machine learning algorithms ingest the previous 4 weeks of data from the QRadar database and can take up to 1 week to build the baseline models of normal user behavior.
The UBA app can be deployed in IBM Security® QRadar® SaaS, software or cloud deployments.
The UBA app is offered to QRadar clients at no additional cost.
As with all QRadar applications and modules, the data is encrypted at rest.
1, 2, 3 IBM X-Force Threat Intelligence Index 2023 Insight, Stephanie Carruthers