LOG-8 – User Behaviors Analytics (UBA)

Estimated reading: 2 minutes 699 views

What is LOG-8 – User Behaviors Analytics (UBA) Control?

User behaviour analytics (UBA) control is about having a process in place to gather insights into the network events that users generate and analyze the events to detect the use of compromised credentials, lateral movement, and other malicious behaviour.

Typically, networks gather information related to users moving between IPs, assets, cloud services, and mobile devices. UBA, on the other hand, focuses on user activity as opposed to static threat indicators. The goal is to use UBA information to detect attacks that haven’t been mapped to threat intelligence and alert on malicious behaviour earlier in an attack.

There are no mandatory methods to use in gathering and analyzing the events.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below because we haven’t used them.

Tools
Fullstory
Amplitude

Available templates

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below because we haven’t used them.

  • N/A: no template recommendation

Control implementation

To implement this control,

Implement a UBA tool to collect and analyze the events. The implementation of the tool should take into account:

  1. Defining use cases such as identifying malicious insiders, compromised users, known security threats, and zero-day vulnerabilities
  2. Defining the data sources, such as events and logs; HR data; corporate emails; social media activity; network flows and packets
  3. Defining the behaviors about which data will be collected, such as work habits, user activities, context, biometrics,
  4. Establishing a baseline
  5. Training your employees on the tool
  6. Constant monitoring and rebuilding of the baseline periodically.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

  1. Screenshots of the UBA tool dashboard
  2. Screenshot of the UBA alert notifications

Evidence example

For the suggested action, an example is provided below:

  1. Screenshots of the UBA tool dashboard.
    The following screenshot shows the UBA tool dashboard.
    Here is the source.
    LOG 8 User Behaviors AnalyticsUBA 01
  2. Screenshot of the UBA alert notifications.
    The following screenshot shows the UBA alert notifications. Here is the source.
    LOG 8 User Behaviors AnalyticsUBA 02

Join the conversation

ON THIS PAGE
SHARE THIS PAGE

SUBSCRIBE
FlightSchool
OR