User and Entity Behaviour Analytics to the rescue, if the attacker is already in the system

Cyber criminals are true super-brains and (unfortunately) often several steps ahead of us. The rapid increase in cyber attacks is clear proof of this. Their practices are becoming more and more advanced. In the meantime, they also frequently use valid access data for accessing confidential data. Existing security solutions at the perimeter are increasingly unable to withstand such attacks. But what can help? Advanced solutions for analysing behaviour patterns to detect anomalies are the next step in the field of IT security - keyword User and Entity Behaviour Analytics (UEBA). Thanks to UEBA, attackers can still be detected once attackers are within the system. Sounds good? Then read on! We tell you how this technology works and how you can use UEBA yourself.

Internal and external interfaces are essential for successful interaction, as is the permanent implementation of new systems and applications. What do the two issues have in common in terms of cyber security? Both lead to new attack vectors and thus inevitably pose a greater risk. The larger the company, the larger the mix of people, processes and technologies. This can be a real challenge to overcome.

Cyber security becomes a government task

The issue has become so critical that more action is also being taken at state level. Since May 2018, the European Data Protection Regulation (GDPR) has been in force, which provides regulatory requirements for reducing precisely such areas of attack. For an optimal implementation of the GDPR principles, it is necessary to specify and ensure various areas of security. These include:

  • Access
  • Assurance
  • Detection
  • Response


To reduce the attack surface in the area of access, you as a company must know what data must be protected, where and how. The aim is to ensure that at the network level, people have only limited access to data (“Need-to-know-principle”).

In the area of assurance, it is important to ensure that the data on the network is encrypted and cannot be accessed. These requirements are often already secured in companies by existing solutions. Where possible, the network is also segmented and access to critical resources is regulated accordingly.

The difficulties, however, can be seen in the area of detection. More and more attacks are carried out with valid login data - whether it occurs when a user opens an unsafe attachment in his or her e-mail or whether an internal employee acts maliciously. In both cases, valid credentials were used to access data.

User and Entity Behaviour Analytics – Where classic solutions fail

The solution in this case is User and Entity Behaviour Analytics - UEBA for short. A system like this analyses the behaviour of each entity and each user. Machine learning algorithms are used to create behaviour patterns for each component. On one hand, historical data is used; on the other hand, one's own behaviour is compared with the behaviour of other entities in the same group. Deviations from standard behaviour are an indicator of an incident and can be detected accordingly.

How you can take advantage of User and Entity Behaviour Analytics

Do you already know about IntroSpect? With IntroSpect, Aruba has created a solution that monitors all users and entities on the network and creates a behaviour pattern based on this. Even the smallest deviations from normal behaviour can pose a risk and are therefore assessed at a risk level. In addition to data packets, the risk level of each entity is enriched and assessed with logs of security appliances, Active Directory and other security-relevant logs. Such a broad basis of data for assessing behaviour is unique on the market. This also sets IntroSpect apart from existing NTA and UEBA solutions.

Aruba IntroSpect sets new standards

This approach means that attackers can be detected once they have entered the internal infrastructure. An internal attacker stands out due to his abnormal behaviour and can be detected by UEBA - either by logging into a system for the first time, various scans or even excessive data transfer. The baselines created for each entity reveal such deviations and have an effect on the risk level.

Aruba IntroSpect UEBA also helps to respond to an incident. This allows you to see which activities were performed for each entity. The information and the behaviour can be analysed cross-system at a central location. This makes it much easier to analyse the incident, as various information from the systems does not have to be pooled.

Specifically, Aruba supports IntroSpect in its response to the interaction with Aruba ClearPass. In the event of an incident, a corresponding entity can be quarantined directly from IntroSpect in ClearPass or a new login can be forced. This fast, automated response to an incident can proactively prevent major damage and proliferation. For a response action like this, the security analyst is guided through the respective playbooks, where (s)he is shown the necessary data and the relevant questions are asked. Through this interaction, over 100 AI algorithms are developed, which constantly increases the quality of the alerts.

UEBA is the future

Defence against advanced cyber attacks is becoming increasingly important. The best prevention measures are useless if anomalies are not detected and repelled in time. 

Fortunately, today there are solutions like Aruba IntroSpect that use UEBA. As cyber security experts, we clearly recommend this new technology. If you would like to know how IntroSpect can also increase your Cyber Defence, please contact us. My colleagues and I will be happy to advise you!


Aruba CISO Guide  UEBA

<< >>

Cyber Defence , Cyber Security , Cyber Risks

Lukas Loder
About the author / Lukas Loder

More articles from Lukas Loder

Related articles
Cyber Security Blog

Exciting articles, the latest news and tips & tricks from our experts on all aspects of Cyber Security & Defence.

Blog update subscription
Social Media