How to increase risk scoring accuracy in anomaly detection

It's indisputable that user and entity behavior analytics (UEBA) makes a security analyst's job easier. With risk scoring in UEBA, security analysts can prioritize which threat needs to be mitigated first, and the more accurate your risk scoring is, the more productive your security analysts are going to be. Accurate risk scoring also decreases the chance of false positives. Three capabilities improve the accuracy of a user's risk score: peer group analysis, seasonality, and user identity mapping. Let's take a look at each of them in turn.

Peer group analysis

Peer group analysis is a technique, powered by machine learning algorithms, that identifies users and hosts sharing similar characteristics and places them in one group. Comparing a user's behavior with that of a relevant peer group supplies the context behind that behavior and increases risk scoring accuracy. Essentially, if the pattern of your deviation matches that of your peer group, your risk score is not affected as much. However, if your actions don't fit the expected behavior of any relevant peer group, they are considered anomalous and your risk score increases significantly, depending on the severity of the deviation.

In the absence of historical data, a user whose behavior deviates from that of other users is placed in a new peer group. Similarity scores determine whether a user is added to an existing peer group or not. The risk score of the first member of a new group may start significantly higher than the rest. If other members perform the same anomalous action, over time it becomes a trend rather than an outlier, and the risk scores of the group members are normalized accordingly.
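The two mechanisms described above, peer-relative risk scoring and similarity-based group assignment, as an added worked example in Python. This is illustration code written for this article, not ManageEngine's implementation; the per-user daily counts, the peer groups, the log2-ratio deviation measure, the 25-points-per-doubling scale and the similarity threshold of 0.8 are all constructed assumptions chosen to keep the arithmetic visible.

```python
from math import log2
from statistics import mean

# Constructed sample data (not from any real environment): per-user counts of
# files accessed on each of the last five working days, and today's count.
HISTORY = {
    "alice": [40, 42, 38, 45, 41],
    "bob":   [39, 44, 40, 43, 42],
    "carol": [41, 40, 43, 39, 44],
    "dave":  [5, 6, 4, 7, 5],
}
TODAY = {"alice": 120, "bob": 118, "carol": 125, "dave": 60}

# Hypothetical peer groups, e.g. the output of clustering roles and activity profiles.
PEER_GROUPS = {"finance": ["alice", "bob", "carol"], "it-ops": ["dave"]}


def deviation(value, history):
    """Log2 ratio of today's count to the user's own baseline mean.
    +1.0 means double the usual volume; add-one smoothing keeps zero counts finite."""
    return log2((value + 1) / (mean(history) + 1))


def group_of(user, groups):
    """Return (group name, members) for a user, or (None, []) if unassigned."""
    for name, members in groups.items():
        if user in members:
            return name, members
    return None, []


def peer_adjusted_risk(user, today=TODAY, history=HISTORY, groups=PEER_GROUPS):
    """Risk score 0-100 from the part of the user's deviation that the peer group
    does not share. A spike the whole group shows (quarter-end, patch day) is
    absorbed by the peers' own change; a lone spike is scored in full."""
    own = deviation(today[user], history[user])
    _, members = group_of(user, groups)
    peers = [p for p in members if p != user]
    peer_dev = mean(deviation(today[p], history[p]) for p in peers) if peers else 0.0
    residual = own - peer_dev
    # Scale assumption: each doubling beyond the peers' change adds 25 points.
    return round(min(100.0, max(0.0, residual * 25.0)), 1)


def assign_peer_group(user, user_history, history=HISTORY, groups=PEER_GROUPS,
                      threshold=0.8):
    """Pick the existing group most similar to a newly seen user, or propose a new
    one-member group ("new:<user>") when no group is similar enough.
    Similarity here is 1 / (1 + |log2 ratio of baseline means|), a deliberately
    simple single-feature choice; a real system compares multi-feature profiles.
    The function does not modify the registries; the caller decides what to record."""
    user_mean = mean(user_history)
    best_name, best_sim = None, 0.0
    for name, members in groups.items():
        group_mean = mean(mean(history[m]) for m in members)
        sim = 1.0 / (1.0 + abs(log2((user_mean + 1) / (group_mean + 1))))
        if sim > best_sim:
            best_name, best_sim = name, sim
    return best_name if best_sim >= threshold else f"new:{user}"


if __name__ == "__main__":
    for user in HISTORY:
        print(f"{user:6s} group={group_of(user, PEER_GROUPS)[0]:8s} "
              f"risk={peer_adjusted_risk(user)}")
    print("erin  ->", assign_peer_group("erin", [43, 39, 44, 41, 42]))
    print("frank ->", assign_peer_group("frank", [200, 210, 190, 205, 195]))
```

Running it shows the finance group tripling its file access together and scoring close to zero, while dave's tenfold jump with no peer doing the same scores above 80. The new user erin, whose baseline looks like finance, is assigned there; frank, who resembles no existing group, is proposed as his own group, which is where the article's "first member of a new group" effect would start.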

Seasonality

An activity is considered seasonal if it occurs with a specific degree of regularity, such as hourly, daily, weekly, or monthly. Your SIEM solution should be able to tag seasonal activities as non-anomalous. If an activity occurs out of its seasonal routine, it should be considered an anomaly.

If seasonality is not factored in, you may miss vital clues that denote an attack, or your security analysts may be inundated with false alerts and experience alert fatigue. Taking seasonality into account during anomaly detection will enhance your risk scoring accuracy and reduce false positives. This will give your analysts time to prioritize and respond to genuine threats.
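The seasonality logic described in the two paragraphs above, as an added example in Python. It is not code from this article or from any SIEM product; the service-account history (a backup authenticating every Sunday at 02:00 for four weeks plus one weekday logon), the (weekday, hour) slot granularity, the 75% regularity threshold and the base risk of 40 are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed history for one service account (made up for this example):
# a backup job authenticates every Sunday at 02:00 for four weeks, plus a
# single interactive logon on a Wednesday afternoon in week 3.
FIRST_SUNDAY = datetime(2024, 1, 7, 2, 0)
HISTORY = [FIRST_SUNDAY + timedelta(weeks=w) for w in range(4)]
HISTORY.append(datetime(2024, 1, 17, 14, 5))


class SeasonalProfile:
    """Learns which (weekday, hour) slots an entity is routinely active in.

    A slot counts as seasonal when the entity was seen there in at least
    `min_fraction` of the weeks covered by the history, so a one-off event in
    an otherwise quiet slot does not become part of the routine."""

    def __init__(self, min_fraction=0.75):
        self.min_fraction = min_fraction
        self.weeks_seen = set()          # ISO (year, week) pairs with any activity
        self.slot_weeks = defaultdict(set)  # slot -> weeks in which it was active

    @staticmethod
    def slot(ts):
        return (ts.weekday(), ts.hour)

    @staticmethod
    def week(ts):
        year, week, _ = ts.isocalendar()
        return (year, week)

    def fit(self, timestamps):
        for ts in timestamps:
            self.weeks_seen.add(self.week(ts))
            self.slot_weeks[self.slot(ts)].add(self.week(ts))
        return self

    def regularity(self, ts):
        """Fraction of observed weeks in which this slot was active (0.0 to 1.0)."""
        if not self.weeks_seen:
            return 0.0
        return len(self.slot_weeks.get(self.slot(ts), ())) / len(self.weeks_seen)

    def is_seasonal(self, ts):
        return self.regularity(ts) >= self.min_fraction


def adjusted_risk(profile, ts, base_risk=40):
    """Risk contribution of an event: zero in a seasonal slot, otherwise the base
    risk scaled down by whatever partial regularity the slot already has."""
    if profile.is_seasonal(ts):
        return 0
    return round(base_risk * (1.0 - profile.regularity(ts)))


PROFILE = SeasonalProfile().fit(HISTORY)


def evaluate(year, month, day, hour, minute=0, profile=None):
    """Classify a timestamp given as plain integers: (is_seasonal, risk)."""
    profile = profile or PROFILE
    ts = datetime(year, month, day, hour, minute)
    return profile.is_seasonal(ts), adjusted_risk(profile, ts)


if __name__ == "__main__":
    for when in ((2024, 2, 4, 2, 30), (2024, 2, 6, 3, 0), (2024, 2, 7, 14, 30)):
        seasonal, risk = evaluate(*when)
        print(datetime(*when), "seasonal" if seasonal else "anomalous", "risk", risk)
```

The Sunday 02:30 event in February lands in a slot seen in all four weeks and contributes no risk; a Tuesday 03:00 logon has never been seen and carries the full base risk; a Wednesday 14:30 event matches the single week-3 logon, so it is not yet routine but is scored lower than something entirely new. Weekday-and-hour slots capture hourly, daily and weekly cadences; a monthly routine such as a payroll run needs a day-of-month slot in the same structure.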

User identity mapping

It's crucial for your SIEM solution to factor in user identity mapping (UIM) while detecting anomalies in order to improve risk scoring accuracy. This is because, at any given time, a user could be accessing different applications and devices across your network with different usernames or credentials.

For example, John has the Windows username John Watson, whereas his username on Azure is [email protected], and on SQL Server, it is John.

This raises the question: Will your SIEM solution be able to identify that the activities performed using different usernames are actually the actions of a single user, John? If your SIEM solution comes with UIM capabilities, then it will.

The UIM capability links all distinct user registries with a base registry like Active Directory to determine the activity of a single user across multiple domains and correlate these activities to identify anomalies. By mapping all the different user identities to the single user, UIM improves the risk scoring accuracy of users and helps us discern the bigger picture of the incident.
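The John example and the registry-linking described above, as an added worked example in Python. It is illustration code for this article, not ManageEngine's UIM implementation; the base registry, the Azure address john.watson@example.com, the SQL Server login, the four events and their per-source risk values are all constructed and stand in for whatever a real directory and detectors would supply.

```python
from collections import defaultdict

# Constructed base registry (stands in for Active Directory) keyed by the
# username each system knows the same person by. All values are made up.
RAW_IDENTITY_MAP = {
    ("AD", "DOMAIN\\John Watson"): "john.watson",
    ("Azure", "john.watson@example.com"): "john.watson",
    ("SQLServer", "John"): "john.watson",
    ("AD", "DOMAIN\\Alice Smith"): "alice.smith",
}

# Constructed events, each carrying the risk its own source's detector assigned.
EVENTS = [
    {"ts": "2024-03-04T08:55", "source": "AD", "user": "DOMAIN\\John Watson",
     "action": "interactive logon from an unseen device", "risk": 20},
    {"ts": "2024-03-04T09:00", "source": "AD", "user": "DOMAIN\\Alice Smith",
     "action": "interactive logon", "risk": 0},
    {"ts": "2024-03-04T09:10", "source": "Azure", "user": "John.Watson@example.com",
     "action": "downloaded 400 files from SharePoint", "risk": 25},
    {"ts": "2024-03-04T09:20", "source": "SQLServer", "user": "John",
     "action": "bulk export of the customers table", "risk": 30},
]


def normalize(source, username):
    """Registry keys are case-insensitive and whitespace-trimmed, so 'JOHN' and
    'John' from the same source resolve to the same entry."""
    return (source.strip().lower(), username.strip().lower())


IDENTITY_MAP = {normalize(s, u): cid for (s, u), cid in RAW_IDENTITY_MAP.items()}


def resolve(source, username, identity_map=IDENTITY_MAP):
    """Map a (source, username) pair to the base-registry identity. Unmapped accounts
    become an explicit 'unresolved' entity rather than being silently dropped, so
    gaps in the registry are visible to the analyst."""
    key = normalize(source, username)
    return identity_map.get(key, f"unresolved:{source}:{username}")


def risk_per_username(events=EVENTS):
    """What a SIEM without UIM sees: one score per (source, username)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["source"], e["user"])] += e["risk"]
    return dict(totals)


def risk_per_identity(events=EVENTS, identity_map=IDENTITY_MAP):
    """What a SIEM with UIM sees: the same events rolled up to the person."""
    totals = defaultdict(int)
    for e in events:
        totals[resolve(e["source"], e["user"], identity_map)] += e["risk"]
    return dict(totals)


def timeline(identity, events=EVENTS, identity_map=IDENTITY_MAP):
    """Chronological cross-system activity of one identity: the bigger picture an
    analyst needs when triaging the rolled-up score."""
    rows = [e for e in events if resolve(e["source"], e["user"], identity_map) == identity]
    return [(e["ts"], e["source"], e["action"]) for e in sorted(rows, key=lambda e: e["ts"])]


if __name__ == "__main__":
    print("per username:", risk_per_username())
    print("per identity:", risk_per_identity())
    for row in timeline("john.watson"):
        print("  ", *row)
```

Scored per username, John's morning looks like three unrelated low-risk events, none above 30. Resolved through the base registry, the same events add up to 75 for one identity, and the timeline shows a logon from a new device followed within half an hour by a bulk download and a database export, which is the correlation the article attributes to UIM.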

We've barely scratched the surface of increasing the accuracy of risk scoring using anomaly detection in UEBA. To learn more, check out ManageEngine Expert Talks.