Tuebora Blog

Are the Who and Why Context Missing from Your Security Investigations?

IAM Data Security Context

The expanding network perimeter and increasingly complex IT infrastructure of modern organizations call for new approaches to security. With threats growing in volume and sophistication, a foundational approach to contemporary cybersecurity is to identify atypical user activities that deviate from a baseline. This article describes the pivotal role of identity data in determining malicious activity based on user behavior. 

The UEBA Approach

User entity and behavior analytics (UEBA) is a type of cybersecurity solution that uses data collection and machine learning to detect anomalies in the behavior of users or devices on a network. Verizon’s 2020 Data Breach Investigations Report found that the use of stolen credentials and phishing were the top two causes of data breaches. It’s clear that organizations have a pressing need to better identify suspicious user activities, whether they arise from malicious insiders or hackers that gain entry to your network.


UEBA solutions work by using machine learning algorithms that establish activity baselines through a set of scored actions. These scored actions set the tone for what is normal user or entity behavior within your network environment. Any time a user or entity performs an action, the UEBA solution compares that action to their profile. If an activity is suspicious, the solution immediately flags it as an incident worth investigating.


The user-centric threats that tools like UEBA can detect are:


  1. Compromised accounts: the best way to identify a compromised account is to analyze the behavior of accounts for the inevitable anomalies such an account will display.
  2. Malicious insider activity: notoriously tricky to detect, the activity of a disgruntled employee might appear normal 99% of the time with only a brief deviation from the baseline in which malicious activity occurs. UEBA can help detect even slight abnormalities that indicate insider threats. 

Identity Data and UEBA

An integrated dataset is the cornerstone of a working UEBA solution because the data informs the machine learning algorithm. The main dataset needs to contain information about users and their interactions with data, applications, and systems. A vital role of any UEBA solution is to accurately detect when the trust given to users upon granting access to information assets on your network is misplaced. 


Leveraging identity data is an extremely useful way to ensure any UEBA solution provides the type of preventative control environment that doesn’t intrude heavily on the average business user’s job. The experience of many enterprises that implemented traditional data loss prevention (DLP) tools is that such tools interfere too much with user activities and workflows. 


Identity data provides a plethora of valuable contextual information about user behavior. This identity and access information (IAM) data becomes incredibly powerful in delivering the type of proactive remediation of security threats that UEBA solutions seek to provide. 


Taking a look at the data residing in standard IAM systems makes it clear why this data is so useful for security context:



  • User role, group, and location, 
  • Whether the account has been documented as authorized or approved for access to a system or sensitive data via approved process,
  • The time a specific user logs on to a system or app on the network.
  • Whether the account has been inactive for a specific period of time and a de-provisioning process step was missed and,
  • Whether an account belongs to a contractor, employee, or supply-chain / business partner.


When integrated into your UEBA system, this IAM data proves invaluable in accurately scoring user account activity. It’s worth remembering that UEBA uses machine learning to understand what baseline user activity looks like. 


The “training period” is the duration of time in which the system learns what the baseline user behavior is. The more IAM data supplied, the better the system can learn and ultimately detect suspicious activity. This training period takes 30-90 days for most organizations. 


Examples of Leveraging Identity Data for Security

Here are some example use cases in which leveraging identity data and integrating it with a solution like UEBA  provides vital security context to understand and flag suspicious activity. 


Time Anomalies


Your IAM data might show that a user from a certain group with a specific role logs into a system on average between 9.30 am and 10.30 am. If that same user then logs in at 6.30 pm, your UEBA tool can flag it as a time anomaly using the identity data gathered during the training phase.


Unexpected Access


A contractor or business partner logs on to a network host that they’ve never accessed before. Identity data displays this user as a contractor or business partner and the UEBA solution flags their activity as abnormal. 


Count Anomalies


IAM data can inform a UEBA tool that a specific user has sufficient access rights to modify, insert, or delete data within an SQL database instance. During the training period, the UEBA tool tries to gauge the normal frequency at which this user executes those types of queries. If the same user suddenly starts executing far more queries than baseline, the system triggers a count anomaly. 


Summing it up, Identity data helps analysts get insight into whether the activities for a specific user account are normal or unusual. 


How Tuebora Helps


Whether you’re using a dedicated UEBA solution or an evolved SIEM that incorporates UEBA technology, it’s clear that identity data provides much of the important security context these tools require to accurately score user account activity and determine possible account takeover or insider threats. 


Tuebora covers each stage of the entire IAM lifecycle from provisioning to the ongoing management of user access to de-provisioning access. Tuebora offers IAM data to enhances the capabilities of third-party security solutions via REST APIs. You can feed the data you need into your system to help understand normal user access behavior and combat threats like data breaches. 

Want to see how Tuebora works? Contact us here for a demo.      



If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.

Leave a Reply