UEBA Analytics: ব্যবহারকারীদের স্বাভাবিক আচরণের প্রোফাইল তৈরি করে ইনসাইডার থ্রেট এবং অস্বাভাবিক অ্যাক্টিভিটি ডিটেকশন!

Gartner-এর সংজ্ঞা অনুযায়ী UEBA হলো "a security software using analytics to detect compromised accounts, insider threats, and other risks by establishing a baseline of normal behavior for users and entities, then identifying deviations from that baseline."

প্রাথমিক phase-এ এটি কেবল UBA (User Behavior Analytics) ছিল। পরে Gartner "Entity" যোগ করে — কারণ আজকের network-এ কেবল human user নয়, service account, application, IoT device, API key — সবগুলোই behavioral profiling-এর target।

UEBA-এর evolution তিন generation-এ-

• Gen 1 (২০১২-২০১৫): rule-based, simple statistical model।
• Gen 2 (২০১৫-২০২০): machine learning integration — clustering, anomaly detection model।
• Gen 3 (২০২০-বর্তমান): deep learning, graph analytics, contextual ML, generative AI augmentation।

Baseline Profile Construction

প্রতিটি user/entity-এর জন্য historical activity থেকে baseline তৈরি-

• Login Time: typical work hour (যেমন ৯টা-৫টা)।
• Login Location: usual office, home, country।
• Application Usage: কোন app, কত frequency।
• Data Access Pattern: কোন folder, কত volume।
• Network Behavior: typical destination, port।
• Authentication Method: usual MFA pattern।
• Privilege Use: kibe কখন admin action।

Baseline period সাধারণত ৩০-৯০ দিন। Continuous re-training যাতে role change বা legitimate behavior shift accommodate।

Anomaly Detection

Baseline থেকে deviation-

• Threshold-based: simple — যেমন login attempt rate, data download volume।
• Statistical: standard deviation, percentile (z-score, IQR)।
• Machine Learning: isolation forest, autoencoder, LSTM (time-series)।
• Peer Group Analysis: user-এর role-aligned peer-দের সাথে comparison।

Risk Scoring

প্রতিটি user-এর জন্য dynamic risk score। Score factor-

• recent anomaly severity।
• chained anomaly (multiple within short window)।
• threat intelligence enrichment।
• privilege level।

High-risk score → SOC alert, automated response (account lock, additional MFA)।

Investigation Visualization

User timeline, peer comparison, anomaly drill-down — analyst-এর জন্য rich investigation interface।

UEBA-এর primary use case insider threat — যা CERT Insider Threat Center-এর গবেষণা অনুযায়ী organization-এর সবচেয়ে costly threat-এর একটি।

Malicious Insider

Departing employee data exfiltrate, disgruntled employee sabotage। Indicator-

• typical work hour-এর বাইরে data access।
• repository থেকে large download (Git, SharePoint, network drive)।
• personal email-এ data forward।
• USB drive insert।
• VPN access from unusual location।

Twitter (২০২০) এবং AT&T-এর insider breach UEBA-এর textbook case।

Negligent Insider

Phishing victim, accidentally leak। Detection-

• credential leak detection।
• unusual file share।
• shadow IT activity (unauthorized cloud service)।

Compromised Account (External Attacker)

Stolen credential ব্যবহার করে attacker। Indicator-

• impossible travel (mins-এ Dhaka থেকে Moscow login)।
• new device।
• unusual application access (legitimate user যা কখনো ব্যবহার করেননি)।
• access pattern shift।

Login pattern-এ anomaly-

• Impossible Travel: 30 minute-এ Dhaka থেকে New York login।
• New Geolocation: প্রথমবার কোনো country থেকে।
• Failed-then-Successful Pattern: পরপর ৫০ fail, পরে success।
• Tor/VPN/Anonymizer Use।
• Concurrent Session: একই account-এ দু'টি ভিন্ন country-তে simultaneous active session।

Lateral Movement Detection

Internal-

• service account human-like activity।
• host A থেকে কখনো connect না হওয়া host B-তে connection।
• unusual port/protocol।
• Kerberos ticket request spike।

Data Exfiltration Detection

• DLP-complementary।
• volume spike to cloud storage।
• email-এ large attachment to external।
• print spike।
• screenshot tool unusual run।

Privileged Account Abuse

• domain admin login from non-Tier-0 workstation।
• service account interactive login।
• privilege escalation event spike।

Unsupervised Learning

Anomaly detection-এর dominant paradigm —

• Isolation Forest: random partitioning দিয়ে outlier identify।
• One-Class SVM: normal data-এর boundary learn।
• DBSCAN: density-based clustering, outlier as noise।
• K-Means + Mahalanobis Distance: cluster centroid থেকে distance।
• Autoencoder: neural network যা input reconstruct করতে শেখে, reconstruction error anomaly indicator।

Supervised Learning

Limited use, কারণ labeled data scarce। তবু-

• Random Forest, XGBoost: known malicious vs benign event classification।
• Logistic Regression: simple risk score।

Time-Series Model

• LSTM, Transformer: sequence-aware anomaly।
• Hidden Markov Model: state transition anomaly।

Graph-Based Analytics

User-entity relationship graph-এ structural anomaly। উদাহরণ: যদি একটি user হঠাৎ এমন server-এ access করছে যেখানে তার peer-রা কখনো করেননি, graph anomaly detection।

Microsoft-এর Defender for Identity এবং Cisco Stealthwatch graph-based UEBA-এর leader।

Deep Learning এবং Generative AI

২০২৩-পরবর্তী সময়ে large language model UEBA-তে integrate হচ্ছে-

• alert summarization।
• natural language investigation query।
• attack narrative generation।
• false positive reduction (LLM context-aware judgment)।

Standalone UEBA Vendor

• Exabeam: comprehensive timeline এবং risk scoring।
• Securonix: cloud-native, behavioral analytics এবং SIEM combined।
• Gurucul: ML-driven, identity-centric।

SIEM-Integrated UEBA

• Splunk UBA: Splunk Enterprise-এর সাথে।
• Microsoft Sentinel UEBA: Entra ID, Defender ecosystem-এর সাথে deep integration।
• IBM QRadar UBA।
• Chronicle (Google)।
• Elastic Security: Machine Learning job।

Specialty Vendor

• Microsoft Defender for Identity (formerly Azure ATP): on-prem AD এবং hybrid identity behavior।
• Varonis: data-centric UEBA।
• DTEX Systems: insider risk focus।
• Code42 Incydr: data exfiltration focus।

Phase 1 — Use Case Prioritization

Organization-এর top risk identify — privileged account abuse, data exfiltration, account takeover, insider threat। Specific use case-এ initial focus।

Phase 2 — Data Source Integration

Required data source —

• Identity: Active Directory, Entra ID, Okta।
• Authentication: VPN, SSO log।
• Endpoint: EDR data।
• Network: NetFlow, Zeek, proxy log।
• Application: SaaS audit log (Office 365, Salesforce, GitHub)।
• DLP: data movement log।
• Cloud: AWS CloudTrail, Azure Activity Log।
• HR System: role, manager, employment status।

Phase 3 — Baseline Training

Initial baseline period (30-90 days)। Tuning — false positive reduction।

Phase 4 — Alert Tuning এবং Workflow Integration

SIEM/SOAR integration। Alert threshold adjustment। Analyst feedback loop।

Phase 5 — Continuous Improvement

Baseline retraining, model performance evaluation, new use case addition।

Snowden-Style Insider

NSA contractor Edward Snowden-এর data exfiltration UEBA detection-এর textbook case হত — privileged user-এর unusual data access volume, off-hours activity, sensitive document collection।

Tesla (২০২৩)

Two former employee 100 GB confidential data exfiltrate করেছিলেন। UEBA-based anomaly detection (data download spike, off-hours pattern) এই ধরনের incident detect করতে পারত।

Capital One (২০১৯)

Former AWS employee Capital One-এর misconfigured S3 bucket থেকে data exfiltrate করেছিল। Cloud-native UEBA এই access pattern catch করত — unusual user agent, IP, request pattern।

UEBA-এর deep employee monitoring privacy এবং labor law-এর সাথে tension তৈরি করে।

• GDPR-এ employee monitoring legal basis লাগে।
• US-এ state-by-state law।
• বাংলাদেশে Personal Data Protection Act-এর draft।
• Workers' council এবং trade union approval European country-তে।

Best practice-

• Transparency: employee-দের জানানো কী monitor হচ্ছে।
• Proportionality: business-relevant data কেবল।
• Data Minimization: necessary data only।
• Access Control: UEBA data কেবল authorized investigator।
• Retention Limit: defined period।

False Positive

UEBA-এর সবচেয়ে বড় challenge। Legitimate behavior shift (role change, project urgency, business travel) anomaly trigger করতে পারে। Heavy tuning এবং context enrichment essential।

Data Quality

Garbage in, garbage out। Incomplete log, inconsistent timestamp — model degrade।

Alert Fatigue

ML model অনেক alert generate করতে পারে। Prioritization এবং risk scoring critical।

Model Drift

Behavior changes over time। Model regularly retrain না হলে accuracy drop।

Explainability

Black-box ML alert — analyst justify করতে পারেন না কেন alert। Explainable AI (SHAP, LIME) এবং feature importance display essential।

Adversarial ML

Attacker UEBA model-কে evade করতে slow, low-and-slow attack চালান — যাতে activity baseline-এর মধ্যে থাকে।

Effective UEBA program-এর recommendation-

Strategic Foundation:

• top use case identify।
• data source readiness assessment।
• privacy/legal review।

Tool Selection:

• existing SIEM-এর native UEBA evaluate।
• standalone vendor PoC।
• TCO comparison।

Implementation:

• pilot deployment in single business unit।
• 30-90 day baseline period।
• progressive rollout।

Operationalization:

• dedicated UEBA analyst role।
• SOC integration।
• SOAR playbook।

Continuous Tuning:

• weekly false positive review।
• monthly model retrain।
• quarterly use case review।

Workforce Communication:

• transparent policy।
• training।
• grievance channel।

Integration with Other Capability:

• DLP।
• IAM (just-in-time access)।
• Privileged Access Management।
• Identity Governance and Administration (IGA)।

Insider Risk Program:

• HR collaboration।
• legal counsel involvement।
• counseling resource for at-risk employee।