Blog

TF-CSIRT Meeting & 2023 FIRST Regional Symposium Europe in Bilbao UEBA presentation

Last January, Albert Calvo and Nil Ortiz, researchers from the i2CAT Foundation working in the TDA Cybersecurity project, presented UEBA: a prevention framework for enterprise security at the TF-CSIRT Meeting & 2023 FIRST Regional Symposium Europe in Bilbao.

Users behavior
Albert and Nil at the presentation

The cybersecurity industry already has standards for almost every domain. Now it’s time for behavior analytics to get in line. The objective of the prevention matrix presented is to provide a standardized open body of knowledge regarding entity behaviors used for cybersecurity analytics to raise awareness on behaviors associated with cybersecurity threats, document and organize behaviors which can be used in security analytics, recommend risk and threat mitigation measures, assist in risk management strategy development.

During the session, they showcased the framework and demonstrated how security teams could use it to assess the visibility of their users’ behavior and their capabilities against threats. Furthermore, there will be a demonstration of how the C-suite can use the framework to evaluate their return on security investment when performing preventive measures on the users who display risk-associated behaviors.

Users behavior
Albert and Nil an the presentation

The i2CAT Foundation is committed to developing the OpenUEBA – an open-source framework targeted to estimate the user and entity exposition analysis against specific threats allowing the stakeholder to take counterfactual measures before users are affected by threats. In detail, the framework resorts to Artificial Intelligence techniques to learn behavioral patterns from entities with evidence of compromise. Then, the discovered patterns are inferred, computing the behavior likelihood of near entities, allowing the stakeholder to take preventive actions before the incidents related to the behavior materializes.

As stated above, the behavior of users is the weakest point in the kill chain. In future lines, it is planned to advance the tool to anticipate other types of attacks, such as “insider threats”, and to deploy the device in zero-trust and federated environments.

These developments are framed in the TDA Cybersecurity project, developed with the Government of Catalonia and the Cybersecurity Catalan Agency. Recently, the project has been highlighted in the Centre of Innovation for Data Tech and Artificial Intelligence’s White Paper about Artificial Intelligence applied to Cybersecurity illustrative use cases that merge these technologies, which was presented at the IOTSWC.