As I speak to our clients who are using the IBM Security QRadar User Behavior Analytics (UBA) app in conjunction with their QRadar deployments, I find a large number are very happy with their experience and the insights they are getting out of the app.
So, for the last 3 quarters, whenever I have had detailed discussions with clients around their UBA usage, their vision of what the app could do for them, and where and how we can grow its capabilities, I have always blocked off a few minutes to discuss their deployment process and what they would recommend other UBA clients do.
As I've talked with more and more of these customers, I've found that they share several things in how they approached their UBA deployment. I compiled the lessons from these conversations into the list of steps below, which should help new UBA clients properly deploy, initiate and mature their UBA deployments.
1. Start with a Well-Tuned QRadar Deployment
One thing these clients with successful UBA deployments have in common is that they start with the proper setup and tuning of their QRadar deployment. Even before they get to UBA, they fix any performance issues in QRadar and ensure that queries and searches execute and respond in the expected times.
Next, they look at all the log and flow feeds coming into QRadar to ensure they are parsing properly: is the right data tagged in the right fields? Are the logs carrying the users’ identities in the <username> field? Is there any corruption or outright failure to capture the users’ identities? If need be, these clients configure custom properties to identify and capture user identities in the logs.
They also tune down chatty logs, like the NGFW logs. And most importantly, they take the time to properly set up the network hierarchy.
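The username check described above, as an added example that is not IBM's or the UBA app's code: it runs offline over a few constructed event records shaped like the Log Activity view (parsed username column plus raw payload) and tells you, per log source, whether the username is already parsed, whether a custom property could recover it from the payload, or whether the source carries no identity at all. Log source names, payloads and the `user=`/`usr=`/`uid=` token regex are assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed sample events (parsed username column plus raw payload, as the
# Log Activity tab shows them); log source names are made up for the demo.
SAMPLE_EVENTS = [
    {"logsource": "WinAD-DC01", "username": "alice", "payload": "4624 user=alice src=10.0.0.5"},
    {"logsource": "WinAD-DC01", "username": "bob",   "payload": "4624 user=bob src=10.0.0.6"},
    {"logsource": "VPN-GW",     "username": "N/A",   "payload": "session up usr=carol ip=10.9.0.2"},
    {"logsource": "VPN-GW",     "username": "N/A",   "payload": "session up usr=dave ip=10.9.0.3"},
    {"logsource": "VPN-GW",     "username": "erin",  "payload": "session up usr=erin ip=10.9.0.4"},
    {"logsource": "NGFW-Edge",  "username": "N/A",   "payload": "deny tcp 10.0.0.5 -> 8.8.8.8:53"},
    {"logsource": "NGFW-Edge",  "username": "N/A",   "payload": "allow tcp 10.0.0.6 -> 1.1.1.1:443"},
]

# Payload tokens assumed to carry the user; a real custom property uses your own log format.
USER_TOKEN = re.compile(r"\b(?:user|usr|uid)=([^\s,;]+)")

def has_identity(username):
    """True when the parsed username column carries a real identity, not N/A."""
    return bool(username) and username.strip().upper() != "N/A"

def identity_in_payload(payload):
    """User found in the raw payload, or None; this is what a custom property would extract."""
    m = USER_TOKEN.search(payload)
    return m.group(1) if m else None

def audit_log_sources(events, min_ratio=0.9):
    """Per log source -> (verdict, events_with_username, total_events). Verdict is 'ok'
    (username parsed in >= min_ratio of events), 'custom_property' (username missing but
    recoverable from the payload) or 'no_identity' (nothing to recover; a tuning candidate)."""
    counts = defaultdict(lambda: [0, 0, 0])  # [parsed, recoverable, total]
    for ev in events:
        c = counts[ev["logsource"]]
        c[2] += 1
        if has_identity(ev.get("username")):
            c[0] += 1
        elif identity_in_payload(ev.get("payload", "")):
            c[1] += 1
    report = {}
    for src, (parsed, recoverable, total) in counts.items():
        if parsed / total >= min_ratio:
            verdict = "ok"
        elif recoverable:
            verdict = "custom_property"
        else:
            verdict = "no_identity"
        report[src] = (verdict, parsed, total)
    return report
```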
2. Take Proper Inventory of Identity Sources
Once they have the QRadar deployment tuned and performing properly, they move to their UBA deployment.
In this phase, they start by taking a proper inventory of their identity sources and importing those identities so they can be coalesced in the UBA app. They begin with Active Directory, but continue with other sources of identity such as IAM, the VPN directory, vaults and, of course, mainframe identities. For more on importing identities from sources other than Active Directory, please visit my blog at https://ibm.co/39wEStj
3. Set Up Use Cases
Once the identities are all imported and coalesced, it’s time to move on to setting up use cases. But before we go there, one word of caution: when you coalesce identities to a primary ID (humanoid), please ensure that you focus only on the fields that have a unique value associated with a user (and ensure you pick all such fields).
Now we are ready to articulate, list, set up, tune and enable use cases that help detect specific behavioral anomalies that are important and can be damaging to the company.
Start with a small set of behaviors that are important to your business. Map those behaviors to the out-of-the-box use cases available in UBA. For each use case, UBA documents the logs and/or flow sources needed for that use case to work properly along with the required reference sets where needed.
As you did in the QRadar tune-up stage, please:
1) Ensure those log sources are being loaded into QRadar
2) Confirm they are parsing properly and capturing the users’ identities in the username field
Next, if the use case needs any reference sets, please populate them with the required information and go over the use case logic to make sure it makes sense to you. Finally, verify or tune its trigger frequency. Now you are ready to enable the use case.
I would strongly recommend you set up a cadence of 3 to 5 use cases per week. Set them up properly, see how they behave and detect, tune them, and move on to the next set of 5.
In Conclusion: The UBA Deployment Checklist
Below is a checklist that you can use to walk through the steps of a good UBA deployment:
- Check QRadar health
- Network hierarchy
- Console performance, search speed
- Tune logs, especially the chatty ones like NGFW
- Run a query in Log Activity where username is not N/A; identify and tune as necessary
- Log parsing, particularly users’ identities not showing in the username field
- Create a custom property for username, if required
- Identify all sources of identity
- Active Directory
- Import identities into UBA starting with Active Directory
- Import identities from other repositories (via CSV file)
- Coalesce all identities of a user to a primary ID (using only fields with unique values)
- Check the box that restricts the app to only work with IDs that are imported into UBA (this will avoid the problem of ID count swell, and give more time to bring in all the known identities into UBA)
- List out the behaviors that are important to monitor
- Map those behaviors to the UBA use case(s) that help detect any anomalous deviations in those behaviors
- Identify the data sources (logs/flows) needed for each of the use cases
- Ensure the logs are being loaded into QRadar
- Ensure the logs are parsing properly, including the users’ identity
- Populate the reference sets if the use case depends on one
- Verify that the building blocks BB:UBA: Common Event Filters and BB:UBA: Common Log Source Filters are correct. Also ensure you have populated the dependent elements like UBA: Trusted Log Source Group
- Verify the logic and building blocks of each use case (click on the <pencil> on the use case/rules tuning page)
- Enable each use case once its log sources, reference sets and logic are configured properly
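The coalescing caution from step 3 and the "using only fields with unique values" checklist item above, as an added example that is not the UBA app's own logic: a small union-find over constructed AD, VPN and mainframe identity records shows that joining on a unique field such as the mailbox yields one humanoid per person, while adding a non-unique field such as display name silently merges two different people into one. Record layout, field names and a `shared_values` pre-check for non-unique fields are assumptions for the demo.

```python
from collections import defaultdict

# Constructed identity records as imported from AD, the VPN directory and a
# mainframe CSV; "login" is the ID in that source, other fields are attributes.
IMPORTED = [
    {"source": "AD",   "login": "jsmith",  "mail": "john.smith@example.com", "displayName": "John Smith"},
    {"source": "VPN",  "login": "jsmith",  "mail": "john.smith@example.com"},
    {"source": "RACF", "login": "JSMIT01", "mail": "john.smith@example.com"},
    {"source": "AD",   "login": "jasmith", "mail": "jane.smith@example.com", "displayName": "Jane Smith"},
    {"source": "VPN",  "login": "jasmith", "mail": "jane.smith@example.com"},
    # a second, unrelated John Smith: same display name, different mailbox
    {"source": "AD",   "login": "jsmith2", "mail": "john.smith2@example.com", "displayName": "John Smith"},
]

def shared_values(records, field):
    """Values of `field` that repeat across different logins within one source. A field
    with any such value is not a per-user unique key and must not be used for coalescing."""
    seen = defaultdict(set)
    for r in records:
        if field in r:
            seen[(r["source"], r[field])].add(r["login"])
    return sorted(v for (_, v), logins in seen.items() if len(logins) > 1)

def coalesce(records, key_fields):
    """Merge records that share a value in any of key_fields (transitively) into
    humanoids: {primary_id: sorted 'source:login' aliases}. Primary ID is the AD
    login where present. Union-find over record indexes and (field, value) nodes."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for i, r in enumerate(records):
        for f in key_fields:
            if f in r:
                parent[find(("rec", i))] = find((f, r[f]))
    groups = defaultdict(list)
    for i, r in enumerate(records):
        groups[find(("rec", i))].append(r)
    humanoids = {}
    for recs in groups.values():
        primary = next((r["login"] for r in recs if r["source"] == "AD"), recs[0]["login"])
        humanoids[primary] = sorted(f'{r["source"]}:{r["login"]}' for r in recs)
    return humanoids
```

Run `shared_values(IMPORTED, "displayName")` before choosing key fields: any field it reports should be left out of the coalescing configuration.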
Learn more about detecting insider threats with QRadar User Behavior Analytics.