Forcepoint User and Entity Behavior Analytics (UEBA)
AI-Fueled Behavior Analytics to Identify Real Entity Risk

Use Cases:

Features:

Uniquely Powerful Analytics to Achieve Situational Awareness

Platform Architecture:

From Data to Behavior Insights - Functional Architecture

The Forcepoint User and Entity Behavior Analytics (UEBA) platform is a distributed, fault-tolerant, fullstack application that enables deep visibility into your critical data streams for identifying enterprise insider risks. The purpose of this document is to provide an understanding of the major components within the Forcepoint UEBA application, how they contribute to the overall Forcepoint UEBA solution, and specific technical benefits of these components.

As described below, and illustrated on the following page, raw data from a multitude of sources flows into the Ingest Architecture, and finally into the Application layer, where enriched Forcepoint UEBA events are persisted, analyzed, and presented to analysts for investigative review.

Architecture Layers

Layer I: Data › Forcepoint UEBA collects raw data from a wide variety of enterprise data feeds, including communications, physical access, endpoint, and network activity. Forcepoint DLP and Forcepoint Insider Threat are recommended—but not required —data sources.

Layer II: Ingest › In the Ingest layer, raw data feeds are transformed and prepared for analysis. Leveraging a flexible data collection platform (i.e., TCP listener, FTP download), Forcepoint UEBA gathers raw data, transforms to Forcepoint UEBA’s event format, and passes data through its ingest pipeline and analytics engine.

Layer III: Application › The Application layer provides massively scalable data storage and querying capabilities, runtime behavior analytics, an analyst and administrator interface, as well as an outbound API.

Forcepoint UEBA Analytics Framework

Forcepoint UEBA’s analytic approach is founded on three core elements that establish: what can and should be captured; how to capture activity and enrichment information; and which analytic models to run to identify insider risk. Each element is briefly described below.

Audit Guidance › Recommends the ideal logging and collection settings given a customer’s network and security ecosystem.

Information Model › Ensures the consistency of data mapping across very different data sources.

Baseline Analytic Models › Provides out-of-the box analytic configurations of features, models and scenarios.

Layer I: Data Processing Platform

Forcepoint UEBA relies on feeds from an organization’s existing sensors, logs and network security fabric to deliver its insider threat behavioral analytics. To consume raw data, Forcepoint UEBA’s Data Processing Platform leverages a range of collections mechanisms which can include listening for incoming TCP or UDP streams (i.e., syslog), API queries (i.e., Splunk API), or batch data pulls using FTP, file share access, etc.

Layer II: Ingest

The first set of components in the platform handles data ingest and enrichment. Once the types of data to be analyzed in Forcepoint UEBA are determined, as prescribed by the Audit Guidance, those data sources are mapped to the Information Model in the pre-ingest dataflow processing platform. They are then ingested into Forcepoint UEBA via the Public API and are finally piped through a series of enrichment and analytic processes. Each of these components and their benefits are discussed below.

1. Pre-Ingest Data Flow Processing Platform › Forcepoint UEBA primarily uses the Apache NiFi framework for processing data prior to ingest into the platform. Originally developed by the National Security Agency, Apache NiFi moved to open source in 2014. The key concepts of the NiFi framework—data provenance, transformation, loose coupling, high concurrency, metrics—align closely with Forcepoint UEBA’s ingest objectives, and the productized Forcepoint UEBA/NiFi solution provides customers with a set of workflows, templates, and processors, for datasource consolidation and publishing to the Forcepoint UEBA Public API, that are standardized, hardened and resilient. The data flow processing platform also enables customers to develop and implement environment-specific enrichment processors for marking up events prior to ingest in Forcepoint UEBA, so data feeds can be customized without the added cost of Forcepoint UEBA professional services. In summary, the pre-ingest data flow processing platform provides additional extensibility and flexibility without introducing added cost or complexity.

2. UEBA Streaming Ingest Public API › The Forcepoint UEBA Public API is a RESTful API used for ingesting event and entity information into the application, either in real-time or via bulk upload to the API. The API contains numerous convenience endpoints that align with the Information Model mappings (also used in the preingest data flow processing platform), and also offers a standardized set of metrics that measure request latencies. Convenience and visibility into ingest are two primary benefits offered by the Public API. (Note: Certain data sources can be placed directly into the ingest pipeline discussed below, but Forcepoint UEBA strongly recommends use of the Public API.)

3. UEBA Ingest Pipeline (Validation › Enrichment › Analytics) › Once event and entity information is ingested via the Public API, it is placed on the Message Queue and into the Queue Worker for further processing and enrichment. Each of the processors in the queue worker ultimately provides benefits downstream for analytics and forensic investigation. Let’s look at each:

• Event Date Validator: Enables Forcepoint UEBA to ingest only events that are relevant to the configured analytic time window
• Deduplication: Allows for removal of duplicate events so they do not create noise and unnecessary work for users in the application
• Entity Resolution: Provides resolution of identifiers on an event to a specific entity, so that a single entity can easily be tied to multiple identifiers and modes of activity
• Disclaimer Detection: Removes analytically uninteresting text, namely disclaimers, from communications events so that they do not generate noise in the system
• Labeling: Racilitates labeling of events based a defined set of policies
• Feature Scoring: Represents the first building block in our analytic process, by scoring every event based on the configured set of Baseline Analytic Models loaded into the system

Layer III: Forcepoint UEBA Application

Once events and entities are ingested into the system, they are then stored for use in the application. This section outlines the functions and benefits of each component in the application itself.

4. Data Store › Forcepoint UEBA uses ElasticSearch (ES) as the primary data store for event and entity information. Elasticsearch is proven at scale and provides significant end-user benefits for text search, analytics and aggregation that other database technologies simply cannot provide.

5. Master Data Service (MDS) › Forcepoint UEBA’s proprietary Master Data Service provides much of the application’s analytic capability and also correlates data from within the Elasticsearch data store to other supporting technologies (e.g., Postgres and Redis are used to store relational and transactional data). One advantage of that separation of data stores is the ability to scale them independently of each other, allowing for more deployment configuration controls based on users monitored and data ingested, and ultimately lower operational expense for our customers.

• Runtime Analytics: These analytics enable the execution of ad hoc, real-time analyst queries, entity-centric risk score calculations and scenariobased user behavior analysis (i.e., data exfiltration, privileged user abuse, and flight risk scenario-based analytic rollups).
• Data layer: User credentials, entitlements and roles are stored in the Master Data Service. Additionally, cached application data is maintained here, speeding query response times.
• Files/Attachments: For those event feeds which include files and attachments, the Master Data Service indexes the contents of those files for attachments, and optionally persists the original attachments for easy end-user access and drill-down from the user interface. This vastly improves analyst productivity by allowing an integrated forensic deep dive, directly from a scored event.

6. UI Services › Forcepoint UEBA’s user interface layer is a web application, whereas the client is a browser. A server running node.js HTTPS is used for all browser/ server interactions, Redis for caching application data, as well as user sessions.

7. Outbound API › Lastly, Forcepoint UEBA provides an Outbound API service that allows external applications to retrieve processed events and their associated analytic metadata (i.e., Feature and Models). This enables customers to leverage Forcepoint UEBA’s analytic findings in other systems (i.e., security orchestration or workflow).

Key Architecture Takeaways

In summary, the Forcepoint UEBA ingest and application stack uses a variety of well understood and highly respected open source technologies, combined with proprietary solutions, in order to offer the following technical differentiators and benefits for our customers:

• Modern, scalable architecture that grows horizontally as data volumes grow
• Flexible entity and event data model that is “baked into” the Forcepoint UEBA ingest pipeline, which can consume, resolve and analyze both structured and unstructured data, and allows for rapid integration of new feeds
• Pipelined data processing that sequences content classification, event scoring, risk modeling and behavioral profiling
• Highly configurable real-time analytics allow Forcepoint UEBA to tackle a variety of use cases, from rogue trading to market manipulation to data exfiltration and corporate espionage
• Real-time query engine allows ad hoc, analyst-driven investigation and behavioral analytics

Information Security:

Protect IP, Detect Compromised Accounts and Reduce Insider Risk

Forcepoint User and Entity Behavior Analytics (UEBA) enables security teams to proactively monitor for high risk behavior inside the enterprise. Our security analytics platform provides unparalleled context by fusing structured and unstructured data to identify and disrupt malicious, compromised and negligent users. We uncover critical problems such as compromised accounts, corporate espionage, intellectual property theft, and fraud.

Why Forcepoint UEBA for security

Our clients rely on us to deliver context about human behavior inside the enterprise. Only Forcepoint UEBA offers configurable analytics to help security analysts tackle the problems that matter most to the business. We are built to scale while helping security teams:

• Reduce the time to detect insider attacks
• Surface relevant alerts at a time when security teams are drowning in noise
• Get granular about insider activity, going beyond SIEM and other tools in your stack
• Improve investigation efficiency for incident response and post-breach forensics

Platform Pillars

Forcepoint UEBA provides insight into high-risk behaviors and individuals, not just anomalous alerts. By evaluating nuanced interactions between people, data, devices and applications, Forcepoint UEBA prioritizes timelines for security teams. Our software is built upon four pillars:

• Rich Context › Fuses disparate data sources into a single narrative, combining communications content to decipher intent alongside SIEM, endpoint and employee enrichment feeds.
• Behavioral Analytics › Applies multiple types of rigorous behavioral and content-based analytics focused on change, pattern, and anomaly detection to better detect sophisticated attacks.
• Search & Discovery › Exposes powerful forensic search and discovery tools through a context-rich user interface for ongoing monitoring and deep-dive investigations.
• Intuitive Workflow › Delivers proactive reporting that fully integrates with human workflow and existing client information architecture to streamline operational efficiency.

Redefining Security Analytics

Context-Driven Visibility › Forcepoint UEBA uniquely delivers visibility into employee activities, behaviors and relationships by integrating unstructured, context-rich data streams with structured data. Our analytic models allow entities and events to be scored and prioritized through multiple lenses across all data streams — previously unavailable to security teams. We also integrate with Active Directory, SIEM, EDRs, and key data sources to offer true situational awareness, and a powerful forensic platform that radically enhances internal investigations.

Configurable Analytics › Traditional, black-box UBA tools are often limited to structured data sources, analyzed in disparate systems, with a fixed configuration of analytics. Forcepoint UEBA, in contrast, delivers powerful analytic capabilities that allow security teams to address evolving security use cases, and to perform real-time ad hoc analysis, including advanced search across all data sets. Our analytics can be tuned without additional programming, allowing a more nimble response to security threats.

Scale › We are fundamentally built to scale. Only Forcepoint UEBA uses ElasticSearch to power instant access to massive amounts of data. Our platform seamlessly stores both structured and unstructured data and scales horizontally to grow with our clients. Forcepoint UEBA also provides variable levels of access and administrative controls so you can rely on our technology to work for your business in any type of deployment.

Regulatory Surveillance:

Meet your compliance obligations more effectively and with fewer resources

Join the revolution of industry-leading banks, hedge funds, and asset managers using Forcepoint User and Entity Behavior Analytics (UEBA) to more precisely identify employees engaged in bad behavior—whether illegal, non-compliant, or posing a reputational risk— and speed both initial review and deeper investigation. Forcepoint UEBA creates the most targeted set of employees and events for review, and then gives compliance teams the most intuitive and context-rich interface from which to triage, escalate, and resolve alerts as necessary.

Why Forcepoint UEBA

• Identify employees that are putting the organization at risk
• Reduce the cost of surveillance
• Respond quickly to regulators

Platform Pillars

Forcepoint UEBA provides insight into high-risk behaviors and individuals, not just high-risk events. By evaluating nuanced interactions between people, data, devices and applications over time, Forcepoint UEBA prioritizes timelines for compliance teams. Our software is built upon four technical pillars:

• Full Context › Fuses disparate data sources into one platform, including communications content, trade activity and alerts from existing trade monitoring systems, and employee enrichment feeds.
• Sophisticated Analytics › Applies multiple types of rigorous behavior and content-based analytics focused on change, pattern, and anomaly detection.
• Search and Discovery › Exposes powerful forensic search and discovery tools through a context-rich user interface for ongoing monitoring and deep-dive investigations.
• Intuitive Workflow › Delivers proactive reporting that fully integrates with human workflow and existing client information architecture.

How Forcepoint UEBA is reshaping the cost of surveillance

Optimize Workflow › Forcepoint UEBA is radically reshaping organizational workflow in two big ways. First, organizations are able to adopt a more strategic supervisory structure that efficiently distributes work across front office supervisors, compliance teams, and audit functions. Second, the capability to see all relevant data in one place—without waiting multiple days for it to be retrieved from various silos by IT personnel— significantly increases day-to-day monitoring and indepth investigations.

Replace Costly, Ineffective Technology › Forcepoint UEBA’s modern “big data” architecture is highly scalable to cover more employees, data, and use cases than legacy technology. In addition, the capability to support sophisticated analytics, house all relevant data, and provide real-time search results across the platform is foundational to unlocking analyst efficiency.

Discover and Stop Insider Threat:

Forcepoint UEBA's uniquely powerful analytics find malicious insiders no matter how they try to hide

The insider threat spans an overwhelming landscape. It is nearly impossible to achieve situational awareness while at the same time quickly identifying specific threats. The Forcepoint User and Entity Behavior Analytics (UEBA) Insider Threat platform leverages a uniquely powerful analytic framework that pierces through the fog by looking across all insider activity, factoring in the intrinsic risk of each insider and supplementing activity streams with value-add information from across a company’s security and compliance ecosystem.

The Unique Power of Forcepoint UEBA's Analytics

Operational Overview

Forcepoint UEBA integrates readily with communications, security, and other enterprise applications currently in use. Forcepoint UEBA’s built-in, proprietary behavioral analytics models analyze information from across the across the enterprise to generate a holistic view of behavioral risk:

Screenshots:

Documentation:

Download the Forcepoint UEBA User & Entity Behavior Analytics Datasheet (.PDF)