Check Point Email Security | Blog

The DNA Behind UEBA

Written by Jeremy Fuchs | March 3, 2022

SmartPhish, Avanan's AI algorithm that snuffs out phishing before it reaches the inbox, monitors over 300 different indicators. Another important tenet of protection is User and Entity Behavior Analytics (UEBA), a critical form of protection against pre-existing attacks. UEBA determines whether a user has already been compromised by observing login trends, email habits, and the browser environments that the recipient uses. UEBA monitors the typical behavior of users so that when something out of the ordinary happens, it stands out. Avanan then takes inventory of, and limits the damage from, any attack already in progress.

Key aspects of UEBA include an understanding of user login locations (e.g., log-ins from locations too geographically distant from each other to be reasonable in a short period of time, often called a "Superman Attack"), suspicious mail-forwarding rules (like forwarding all mail to an external account), user activity aberrations (e.g., a user who normally sends 50 emails per day all of a sudden sending 500 in one day), and detecting the version of the browser someone is running, in case an outdated version has known security holes leading to data leakage.
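To make the four signals above concrete, here is an added example (not Avanan's code, and not a description of how SmartPhish or Avanan's UEBA is implemented) that runs each check over constructed audit events: an impossible-travel check on login geolocation, an external-forwarding-rule check, a send-volume spike against a per-user baseline, and a browser-version check. The sample events, the 1000 km/h travel limit, the 5x spike factor, the internal domain `example.com`, and the minimum browser versions are all assumptions chosen for illustration.

```python
"""Toy UEBA checks over constructed audit events (added example, not vendor code).
Every event, threshold and the browser version table below is an assumption."""
from math import radians, sin, cos, asin, sqrt

# Constructed login events: (user, unix_time_seconds, latitude, longitude)
LOGINS = [
    ("alice", 0,        40.71,  -74.01),   # New York
    ("alice", 30 * 60,  51.51,   -0.13),   # London, 30 minutes later
    ("bob",   0,        37.77, -122.42),   # San Francisco
    ("bob",   8 * 3600, 34.05, -118.24),   # Los Angeles, 8 hours later
]

# Constructed mailbox rules: (user, rule_name, forward_to_address)
FORWARD_RULES = [
    ("alice", "archive",  "alice-archive@example.com"),
    ("carol", "invoices", "payments@attacker.example"),
]

# Constructed daily send counts: user -> (baseline over prior days, today)
SEND_COUNTS = {"alice": (50, 500), "bob": (40, 45)}

# Constructed user-agent strings and an assumed minimum-supported-version table
USER_AGENTS = {"alice": "Chrome/98.0", "bob": "Firefox/52.0"}
MIN_BROWSER_VERSION = {"Chrome": 96, "Firefox": 91}

MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumed: faster than any commercial flight
VOLUME_SPIKE_FACTOR = 5            # assumed: today > 5x baseline is anomalous
INTERNAL_DOMAIN = "example.com"    # assumed organization domain


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag users whose consecutive logins imply an implausible travel speed."""
    by_user = {}
    for user, ts, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((ts, lat, lon))
    flagged = set()
    for user, events in by_user.items():
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            hours = max((t2 - t1) / 3600.0, 1e-9)  # guard against same-second logins
            if haversine_km(la1, lo1, la2, lo2) / hours > max_speed_kmh:
                flagged.add(user)
    return flagged


def external_forwarding(rules, internal_domain=INTERNAL_DOMAIN):
    """Flag users with a rule that forwards mail outside the organization."""
    return {user for user, _name, target in rules
            if target.rsplit("@", 1)[-1].lower() != internal_domain}


def volume_spikes(counts, factor=VOLUME_SPIKE_FACTOR):
    """Flag users whose send count today exceeds `factor` times their baseline."""
    return {user for user, (baseline, today) in counts.items()
            if today > factor * max(baseline, 1)}


def outdated_browsers(agents, minimums=MIN_BROWSER_VERSION):
    """Flag users whose browser major version is below the assumed minimum."""
    flagged = set()
    for user, ua in agents.items():
        name, _, version = ua.partition("/")
        major = int(version.split(".")[0])
        if name in minimums and major < minimums[name]:
            flagged.add(user)
    return flagged


def ueba_report():
    """Run all four checks over the constructed data and return flagged users."""
    return {
        "impossible_travel":   impossible_travel(LOGINS),
        "external_forwarding": external_forwarding(FORWARD_RULES),
        "volume_spike":        volume_spikes(SEND_COUNTS),
        "outdated_browser":    outdated_browsers(USER_AGENTS),
    }


if __name__ == "__main__":
    for check, users in ueba_report().items():
        print(f"{check}: {sorted(users) or 'none'}")
```

Each check returns the set of users it flagged, so the same functions can be pointed at real audit exports once the thresholds are tuned to an organization's own baselines; a real system would also maintain those baselines continuously rather than hard-coding them.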

Avanan's UEBA constantly evolves and learns, based on things like user activity, the SaaS services that folks use most frequently, logins, how often they reset passwords, and more. It's a dynamic feature that constantly takes in new information, adjusts, and improves. It is a bellwether for reporting pre-existing attacks, and Avanan can integrate in ways that let you limit damage by forcing email password resets and/or MFA adjustments, while also giving you powerful data to understand from whom, where, and how malicious actors are canvassing your SaaS environment.

In short, while Avanan customers benefit from the pre-emption of incoming threats via our more than 300 indicators of phishing, UEBA is another important piece of the puzzle and can offer additional peace of mind. We can take user-specific attributes and create abnormality reports and agentless Shadow IT reports. This is key, especially if a user gets compromised outside of email.

This is particularly critical if you are using a Legacy Email Gateway. These gateways sit in front of the inbox; however, by their architecture, they disable Google's or Microsoft's built-in protections. And since UEBA actions only help post-delivery, if a gateway without UEBA misses a phish (which it often does), that phish goes straight into the inbox.

Avanan's UEBA is used to help detect, identify and suggest anomalies. But our bread and butter is stopping attacks before the user can even act. Think about it this way: Wouldn't you want the chicken pox vaccine instead of hearing how to best treat it once the user has already contracted it and has scratched their arm?