Question

UEBA Risk Score

  • 17 May 2021
  • 1 reply
  • 49 views

LogPoint UEBA: User Risk Score


How are the User Risk Scores being calculated (“weighted totals”, “fuzzy logic”, ...)?


It’s not as simple as that. As behaviours occur, LogPoint processes these events and calculates that which is normal from dozens of behavioural perspectives. For example, LogPoint will count how many times Bob logs in each hour, how often his authentication attempts fail, at what time of day, or which day of week he is normally active, etc. These metrics are all calculated using unsupervised machine learning. This means that the system identifies what is normal, rather than administrators setting thresholds for each event type. As new observed behaviours occur, LogPoint determines whether the behaviours are normal or unusual. When unusual, LogPoint calculates how unusual the behaviour is. The more unusual the behaviour, the higher the significance of the anomaly, and the more it contributes to the overall risk score. So the contribution of each risky event towards the risk score depends on its deviation from the baseline. This is then normalised across other behaviours from other entities to arrive at a risk score that is always between 0 and 100 for all entities - which coincidentally is a problem with some UEBA solutions where there are perpetually escalating risk scores. When the entity is not engaging in any activity, the risk score decays downward towards zero; as a result, when the entity goes a long time without registering any suspicious activities, its risk score will trend toward zero.
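As an added illustration that is not LogPoint's code and makes no claim about its actual model, the toy scorer below walks through the four steps the reply describes: learn a per-entity, per-metric baseline from history, turn each new observation into an anomaly contribution that grows with its deviation from that baseline, normalise the raw total across the whole population onto a bounded 0..100 scale, and decay the score while the entity is idle. The entity names, the two metrics, the hourly counts, the 2-sigma "normal band", the saturating normalisation curve and the 24-hour half-life are all constructed assumptions chosen to make the mechanics visible.

```python
"""Toy UEBA risk scorer: baseline, deviation, population normalisation, decay.

Illustrative only; none of the constants or data below come from LogPoint.
"""
import math

# Constructed sample history: hourly counts per entity and per behavioural metric.
HISTORY = {
    "bob":   {"logins_per_hour": [4, 5, 3, 4, 6, 5, 4, 5, 4, 6],
              "auth_failures_per_hour": [0, 1, 0, 0, 1, 0, 0, 0, 1, 0]},
    "alice": {"logins_per_hour": [2, 3, 2, 2, 3, 2, 3, 2, 2, 3],
              "auth_failures_per_hour": [0] * 10},
    "carol": {"logins_per_hour": [5, 5, 6, 5, 5, 6, 5, 5, 6, 5],
              "auth_failures_per_hour": [0, 0, 0, 1, 0, 0, 0, 0, 0, 0]},
}

# Constructed "current hour" observations: bob is far off baseline,
# carol mildly so, alice entirely normal.
OBSERVED = {
    "bob":   {"logins_per_hour": 40, "auth_failures_per_hour": 25},
    "alice": {"logins_per_hour": 3,  "auth_failures_per_hour": 0},
    "carol": {"logins_per_hour": 9,  "auth_failures_per_hour": 3},
}

MIN_STD = 0.5       # floor so a perfectly flat history cannot divide by zero
NORMAL_BAND = 2.0   # deviations up to 2 sigma are treated as "normal" (assumption)


def baseline(samples):
    """Mean and floored population standard deviation of one metric's history."""
    n = len(samples)
    mean = sum(samples) / n
    var = sum((x - mean) ** 2 for x in samples) / n
    return mean, max(math.sqrt(var), MIN_STD)


def deviation(value, mean, std):
    """Distance of the observation from the baseline, in standard deviations."""
    return abs(value - mean) / std


def contribution(z):
    """Anomaly significance: zero inside the normal band, growing linearly beyond it."""
    return max(0.0, z - NORMAL_BAND)


def raw_risk(history, observed):
    """Sum of per-metric anomaly contributions for a single entity."""
    total = 0.0
    for metric, value in observed.items():
        mean, std = baseline(history[metric])
        total += contribution(deviation(value, mean, std))
    return total


def normalise(raw_by_entity):
    """Map raw risk to 0..100 relative to the whole population.

    The saturating curve never exceeds 100 however large the raw total grows,
    so scores cannot escalate without bound; the population mean is the scale,
    so each entity is scored relative to its peers in this cycle.
    """
    scale = max(sum(raw_by_entity.values()) / len(raw_by_entity), 1e-9)
    return {e: 100.0 * (1.0 - math.exp(-r / scale)) for e, r in raw_by_entity.items()}


def decay(score, idle_hours, half_life_hours=24.0):
    """Halve the score every half_life_hours of inactivity; it trends toward zero."""
    return score * 0.5 ** (idle_hours / half_life_hours)


def score_all(history=HISTORY, observed=OBSERVED):
    """Raw risk for every entity, normalised across the population."""
    raw = {e: raw_risk(history[e], observed[e]) for e in observed}
    return normalise(raw)


if __name__ == "__main__":
    for entity, s in sorted(score_all().items(), key=lambda kv: -kv[1]):
        print(f"{entity:6s} risk={s:5.1f}   after 48h idle={decay(s, 48):5.1f}")
```

Two design points worth noting when reading the output: alice's tiny fluctuation never leaves the normal band, so she scores exactly 0 regardless of how extreme bob's hour was, while bob's raw total of roughly 84 is compressed into a score in the low 90s rather than running past 100. Swapping the linear `contribution` for a steeper curve, or the population mean for a percentile, changes the shape of the scores but not the bounded, relative character the reply emphasises.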