Safetica UEBA (User and Entity Behavior Analytics) is an optional extra module for our Safetica ONE DLP solution, which enhances its capabilities regarding user activities and insider threats.
Information in this article applies to Safetica ONE 10 or older.
Safetica UEBA deepens your overview of dangerous and undesirable user actions, so you can identify hidden security risks and avoid idle activities at work. This can be a simple matter of taking care of personal business at work, or something much more serious, like leaking sensitive data out of the company. You will also see if users use their assigned software or if they hang out on social media way too much.
With Safetica UEBA, you can set up real-time alerts, so if there is something suspicious going on, you will be notified immediately. The Safetica UEBA records are collected continuously, even when the endpoint is offline, and are regularly synchronized with the server, where they are stored securely.
With Safetica UEBA, you can:
- Perform a user activity audit.
- Find out to what extent company resources are used for work-related purposes.
- Get an overview of social media and job portal visits to reduce the risk of data leaks.
- Gain insight into incoming and outgoing email communication.
- Get regular reports and real-time alerts about user activities.
- Get an overview of what applications are used and what websites are visited by specific users.
Please note that the features offered by Safetica UEBA might differ based on market and regional legislation specifics.
In Safetica Management Console, you can find:
- Applications – overview of application use on endpoints.
- Web sites – web browsing audit on endpoints.
- E-mails – extended audit of e-mails sent and received from endpoints.
- Alerts – real-time notifications about dangerous or undesirable user activities.
- Reports – automated reports about user activities.
In WebSafetica -> Behavior analysis, you can find the following sections:
- Overview – high-level information about user productivity.
- Users activity – specific information about individual users and their activities.
- Trends – overview of the most interesting activities.
- E-mails – information about sent and received emails.
Safetica UEBA in Safetica Management Console
Applications, Web sites, and E-mails can be turned on and configured in Safetica Management Console -> Discovery -> Functions settings. Reports and Alerts have their own icons in the main menu.
In the Applications section of Safetica UEBA, you will find information about all launched applications and the active time users spent in them. You will see application categories, application paths, users working with specific applications, and date and time. You can find out if expensive applications were used effectively or if illegal or dangerous programs were run.
What is active time?
Safetica UEBA only records the time when users are active within applications or on websites. If an application is running in the background, Safetica UEBA doesn't record this time. The state of an application or website is changed to Inactive after 5 minutes of inactivity. You can define this time interval in Maintenance -> Endpoint settings -> Other settings -> Interval for the user's inactivity determination.
Fast switching between various application windows (within 3 seconds) is not recorded as active time. A running screensaver is also not recorded as active time.
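The rules above can be applied to a timeline of window-focus and input events to see which intervals end up counted. This is an added illustration, not Safetica's implementation; the event format, the `active_time` function, the `screensaver` marker, and the treatment of the first 5 minutes after the last input as active are assumptions.

```python
from collections import defaultdict

IDLE_LIMIT = 5 * 60          # default inactivity interval from the article, in seconds
FAST_SWITCH = 3              # focus spans this short are treated as fast switching
SCREENSAVER = "screensaver"  # constructed marker for a running screensaver


def active_time(focus_events, input_times, end, idle_limit=IDLE_LIMIT):
    """Return {application: active seconds}.

    focus_events: sorted [(timestamp, app)], the window that gained focus.
    input_times:  sorted timestamps of keyboard or mouse activity.
    end:          timestamp at which the observation stops.
    """
    totals = defaultdict(int)
    spans = zip(focus_events, focus_events[1:] + [(end, None)])
    for (start, app), (stop, _) in spans:
        # Background time never appears here: only the focused window is counted.
        if app == SCREENSAVER or stop - start <= FAST_SWITCH:
            continue
        # Assumption: gaining focus counts as user activity at `start`.
        marks = [start] + [t for t in input_times if start < t < stop]
        for cur, nxt in zip(marks, marks[1:] + [stop]):
            # Assumption: time after an input counts as active until the
            # idle limit is reached, then the state is Inactive.
            totals[app] += min(nxt - cur, idle_limit)
    return dict(totals)


# Constructed sample: seconds since the start of the observation.
FOCUS = [(0, "excel.exe"), (600, "chrome.exe"), (602, "outlook.exe"),
         (900, SCREENSAVER), (1500, "excel.exe")]
INPUTS = [10, 100, 250, 610, 700, 1510, 1600]
END = 2100

if __name__ == "__main__":
    for app, seconds in sorted(active_time(FOCUS, INPUTS, END).items()):
        print(f"{app}: {seconds} s active")
```

In the sample, the 2-second visit to `chrome.exe` and the screensaver period contribute nothing, and each long pause in `excel.exe` is capped at the inactivity interval.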
In the Web sites section of Safetica UEBA, you will find information about visited websites and the active time spent on them. You will see not only whether users visit websites from dangerous categories, such as Malware or Pornography, but also other details such as domain and URL, title, protocol, browser, and date and time. The Job search category shows the time spent on job search portals, which matters because employees leaving the company can often cause a data leak. If you know about it, you can prevent the leak, or find out their reasons for wanting a job change and use this information to increase their job satisfaction.
Safetica supports all major web browsers. Learn more in this article.
Safetica UEBA extends the E-mails section to also audit emails without attachments and emails received by users. It can provide information about emails sent and received through email clients.
Safetica UEBA offers a number of real-time alerts which will notify you about potentially dangerous or undesirable user activities as they arise. You can set warnings for selected incidents and if any such situation occurs, you will be notified by Safetica Management Console or via an email message (depending on your settings).
Alerts available in Safetica UEBA:
- Network – Time spent on web categories
- Network – Received e-mails count
- Network – Sent e-mails count
- Applications – Time spent on application categories
- Print – Printed documents count
- Print – Printed pages count
- Usage of dangerous web category
- High usage of dangerous web category
Safetica UEBA also supports automated reporting, which lets you create different reports and regularly send them to managers, directors, team leaders, administrators, or yourself. You can create activity reports for individuals, groups, or the whole company. To change the settings for reporting, go to Reports in the main menu.
With Safetica UEBA, you can create the following reports:
- Discovery – Web sites
- Discovery – E-mails
- Discovery – Applications
- Discovery – Print
Safetica UEBA in WebSafetica
After activating a Safetica UEBA license, a new Behavior analysis section appears in WebSafetica.
How is user productivity evaluated?
Productivity is evaluated based on the usage of websites and applications from certain behavior classes. Behavior classes divide application and web categories into Neutral, Productive, Unproductive, and Critical. You can select which website and application categories are considered productive or unproductive in Management -> Behavior classes. For the evaluation to work correctly, you should categorize as many applications and websites as possible.
How to categorize applications and websites?
Categorizing applications and websites is one of the few regular maintenance tasks you should be doing with Safetica. Categories are used for evaluating productivity, blocking access to undesirable websites such as Pornography, or setting up alerts, e.g. for job searches. None of these will be effective if most of the visited websites are not categorized. Ideally, less than 5% of records should be in the Unknown category. You can categorize applications and websites in Workspace -> Applications and websites by clicking the Unknown category link in the Category column.
Overview in the Behavior analysis section provides high-level information about how users spend their working time. You will see who spent the most time on the web and in applications, how much of this time was spent on activities classified as productive, and whether users spent any time on websites or in applications that are dangerous or undesirable. The data can be displayed for a chosen date range, user, group of users, or the whole company – use the drop-down menus in the upper left corner of the screen to configure this.
Data from the table can be saved either as .csv or .xlsx and the charts can be exported as .pdf.
The Users activity section connects users to specific activities and provides detailed information about them. You can see, for example, who used specific applications and visited specific websites, when, or for how long.
Best practice: See which applications were used the most by specific users in the "Management" group.
The Trends section contains charts with chosen categories that might be of interest to the admin or management. They help you to quickly analyze various departments in different time periods and export this information as reports.
The E-mails section provides information about emails sent and received via email clients. In E-mails, you will see all incoming and outgoing emails, attached documents, users, subjects, recipient's domain, sender's domain, and other details. It is useful for seeing whether users send emails to suspicious recipients, such as freemail or unknown domains.