What is user and entity behavior analytics (UEBA)?

UEBA, a term first coined by Gartner in 2015, is an evolution of user behavior analytics (UBA). Where UBA only tracked end-user behavior patterns, UEBA also monitors non-user entities, such as servers, routers and Internet of Things (IoT) devices for anomalous behavior or suspicious activity that might indicate security threats or attacks.

UEBA is effective at identifying insider threats—malicious insiders or hackers who use compromised insider credentials—that can elude other security tools because they mimic authorized network traffic.

UEBA is used within security operations centers (SOCs) alongside other enterprise security tools, and UEBA functions are often included in enterprise security solutions such as security information and event management (SIEM), endpoint detection and response (EDR), extended detection and response (XDR), and identity and access management (IAM).

UEBA solutions provide security insights through data analytics and machine learning. The behavior analytics tools within the UEBA system ingest and analyze high volumes of data from multiple sources to create a baseline picture of how privileged users and entities typically function. It then uses machine learning (ML) to refine the baseline. As ML learns over time, the UEBA solution needs to gather and analyze fewer samples of normal behavior to create an accurate baseline.

After modeling baseline behaviors, UEBA applies the same advanced analytics and machine learning capabilities to current user and entity activity data to identify suspicious deviations from the baseline in real time. UEBA assesses user and entity behavior by analyzing data from as many enterprise sources as possible—the more, the better. These sources typically include:

• Network equipment and network access solutions, such as firewalls, routers, VPNs and IAM solutions.
   

• Security tools and solutions, such as antivirus and antimalware software, EDR, intrusion detection and prevention systems (IDPS) and SIEM.
   

• Authentication databases, such as Active Directory, contain critical information about a network environment, including user accounts, active computers within the system, and the activities users are allowed to perform.

• Threat intelligence feeds and frameworks, such as MITRE ATT&CK, which provide information on common cyberthreats and vulnerabilities, including zero-day attacks, malware, botnets and other security risks.
   

• Enterprise resource planning (ERP) or human resources (HR) systems that contain pertinent information about users who could pose a threat, such as employees who have given notice or might be disgruntled.

UEBA uses what it learns to identify anomalous behavior and score it based on the risk it represents. For example, several failed authentication attempts within a short time frame or abnormal system access patterns could indicate an insider threat and would create a low-scoring alert. Similarly, a user plugging in multiple USB drives and engaging in abnormal download patterns might indicate data exfiltration and would be assigned a higher risk score.

Using this scoring metric helps security teams avoid false positives and prioritize the biggest threats while also documenting and monitoring low-level alerts over time that, in combination, could indicate a slow-moving but serious threat.

UEBA helps companies identify suspicious behavior and strengthens data loss prevention (DLP) efforts. Beyond these tactical uses, UEBA can also serve more strategic purposes, such as demonstrating compliance with regulations surrounding user data and privacy protection.

Malicious insiders: These attackers are people with authorized and even privileged access to the corporate network who are trying to stage a cyberattack. Data alone—such as log files or records of events—can’t always spot these people, but advanced analytics can. Because UEBA provides insights on specific users, as opposed to IP addresses, it can identify individual users violating security policies.

Compromised insiders: These attackers gain access to authorized users’ or devices’ credentials through phishing schemes, brute-force attacks or other means. Typical security tools might not find them because the use of legitimate, albeit stolen, credentials makes the attacker appear to be authorized. Once inside, these attackers engage in lateral movement, moving throughout the network and obtaining new credentials to escalate their privileges and reach more sensitive assets. While these attackers might be using legitimate credentials, UEBA can spot their anomalous behavior to help thwart the attack.

Compromised entities: Many organizations, particularly manufacturers and hospitals, use a significant number of connected devices, such as IoT devices, often with little to no security configurations. The lack of protection makes these entities a prime target for hackers, who might hijack these devices to access sensitive data sources, disrupt operations or stage distributed denial-of-service (DDoS) attacks. UEBA can help identify behaviors that indicate these entities have been compromised so threats can be addressed before they escalate.

Data exfiltration: Insider threats and malicious actors often seek to steal personal data, intellectual property or business strategy documents from compromised servers, computers or other devices. UEBA helps security teams spot data breaches in real time by alerting teams to unusual download and data access patterns.

Implementing zero trust security: A zero trust security approach is one that doesn't trusts and continuously verifies all users or entities, whether they’re outside or already inside the network. Zero trust requires that all users and entities be authenticated, authorized, and validated before being granted access to applications and data. Once access is granted, they must be continuously reauthenticated, reauthorized, and revalidated to maintain or expand that access throughout a session.

An effective zero trust architecture requires maximum visibility into all users, devices, assets and entities on the network. UEBA gives security analysts rich, real-time visibility into all end-user and entity activity, including which devices are attempting to connect to the network, which users are trying to exceed their privileges, and more.

GDPR compliance: The European Union’s General Data Protection Regulation (GDPR) imposes strict requirements on organizations to protect sensitive data. Under the GDPR, companies must track what personal data is accessed, by whom, how it is used and when it is deleted. UEBA tools can help companies comply with GDPR by monitoring user behavior and the sensitive data they access.

UEBA, or UEBA-type capabilities, are included in many security tools available today. While it can be used as a stand-alone product, UEBA should be viewed as one tool in the comprehensive cybersecurity toolbox. In particular, UEBA is often used with, or built into, the following tools:

Security information and event management (SIEM): SIEM systems aggregate security event data from disparate internal security tools in a single log and analyze that data to detect unusual behavior and potential threats. UEBA can expand SIEM visibility into the network through its insider threat detection and user behavior analytics capabilities. Today, many SIEM solutions include UEBA.

Endpoint detection and response (EDR): EDR tools monitor system endpoints, such as laptops, printers and IoT devices, for signs of unusual behavior that could indicate a threat. When threats are detected, the EDR automatically contains them. UEBA complements—and is often a part of—an EDR solution by monitoring the behavior of users on these endpoints. For example, a suspicious login might trigger a low-level alert to the EDR, but if the UEBA finds the endpoint is being used to access confidential information, the alert can be appropriately elevated and addressed quickly.

Identity and access management (IAM): Identity and access management tools ensure the right people and devices can use the right applications and data when needed. IAM is proactive and seeks to prevent unauthorized access while facilitating authorized access. UEBA adds another level of protection by monitoring for signs of compromised credentials or the abuse of privileges by authorized users.