What is user behavior analytics (UBA)?

UBA tools can detect when individual users do things they wouldn't normally do, such as logging in from a new IP address or viewing sensitive data they don't typically work with.

These minor anomalies might not trigger other network monitoring tools. However, UBA can determine that this activity is abnormal for this specific user and alert the security team.

Because they can detect subtly suspicious behaviors, UBA tools can help security operations centers (SOCs) spot evasive attacks such as insider threats, advanced persistent threats and hackers using stolen credentials.

This capacity is important for SOCs today. The abuse of valid accounts is the most common way that cybercriminals break into networks, according to the IBM X-Force Threat Intelligence Index.

UBA tools and techniques are used in various fields. For example, marketers and product designers often track user behavioral data to understand how people interact with apps and websites. However, in cybersecurity, UBA is primarily used for threat detection.

First defined by the analyst firm Gartner in 2015, user and entity behavior analytics (UEBA) is a class of security tools that evolved from UBA.

Like UBA, UEBA tools monitor network activity, establish baselines for normal behaviors and detect deviations from those norms. The key difference is that UBA tracks only human users, while UEBA systems also track activity and metrics from nonhuman entities such as apps and devices.

There is some debate about whether the terms are interchangeable. Some firms, such as the IDC, maintain that these are distinct classes of technology.¹ On the other hand, former Gartner analyst Anton Chuvakin has said that he considers UBA and UEBA to be roughly synonymous.

Regardless, a focus on users is what separates UBA and UEBA from similar security tools like security information and event management (SIEM) and endpoint detection and response (EDR). These tools enable security teams to understand and analyze system activity at the level of the individual user. Tracking nonhuman entities can add context, but it is not necessarily the core purpose of these tools.

Or, to quote Chuvakin: "'U' is a must," but "going beyond 'U' to other 'E' is not."

User behavior analytics tools continuously gather user data from sources throughout the network, which they use to create and refine baseline models of user behavior. The tools compare user activity against these baselines in real time. When they detect anomalous behavior that poses a significant risk, they alert the appropriate stakeholders.

UBA tools gather data about user attributes (for example: roles, permissions, location) and user activities (for example: changes they make to a file, sites they visit, data they move). UBAs can gather this information from various data sources, including:

• User directories, such as Microsoft Active Directory
   

• Network traffic logs from intrusion detection and prevention systems (IDPSs), routers, VPNs and other infrastructure
   

• User activity data from apps, files, endpoints and databases
   

• Login and authentication data from identity and access management systems
   

• Event data from SIEMs, EDRs and other security tools

UBA tools use data analytics to turn user data into baseline models of normal activity.

UBA tools can use basic analytics methods such as statistical modeling and pattern matching. Many also use advanced analytics, such as artificial intelligence (AI) and machine learning (ML).

AI and ML allow UBA tools to analyze massive data sets to create more accurate behavior models. Machine learning algorithms can also refine these models over time so that they evolve alongside changes to business operations and user roles.

UBA tools can create behavior models for both individual users and groups of users.

For an individual user, the model might take note of things like where the user logs in from and the average amount of time they spend in different apps.

For groups of users—such as all the users in a department—the model might account for things like the databases these users access and the other users they interact with.

An individual user might have several user accounts for the different apps and services they use during a typical workday. Many UBA tools can learn to consolidate activity from these accounts under a single unified user identity.

Account activity consolidation helps security teams detect behavior patterns even when user activity is broken up across disparate parts of the network.

After creating baseline models, UBA tools monitor users and compare their behavior to these models. When they detect deviations that might signal potential threats, they alert the security team.

UBAs can detect anomalies in a few different ways, and many UBA tools use a combination of detection methods.

Some UBA tools use rule-based systems where security teams manually define situations that should trigger alerts, such as users trying to access assets outside their permission levels.

Many UBA tools also use AI and ML algorithms to analyze user behavior and spot anomalies. With AI and ML, UBA can detect deviations from a user's historical behavior.

For example, if a user has logged into an app only during work hours in the past and is now logging in on nights and weekends, that might indicate a compromised account.

UBA tools can also use AI and ML to compare users to their peers and detect anomalies that way.

For example, there is a good chance that no one in the marketing department needs to pull customer credit card records. If a marketing user starts trying to access those records, that might signal an attempt at data exfiltration.

In addition to training AI and ML algorithms on user behaviors, organizations can use threat intelligence feeds to teach UBA tools to spot known indicators of malicious activity.

UBA tools don't raise alerts every time a user does something out of the ordinary. After all, people often have legitimate reasons for engaging in "anomalous" behavior. For example, a user might share data with a previously unknown party because they're working with a new vendor for the first time.

Instead of flagging individual events, many UBA tools assign each user a risk score. Whenever a user does something unusual, their risk score increases. The riskier the anomaly, the higher the increase. When the user's risk score passes a certain threshold, the UBA tool alerts the security team.

This way, the UBA tool does not flood the security team with minor anomalies. However, it would still catch a pattern of regular abnormalities in a user's activity, which is more likely to indicate a cyberthreat. A single significant anomaly might also trigger an alert if it poses a high enough risk.

When a user's risk score is high enough, the UBA tool alerts the SOC, incident response team or other stakeholders.

Some UBA tools have dedicated dashboards where security teams can monitor user activity, track risk scores and receive alerts. Many UBA tools can also push alerts to SIEMs or other security tools.

While UBA tools do not typically have the capacity to respond to threats directly, they can integrate with other tools that do.

For example, some identity and access management (IAM) platforms use UBA data for adaptive authentication. If a user's risk score passes a certain threshold—perhaps because they're signing in from a new device—the IAM system might ask for additional authentication factors.

Because they focus on the activity of users inside the network, UBA tools can help security teams catch malicious actors who get past their perimeter defenses.

Moreover, by tracking long-term patterns in user behavior, UBA can detect the nearly imperceptible traces that the most sophisticated cyberattacks leave behind.

UBA tools can produce false positives and false negatives in some circumstances. Organizations can mitigate those possibilities by using risk scores and training AI and ML algorithms on the unique patterns of their users, but they may not eliminate the risk entirely.

Say that a user starts transferring massive amounts of sensitive data from one cloud to another as part of a planned migration. The UBA’s baseline model might not account for this approved but rare activity and, therefore, set off alarm bells.

False negatives arise when a UBA tool learns to treat potential threats as acceptable behavior. This can happen when anomalies occur repeatedly without correction.

For example, consider a vendor that showcases its UBA’s threat detection skills by simulating data breaches for customers during demos. The UBA tool will see the same breach occur over and over. Eventually, the tool might determine that this breach is normal behavior—because it happens very regularly—and stop issuing alerts about it.

While some vendors offer standalone UBA solutions, the market is increasingly shifting toward providing UBA functionality as an integration with or add-on to other security tools. Specifically, UBA capabilities are often embedded in SIEMs, EDRs and IAM platforms.

SIEMs aggregate security event data from disparate internal security tools in a single log and analyze that data to detect unusual activity. Many SIEMS now include UBA capabilities or readily integrate with UBA tools, which can help organizations optimize their SIEM data.

Combining user behavior data with security event data can help organizations spot threats sooner and prioritize the riskiest anomalies to investigate.

UBAs complement EDR tools by adding user behavior data to endpoint activity data. This gives the security team more insight into what users are doing on their endpoints, which can make it easier to identify patterns of suspicious behavior across devices.

Organizations use IAM tools to control which users can access which resources. As mentioned earlier, integrating UBA tools with IAM systems enables organizations to design intelligent adaptive authentication processes that strengthen authentication requirements as a user's risk score rises.