What is UEBA (user and entity behavior analytics)?
Learn how UEBA gives teams better security insights and enhances zero trust security programs.
What is UEBA?

User and entity behavior analytics, or UEBA, is a type of security software that uses behavioral analytics, machine learning algorithms, and automation to identify abnormal and potentially dangerous user and device behavior. UEBA is particularly effective at identifying insider threats—malicious insiders or hackers using compromised insider credentials—that can elude other security tools because they mimic authorized network traffic.

UEBA, a term first coined by Gartner in 2015, is an evolution of user behavior analytics (UBA). Where UBA only tracked end-user behavior patterns, UEBA also monitors non-user entities, such as servers, routers, and Internet of Things (IoT) devices, for anomalous behavior or suspicious activity that could indicate security threats or attacks.

UEBA is used within security operations centers (SOCs) alongside other enterprise security tools, and UEBA functionality is often included in enterprise security solutions like security information and event management (SIEM), endpoint detection and response (EDR), extended detection and response (XDR), and identity and access management (IAM).

How UEBA works

UEBA solutions provide security insights through data analytics and machine learning. The behavior analytics tools within the UEBA system ingest and analyze high volumes of data from multiple sources to create a baseline picture of how privileged users and entities typically function. The system then uses machine learning to refine the baseline. As ML learns over time, the UEBA solution needs to gather and analyze fewer samples of normal behavior to create an accurate baseline.

After modeling baseline behaviors, UEBA applies the same advanced analytics and machine learning capabilities to current user and entity activity data to identify suspicious deviations from the baseline in real time. UEBA assesses user and entity behavior by analyzing data from as many enterprise sources as possible—the more, the better. These sources typically include:

  • Network equipment and network access solutions, such as firewalls, routers, VPNs, and IAM solutions.

  • Security tools and solutions, such as antivirus/anti-malware software, EDR, intrusion detection and prevention systems (IDPS), and SIEM.

  • Authentication databases, like Active Directory, that contain critical information about a network environment, the user accounts and computers active in the system, and the user activities allowed.

  • Threat intelligence feeds and frameworks, such as MITRE ATT&CK, which provide information on common cyber threats and vulnerabilities, including zero-day attacks, malware, botnets, and other security risks.

  • Enterprise resource planning (ERP) or human resources (HR) systems that contain pertinent information about users who could pose a threat, such as employees who have given notice or may be disgruntled.

UEBA uses what it learns to identify anomalous behavior and score it based on the risk it represents. For example, several failed authentication attempts within a short timeframe or abnormal system access patterns could indicate an insider threat and would create a low-scoring alert. Similarly, a user plugging in multiple USB drives and engaging in abnormal download patterns could indicate data exfiltration and would be assigned a higher risk score.

Using this scoring metric helps security teams avoid false positives and prioritize the biggest threats while also documenting and monitoring low-level alerts over time that, in combination, could indicate a slow-moving but serious threat.
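
The baseline-then-score flow described above, as an added example that is not part of the original article or of any IBM product: it builds a per-entity baseline from normal activity, scores current activity by its weighted deviation from that baseline, and accumulates scores so that repeated low-level alerts eventually cross an alert threshold. The feature names, weights, cap, and threshold are assumptions, and all activity data is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

FEATURES = ("failed_logins", "mb_downloaded", "usb_mounts")
# Assumed weights: authentication noise scores low, exfiltration signals score high.
WEIGHTS = {"failed_logins": 1.0, "mb_downloaded": 3.0, "usb_mounts": 3.0}
Z_CAP = 10.0   # cap each deviation so a single extreme value stays bounded
MIN_STD = 1.0  # floor on spread so a perfectly flat baseline never divides by zero

def build_baseline(history):
    """history: [(entity, {feature: value})] -> {entity: {feature: (mean, std)}}"""
    per_entity = defaultdict(lambda: defaultdict(list))
    for entity, obs in history:
        for f in FEATURES:
            per_entity[entity][f].append(obs[f])
    return {e: {f: (mean(v), max(pstdev(v), MIN_STD)) for f, v in feats.items()}
            for e, feats in per_entity.items()}

def risk_score(baseline, entity, obs):
    """Weighted sum of capped z-scores; only values above the baseline contribute."""
    score = 0.0
    for f in FEATURES:
        mu, sd = baseline[entity][f]
        z = (obs[f] - mu) / sd
        score += WEIGHTS[f] * min(max(z, 0.0), Z_CAP)
    return round(score, 2)

def cumulative_risk(baseline, events, alert_at=30.0):
    """Running total per entity; flag an entity once its total reaches alert_at."""
    totals, flagged = defaultdict(float), set()
    for entity, obs in events:
        totals[entity] += risk_score(baseline, entity, obs)
        if totals[entity] >= alert_at:
            flagged.add(entity)
    return dict(totals), flagged

# Constructed sample data: four days of normal activity per entity.
HISTORY = [(e, {"failed_logins": 0, "mb_downloaded": mb, "usb_mounts": 0})
           for e in ("alice", "bob", "carol") for mb in (90, 110, 90, 110)]
# Constructed current activity: one noisy login day, one exfiltration-like day,
# and four mildly abnormal days that only matter in combination.
EVENTS = ([("alice", {"failed_logins": 5, "mb_downloaded": 100, "usb_mounts": 0}),
           ("bob", {"failed_logins": 0, "mb_downloaded": 400, "usb_mounts": 3})]
          + [("carol", {"failed_logins": 2, "mb_downloaded": 120, "usb_mounts": 0})] * 4)

if __name__ == "__main__":
    totals, flagged = cumulative_risk(build_baseline(HISTORY), EVENTS)
    print(totals, sorted(flagged))
```
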

UEBA use cases

UEBA helps companies identify suspicious behavior and strengthens data loss prevention (DLP) efforts. Beyond these tactical uses, UEBA can also serve more strategic purposes, such as demonstrating compliance with regulations surrounding user data and privacy protection.

Tactical use cases

Malicious insiders – These are people with authorized and even privileged access to the corporate network who are trying to stage a cyberattack. Data alone—such as log files or records of events—can’t always spot these people, but advanced analytics can. Because UEBA provides insights on specific users, as opposed to IP addresses, it can identify individual users violating security policies.

Compromised insiders – These attackers gain access to authorized users’ or devices’ credentials through phishing schemes, brute-force attacks, or other means. Typical security tools might not find them because the use of legitimate, albeit stolen, credentials makes the attacker appear to be authorized. Once inside, these attackers engage in lateral movement, moving throughout the network and obtaining new credentials to escalate their privileges and reach more sensitive assets. While these attackers may be using legitimate credentials, UEBA can spot their anomalous behavior to help thwart the attack.

Compromised entities – Many organizations, particularly manufacturers and hospitals, use a significant number of connected devices, such as IoT devices, often with little to no security configurations. The lack of protection makes these entities a prime target for hackers, who may hijack these devices to access sensitive data sources, disrupt operations, or stage distributed denial-of-service (DDoS) attacks. UEBA can help identify behaviors that indicate these entities have been compromised so threats can be addressed before they escalate.

Data exfiltration – Insider threats and malicious actors often seek to steal personal data, intellectual property, or business strategy documents from compromised servers, computers, or other devices. UEBA helps security teams spot data breaches in real time by alerting teams to unusual download and data access patterns.

Strategic use cases

Implementing zero trust security – A zero trust security approach is one that never trusts and continuously verifies all users or entities, whether they’re outside or already inside the network. Specifically, zero trust requires that all users and entities be authenticated, authorized and validated before being granted access to applications and data—and subsequently be continuously re-authenticated, re-authorized and re-validated in order to maintain or expand that access throughout a session.

An effective zero trust architecture requires maximum visibility into all users, devices, assets, and entities on the network. UEBA gives security analysts rich, real-time visibility into all end-user and entity activity, including which devices are attempting to connect to the network, which users are trying to exceed their privileges, and more.

GDPR Compliance – The European Union’s General Data Protection Regulation (GDPR) imposes strict requirements on organizations to protect sensitive data. Under the GDPR, companies must track what personal data is accessed, by whom, how it is used, and when it is deleted. UEBA tools can help companies comply with GDPR by monitoring user behavior and the sensitive data they access.

UEBA, SIEM, and other security tools

UEBA, or UEBA-type capabilities, are included in many security tools available today. While it can be used as a standalone product, UEBA should be viewed as one tool in the comprehensive cybersecurity toolbox. In particular, UEBA is often used in conjunction with, or built into, the following tools:

Security information and event management (SIEM) – SIEM systems aggregate security event data from disparate internal security tools in a single log and analyze that data to detect unusual behavior and potential threats. UEBA can expand SIEM visibility into the network through its insider threat detection and user behavior analytics capabilities. Today, many SIEM solutions include UEBA.

Endpoint detection and response (EDR) – EDR tools monitor system endpoints, such as laptops, printers, and IoT devices, for signs of unusual behavior that could indicate a threat. When threats are detected, the EDR automatically contains them. UEBA complements—and is often a part of—an EDR solution by monitoring the behavior of users on these endpoints. For example, a suspicious login might trigger a low-level alert to the EDR, but if the UEBA finds the endpoint is being used to access confidential information, the alert can be appropriately elevated and addressed quickly.

Identity and access management (IAM) – Identity and access management tools ensure the right people and devices can use the right applications and data when needed. IAM is proactive and seeks to prevent unauthorized access while facilitating authorized access. UEBA adds another level of protection by monitoring for signs of compromised credentials or the abuse of privileges by authorized users.
