Published: 19 June 2024

Contributor: Matthew Kosinski

What is user behavior analytics (UBA)?

In cybersecurity, user behavior analytics (UBA) is the use of data analytics, artificial intelligence and machine learning to track the behavior of users in a network, model their normal behavior patterns and detect deviations that might signify security threats. 

UBA tools can detect when individual users do things they wouldn't normally do, such as logging in from a new IP address or viewing sensitive data they don't typically work with.

These minor anomalies might not trigger other network monitoring tools. However, UBA can determine that this activity is abnormal for this specific user and alert the security team. 

Because they can detect subtly suspicious behaviors, UBA tools can help security operations centers (SOCs) spot evasive attacks such as insider threats, advanced persistent threats and hackers using stolen credentials.   

This capacity is important for SOCs today. The abuse of valid accounts is the most common way that cybercriminals break into networks, according to the IBM X-Force Threat Intelligence Index.

UBA tools and techniques are used in various fields. For example, marketers and product designers often track user behavioral data to understand how people interact with apps and websites. However, in cybersecurity, UBA is primarily used for threat detection. 

UBA versus UEBA

First defined by the analyst firm Gartner in 2015, user and entity behavior analytics (UEBA) is a class of security tools that evolved from UBA.  

Like UBA, UEBA tools monitor network activity, establish baselines for normal behaviors and detect deviations from those norms. The key difference is that UBA tracks only human users, while UEBA systems also track activity and metrics from nonhuman entities such as apps and devices.   

There is some debate about whether the terms are interchangeable. Some firms, such as IDC, maintain that these are distinct classes of technology.[1] On the other hand, former Gartner analyst Anton Chuvakin has said that he considers UBA and UEBA to be roughly synonymous.

Regardless, a focus on users is what separates UBA and UEBA from similar security tools like security information and event management (SIEM) and endpoint detection and response (EDR). These tools enable security teams to understand and analyze system activity at the level of the individual user. Tracking nonhuman entities can add context, but it is not necessarily the core purpose of these tools.  

Or, to quote Chuvakin: "'U' is a must," but "going beyond 'U' to other 'E' is not."

How UBA works

User behavior analytics tools continuously gather user data from sources throughout the network, which they use to create and refine baseline models of user behavior. The tools compare user activity against these baselines in real time. When they detect anomalous behavior that poses a significant risk, they alert the appropriate stakeholders. 

Gathering user data

UBA tools gather data about user attributes (for example: roles, permissions, location) and user activities (for example: changes they make to a file, sites they visit, data they move). UBAs can gather this information from various data sources, including: 

  • User directories, such as Microsoft Active Directory 

  • Network traffic logs from intrusion detection and prevention systems (IDPSs), routers, VPNs and other infrastructure

  • User activity data from apps, files, endpoints and databases

  • Login and authentication data from identity and access management systems 

  • Event data from SIEMs, EDRs and other security tools 

Creating behavioral baselines

UBA tools use data analytics to turn user data into baseline models of normal activity.  

UBA tools can use basic analytics methods such as statistical modeling and pattern matching. Many also use advanced analytics, such as artificial intelligence (AI) and machine learning (ML). 

AI and ML allow UBA tools to analyze massive data sets to create more accurate behavior models. Machine learning algorithms can also refine these models over time so that they evolve alongside changes to business operations and user roles. 

UBA tools can create behavior models for both individual users and groups of users. 

For an individual user, the model might take note of things like where the user logs in from and the average amount of time they spend in different apps. 

For groups of users—such as all the users in a department—the model might account for things like the databases these users access and the other users they interact with.  

An individual user might have several user accounts for the different apps and services they use during a typical workday. Many UBA tools can learn to consolidate activity from these accounts under a single unified user identity.

Account activity consolidation helps security teams detect behavior patterns even when user activity is broken up across disparate parts of the network.

Anomaly detection

After creating baseline models, UBA tools monitor users and compare their behavior to these models. When they detect deviations that might signal potential threats, they alert the security team.  

UBAs can detect anomalies in a few different ways, and many UBA tools use a combination of detection methods.  

Some UBA tools use rule-based systems where security teams manually define situations that should trigger alerts, such as users trying to access assets outside their permission levels. 

Many UBA tools also use AI and ML algorithms to analyze user behavior and spot anomalies. With AI and ML, UBA can detect deviations from a user's historical behavior.

For example, if a user has logged into an app only during work hours in the past and is now logging in on nights and weekends, that might indicate a compromised account.  

UBA tools can also use AI and ML to compare users to their peers and detect anomalies that way.

For example, there is a good chance that no one in the marketing department needs to pull customer credit card records. If a marketing user starts trying to access those records, that might signal an attempt at data exfiltration.
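The two comparisons described above, against a user's own history and against their peers, can be sketched as follows. This is an added example, not code from the original article or from any UBA product; the event fields, user names, resource names and the two-hour `slack` tolerance are assumptions, and a simple set-based baseline stands in for the AI and ML models the article mentions.

```python
from collections import defaultdict

# Constructed sample history: (user, department, login_hour, resource)
HISTORY = [
    ("alice", "marketing", 9, "campaign_db"),
    ("alice", "marketing", 10, "campaign_db"),
    ("alice", "marketing", 14, "web_analytics"),
    ("bob", "marketing", 11, "campaign_db"),
    ("bob", "marketing", 16, "web_analytics"),
    ("carol", "finance", 9, "card_records"),
    ("carol", "finance", 13, "ledger"),
]

def build_baselines(history):
    """Learn per-user login hours and per-department resource sets."""
    user_hours = defaultdict(set)
    peer_resources = defaultdict(set)
    for user, dept, hour, resource in history:
        user_hours[user].add(hour)
        peer_resources[dept].add(resource)
    return user_hours, peer_resources

def detect(event, user_hours, peer_resources, slack=2):
    """Return the list of anomaly labels for one new event."""
    user, dept, hour, resource = event
    anomalies = []
    hours = user_hours.get(user)
    if not hours:
        # No history yet: nothing to compare the login time against.
        anomalies.append("no_baseline")
    elif not (min(hours) - slack <= hour <= max(hours) + slack):
        # Historical comparison: login outside the user's usual window.
        anomalies.append("unusual_login_hour")
    if resource not in peer_resources.get(dept, set()):
        # Peer comparison: nobody in the department touches this resource.
        anomalies.append("resource_unusual_for_peers")
    return anomalies
```

The same resource can be normal for one peer group and anomalous for another: `card_records` raises no anomaly for a finance user but does for a marketing user.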

In addition to training AI and ML algorithms on user behaviors, organizations can use threat intelligence feeds to teach UBA tools to spot known indicators of malicious activity.  

Risk scores

UBA tools don't raise alerts every time a user does something out of the ordinary. After all, people often have legitimate reasons for engaging in "anomalous" behavior. For example, a user might share data with a previously unknown party because they're working with a new vendor for the first time. 

Instead of flagging individual events, many UBA tools assign each user a risk score. Whenever a user does something unusual, their risk score increases. The riskier the anomaly, the higher the increase. When the user's risk score passes a certain threshold, the UBA tool alerts the security team. 

This way, the UBA tool does not flood the security team with minor anomalies. However, it would still catch a pattern of regular abnormalities in a user's activity, which is more likely to indicate a cyberthreat. A single significant anomaly might also trigger an alert if it poses a high enough risk.   
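The risk-score mechanism described above, sketched as an added example (not code from the original article or from any UBA product). The anomaly names, weights and threshold are illustrative assumptions, and the events are constructed sample data.

```python
from collections import defaultdict

# Assumed weights per anomaly type: the riskier the anomaly, the higher the increase.
WEIGHTS = {
    "new_ip_login": 10,
    "off_hours_login": 15,
    "new_external_share": 20,
    "bulk_transfer_unknown_device": 80,
}
DEFAULT_WEIGHT = 5      # assumed weight for anomaly types not listed above
ALERT_THRESHOLD = 50    # assumed alert threshold

# Constructed sample stream of (user, anomaly) pairs in arrival order.
EVENTS = [
    ("dana", "new_external_share"),             # one-off: new vendor
    ("erin", "new_ip_login"),
    ("erin", "off_hours_login"),
    ("frank", "bulk_transfer_unknown_device"),  # single high-risk anomaly
    ("erin", "new_external_share"),
    ("erin", "off_hours_login"),                # pattern of minor anomalies
]

def score_events(events, weights=WEIGHTS, threshold=ALERT_THRESHOLD):
    """Accumulate per-user risk; alert once when a score first passes the threshold."""
    scores = defaultdict(int)
    evidence = defaultdict(list)
    alerted = set()
    alerts = []
    for user, anomaly in events:
        scores[user] += weights.get(anomaly, DEFAULT_WEIGHT)
        evidence[user].append(anomaly)
        if scores[user] > threshold and user not in alerted:
            alerted.add(user)
            # Attach the contributing anomalies so the analyst sees the pattern.
            alerts.append({"user": user, "score": scores[user],
                           "evidence": list(evidence[user])})
    return alerts, dict(scores)
```

With this data, dana's single anomaly stays below the threshold, erin alerts only after four minor anomalies accumulate, and frank alerts on one event.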

Raising alerts

When a user's risk score is high enough, the UBA tool alerts the SOC, incident response team or other stakeholders. 

Some UBA tools have dedicated dashboards where security teams can monitor user activity, track risk scores and receive alerts. Many UBA tools can also push alerts to SIEMs or other security tools.  

While UBA tools do not typically have the capacity to respond to threats directly, they can integrate with other tools that do.  

For example, some identity and access management (IAM) platforms use UBA data for adaptive authentication. If a user's risk score passes a certain threshold, perhaps because they're signing in from a new device, the IAM system might ask for additional authentication factors.

UBA use cases

Because they focus on the activity of users inside the network, UBA tools can help security teams catch malicious actors who get past their perimeter defenses.

Moreover, by tracking long-term patterns in user behavior, UBA can detect the nearly imperceptible traces that the most sophisticated cyberattacks leave behind. 

Catching insider threats

Insider threats are users who, whether intentionally or through negligence, abuse or misuse their legitimate privileges to cause harm to the company. Because these users often have permission to be in the systems they're damaging, many security tools can miss them.

On the other hand, UBA can see when users behave abnormally. A user might have the rights to work with sensitive data, but if they transfer a lot of that data to an unknown device, the UBA can flag this as potential theft.

Detecting hijacked accounts

Hackers can use phishing or malware to steal credentials and disguise themselves as legitimate users. As with insider threats, security tools can miss these attackers because they seem like authorized users. 

However, the hackers will inevitably do something malicious that a real user wouldn't, such as exploiting vulnerabilities or making lateral movements. UBA tools can pick up on these anomalies. 

Hunting advanced persistent threats (APTs)

APTs can lurk in networks for months or years, quietly stealing data or spreading malware. They often avoid detection by masquerading as legitimate users and taking many small steps over time rather than making big, risky moves. UBAs excel at detecting these long-term patterns of suspicious behavior.

UBA challenges

UBA tools can produce false positives and false negatives in some circumstances. Organizations can mitigate those possibilities by using risk scores and training AI and ML algorithms on the unique patterns of their users, but they may not eliminate the risk entirely. 

For example, say that a user starts transferring massive amounts of sensitive data from one cloud to another as part of a planned migration. The UBA's baseline model might not account for this approved but rare activity and, therefore, set off alarm bells, producing a false positive.

False negatives arise when a UBA tool learns to treat potential threats as acceptable behavior. This can happen when anomalies occur repeatedly without correction.

IDC shares one such story in which a vendor showcased its UBA threat detection skills by simulating data breaches for customers. Eventually, the UBA tool saw the same data breach occur so many times that it determined this was normal behavior that did not require an alert.[1]
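The false-negative failure described above can be reproduced with a simple statistical baseline, shown here as an added example (not code from the original article, IDC or any vendor). The z-score detector, its limit, the warm-up length and the daily transfer volumes are all assumptions; the data is constructed. The `learn_from_flagged=False` mode shows one mitigation: keep flagged activity out of the baseline until it has been reviewed.

```python
import statistics

# Constructed data: ten normal days (MB transferred), then six repeated
# simulated-breach days of 5000 MB each.
NORMAL = [100, 102, 98, 101, 99, 100, 103, 97, 100, 100]
SAMPLE = NORMAL + [5000] * 6

def run_detector(daily_mb, learn_from_flagged, z_limit=3.0, warmup=5):
    """Return the day indexes flagged as anomalous.

    A day is flagged when its volume is more than z_limit standard
    deviations above the mean of the baseline learned so far.
    learn_from_flagged=True folds every observation into the baseline;
    False keeps flagged days out of it (pending analyst review).
    """
    baseline, flagged_days = [], []
    for day, mb in enumerate(daily_mb):
        if len(baseline) >= warmup:
            mean = statistics.mean(baseline)
            std = statistics.pstdev(baseline) or 1.0  # avoid divide-by-zero
            if (mb - mean) / std > z_limit:
                flagged_days.append(day)
                if not learn_from_flagged:
                    continue  # do not let unreviewed anomalies become "normal"
        baseline.append(mb)
    return flagged_days
```

When every observation is learned, only the first two breach days are flagged before the inflated baseline absorbs the rest; when flagged days are withheld, all six are flagged.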

UBA and other security tools

While some vendors offer standalone UBA solutions, the market is increasingly shifting toward providing UBA functionality as an integration with or add-on to other security tools. Specifically, UBA capabilities are often embedded in SIEMs, EDRs and IAM platforms. 

Security information and event management (SIEM)

SIEMs aggregate security event data from disparate internal security tools in a single log and analyze that data to detect unusual activity. Many SIEMs now include UBA capabilities or readily integrate with UBA tools, which can help organizations optimize their SIEM data.

Combining user behavior data with security event data can help organizations spot threats sooner and prioritize the riskiest anomalies to investigate.

Endpoint detection and response (EDR)

UBAs complement EDR tools by adding user behavior data to endpoint activity data. This gives the security team more insight into what users are doing on their endpoints, which can make it easier to identify patterns of suspicious behavior across devices.

Identity and access management (IAM)

Organizations use IAM tools to control which users can access which resources. As mentioned earlier, integrating UBA tools with IAM systems enables organizations to design intelligent adaptive authentication processes that strengthen authentication requirements as a user's risk score rises.


[1] A CISO's Guide to Artificial Intelligence. IDC Research.