
User Behavior Analytics (UBA/UEBA): The Key to Uncovering Insider and Unknown Security Threats

  • May 09, 2019
  • Jeannie Warner
  • 4 minutes to read


    User Behavior Analytics was defined by Gartner in 2014 as a category of cybersecurity tools that analyze user behavior on networks and other systems, and apply advanced analytics to detect anomalies and malicious behavior. These can be used to discover security threats like malicious insiders and privileged account compromise, which traditional security tools cannot see.

    In 2015 Gartner updated its definition to include an “E”. The User and Entity Behavior Analytics (UEBA) category now includes behavioral analysis of entities other than users, such as routers, servers and other network devices, and endpoints. UEBA is much more powerful because it can analyze behavior across multiple users, IT devices, and IP addresses to detect complex attacks.

    How does User and Entity Behavior Analytics work?

    UEBA solutions work by creating a baseline of behavior for users and entities. Data on normal behaviors and activity is collected and analyzed over time to find the accustomed patterns and create baselines describing them. UEBA tools then monitor systems and use these baselines as a reference against which new data is compared.

    The creation of baselines and profiles per entity is what enables UEBA to detect threats that traditional tools cannot, such as insider theft. When security events or logged activity outside the baseline are identified, they are assigned a risk score based on how far they deviate from the baseline. If the activity meets or passes a predefined risk threshold, a security event alert is sent to your security team.
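The baseline-then-score loop described above, as an added illustration that is not code from the original post or from any UEBA product. It profiles each user from a constructed training window (hosts touched, usual login hours, typical outbound volume), scores a new event by how far it deviates from that user's own baseline, and raises an alert when the score reaches a threshold; all data, point values and the threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window: (user, host, login_hour, bytes_out). Not real telemetry.
BASELINE_EVENTS = [
    ("alice", "fs01", 9, 1200), ("alice", "fs01", 10, 1500), ("alice", "mail", 11, 900),
    ("alice", "fs01", 14, 1300), ("alice", "mail", 16, 1100), ("alice", "fs01", 9, 1250),
    ("bob", "db02", 8, 5000), ("bob", "db02", 9, 5200), ("bob", "db02", 13, 4800),
    ("bob", "ci01", 15, 5100), ("bob", "db02", 17, 4900), ("bob", "ci01", 10, 5050),
]

RISK_THRESHOLD = 60  # assumed: an event alerts when its score meets or exceeds this


def build_baselines(events):
    """Profile each user: hosts they normally touch, usual hours, typical outbound volume."""
    per_user = defaultdict(list)
    for user, host, hour, bytes_out in events:
        per_user[user].append((host, hour, bytes_out))
    baselines = {}
    for user, rows in per_user.items():
        hours = [h for _, h, _ in rows]
        sizes = [b for _, _, b in rows]
        baselines[user] = {
            "hosts": {h for h, _, _ in rows},
            "hour_min": min(hours), "hour_max": max(hours),
            "bytes_mean": mean(sizes), "bytes_std": pstdev(sizes) or 1.0,
        }
    return baselines


def score_event(baselines, user, host, hour, bytes_out):
    """Return (score, reasons); points accrue per deviation from the user's own baseline."""
    b = baselines.get(user)
    if b is None:
        return 50, ["no baseline for user"]  # an account never seen before is itself notable
    score, reasons = 0, []
    if host not in b["hosts"]:
        score += 40; reasons.append(f"first access to {host}")
    if not b["hour_min"] <= hour <= b["hour_max"]:
        score += 30; reasons.append(f"hour {hour} outside {b['hour_min']}-{b['hour_max']}")
    z = (bytes_out - b["bytes_mean"]) / b["bytes_std"]  # volume as standard deviations from normal
    if z > 3:
        score += 40; reasons.append(f"outbound volume z={z:.1f}")
    return score, reasons


def evaluate(baselines, event):
    """Score one new event and decide whether it crosses the alert threshold."""
    score, reasons = score_event(baselines, *event)
    return {"event": event, "score": score, "alert": score >= RISK_THRESHOLD, "reasons": reasons}
```

Every deviation is judged against the account's own history, so the same action (a 3 a.m. login, a pull from a new server) can be routine for one user and high-risk for another.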

    What does a UBA/UEBA system comprise?

    UBA / UEBA solutions are typically built of the following modules:

    • Data collection, parsing and aggregation of security events, via log data or agents installed on IT systems.
    • Central log and event storage, where raw data, security metadata, and the results of analyses are stored.
    • An analysis engine that analyzes events, identifies anomalies, and prioritizes them to pinpoint security incidents.
    • Automated response—some UBA/UEBA solutions can integrate with other security tools or IT systems to perform automated actions in response to a security event.

    UBA/UEBA security use cases: How does user behavior analytics help organizations?

    User behavior analytics solutions can help you discover security threats that traditional tools — which are based on signatures, correlation rules, or simple statistical analysis — cannot see.

    • Discovering compromised accounts: UBA/UEBA can identify user accounts taken over by attackers, because they exhibit anomalous behavior compared to the real business user.
    • Identifying malicious insider threats: Insider threats are a major, growing threat, and are extremely difficult to detect via traditional security tools because these attacks use legitimate credentials, services and entities, and access privileges. UBA/UEBA tools can identify malicious insiders by analyzing their behavior compared to similar, non-malicious users.
    • Identifying privileged account abuse: UBA/UEBA can help monitor accounts with administrative or escalated privileges to ensure they are not being misused, either by their designated owner or by others. Privileged account issues include policy violations or neglectful acts which may not be malicious activity, but can still have damaging results.
    • Cloud security monitoring: Cloud assets are provisioned dynamically and used remotely, making them difficult to capture with traditional tools. UBA/UEBA can look at cloud-based assets and discover if, as a group, they are acting normally or abnormally. This includes coordination with CASB or DLP tools, which can alert on unusual file size movement or inappropriate sharing.
    • Entity monitoring: UEBA can be used to monitor IoT devices, such as critical medical equipment or sensors deployed in the field. Behavior analysis can be used to establish a baseline for these groups of similar IoT devices, and identify when a device exhibits anomalous behavior. For example, if an industrial control system’s service account attempts to log into Active Directory or a web server, this highly unusual behavior will throw an alert.

    Key capabilities of UBA/UEBA solutions

    The following are minimal capabilities that define a full user behavior analytics solution:

    • Monitor and analyze behavior of both credentials and other entities — should have the ability to collect data from IT systems and create a behavior pattern baseline of all entities on the network
    • Detect anomalous behavior — a deviation from the behavioral baseline that is significant and could indicate an insider attack or other security threat
    • Use machine learning and advanced analytics — making it possible to detect unknown threats and learn from big data sets, even if an attack pattern has never been seen before
    • Combine multiple activities into one security event — like Open XDR, a UBA/UEBA solution is able to identify security incidents across multiple users, entities or IPs, and also combine data from many different sources, such as anti-malware, firewall, proxies, DLP, and VPN.
    • Near-real-time performance — to be effective as an incident response tool, UBA/UEBA technology must collect data and alert security analysts with minimal processing delay after an event has occurred.

    UEBA: A core component in Next-gen SIEM solutions

    Security Information and Event Management (SIEM) solutions, which are the foundation of the modern Security Operations Center (SOC), are highly complementary to UBA/UEBA because they also collect security events from across the organization, analyze them, and identify security events — albeit with correlation rules and basic statistical analysis.

    While Gartner does not use the term “Next-gen SIEM”, Gartner’s vision for the next generation of SIEM includes a full-featured UEBA solution, to enable it to perform behavioral analysis of anomalies on security events and log data.

    Incorporating UBA/UEBA in a SIEM can provide strong security benefits by combining the breadth of information accessed by a SIEM (which integrates with almost all security tools and IT systems across the enterprise) with the advanced analytical capabilities of UBA/UEBA technology.

    One example of a Next-gen SIEM that includes UEBA is Exabeam’s SOC Platform. Exabeam provides the following UEBA capabilities:

    • Rule and signature-free security event detection — identifies abnormal, risky activity without requiring predefined correlation rules or attack patterns, as in traditional SIEMs
    • Automatic timelines for security incidents — stitches together security events into a timeline that shows an entire security event chain across users, IP addresses and IT systems
    • Dynamic peer groupings — dynamically groups organizationally similar users and functional entities to analyze collective behavior to identify anomalous individual actions
    • Lateral movement detection — detects attackers after their initial penetration, as they move through a network using different IP addresses, credentials and machines
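The "combine multiple activities into one security event" capability listed earlier and the incident timelines and lateral movement detection just described, as an added illustration; this is not Exabeam's code or any product's algorithm, only a minimal version of the idea. Already-scored events for a user are stitched into time-ordered sessions, a session's risk is the sum of its event scores, and a session in which one account reaches several hosts from more than one source IP is flagged; the event data, the session gap and the incident threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed, already-scored events: (ts_minutes, user, src_ip, host, score). Not product data.
SCORED_EVENTS = [
    (0, "alice", "10.0.1.5", "ws-alice", 5),
    (12, "alice", "10.0.1.5", "fs01", 10),
    (25, "alice", "10.0.1.5", "jump01", 35),    # first use of a jump host
    (31, "alice", "10.0.9.7", "db02", 40),      # same account, new source IP, new host
    (500, "alice", "10.0.1.5", "ws-alice", 5),  # hours later: a separate session
    (3, "bob", "10.0.2.8", "db02", 5),
]

SESSION_GAP = 60          # assumed: minutes of inactivity that closes a session
INCIDENT_THRESHOLD = 80   # assumed: session risk at which a timeline becomes an incident


def stitch_sessions(events):
    """Group each user's events into time-ordered sessions; a gap > SESSION_GAP starts a new one."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    sessions = []
    for evs in by_user.values():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev[0] - current[-1][0] > SESSION_GAP:
                sessions.append(current)
                current = []
            current.append(ev)
        sessions.append(current)
    return sessions


def summarize(session):
    """Turn one session into a timeline record with its accumulated risk and movement pattern."""
    total = sum(e[4] for e in session)
    ips = {e[2] for e in session}
    hosts = [e[3] for e in session]  # ordered, so the record reads as a timeline
    return {"user": session[0][1], "start": session[0][0], "end": session[-1][0],
            "risk": total, "hosts": hosts, "source_ips": sorted(ips),
            "lateral_movement": len(ips) > 1 and len(set(hosts)) > 1,
            "incident": total >= INCIDENT_THRESHOLD}


def incidents(events):
    """Return only the stitched sessions whose combined risk crosses the incident threshold."""
    return [s for s in map(summarize, stitch_sessions(events)) if s["incident"]]
```

No single event here scores highly on its own; it is the chain of low and medium scores across four hosts and two source IPs within one session that surfaces as an incident.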

    To learn more about how UEBA works under the hood, and how it powers next-generation SIEM technology, see our in-depth guide on UEBA.


    Director, Product Marketing | Exabeam | Jeannie Warner, CISSP, is the Director of Product Marketing at Exabeam. Jeannie is an information security professional with over twenty years in infrastructure operations/security, starting her career in the trenches working in various Unix help desk and network operations centers. She started in Security Operations for IBM MSS and quickly rose through the ranks to technical product and security program manager for a variety of software companies such as Symantec, Fortinet, and Synopsys (formerly WhiteHat) Security. She served as the Global SOC Manager for Dimension Data, building out their multi-SOC “follow the sun” approach to security. Jeannie was trained in computer forensics and practices, and plays a lot of ice hockey.
