Skip to main content

What is UEBA?

User and Entity Behavior Analytics (UEBA) models and identifies typical and atypical behavior of humans and machines within a network. UEBA solutions are intended to work in conjunction with rule or signature based-approaches, such as SIEMs. They are very effective at processing large datasets in order to identify potential threats. UEBA solutions model behavior in order to create a baseline, which is then used to assess potential risks. These risks affect a risk score that ultimately decides threat response.

  • Baselines

    UEBA solutions operate by creating a baseline for human and machine behavior based upon normal behavior. A behavioral model for each applicable attribute of a user or entity is created using data science. Given enough data, trends can be identified which signify typical behavior. Deviation from this baseline can easily be recognized as abnormal behavior and a potential threat.

  • Risk Scores

    UEBA solutions utilize the concept of risk scores to reduce false positive security alerts. A single behavioral abnormality is not enough to alert analysts of a potential threat. Instead, atypical behavior adds risk to the user or entity. After the user or entity receives enough risk within a specific timeframe, they are considered high risk and analysts are notified of a potential threat.

  • SIEMs

    SIEMs are a capable security management tool, but typically lack effective and intelligent threat detection and response. They can be bypassed by advanced attackers with relative ease, and focus more on real-time threats than extended attacks. UEBA solutions are capable of detecting threats that may occur over a much more extended period of time and be significantly more advanced. By using these two tools in conjunction, organizations are capable of defending threats much more effectively.

UEBA solutions have three main components that structure their behavior.

  1. 1. Data Analytics

    UEBA solutions use data to establish a baseline behavior and pattern set for entities and users. Statistical models are used to detect aberrant behavior.

  2. 2. Data Integration

    UEBA solutions are capable of integrating information such as logs, packet capture data, and other datasets with existing security monitoring systems.

  3. 3. Data Presentation

    UEBA solutions are capable of issuing a request for response to security analysts quickly, which enables them to react to potential threats promptly and effectively.

UEBA solutions help to significantly reduce the load security teams deal with on a regular basis. Instead of security teams sifting through potentially millions of alerts per day, a UEBA solution can do the sifting. They identify critical breaches and notify security teams quickly, so teams can focus on responding to the most important threats. Additionally, they provide underlying data for the breaches, which can significantly improve response investigations.

Also See: UBA, UEBA, & SIEM: Security Management Terms Defined

2017