User Behavior Analytics: Cracking Insider & Unknown Security Threats

User Behavior Analytics (UBA/UEBA): The Key to Uncovering Insider and Unknown Security Threats

January 02, 2019

Orion Cassetto

Learn about UBA technology, and its extension UEBA (User Entity Behavior Analytics), how it works, and which threats it uncovers that no other tool can see.

What is User Behavior Analytics (UBA), Now Known as UEBA?

User Behavior Analytics was defined by Gartner in 2014 as a category of cybersecurity tools that analyze user behavior on networks and other systems, and apply advanced analytics to detect anomalies and malicious behavior. These can be used to discover security threats like malicious insiders and privileged account compromise, which traditional security tools cannot see.

In 2015 Gartner updated its definition to include an “E”—the new category User and Entity Behavior Analytics (UEBA) includes behavioral analysis of entities other than users, such as routers, servers and endpoints. UEBA is much more powerful because it can analyze behavior across multiple users, IT devices and IP addresses, to detect complex attacks.

How Does User Behavior Analytics Work?

UEBA solutions work by creating a baseline of behavior for users and entities. Data on normal behaviors and activity is collected and analyzed for patterns to create these baselines. UEBA tools then monitor systems and use these baselines as a reference against which new data is compared.

The creation of baselines is what enables UEBA to detect threats that traditional tools cannot, such as insider theft. When data that doesn’t match the baseline is identified it is classified with a risk score based on its deviation from the baseline. If activity meets a certain risk threshold an alert is sent to your security team.
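The baseline, risk score and threshold loop described above, as an added Python example (not Exabeam's code or algorithm). The features (login hour, host, upload volume), the z-score weighting, the threshold of 50 and all events are assumptions constructed for illustration; login hour is treated as a plain number rather than a circular value.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training events: (user, login_hour, host, mb_uploaded)
HISTORY = [
    ("alice", 9, "hr-app", 12), ("alice", 10, "hr-app", 15),
    ("alice", 9, "mail", 10), ("alice", 11, "hr-app", 14),
    ("alice", 10, "mail", 11), ("alice", 9, "hr-app", 13),
    ("bob", 22, "db-admin", 300), ("bob", 23, "db-admin", 280),
    ("bob", 22, "backup", 320), ("bob", 21, "db-admin", 310),
]

ALERT_THRESHOLD = 50  # assumed value; a real deployment tunes this

def build_baselines(events):
    """Per-user baseline: known hosts plus mean/stddev of hour and upload size."""
    grouped = defaultdict(list)
    for user, hour, host, mb in events:
        grouped[user].append((hour, host, mb))
    baselines = {}
    for user, rows in grouped.items():
        hours = [r[0] for r in rows]
        sizes = [r[2] for r in rows]
        baselines[user] = {
            "hosts": {r[1] for r in rows},
            "hour": (mean(hours), pstdev(hours) or 1.0),  # avoid zero stddev
            "mb": (mean(sizes), pstdev(sizes) or 1.0),
        }
    return baselines

def risk_score(baseline, hour, host, mb):
    """Score an event by how far each feature deviates from the baseline."""
    score = 0
    for value, (mu, sigma) in ((hour, baseline["hour"]), (mb, baseline["mb"])):
        z = abs(value - mu) / sigma
        if z > 3:                          # more than 3 standard deviations out
            score += min(int(z) * 5, 40)   # cap so one feature cannot dominate
    if host not in baseline["hosts"]:      # first-time access to this system
        score += 30
    return score

def evaluate(baselines, event):
    """Return (risk score, alert flag) for one new event."""
    user, hour, host, mb = event
    score = risk_score(baselines[user], hour, host, mb)
    return score, score >= ALERT_THRESHOLD
```

The same event (a 22:00 login to `db-admin` with a 300 MB upload) scores 0 for bob and 110 for alice, which is the difference between a per-entity baseline and a static rule.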

What Does a UBA / UEBA System Comprise?

UBA / UEBA solutions are typically built of the following modules:

  • Data collection, parsing and aggregating of security events, via log data or agents installed on IT systems.
  • Central storage where raw data, metadata, and the results of analyses are stored.
  • An analysis engine that analyzes events, identifies anomalies, and prioritizes them to pinpoint security incidents.
  • Automated response—some UBA / UEBA solutions can integrate with other security tools or IT systems and perform automated actions in response to a security incident.

UBA / UEBA Security Use Cases: How Does User Behavior Analytics Help Organizations?

User behavior analytics solutions can help you discover security threats that traditional tools—which are based on signatures, correlation rules, or simple statistical analysis—cannot see.

  • Discovering compromised accounts: UBA / UEBA can identify user accounts taken over by attackers, because they exhibit anomalous behavior compared to the real business user.
  • Identifying malicious insider threats: Insider threats are a major, growing threat, and are extremely difficult to detect via traditional security tools, because these attacks use legitimate credentials, machines and access privileges. UBA / UEBA tools can identify malicious insiders by analyzing their behavior compared to similar, non-malicious users.
  • Identifying privileged account abuse: UBA / UEBA can help monitor accounts with administrative or escalated privileges, to ensure they are not being misused, either by their designated owner or by others. Privileged account issues include policy violations or neglectful acts which are not full-blown attacks, but can have damaging results.
  • Cloud security monitoring: Cloud assets are provisioned dynamically and used remotely, making them difficult to capture with traditional tools. UBA / UEBA can look at cloud-based assets and discover if, as a group, they are acting normally or abnormally.
  • Entity monitoring: UEBA can be used to monitor IoT devices, such as critical medical equipment or sensors deployed in the field. Behavioral analysis can be used to establish a baseline for the behavior of groups of similar IoT devices, and identify when a device exhibits anomalous behavior.

Key Capabilities of UBA / UEBA Solutions

The following are minimal capabilities that define a full user behavior analytics solution:

  • Monitor and analyze behavior of users and other entities—the solution should be able to collect data from IT systems and create a behavioral baseline of entities on the network.
  • Detect anomalous behavior—a deviation from the behavioral baseline that is significant and could indicate an insider attack or other security threat.
  • Leverage machine learning and advanced analytics—making it possible to detect unknown threats and learn from big data sets, even if an attack has never been seen before.
  • Combine multiple activities into one security incident—a UBA / UEBA solution is able to identify security incidents across multiple users, entities or IPs, and also combine data from many different sources, such as anti-malware, firewall, proxies, DLP, and VPN.
  • Near-real-time performance—to be effective as an incident response tool, UBA / UEBA technology must collect data and alert security analysts very soon after an event has occurred.

UEBA: A Core Component in Next-Generation SIEM Solutions

Security Information and Event Management (SIEM) solutions, which are the foundation of the modern Security Operation Center (SOC), are highly complementary to UBA / UEBA, because they also collect security events from across the organization, analyze them and identify security incidents—albeit with correlation rules and basic statistical analysis.

While Gartner does not use the term next-generation SIEM, its vision for the next generation of SIEM includes a full-featured UEBA solution, enabling the SIEM to perform behavioral analysis of anomalies in security events and log data.

Incorporating UBA / UEBA in a SIEM can provide strong security benefits, by combining the breadth of information accessed by a SIEM (which integrates with almost all security tools and IT systems across the enterprise), with the advanced analytical capabilities of UBA / UEBA technology.

One example of a next-generation SIEM that includes UEBA is Exabeam’s Security Management Platform. Exabeam provides the following UEBA capabilities:

  • Rule and signature-free incident detection—identifies abnormal, risky activity without requiring predefined correlation rules or attack patterns, as in traditional SIEMs.
  • Automatic timelines for security incidents—stitches together security events into a timeline that shows an entire security incident across users, IP address and IT systems.
  • Dynamic peer groupings—dynamically groups similar users and entities to analyze the collective behavior and identify anomalous individual actions.
  • Lateral movement detection—detects attackers after their initial penetration, as they move through a network using different IP addresses, credentials and machines.

To learn more about how UEBA works under the hood, and how it powers next-generation SIEM technology, see our in-depth guide on UEBA.
