User Behavior Analytics (UBA/UEBA): The Key to Uncovering Insider and Unknown Security Threats
User Behavior Analytics was defined by Gartner in 2014 as a category of cybersecurity tools that analyze user behavior on networks and other systems, and apply advanced analytics to detect anomalies and malicious behavior. These can be used to discover security threats like malicious insiders and privileged account compromise, which traditional security tools cannot see.
In 2015 Gartner updated its definition to include an “E”. The User and Entity Behavior Analytics (UEBA) category now includes behavioral analysis of entities other than users, such as routers, servers and other network devices, and endpoints. UEBA is much more powerful because it can analyze behavior across multiple users, IT devices, and IP addresses to detect complex attacks.
In this article:
- How does user behavior analytics work?
- What does a UBA/UEBA system comprise?
- UBA / UEBA security use cases: How does user behavior analytics help organizations?
- Key capabilities of UBA/UEBA solutions
- UEBA: A core component in next-generation SIEM solutions
How does User and Entity Behavior Analytics work?
UEBA solutions work by creating a baseline of behavior for users and entities. Data on normal behaviors and activity is collected and analyzed over time to find the accustomed patterns and create baselines describing them. UEBA tools then monitor systems and use these baselines as a reference against which new data is compared.
The creation of baselines and profiles by entity is what enables UEBA to detect threats that traditional tools cannot, such as insider theft. When security events or logged activity outside the baseline is identified, it is classified with a risk score based on its deviation from the baseline. If activity meets or passes a predefined risk threshold, a security event alert is sent to your security team.
What does a UBA/UEBA system comprise?
UBA / UEBA solutions are typically built of the following modules:
|Data collection, parsing and aggregating of security events, via log data or agents installed on IT systems.||Central log and event storage where raw data, security metadata, and the results of analyses are stored.|
|An analysis engine that analyzes events, identifies anomalies, and prioritizes them to pinpoint security incidents.||Automated response—some UBA/UEBA solutions can integrate with other security tools or IT systems to perform automated actions in response to a security event.|
UBA/UEBA security use cases: How does user behavior analytics help organizations?
User behavior analytics solutions can help you discover security threats that traditional tools — which are based on signatures, correlation rules, or simple statistical analysis — cannot see.
|Discovering compromised accounts||UBA/UEBA can identify user accounts taken over by attackers, because they exhibit anomalous behavior compared to the real business user.|
|Identifying malicious insider threats||Insider threats are a major, growing threat, and are extremely difficult to detect via traditional security tools because these attacks use legitimate credentials, services and entities, and access privileges. UBA/UEBA tools can identify malicious insiders by analyzing their behavior compared to similar, non-malicious users.|
|Identifying privileged account abuse||UBA/UEBA can help monitor accounts with administrative or escalated privileges to ensure they are not being misused, either by their designated owner or by others. Privileged account issues include policy violations or neglectful acts which may not be malicious activity, but can still have damaging results.|
|Cloud security monitoring||Cloud assets are provisioned dynamically and used remotely, making them difficult to capture with traditional tools. UBA/UEBA can look at cloud-based assets and discover if, as a group, they are acting normally or abnormally. This includes coordination with CASB or DLP tools which can alert on unusual file size movement or inappropriate sharing|
|Entity monitoring||UEBA can be used to monitor IoT devices, such as critical medical equipment or sensors deployed in the field. Behavior analysis can be used to establish a baseline for these groups of similar IoT devices, and identify when a device exhibits anomalous behavior. For example, if an industrial control system’s service account attempts to log into the active directory or web server, this highly unusual behavior will throw an alert.|
Key capabilities of UBA/UEBA solutions
The following are minimal capabilities that define a full user behavior analytics solution:
- Monitor and analyze behavior of both credentials and other entities — should have the ability to collect data from IT systems and create a behavior pattern baseline of all entities on the network
- Detect anomalous behavior — a deviation from the behavioral baseline that is significant and could indicate an insider attack or other security threat
- Use machine learning and advanced analytics — making it possible to detect unknown threats and learn from big data sets, even if an attack pattern has never been seen before
- Combines multiple activities into one security event — Like Open XDR, a UBA UEBA solution is able to identify security incidents across multiple users, entities or IPs, and also combine data from many different sources, such as anti-malware, firewall, proxies, DLP, and VPN.
- Near-real time performance — To be effective as an incident response tool, UBA/UEBA technology must collect data and alert security analysts with minimal delay for processing after an event has occurred.
UEBA: A core component in Next-gen SIEM solutions
Security Information and Event Management (SIEM) solutions, which are the foundation of the modern Security Operation Center (SOC), are highly complementary to UBA/UEBA because they also collect security events from across the organization, analyze them, and identify security events — albeit with correlation rules and basic statistical analysis.
While Gartner does not use the term “Next-gen SIEM”, Gartner’s vision for the next generation of SIEM includes a full-featured UEBA solution, to enable it to perform behavioral analysis of anomalies on security events and log data.
Incorporating UBA/UEBA in a SIEM can provide strong security benefits by combining the breadth of information accessed by a SIEM (which integrates with almost all security tools and IT systems across the enterprise) with the advanced analytical capabilities of UBA/UEBA technology.
One example of a Next-gen SIEM that includes UEBA is Exabeam’s SOC Platform. Exabeam provides the following UEBA capabilities:
- Rule and signature-free security event detection — identifies abnormal, risky activity without requiring predefined correlation rules or attack patterns, as in traditional SIEMs
- Automatic timelines for security incidents — stitches together security events into a timeline that shows an entire security event chain across users, IP addresses and IT systems
- Dynamic peer groupings — dynamically groups organizationally similar users and functional entities to analyze collective behavior to identify anomalous individual actions
- Lateral movement detection — detects attackers after their initial penetration, as they move through a network using different IP addresses, credentials and machines
To learn more about how UEBA works under the hood, and how it powers next-generation SIEM technology, see our in-depth guide on UEBA.
Learn more about User and Entity Behavior Analytics
Have a look at these articles:
- What UEBA Stands For (And a 5-Minute UEBA Primer)
- What Is UEBA and Why It Should Be an Essential Part of Your Incident Response
- Threat Detection and Response: How to Stay Ahead of Advanced Threats
- Behavioral Profiling: The Foundation of Modern Security Analytics
- SIEM Concepts: Security Analytics
Building a UEBA Risk Engine
Exabeam Achieves ISO 27017 and ISO 27018 Certifications
Subscribe today and we'll send our latest blog posts right to your inbox, so you can stay ahead of the cybercriminals and defend your organization.
See a world-class SIEM solution in action
Most reported breaches involved lost or stolen credentials. How can you keep pace?
Exabeam delivers SOC teams industry-leading analytics, patented anomaly detection, and Smart Timelines to help teams pinpoint the actions that lead to exploits.
Whether you need a SIEM replacement, a legacy SIEM modernization with XDR, Exabeam offers advanced, modular, and cloud-delivered TDIR.
Get a demo today!