What UEBA Stands For

What UEBA stands for is User and Entity Behavior Analytics which is a category of cybersecurity tools that analyze user behavior, and apply advanced analytics to detect anomalies. Let’s explain each word in this acronym:

User UEBA technology can help understand the behavior of users on networks, applications and other IT systems, to help identify security issues.
Entity The “E” in UEBA is newer—introduced by Gartner in 2015. UEBA technology can monitor other entities besides users—such as routers, servers, enterprise applications, or even IoT devices.
Behavior What does UEBA do with users and entities? It establishes a behavioral baseline that defines how they “usually” behave. And then identifies anomalies that deviate from that baseline, which have security significance
Analytics The analytics part of UEBA is based on AI and machine learning algorithms. UEBA ingests large volumes of data and runs them through machine learning models that learn from historical behavior and understand what constitutes abnormal behavior—across thousands of users, entities and peer groups.



Quick Orientation: UEBA and Related Security Trends

What Is UEBA?

What UEBA stands for Entity Behavior Analytics, and it’s a new category of security solutions that uses machine learning and deep learning to learn how users and other entities on a corporate network typically behave, detect abnormal behavior, and figure out if this behavior has security implications.

Unlike traditional security tools, which were based on correlation rules and known attack patterns, UEBA can identify new types of attacks and incidents that hide in the noise. These include zero day attacks and insider threats.

What Does UBA Stand for?

Now that we’ve covered what UEBA stands for, we’ll define UBA. UBA stands for User Behavior Analytics (like UEBA, just without the “E”).

What Is UBA?

UBA (User Behavior Analytics) was an old name for the UEBA category, coined by Gartner in 2014. In the earlier definition, UBA tools performed their analysis only on the behavior of individual users, and groups of users.

In 2015, Gartner updated its definition to include the “E”—renaming the category to User and Entity Behavior Analytics. In this broader definition, UEBA tools are also responsible for analyzing baseline behavior and detecting anomalies for other entities on the network—such as routers, servers, endpoints and applications.

What Is the Difference between UEBA and UBA?

While UBA focused on the behavior of individual users, UEBA is capable of analyzing new and diverse entities that operate on a corporate network. In addition, UEBA protects against external threats as well as insider threats that already exist.

What Is the Difference between UEBA and SIEM?

Security Information and Event Management (SIEM) systems are an important infrastructure in the Security Operations Center (SOC). They are responsible for collecting all security logs and events from across the enterprise, by interfacing with many enterprise systems and other security tools, analyzing these events and generating alerts for security teams.

UEBA is highly related to SIEM, because it performs many of the same functions—it too collects events from the corporate network, analyzes them and generates alerts. However while UEBA solutions focus on the analysis side, SIEM systems are great at covering very broad volumes of security data, organizing it for security analysts and enabling structured processes in the SOC.

What Is Next Gen SIEM (Includes UEBA)?

In 2017, Gartner proposed that a SIEM platform should include a few advanced capabilities, one of which is UEBA. Essentially, Gartner called to vendors to build UEBA solutions into SIEM platforms and offer them together. While Gartner does not refer to a ‘next-generation SIEM’ directly, their document outlines which capabilities should be included in the next generation of SIEMs. One of the vendors who heeded this call was Exabeam, a next-generation SIEM which includes UEBA and security automation capabilities.

How Does UEBA Help Incident Response?

UEBA is an essential part of modern incident response. In the past, security analysts would sift through large numbers of alerts to discover a “real” security incident, and would then have to dig for additional evidence to uncover what has happened.

UEBA automates most of this process—identifying events that have special security significance, and pulling together related events that may be part of the same security incident. Thus, UEBA can help organizations perform incident response more quickly, accurately, and with less investment of precious security analyst hours.

A 5-Minute UEBA Primer

Components of UEBA Systems

Analysis Module Takes in parsed event data and analyzes it to identify anomalies and prioritize security incidents.
Central Storage Raw data and analysis results are stored here.
Automated Response UEBA solutions can integrate with IT systems and security tools, and can execute automated responses to security incidents.
This may also be done by specialized solutions called Security Automation and Orchestration (SOAR)

Top UEBA Use Cases

Malicious Insider UEBA solutions can identify malicious insiders, even though their behavior might seem innocent to traditional security tools. It does this by establishing a baseline of each user’s typical behavior and detecting when that behavior changes.
Compromised Insider UEBA solutions can rapidly detect bad activities carried out by attackers who take control of a privileged account without the account holder’s knowledge. They can also detect lateral movement–attackers switching to different systems or user accounts to deepen their penetration into IT systems.
Incident Prioritization UEBA can intelligently predict which incidents are particularly abnormal, suspicious or potentially dangerous. They go beyond correlation rules or attack patterns to identify unseen bad activity. It can also add context about the organizational importance of assets—for example, for a system holding critical data, even a small deviation from regular behavior is significant.
Data Loss Prevention (DLP) UEBA can take alerts from DLP tools which are used by many large organizations, prioritize and consolidate them to understand which of the alerts really represent anomalous behavior. This reduces alert fatigue and helps analysts quickly identify a real data leak.
Entity Analytics (IoT) IoT represents a big security challenge—some organizations manage thousands of IoT devices deployed in the field, with limited visibility over their behavior and rudimentary security capabilities. UEBA can track unlimited connected devices, establish behavioral baselines and pick up abnormal or malicious activity such as connections from unusual sources, activity at unusual times, or device features which are not typically used.

Example of a Next-Gen SIEM with UEBA

One example of a modern SIEM solution which comes with UEBA technology built in is Exabeam’s Security Management Platform. Exabeam provides the following UEBA capabilities:

  • Incident detection that does not rely on rules or signatures—Exabeam identifies abnormal and risky activity without predefined correlation rules or threat patterns and provides meaningful alerts with lower false positives.
  • Security incident timelines—Exabeam stitches sessions together to create a complete timeline for a security incident, spanning users, IP addresses and IT systems.
  • Peer groupings—Exabeam dynamically groups similar entities, such as users who have the same organizational role, to analyze normal behavior across the group and detect unusual behavior.
  • Lateral movement—Attackers who penetrate a system move through the network, gaining access to more and more systems using different IP addresses and credentials. Exabeam combines data from multiple sources to uncover an attacker’s journey through the network.

Get a demo of Exabeam to test drive an integrated UEBA, SIEM and SOAR platform.

To learn more about UEBA technology, read our UEBA chapter of our Essential Guide to SIEM.

Further reading

Director, Product Marketing

More like this

If you’d like to see more content like this, subscribe to the Exabeam Blog