What UEBA Stands For (And a 5-Minute UEBA Primer)

November 07, 2018

Orion Cassetto

UEBA stands for User and Entity Behavior Analytics. We explain every word of the acronym and provide a 5-minute primer with everything you need to know about UEBA.

What UEBA Stands For

UEBA stands for User and Entity Behavior Analytics, a category of information security tools that analyze the behavior of users (and of other entities on the network) and apply advanced analytics to detect anomalies, with the aim of stopping data breaches. Let’s explain each word in the acronym:

User: UEBA technology helps understand how users behave on networks, applications and other IT systems, in order to identify security issues.
Entity: The “E” in UEBA is newer, introduced by Gartner in 2015. UEBA technology can monitor entities other than users, such as routers, servers, enterprise applications and even IoT devices.
Behavior: What does UEBA do with users and entities? It establishes a behavioral baseline that defines how they “usually” behave, then flags activity that deviates from that baseline and assesses whether the deviation has security significance.
Analytics: The analytics part of UEBA is based on machine learning algorithms. UEBA ingests large volumes of data and runs it through models that learn from historical behavior and determine what constitutes abnormal behavior across thousands of users, entities and peer groups.
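As an added illustration of the “Behavior” and “Analytics” steps (this is example code written for this page, not Exabeam’s product logic), the following Python learns a per-user baseline from a few days of constructed logon records and then scores a new day’s events against it. The record layout (timestamp, user, host, outcome), the point values, and the mean-plus-three-sigma failure threshold are assumptions chosen for the example; a production system would learn many more features and tune the weights from feedback.

```python
"""Per-user behavioral baseline and anomaly scoring over constructed logon events (example code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Assumed point values: how much risk each kind of deviation adds to a user's daily score.
NEW_HOST = 40        # successful logon to a host this user has never used
OFF_HOURS = 20       # successful logon at an hour this user has never been active
FAILURE_BURST = 30   # more failed logons in a day than the user's own history makes plausible


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    outcome: str  # "SUCCESS" or "FAILURE"


@dataclass
class Baseline:
    hosts: set = field(default_factory=set)   # hosts with at least one successful logon
    hours: set = field(default_factory=set)   # hours of day with at least one successful logon
    failures_per_day: list = field(default_factory=list)


# Constructed learning period, three ordinary working days. Layout: "timestamp user host outcome".
BASELINE_LOG = """\
2018-10-29T08:55:00 alice ws-alice SUCCESS
2018-10-29T09:10:00 alice fileserver-1 SUCCESS
2018-10-29T08:40:00 bob ws-bob SUCCESS
2018-10-29T08:41:00 bob ws-bob FAILURE
2018-10-29T08:42:00 bob ws-bob SUCCESS
2018-10-30T09:02:00 alice ws-alice SUCCESS
2018-10-30T13:15:00 alice fileserver-1 SUCCESS
2018-10-30T10:20:00 bob build-01 SUCCESS
2018-10-31T08:58:00 alice ws-alice SUCCESS
2018-10-31T09:06:00 bob ws-bob FAILURE
2018-10-31T09:07:00 bob ws-bob SUCCESS
"""

# Constructed day under test: alice's account is used at 02:30 against a domain controller after
# several failures; bob has his usual morning, including one mistyped password.
TEST_LOG = """\
2018-11-01T02:30:00 alice dc-01 FAILURE
2018-11-01T02:31:00 alice dc-01 FAILURE
2018-11-01T02:32:00 alice dc-01 FAILURE
2018-11-01T02:33:00 alice dc-01 FAILURE
2018-11-01T02:34:00 alice dc-01 SUCCESS
2018-11-01T08:57:00 bob ws-bob SUCCESS
2018-11-01T08:58:00 bob ws-bob FAILURE
2018-11-01T09:00:00 bob ws-bob SUCCESS
"""


def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, host, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host, outcome))
    return events


def build_baselines(events):
    """Learn, per user, the hosts and hours of successful logons and the failure count per day."""
    baselines = defaultdict(Baseline)
    failures = defaultdict(lambda: defaultdict(int))  # user -> date -> failed logons
    days = set()
    for e in events:
        days.add(e.ts.date())
        b = baselines[e.user]  # creates the entry on first sight, even for failure-only users
        if e.outcome == "SUCCESS":
            b.hosts.add(e.host)
            b.hours.add(e.ts.hour)
        else:
            failures[e.user][e.ts.date()] += 1
    for user, b in baselines.items():
        b.failures_per_day = [failures[user].get(d, 0) for d in sorted(days)]
    return baselines


def score_success(baseline, e):
    """Score one successful logon against the user's own baseline."""
    score, reasons = 0, []
    if e.host not in baseline.hosts:
        score += NEW_HOST
        reasons.append(f"first logon to {e.host}")
    if e.ts.hour not in baseline.hours:
        score += OFF_HOURS
        reasons.append(f"never active at {e.ts.hour:02d}:00 before")
    return score, reasons


def failure_threshold(baseline):
    """Daily failures above mean + 3 sigma of the user's own history count as a burst (sigma floored at 1)."""
    hist = baseline.failures_per_day or [0]
    return mean(hist) + 3 * max(pstdev(hist), 1.0)


def score_day(baselines, events):
    """Return {user: (risk score, reasons)} for one day's events; unseen users get an empty baseline."""
    totals, reasons, failures = defaultdict(int), defaultdict(list), defaultdict(int)
    for e in events:
        if e.outcome == "FAILURE":
            failures[e.user] += 1
            continue
        s, r = score_success(baselines.get(e.user, Baseline()), e)
        totals[e.user] += s
        reasons[e.user].extend(r)
    for user, n in failures.items():
        if n > failure_threshold(baselines.get(user, Baseline())):
            totals[user] += FAILURE_BURST
            reasons[user].append(f"{n} failed logons in one day")
    return {u: (totals[u], reasons[u]) for u in set(totals) | set(failures)}


if __name__ == "__main__":
    result = score_day(build_baselines(parse(BASELINE_LOG)), parse(TEST_LOG))
    for user, (score, why) in sorted(result.items(), key=lambda kv: kv[1][0], reverse=True):
        print(f"{user:8s} {score:3d}  {'; '.join(why) or 'nothing unusual'}")
```

On this data alice’s 02:34 logon to dc-01 (a host she has never used, at an hour she has never worked) after four failures scores 90, while bob’s routine morning, one failed password included, scores 0. The point is that the same raw event type, a failed logon, is normal for one user and anomalous for another, which is exactly what a static correlation rule such as “three failures in five minutes” cannot express.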



Quick Orientation: UEBA and Related Security Trends

What Is UEBA?

UEBA, User and Entity Behavior Analytics, is a category of security solutions that uses machine learning and deep learning to learn how users and other entities on a corporate network typically behave, detect abnormal behavior, and determine whether that behavior has security implications.

Unlike traditional security tools, which rely on correlation rules and known attack patterns, UEBA can surface new types of attacks and incidents that hide in the noise, including zero-day attacks and insider threats. The caveat is that an anomaly is evidence, not a verdict: UEBA flags a deviation from normal, and whether that deviation is malicious still depends on context and analyst review.

What Does UBA Stand for?

Now that we’ve covered what UEBA stands for, we’ll define UBA. UBA stands for User Behavior Analytics (like UEBA, just without the “E”).

What Is UBA?

UBA (User Behavior Analytics) is the earlier name for the UEBA category, coined by Gartner in 2014. Under that definition, UBA tools analyzed only the behavior of individual users and groups of users.

In 2015, Gartner updated its definition to include the “E”—renaming the category to User and Entity Behavior Analytics. In this broader definition, UEBA tools are also responsible for analyzing baseline behavior and detecting anomalies for other entities on the network—such as routers, servers, endpoints and applications.

What Is the Difference between UEBA and UBA?

While UBA focused on the behavior of individual users, UEBA also analyzes the diverse non-human entities that operate on a corporate network. In addition, UEBA is aimed at external attackers who have already gained a foothold inside the network, not only at insider threats.

What Is the Difference between UEBA and SIEM?

Security Information and Event Management (SIEM) systems are a core piece of infrastructure in the Security Operations Center (SOC). They collect security logs and events from across the enterprise by interfacing with many enterprise systems and other security tools, analyze those events, and generate alerts for security teams.

UEBA is closely related to SIEM, because it performs many of the same functions: it too collects events from the corporate network, analyzes them and generates alerts. The emphasis differs, however. UEBA solutions focus on the analysis side, while SIEM systems excel at covering very broad volumes of security data, organizing it for security analysts and enabling structured processes in the SOC.

What Is Next Gen SIEM (Includes UEBA)?

In 2017, Gartner proposed that a SIEM platform should include several advanced capabilities, one of which is UEBA. Essentially, Gartner called on vendors to build UEBA into SIEM platforms and offer the two together. While Gartner does not use the term ‘next-generation SIEM’ directly, its document outlines which capabilities the next generation of SIEMs should include. One vendor that heeded this call was Exabeam, whose next-generation SIEM includes UEBA and security automation capabilities.

How Does UEBA Help Incident Response?

UEBA is an essential part of modern incident response. In the past, security analysts had to sift through large numbers of alerts to find a “real” security incident, and then dig for additional evidence to reconstruct what had happened.

UEBA automates much of this process, identifying events with particular security significance and pulling together related events that may belong to the same incident. As a result, UEBA helps organizations respond to incidents more quickly and accurately, with less investment of scarce analyst hours.

A 5-Minute UEBA Primer

Components of UEBA Systems

Analysis Module: Takes in parsed event data and analyzes it to identify anomalies and prioritize security incidents.
Central Storage: Raw data and analysis results are stored here.
Automated Response: UEBA solutions can integrate with IT systems and security tools and execute automated responses to security incidents. This may also be handled by specialized Security Orchestration, Automation and Response (SOAR) tools.

Top UEBA Use Cases

Malicious Insider: UEBA solutions can identify malicious insiders even though their behavior might look innocent to traditional security tools. They do this by establishing a baseline of each user’s typical behavior and detecting when that behavior changes.
Compromised Insider: UEBA solutions can rapidly detect malicious activity carried out by attackers who take control of a privileged account without the account holder’s knowledge. They can also detect lateral movement, where attackers switch to different systems or user accounts to deepen their penetration into IT systems.
Incident Prioritization: UEBA can rank incidents by how abnormal, suspicious or potentially dangerous they are. It goes beyond correlation rules or attack patterns to identify previously unseen malicious activity. It can also add context about the organizational importance of assets; for a system holding critical data, even a small deviation from regular behavior is significant.
Data Loss Prevention (DLP): UEBA can take the alerts produced by the DLP tools many large organizations run, then prioritize and consolidate them to determine which alerts really represent anomalous behavior. This reduces alert fatigue and helps analysts quickly identify a real data leak.
Entity Analytics (IoT): IoT represents a big security challenge; some organizations manage thousands of IoT devices deployed in the field, with limited visibility into their behavior and rudimentary security capabilities on the devices themselves. UEBA can track large fleets of connected devices, establish behavioral baselines and pick up abnormal or malicious activity such as connections from unusual sources, activity at unusual times, or device features that are not normally used.

Example of a Next-Gen SIEM with UEBA

One example of a modern SIEM solution which comes with UEBA technology built in is Exabeam’s Security Management Platform. Exabeam provides the following UEBA capabilities:

  • Incident detection that does not rely on rules or signatures—Exabeam identifies abnormal and risky activity without predefined correlation rules or threat patterns and provides meaningful alerts with lower false positives.
  • Security incident timelines—Exabeam stitches sessions together to create a complete timeline for a security incident, spanning users, IP addresses and IT systems.
  • Peer groupings—Exabeam dynamically groups similar entities, such as users who have the same organizational role, to analyze normal behavior across the group and detect unusual behavior.
  • Lateral movement—Attackers who penetrate a system move through the network, gaining access to more and more systems using different IP addresses and credentials. Exabeam combines data from multiple sources to uncover an attacker’s journey through the network.
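The three capabilities above (incident timelines, peer groupings and lateral movement), together with the compromised-insider and incident-prioritization use cases earlier on the page, come down to one mechanism: link individual logon events into a chain, then score each hop by how unusual it is for the account and for the account’s peer group. The Python below is an added example written for this page, not Exabeam’s implementation. The role table, the 30-minute chaining window, the record layout (timestamp, user, source host, destination host) and the point weights are assumptions, and all logon records are constructed.

```python
"""Session stitching, peer-group rarity and lateral-movement scoring (example code, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Logon:
    ts: datetime
    user: str
    src: str  # host the logon originated from
    dst: str  # host that accepted it


# Assumed peer groups; a real deployment would pull roles from a directory or HR feed.
ROLES = {"alice": "finance", "bob": "finance", "carol": "finance", "dave": "it-ops"}

# Constructed baseline of network logons: "timestamp user source_host destination_host".
HISTORY = """\
2018-10-29T09:00:00 alice ws-alice fileserver-1
2018-10-29T09:30:00 bob ws-bob fileserver-1
2018-10-29T10:00:00 carol ws-carol erp-01
2018-10-30T11:00:00 dave ws-dave build-01
2018-10-30T11:30:00 dave ws-dave dc-01
"""

# Constructed day under investigation.
TODAY = """\
2018-11-01T02:10:00 alice ws-alice fileserver-1
2018-11-01T02:14:00 alice fileserver-1 build-01
2018-11-01T02:20:00 svc-backup build-01 dc-01
2018-11-01T09:00:00 bob ws-bob erp-01
"""

# Assumed weights: rarity of each hop, plus bonuses for multi-hop chains and a mid-chain account switch.
RARITY_WEIGHT = {"known": 0, "new-to-user": 10, "new-to-peers": 40}
MULTI_HOP = 25
CREDENTIAL_SWITCH = 35


def parse_logons(text):
    rows = [line.split() for line in text.strip().splitlines()]
    return sorted((Logon(datetime.fromisoformat(ts), u, s, d) for ts, u, s, d in rows),
                  key=lambda lg: lg.ts)


def learn_hosts(history, roles):
    """Destination hosts seen per user and per peer group; accounts without a role form their own group."""
    user_hosts, role_hosts = defaultdict(set), defaultdict(set)
    for lg in history:
        user_hosts[lg.user].add(lg.dst)
        role_hosts[roles.get(lg.user, lg.user)].add(lg.dst)
    return user_hosts, role_hosts


def rarity(logon, user_hosts, role_hosts, roles):
    """Normal for this user, normal only for the user's peers, or new to both?"""
    if logon.dst in user_hosts.get(logon.user, set()):
        return "known"
    if logon.dst in role_hosts.get(roles.get(logon.user, logon.user), set()):
        return "new-to-user"
    return "new-to-peers"


def stitch_chains(logons, window=timedelta(minutes=30)):
    """Greedy timeline stitching: the next hop must leave the host the last hop landed on, within `window`."""
    unused, chains = list(logons), []
    while unused:
        chain = [unused.pop(0)]
        while True:
            last = chain[-1]
            nxt = next((lg for lg in unused
                        if lg.src == last.dst and last.ts < lg.ts <= last.ts + window), None)
            if nxt is None:
                break
            unused.remove(nxt)
            chain.append(nxt)
        chains.append(chain)
    return chains


def score_chain(chain, user_hosts, role_hosts, roles):
    score, reasons = 0, []
    for hop in chain:
        r = rarity(hop, user_hosts, role_hosts, roles)
        score += RARITY_WEIGHT[r]
        if r != "known":
            reasons.append(f"{hop.user} -> {hop.dst} is {r}")
    users = sorted({hop.user for hop in chain})
    if len(chain) >= 2:
        score += MULTI_HOP
        reasons.append(f"{len(chain)}-hop chain")
    if len(users) > 1:
        score += CREDENTIAL_SWITCH
        reasons.append("account changed mid-chain: " + ", ".join(users))
    return {"users": users, "path": [chain[0].src] + [hop.dst for hop in chain],
            "start": chain[0].ts.isoformat(), "score": score, "reasons": reasons}


def analyze(history_text, today_text, roles):
    """Rank the day's stitched chains by risk, highest first."""
    user_hosts, role_hosts = learn_hosts(parse_logons(history_text), roles)
    results = [score_chain(c, user_hosts, role_hosts, roles)
               for c in stitch_chains(parse_logons(today_text))]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for a in analyze(HISTORY, TODAY, ROLES):
        print(a["score"], a["start"], " -> ".join(a["path"]), "|", "; ".join(a["reasons"]))
```

Run against the constructed data, the top result is a single chain starting at 02:10, ws-alice to fileserver-1 to build-01 to dc-01, in which the account switches from alice to svc-backup midway; it scores 140. Bob’s logon to erp-01 is new for him but routine for his finance peers, so peer grouping keeps it at 10 rather than treating it as a first-seen host. Two things to keep in mind when adapting this: stitching purely on “source of the next hop equals destination of the last hop” is deliberately simple (real products also use logon IDs, session identifiers and source IPs), and a hop that leaves a host shared by many users, such as a jump host, will produce false chains unless the account or session is part of the link condition.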

Get a demo of Exabeam to test drive an integrated UEBA, SIEM and SOAR platform.

To learn more about UEBA technology, read the UEBA chapter of our Essential Guide to SIEM.



Learn More About User and Entity Behavior Analytics


What Is UEBA and Why It Should Be an Essential Part of Your Incident Response

In the world of cybersecurity, security teams are trending away from using prevention-only approaches, according to a 2018 Gartner report called Market Guide for User and Entity Behavior Analytics. As security teams shift toward balancing cyber threat prevention with the newer detection and incident response (IR) approaches, they are increasingly adding technologies like user and entity behavior analytics (UEBA) to their conventional SIEMs and other legacy prevention systems in an effort to boost the effectiveness of their security systems.

Read more: What Is UEBA and Why It Should Be an Essential Part of Your Incident Response


Threat Detection and Response: How to Stay Ahead of Advanced Threats

Threat detection is the number one priority for cybersecurity teams. If you don’t even see the bad guys in your network, you will not be able to respond appropriately. But with so many potential threats and adversaries, putting in place appropriate threat detection can seem a daunting task. Throw in a bunch of marketing buzzwords and cyber terms of art and it’s even harder to establish a clear strategy. Breaking down threat detection and response to the most basic elements can bring that clarity.

Read more: Threat Detection and Response: How to Stay Ahead of Advanced Threats


User Behavior Analytics (UBA/UEBA): The Key to Uncovering Insider and Unknown Security Threats

User Behavior Analytics was defined by Gartner in 2014 as a category of cybersecurity tools that analyze user behavior on networks and other systems, and apply advanced analytics to detect anomalies and malicious behavior. These can be used to discover security threats like malicious insiders and privileged account compromise, which traditional security tools cannot see.

Read more: User Behavior Analytics (UBA/UEBA): The Key to Uncovering Insider and Unknown Security Threats


Behavioral Profiling: The Foundation of Modern Security Analytics

Until recently, security systems could only defend against what they knew. Security teams would painstakingly define correlation rules to specify what constitutes suspicious activity, or systems would scan software or traffic patterns, searching for previously known attack signatures. In today’s threat landscape, this approach is still important but is not enough to defend against sophisticated attackers with an increasingly advanced attack toolset.

Read more: Behavioral Profiling: The Foundation of Modern Security Analytics


Security Analytics

No organization has a crystal ball and thus cannot predict the future, particularly where security threats are involved. However, by using security analytics tools, your organization can better analyze security events and potentially detect a threat before it impacts your revenues or infrastructure.

Read more: Security Analytics


See our Additional Guides on Information Security

For more in-depth guides on additional information security topics such as data breaches, see below:


Cyber Security Threats Guide

Cyber security threats are intentional and malicious efforts by an organization or an individual to carry out attacks on another organization or individual.

See top articles in our cyber security threats guide


SIEM Security Guide

SIEM security refers to the integration of SIEM with security tools, network monitoring tools, performance monitoring tools, critical servers and endpoints, and other IT systems.

See top articles in our SIEM security guide


Insider Threat Guide

An insider threat is a malicious activity against an organization that comes from users with legitimate access to an organization’s network, applications or databases.

See top articles in our insider threat guide


Security Operations Centers Guide

A security operations center (SOC) is traditionally a physical facility within an organization, which houses an information security team.

See top articles in our security operations center guide


DLP Guide

DLP is an approach that seeks to protect business information. It prevents end-users from moving key information outside the network.

See top articles in our DLP guide


Incident Response Guide

Incident response is an approach to handling security breaches.

See top articles in our incident response guide


Regulatory Compliance Guide

See top articles in our regulatory compliance guide
