What is User and Entity Behavior Analytics? A Definition of UEBA, Benefits, How It Works, and More



Learn about user and entity behavior analytics (UEBA) in Data Protection 101, our series on the fundamentals of information security.

What is UEBA?

Hackers can break into firewalls, send you e-mails with malicious and infected attachments, or even bribe an employee to gain access into your firewalls. Old tools and systems are quickly becoming obsolete, and there are several ways to get past them.

User and entity behavior analytics (UEBA) give you more of a comprehensive way to make sure that your organization has top-notch IT security, while also helping you detect users and entities that might compromise your entire system.

A Definition of User and Entity Behavior Analytics

User and entity behavior analytics, or UEBA, is a type of cyber security process that takes note of the normal conduct of users. In turn, they detect any anomalous behavior or instances when there are deviations from these “normal” patterns. For example, if a particular user regularly downloads 10 MB of files every day but suddenly downloads gigabytes of files, the system would be able to detect this anomaly and alert them immediately. 

UEBA uses machine learning, algorithms, and statistical analyses to know when there is a deviation from established patterns, showing which of these anomalies could result in a potential, real threat. UEBA can also aggregate the data you have in your reports and logs, as well as analyze file, flow, and packet information.

In UEBA, you do not track security events or monitor devices; instead, you track all the users and entities in your system. As such, UEBA focuses on insider threats, such as employees who have gone rogue, employees who have already been compromised, and people who already have access to your system and then carry out targeted attacks and fraud attempts, as well as servers, applications, and devices that are working within your system.

Benefits of UEBA

It is the unfortunate truth that today's cyber security tools are fast becoming obsolete, and more skilled hackers and cyber attackers are now able to bypass the perimeter defenses that are used by most companies. In the old days, you were secure if you had web gateways, firewalls, and intrusion prevention tools in place. This is no longer the case in today’s complex threat landscape, and it’s especially true for bigger corporations that are proven to have very porous IT perimeters that are also very difficult to manage and oversee.

The bottom line? Preventive measures are no longer enough. Your firewalls are not going to be 100% foolproof, and hackers and attackers will get into your system at one point or another. This is why detection is equally important: when hackers do successfully get into your system, then you should be able to detect their presence quickly in order to minimize the damage.

How UEBA Works

The premise of UEBA is actually very simple. You can easily steal an employee’s user name and password, but it is much harder to mimic the person’s normal behavior once inside the network.
For example, let’s say you steal Jane Doe’s password and user name. You would still not be able to act precisely like Jane Doe once in the system, unless given extensive research and preparation. Therefore, when Jane Doe’s user name is logged in to the system, and her behavior is different than that of typical Jane Doe, that is when UEBA alerts start to sound. 

Another relatable analogy would be if your credit card was stolen. A thief can pickpocket your wallet and go to a high-end shop and start spending thousands of dollars using your credit card. If your spending pattern on that card is different from the thief’s, the company’s fraud detection department will often recognize the abnormal spending and block suspicious purchases, issuing an alert to you or asking you to verify the authenticity of a transaction.

As such, UEBA is a very important component of IT security, allowing you to:

1. Detect insider threats. It is not too far-fetched to imagine that an employee, or perhaps a group of employees, could go rogue, stealing data and information by using their own access. UEBA can help you detect data breaches, sabotage, privilege abuse, and policy violations made by your own staff.

2. Detect compromised accounts. Sometimes, user accounts are compromised. It could be that the user unwittingly installed malware on his or her machine, or sometimes a legitimate account is spoofed. UEBA can help you weed out spoofed and compromised users before they can do real harm.

3. Detect brute-force attacks. Hackers sometimes target your cloud-based entities as well as third-party authentication systems. With UEBA, you are able to detect brute-force attempts, allowing you to block access to these entities.

4. Detect changes in permissions and creation of super users. Some attacks involve the use of super users. UEBA allows you to detect when super users are created, or if there are accounts that were granted unnecessary permissions.

5. Detect breach of protected data. If you have protected data, it is not enough to just keep it secure. You should know when a user accesses this data when he or she does not have any legitimate business reason to access it.

UEBA vs. SIEM

Security Information and Event Management, or SIEM, is the use of a complex set of tools and technologies that gives a comprehensive view of the security of your IT system. It makes use of data and event information, allowing you to see patterns and trends that are normal, and alert you when there are anomalous trends and events. UEBA works the same way, only that it uses user (and entity) behavior information to come up with what's normal and what's not. 

SIEM, however, is rules-based, and advanced hackers can easily work around or evade these rules. What's more, SIEM rules are designed to immediately detect threats happening in real time, while advanced attacks are usually carried out over a span of months or years. UEBA, on the other hand, does not rely on rules. Instead, it uses risk scoring techniques and advanced algorithms, allowing it to detect anomalies over time. 

One of the best practices for IT security is to use both SIEM and UEBA to have better security and detection capabilities.

Best Practices for UEBA

UEBA arose out of the malicious behavior by users and other entities. UEBA tools and processes are not meant to replace earlier monitoring systems, but instead should be used to complement them and enhance your company’s overall security posture.

Another great practice is to harness the storage and computational powers of big data, using machine learning and statistical analysis to prevent getting an avalanche of useless alerts and become overwhelmed with the large volume of data generated.

UEBA uses machine learning and algorithms to strengthen security by monitoring users and other entities, detecting anomalies in behavior patterns that could be indicative of a threat. By taking a more proactive approach to security and gaining more visibility into user and entity behavior, today’s enterprises are able to build a stronger security posture and more effectively mitigate threats and prevent security breaches.

Jeff Aldorisio

ANALYST REPORTS

451 Research Paper: A Data-Centric Approach to Endpoint Security