User and entity behavior analytics (UEBA)

Sachin Raaghav

Apr 2010 min read


It has become almost impossible to imagine a world without the internet. According to Statista, there were 4.66 billion active internet users globally in January 2021, accounting for 59.5% of the global population. When billions of people use the internet, an enormous amount of data moves between different IP addresses, systems, cloud applications, networks, and devices. Among these people are threat actors, such as cybercriminals and hackers, who are capable of compromising an organization's security system. It has become difficult to identify security threats since traditional methods, such as manually checking log entries, have become obsolete. UEBA solves this problem with the help of machine learning, algorithms, and automation.

What is UEBA?

UEBA was previously known as user behavior analytics (UBA). In 2015, the word entity was added by Gartner to include routers, servers, and endpoints. UEBA is a cybersecurity technique used to analyze the suspicious activities of users, devices, and other resources in a network using machine learning and algorithms that flag behavior that could indicate a cyberattack.

Before detecting anomalies, a UEBA solution learns about the typical behavior of all the users and entities in a network and establishes a baseline of routine actions for each of them. A baseline is a fixed point of reference used for comparison purposes. Any activity that deviates from the baseline is referred to as an anomaly.

For example, if an employee logs in regularly at 9am, then that would be the baseline for the login time. If that employee were to log in at 2am, it would be considered an anomaly since this behavior differs from their routine.

Identifying security breaches has become complicated and time-consuming. UEBA solutions detect anomalies more efficiently, helping IT administrators quickly take preventative measures to tackle security threats.

The 3 pillars of UEBA

According to Gartner, UEBA solutions should have three attributes: use cases, data sources, and analytics.

1. Use cases

In an organization's network, a UEBA solution monitors, detects, and reports hostile activity by users and entities. It should also be suitable for various use cases such as:

  • Monitoring employees.
  • Detecting fraudulent activities.
  • Monitoring trusted hosts.

2. Data sources

UEBA solutions should collect data from general data repositories, such as data warehouses and data lakes.

3. Analytics

UEBA solutions should detect anomalies using a variety of analytic methods, such as:

  • Machine learning.
  • Statistical models.
  • Algorithms.
  • Threat signatures.

Components of UEBA

The key components of UEBA solutions are data analytics, data integration, and data presentation.

Data analytics

Data analytics use information about the normal behavior of users, devices, and entities to generate a baseline of how they behave. Any behavior that differs from the baseline is considered an anomaly. IT administrators are alerted if any anomalies are found, and the required actions are taken to prevent any security breaches. Imagine there is an employee who lives in Paris and works from home. One day, while he is on sick leave, there is a login under his employee ID, and its IP address is from Pakistan. A UEBA solution would flag this activity as an anomaly and warn the IT administrator.
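The login-time baseline from the earlier example and the Paris/Pakistan case above both reduce to the same mechanism: learn how often each user logs in at each hour and from each country, then score a new login by how little of that history supports it. The following is an added illustration written for this article, not code from the article or from ManageEngine; the users, hours, countries and the 0.9 alert threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed baseline of successful logins (hypothetical users and countries,
# not data from the article). Each record is (user, hour_of_day, source_country).
BASELINE_LOGINS = [
    ("alice", 8, "FR"), ("alice", 9, "FR"), ("alice", 9, "FR"), ("alice", 10, "FR"),
    ("alice", 9, "FR"), ("alice", 9, "FR"), ("alice", 8, "FR"), ("alice", 9, "FR"),
    ("alice", 10, "FR"), ("alice", 9, "FR"),
    ("bob", 22, "US"), ("bob", 23, "US"), ("bob", 0, "US"), ("bob", 23, "DE"),
    ("bob", 22, "US"),
]


@dataclass
class Profile:
    """Per-user baseline: how often each login hour and source country was seen."""
    hours: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    total: int = 0


def build_profiles(logins):
    """Learn one baseline per user from historical successful logins."""
    profiles = defaultdict(Profile)
    for user, hour, country in logins:
        p = profiles[user]
        p.hours[hour] += 1
        p.countries[country] += 1
        p.total += 1
    return profiles


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23:00 and 01:00 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_login(profile, hour, country, hour_window=2):
    """Score a new login in [0, 1]: 0 means fully consistent with the baseline,
    1 means never seen before. Returns (score, reasons)."""
    if profile.total == 0:
        return 1.0, ["no baseline for this user"]
    # Share of past logins that fell within +/- hour_window of this hour.
    near = sum(n for h, n in profile.hours.items() if hour_distance(h, hour) <= hour_window)
    hour_rarity = 1.0 - near / profile.total
    country_rarity = 1.0 - profile.countries[country] / profile.total
    reasons = []
    if hour_rarity > 0.9:
        reasons.append(f"login at {hour:02d}:00 is outside the user's usual hours")
    if country_rarity > 0.9:
        reasons.append(f"login from {country} has never been seen for this user")
    return max(hour_rarity, country_rarity), reasons


def detect_anomalies(profiles, new_logins, threshold=0.9):
    """Return an alert for every login whose score exceeds the threshold."""
    alerts = []
    for user, hour, country in new_logins:
        score, reasons = score_login(profiles[user], hour, country)
        if score > threshold:
            alerts.append({"user": user, "hour": hour, "country": country,
                           "score": round(score, 2), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(BASELINE_LOGINS)
    new = [("alice", 9, "FR"), ("alice", 2, "FR"), ("alice", 9, "PK"), ("bob", 23, "DE")]
    for alert in detect_anomalies(profiles, new):
        print(alert)
```

Two design points matter here. The hour comparison is circular and uses a window, so a 23:00 login for a night-shift user whose history spans 22:00 to 00:00 is not penalised. And the score is the worst of the per-feature rarities rather than their average, so a login at a normal hour from a never-seen country (the Pakistan case) is flagged even though one feature looks routine.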

Data integration

Data integration is the process of collecting data from different sources, such as data sets, logs, and IP packets, and comparing it with the data held by the existing security systems. Data that does not match what the existing security systems report is considered anomalous.

Data presentation

Data presentation is the method by which UEBA systems share their data with IT admins. Data presentation involves using different graphical formats, such as graphs, tables, and diagrams, to visually represent the relationship between two or more data sets. It is easier to identify anomalies with the help of data presentation.

Threats identified by UEBA

UEBA is an essential tool for identifying suspicious activities and threats such as:

Insider threats

An insider threat occurs when a user (employee) with privileged access to IT systems plans to launch a cyberattack on the organization. It is difficult to manually detect insider threats through log records or routine security inspections. Since UEBA solutions know the baseline activities of all users, any anomalous activity atypical of a user will be automatically flagged, thus helping the admin take corrective action. According to Egress’ Insider Data Breach Survey 2021, an overwhelming 94% of organizations experienced insider data breaches in 2020.

Dictionary and brute-force attacks

Cybercriminals use dictionary and brute-force attacks to gain access to user accounts, systems, and networks. These attacks work by trial and error: many candidate passwords are tried against an account in quick succession. Since many attempts are required to conduct this operation, UEBA solutions identify it as an anomalous activity and prevent access.
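The detection logic for this case is a burst of failed logins from one source, and a successful login that follows such a burst is a stronger signal than the failures on their own. The example below is added for this article (it is not the article's or ManageEngine's code); the log format, the 5-failures-in-60-seconds rule and the IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (not from the article). The first source makes
# six failed attempts in 15 seconds and then succeeds; the second is a user
# mistyping a password twice.
SAMPLE_LOG = """\
2021-04-20T02:00:01 FAIL user=alice src=203.0.113.7
2021-04-20T02:00:04 FAIL user=bob src=203.0.113.7
2021-04-20T02:00:07 FAIL user=carol src=203.0.113.7
2021-04-20T02:00:10 FAIL user=dave src=203.0.113.7
2021-04-20T02:00:13 FAIL user=bob src=203.0.113.7
2021-04-20T02:00:16 FAIL user=bob src=203.0.113.7
2021-04-20T02:00:20 OK user=bob src=203.0.113.7
2021-04-20T09:01:00 FAIL user=erin src=198.51.100.5
2021-04-20T09:01:08 FAIL user=erin src=198.51.100.5
2021-04-20T09:01:15 OK user=erin src=198.51.100.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window detector. Fires 'failed-login-burst' once when a source
    reaches `threshold` failures inside the window, and 'success-after-burst'
    for any successful login from that source while the burst is still live."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # src -> timestamps of failures in the window
    burst_live_until = {}           # src -> time until which a success is suspicious
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, ts = ev["src"], ev["ts"]
        q = failures[src]
        while q and ts - q[0] > window:      # drop failures that aged out
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ts)
            if len(q) >= threshold:
                burst_live_until[src] = ts + window
            if len(q) == threshold:          # fire once per burst, not per failure
                alerts.append({"type": "failed-login-burst", "src": src,
                               "count": len(q), "ts": ts.isoformat()})
        elif src in burst_live_until and ts <= burst_live_until[src]:
            alerts.append({"type": "success-after-burst", "src": src,
                           "user": ev["user"], "ts": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

Counting per source rather than per user is what makes the first burst visible: the attacker spreads the attempts over four accounts, so no single account exceeds three failures. A production rule would normally keep both counters, since a slow attack against one account from many sources needs the per-user view.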

Compromised and spoof accounts

An account is compromised when it is accessed by unauthorized users, such as cybercriminals and hackers. This could happen if the user unknowingly installed malware or was deceived by an attacker, for example through spoofed messages, into giving out their credentials. UEBA solutions detect compromised and spoof accounts.

Privilege escalation

Some cyberattacks make use of superuser accounts. A superuser account is a network account that has significantly more privileges than most user accounts; IT admins, for example, hold superuser accounts. UEBA solutions find out when superusers are created and whether accounts have been given any unauthorized access.
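The two events this paragraph names, a superuser being created and an account being granted rights it should not have, can be watched for in a directory's audit trail. The following is an added example for this article, not code from the article or from ManageEngine; the group names, the event format and the one-hour "freshly created account" window are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Group names taken to confer superuser rights. Assumed for this example; a
# real deployment would take the list from its own directory.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed directory audit events (hypothetical actors and accounts, not from
# the article): (timestamp, event_type, actor, target_account, group_or_None).
AUDIT_EVENTS = [
    ("2021-04-20T10:00:00", "account_created", "helpdesk1", "svc-backup", None),
    ("2021-04-20T10:00:30", "group_member_added", "helpdesk1", "svc-backup", "Domain Admins"),
    ("2021-04-20T11:00:00", "group_member_added", "bob", "bob", "Administrators"),
    ("2021-04-20T12:00:00", "group_member_added", "itadmin", "carol", "Sales"),
]


def audit_privilege_changes(events, new_account_window=timedelta(hours=1)):
    """Return one alert per grant of superuser rights. Severity rises to 'high'
    when the grant targets a freshly created account or the actor's own account,
    the two patterns that most often mean the grant was not a planned change."""
    created_at = {}
    alerts = []
    for ts_text, kind, actor, target, group in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_text)
        if kind == "account_created":
            created_at[target] = ts
            continue
        if kind != "group_member_added" or group not in PRIVILEGED_GROUPS:
            continue
        reasons = [f"{actor} added {target} to {group}"]
        severity = "medium"
        if actor == target:
            reasons.append("actor granted superuser rights to their own account")
            severity = "high"
        if target in created_at and ts - created_at[target] <= new_account_window:
            age = int((ts - created_at[target]).total_seconds())
            reasons.append(f"target account was created only {age}s earlier")
            severity = "high"
        alerts.append({"ts": ts_text, "target": target, "group": group,
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in audit_privilege_changes(AUDIT_EVENTS):
        print(alert)
```

The addition to a non-privileged group is deliberately ignored, which keeps the rule quiet for ordinary joiner and mover activity; what turns a medium alert into a high one is the context the baseline supplies (how old the account is, who performed the change), not the group change on its own.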

Data theft

Confidential data needs to be protected. UEBA solutions track data access attempts in real time and identify if an unauthorized user accesses any sensitive information.

Here's a tip: With intuitive reports and real-time monitoring, AD360 provides insight into user behavior as well as potential attacks on your network. You can leverage UBA to spot subtle anomalies that might be an indicator of compromise. Get instantly notified via email or SMS when there is a sudden spike in file accesses, and automatically shut down infected devices.

The shift to UEBA

Cybercrime has advanced at the same rate as emerging technologies. Cybercrime across the country continues to rise at an alarming rate each year. According to Statista, the average cost of a data breach in the United States alone was around $2 million in 2020. IT administrators must constantly monitor users and entities to ensure that their organization's security is not compromised.

UEBA is now an integral component of IT security, and therefore implementing it is crucial for any organization to prevent security breaches. By combining visibility and data, these solutions substantially reduce the time it takes to detect and respond to cyberattacks and they identify risks that traditional solutions miss.