To detect anomalies, UEBA first learns about the expected behavior of all users and entities in a network and creates a baseline of regular activities for each of them. Any activity that deviates from this baseline gets flagged as an anomaly. UEBA solutions grow more effective as they gain more experience.

Why you need a UEBA solution

Insider threats refer to any malicious activity faced by organizations due to the actions of users with legitimate access to the network, databases, and applications.

More than 34% of businesses around the globe are affected by insider threats yearly.

Over the last two years, the number of insider incidents has increased by 44%.

Close to 66% of organizations consider malicious insider attacks or accidental breaches more likely than external attacks.

The cost per insider threat in 2022 is $15.38 million.


It's just as important to protect your organization from internal threats as external threats.

A UEBA solution leverages the predictability of human behavior to detect and identify anomalous behavior by users, machines, and other entities in the network, which can indicate an insider attack. UEBA solutions also cover routers, servers, and endpoints in the network. In addition to a wide range of insider attacks, a UEBA solution can also help you detect DDoS attacks, brute-force attacks, and data exfiltration.

How a UEBA solution works

Closely monitoring the behavior of a person can reveal a lot about their true intentions. This is the concept that UEBA works on. UEBA closely monitors the activities of every user and entity inside the network and learns their characteristics. UEBA often works along with a SIEM solution by using activity logs to study the usual behavior of users and entities.


A risk score is calculated for each user and entity in the organization by comparing their actions to their baseline of regular activities. The risk score usually ranges from zero to 100, indicating no risk to maximum risk, respectively. The risk score depends on factors such as the weight allotted to the action, the extent of the deviation from the baseline, the frequency of deviation, and the time elapsed since the deviation.
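The following is an added example, not code from the original page or from any UEBA vendor, that turns the four factors named above (action weight, size of the deviation from the baseline, how often it recurred, and how long ago it happened) into a 0-100 risk score. The action weights, the half-life used for time decay, the 5-sigma cap and the way several anomalies are combined are all assumptions chosen for illustration; the sample baselines are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed example; helper names, weights and decay constants are
# assumptions for illustration, not a vendor's scoring formula.


@dataclass
class Anomaly:
    action: str        # which monitored action deviated, e.g. "file_download"
    observed: float    # value seen in the current period
    baseline: list     # past per-period values for this user or entity
    occurrences: int   # how many times this deviation has recurred
    days_ago: float    # time elapsed since the (latest) deviation


# Assumed per-action weight: how serious a deviation in that action is.
ACTION_WEIGHT = {"file_download": 0.8, "logon_failure": 0.5, "new_host_access": 0.7}


def deviation(observed, baseline):
    """Standard deviations above the baseline mean (0 if at or below it)."""
    mu, sigma = mean(baseline), pstdev(baseline)
    sigma = sigma or 1.0  # flat history: treat one unit as one deviation
    return max(0.0, (observed - mu) / sigma)


def anomaly_score(a, half_life_days=7.0):
    """Score one anomaly in [0, 1] from weight, deviation, frequency and age."""
    weight = ACTION_WEIGHT.get(a.action, 0.3)          # unknown action: low weight
    z = min(deviation(a.observed, a.baseline), 5.0) / 5.0  # cap at 5 sigma -> [0, 1]
    freq = min(a.occurrences, 5) / 5.0                 # repeated deviations weigh more
    decay = 0.5 ** (a.days_ago / half_life_days)       # older deviations fade out
    return weight * (0.7 * z + 0.3 * freq) * decay


def risk_score(anomalies):
    """Aggregate to 0-100 as 1 - prod(1 - s): anomalies compound, never exceed 100."""
    survive = 1.0
    for a in anomalies:
        survive *= 1.0 - min(anomaly_score(a), 1.0)
    return round(100 * (1 - survive))


if __name__ == "__main__":
    base = [3, 4, 3, 5, 3]  # constructed: downloads per day over five days
    fresh = Anomaly("file_download", 120, base, 1, 0.0)
    old = Anomaly("file_download", 120, base, 1, 14.0)
    print(risk_score([fresh]), risk_score([old]))  # same deviation, two weeks apart
```

The same deviation scores 61 when it happened today and 15 when it happened two weeks ago, which is the "time elapsed" factor at work; adding a second, independent anomaly raises the combined score without ever pushing it past 100.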

Defend against insider threats, account compromise, data exfiltration, and logon anomalies with UEBA

Here are some activities that might increase the risk score of users or entities, indicating possible insider threats, account compromise, data exfiltration, or logon anomalies.

Signs of an insider threat

  • New or unusual system accesses
  • Unusual access times
  • Unusual file accesses or modifications
  • Excessive authentication failures

Signs of account compromise

  • Unusual software running for a user
  • Multiple instances of software installed on a host
  • Numerous logon failures on a host

Signs of data exfiltration

  • An unusual number or type of file downloads
  • Multiple removable disk creations by users
  • Unusual commands executed by users
  • Abnormal host logons

Signs of logon anomalies

  • Multiple login failures
  • Successful login after multiple login failures
  • Login attempts at unusual times
  • Logins from unusual locations
  • Unauthorized logins or login attempts
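As an added example that is not part of the original page, the detector below runs four of the logon signs listed above (multiple failures, a success after multiple failures, unusual times, unusual locations) over a handful of constructed log lines. The log format, the per-user baselines of usual hours and countries, the failure threshold and the ten-minute window are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); the key=value format is assumed.
LOG_LINES = """\
2024-03-04T09:02:11 user=alice result=SUCCESS src=10.0.0.5 geo=US
2024-03-04T09:40:31 user=bob result=SUCCESS src=10.0.0.9 geo=US
2024-03-04T23:10:02 user=alice result=FAIL src=198.51.100.7 geo=RO
2024-03-04T23:10:40 user=alice result=FAIL src=198.51.100.7 geo=RO
2024-03-04T23:11:15 user=alice result=FAIL src=198.51.100.7 geo=RO
2024-03-04T23:12:03 user=alice result=SUCCESS src=198.51.100.7 geo=RO
2024-03-04T17:55:00 user=bob result=FAIL src=10.0.0.9 geo=US
"""

# Assumed learned baselines: the hours and countries each user normally logs on from.
BASELINE = {
    "alice": {"hours": set(range(8, 19)), "geos": {"US"}},
    "bob": {"hours": set(range(8, 19)), "geos": {"US"}},
}


def parse(line):
    """Turn one log line into a dict with a datetime under "ts"."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_logon_anomalies(lines, baseline, fail_threshold=3, window=timedelta(minutes=10)):
    """Return sorted (user, sign, detail) findings for the logon signs above."""
    events = sorted((parse(l) for l in lines.strip().splitlines()), key=lambda r: r["ts"])
    recent_fails = defaultdict(list)  # user -> timestamps of failures inside the window
    findings = set()                  # a set so a repeated sign is reported once
    for e in events:
        user, ts = e["user"], e["ts"]
        prof = baseline.get(user, {"hours": set(), "geos": set()})  # unknown user: everything unusual
        if ts.hour not in prof["hours"]:
            findings.add((user, "unusual_time", f"{ts.hour:02d}:00"))
        if e["geo"] not in prof["geos"]:
            findings.add((user, "unusual_location", e["geo"]))
        # slide the window: keep only failures that are still within it
        recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window]
        if e["result"] == "FAIL":
            recent_fails[user].append(ts)
            if len(recent_fails[user]) >= fail_threshold:
                minutes = int(window.total_seconds() // 60)
                findings.add((user, "multiple_failures", f"{fail_threshold} failures within {minutes} min"))
        elif len(recent_fails[user]) >= fail_threshold:
            # a success right after a burst of failures is the classic brute-force tell
            findings.add((user, "success_after_failures", ts.isoformat()))
            recent_fails[user].clear()
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect_logon_anomalies(LOG_LINES, BASELINE):
        print(finding)
```

Only alice trips any sign: three failures inside ten minutes, then a success, all at 23:00 from a country outside her baseline. Bob's single failure at 17:55 stays under the threshold and inside his usual hours, so it generates nothing; in a UEBA deployment each of alice's four findings would feed into her risk score rather than fire as four separate alerts.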

Behind the scenes

There are two methods to set up a UEBA system:

Supervised ML

In the supervised ML method, the UEBA system is fed a list of known good and bad behaviors. This list is limited and therefore may lack the knowledge needed to detect anomalous behavior. The system builds on these inputs and detects anomalous behaviors in the network.


Unsupervised ML

In the unsupervised ML method, the UEBA system undergoes a "training" phase to learn the normal behavior of every user and entity. This method is unarguably the best because the system studies the everyday behavior of users and entities on its own. Techniques used for this include:

  • Robust principal component analysis
  • Markov chains

Robust principal component analysis (RPCA)

RPCA, a variation of the widely used principal component analysis technique, is a statistical model that uses orthogonal transformation to convert a set of observations of possibly correlated variables (data points) into linearly uncorrelated variables called principal components. The line of best fit is established for the set of principal components, and the data points that deviate from this line of best fit are termed to be anomalous.

Markov chains

A Markov chain is a sequence of stochastic events where the probability of the next event in a chain depends only on the state of the current event. A workflow of events is created by determining the successive state of occurrences of events. As each event occurs, it’s compared with the predicted sequence of events. If any event deviates from the predicted workflow of events, it’s considered an anomaly, and the risk score of the corresponding entity is increased.
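To make the Markov chain approach concrete, here is an added example (not code from the original page or from any product) that learns first-order transition probabilities from a few constructed event sequences, compares a new sequence against them, and raises the entity's risk score for every transition that falls below a probability threshold. The event names, the training sequences, the threshold and the per-transition risk step are all assumptions.

```python
from collections import defaultdict

# Constructed training data: sequences of events that represent a user's
# normal workflows.  Event names are invented for the example.
TRAINING = [
    ["login", "open_mail", "open_doc", "save_doc", "logout"],
    ["login", "open_doc", "save_doc", "open_mail", "logout"],
    ["login", "open_mail", "logout"],
    ["login", "open_doc", "save_doc", "logout"],
]


class MarkovModel:
    """First-order Markov chain over discrete events, learned from observed sequences."""

    def __init__(self, sequences):
        self.counts = defaultdict(lambda: defaultdict(int))  # prev -> next -> count
        for seq in sequences:
            for prev, nxt in zip(seq, seq[1:]):
                self.counts[prev][nxt] += 1

    def prob(self, prev, nxt):
        """P(next | prev); 0.0 for a transition or state never seen in training."""
        row = self.counts.get(prev)
        if not row:
            return 0.0
        return row.get(nxt, 0) / sum(row.values())

    def flag_transitions(self, seq, threshold=0.05):
        """Transitions in seq whose learned probability is below the threshold."""
        flagged = []
        for prev, nxt in zip(seq, seq[1:]):
            p = self.prob(prev, nxt)
            if p < threshold:
                flagged.append((prev, nxt, p))
        return flagged


def update_risk(current, flagged, step=20):
    """Raise the entity's 0-100 risk score by a fixed step per deviating transition."""
    return min(100, current + step * len(flagged))


if __name__ == "__main__":
    model = MarkovModel(TRAINING)
    normal = ["login", "open_doc", "save_doc", "logout"]
    odd = ["login", "open_doc", "bulk_download", "usb_write", "logout"]
    print(model.flag_transitions(normal))  # nothing flagged
    for prev, nxt, p in model.flag_transitions(odd):
        print(f"{prev} -> {nxt}: p={p:.2f}")
    print(update_risk(10, model.flag_transitions(odd)))  # 10 -> 70
```

The normal sequence follows transitions the model has seen many times and flags nothing; the second sequence contains three transitions the chain never observed, and the entity's risk score rises from 10 to 70 as a result. Note that a first-order chain only looks one step back, so a plausible single step that is unusual in a longer context will still pass; real deployments pair this with the baseline and risk-scoring layers described elsewhere on this page.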

Benefits of a UEBA solution

  • It can offer better protection against zero-day exploits for which there are no known "signatures" yet.
  • The activities of each user and entity are compared to their corresponding baseline or "average," and thus the number of false positives and false negatives will be reduced when compared to rule-based alerting mechanisms.
  • Traditional SIEM solutions treat security mishaps as isolated incidents and send alerts, while UEBA solutions look at security holistically and calculate risk scores for each user, reducing false alerts as a result.
  • A UEBA solution can detect long-term, malicious lateral movements more effectively than SIEM solutions, and risk scoring helps to keep this in check.
  • There is no reliance on IT administrators to develop thresholds or correlation rules to identify threats.
  • Risk scoring makes it possible for security experts to focus on the most credible, high-risk alerts.

How to choose a UEBA solution

An effective UEBA solution should have the following features:

Peer grouping analysis

Peer grouping is the process by which you group users and hosts into distinct peer groups based on their past behavior. If your security analytics platform adopts peer group analysis, it will be able to determine whether a user or host behaves as expected based on the groups it is in. If it doesn’t, the system triggers an anomaly alert. By doing this in addition to comparing a user’s or host’s behavior to its own baseline, peer group analysis helps reduce the number of false positives.
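The example below is added here and is not code from the original page; it shows the two-stage check the paragraph describes. A user is first compared to their own baseline (z-score over a constructed ten-day history); only if that check fires is today's value compared to the user's peer group, so a shift that the whole group shares (say, a quarter-end surge for the finance team) is not reported as an anomaly. The user names, groups, counts, the 3-sigma threshold and the 2x peer ratio are all assumptions.

```python
from statistics import mean, pstdev

# Constructed data: daily counts of one monitored action (files accessed, say)
# over the last ten days, plus today's count.  Names and numbers are invented.
HISTORY = {
    "alice": [20, 22, 19, 21, 20, 23, 20, 22, 21, 20],
    "bob":   [18, 20, 19, 21, 20, 19, 20, 22, 21, 19],
    "carol": [25, 24, 26, 25, 24, 26, 25, 25, 24, 26],
    "dave":  [5, 6, 5, 7, 6, 5, 6, 5, 6, 5],
    "erin":  [6, 5, 6, 6, 5, 7, 6, 5, 6, 6],
}
TODAY = {"alice": 60, "bob": 58, "carol": 65, "dave": 40, "erin": 6}
PEER_GROUPS = {"finance": ["alice", "bob", "carol"], "facilities": ["dave", "erin"]}


def own_zscore(value, history):
    """How many standard deviations today's value sits above the user's own mean."""
    sigma = pstdev(history) or 1.0  # flat history: one unit counts as one deviation
    return (value - mean(history)) / sigma


def peers_of(user, groups):
    for members in groups.values():
        if user in members:
            return [m for m in members if m != user]
    return []


def assess(user, today, history, groups, z_threshold=3.0, ratio_threshold=2.0):
    """Classify today's value for one user.

    "normal"          : within the user's own baseline
    "peer_wide_shift" : outside own baseline, but the peer group moved the same way
    "anomaly"         : outside own baseline and out of line with peers today
    """
    if own_zscore(today[user], history[user]) <= z_threshold:
        return "normal"
    peers = peers_of(user, groups)
    if not peers:
        return "anomaly"  # no peer context available; keep the own-baseline verdict
    # Compare to what the peers are doing today (few values, so a ratio is used
    # rather than a second z-score); the floor of 1.0 avoids dividing by zero.
    peer_mean = max(mean(today[p] for p in peers), 1.0)
    return "anomaly" if today[user] / peer_mean > ratio_threshold else "peer_wide_shift"


def assess_all(today, history, groups):
    return {u: assess(u, today, history, groups) for u in today}


if __name__ == "__main__":
    for user, verdict in assess_all(TODAY, HISTORY, PEER_GROUPS).items():
        print(f"{user:6s} {TODAY[user]:3d}  {verdict}")
```

All three finance users are far above their own baselines today, but because they moved together the peer check downgrades them to a group-wide shift; dave is above his own baseline and nearly seven times his peer's count, so he is the only anomaly. Without the peer stage, four of the five users would have been flagged.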

Actionable reports

Gathered data should be consolidated efficiently into easy-to-view reports, and generating actionable reports is another critical function of a UEBA solution. Regularly reviewing reports helps spot false flagging within the network and provides insights on how to customize a UEBA solution to comply with an organization's security norms.

Customizable anomaly models

All anomaly detection systems offer built-in anomaly models. These are built-in machine learning algorithms that learn the baseline of expected activity for every user and host in the network. If the UEBA solution allows you to train your own anomaly model, it's called a customizable anomaly model. This enables you to cater to the specific security situation of your company in a better way.

Real-time alerts

With alerts, you can receive notifications about anomalies that happen in the network in real time. For example, you might receive a notification email as soon as an anomaly is identified. With real-time alerts, you won't have to log on to your UEBA solution to find out whether your network has been exposed to a new risk.

Data collection and analysis

A UEBA solution should properly collect and analyze the data of users, machines, and other entities in a network, like event logs and packet capture data. Continuous monitoring and analysis of data from different sources will help to detect anomalies easily and instantly.

Accurate risk scoring

The UEBA solution must be able to assign a risk score to every user and host in the network to represent the degree of risk posed by that entity. The risk score depends on the extent and type of anomalies that the user or host triggers.