User and entity behavior analytics (UEBA) is a category of cybersecurity tools that use mathematical models to find unusual behavior that could indicate a threat. The technology was originally known as user behavior analytics (UBA); the term “entity” was added to cover the behavioral analysis of non-human assets such as physical devices or applications, in addition to traditional end users.
These systems attempt to learn the “normal” or baseline behavior of users and entities and then detect deviations from these norms that could indicate the presence of malware, an advanced threat, or a malicious insider. For example, a UEBA may identify deviations from a user’s normal baseline behavior, such as accessing an unusual amount of data at odd times. Additionally, some UEBAs attempt to identify the behaviors of threats themselves, such as looking for the behavioral patterns of lateral movement in a network.
UEBA technology has been assimilated into a variety of larger security technologies such as SIEMs. Many SIEM vendors have integrated UEBA capabilities into their offerings, and there is considerable overlap between the technologies. However, UEBAs are typically distinguished based on the complexity of their detection models and ability to ingest additional data sources in addition to traditional logs.
How Does a UEBA Work?
1. Determine Data Sources. Before a UEBA can look for threats, it must first have data to analyze. A UEBA can analyze a wide range of data types, including event logs from an organization’s Active Directory, endpoint logs, network traffic statistics, and more. This is an important point that organizations will need to consider when deploying a UEBA – what data sources will the UEBA use? The types of data that will be analyzed will have an effect both on the complexity of the deployment and also on the ability of the UEBA to detect threats.
2. Train Behavioral Models. Once the UEBA has access to data, it can begin to learn the normal behavior in the environment. This is referred to as training the detection models: the UEBA analyzes local data from users and entities in order to establish a baseline of behavior that is specific to the customer’s environment. This training phase can be applied to individual users and devices and to larger groups such as Active Directory groups, classes of devices or network segments, and VLANs.
3. Detect and Investigate. After the initial training period is complete, the UEBA can begin to detect anomalous or suspicious events. Detections are driven by a variety of analytical methods ranging from simple statistical analysis to various forms of machine learning and deep learning. Many UEBAs will allow the security team to tune the thresholds of the system to determine how much deviation is required to trigger an alert. Once an alert is generated, an analyst will typically perform an additional investigation in order to determine if the detected anomaly is benign or an indicator of a true threat.
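The three steps above, carried through in one small script as an added illustration (this is not the code of any UEBA product, and the log format, the user names alice/bob/mallory, the byte volumes and the z-score threshold are all constructed for the example). It ingests a file-access log as the data source, trains a per-entity baseline of daily byte volume and active hours, then scores a new day against that baseline with a tunable deviation threshold, which is the knob the text says analysts adjust.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def synthetic_training_log(days=14):
    """Step 1, data source. Constructed file-access records (entity, timestamp,
    bytes read): alice reads roughly 50 MB/day between 09:00 and 17:00, bob
    roughly 10 MB/day between 08:00 and 16:00. Not real data."""
    start = datetime(2024, 1, 1)
    log = []
    for d in range(days):
        day = start + timedelta(days=d)
        for h in range(9, 17):
            log.append({"entity": "alice", "ts": day.replace(hour=h),
                        "bytes": 6_000_000 + 250_000 * (d % 3)})
        for h in range(8, 16):
            log.append({"entity": "bob", "ts": day.replace(hour=h),
                        "bytes": 1_200_000 + 50_000 * (d % 2)})
    return log


def train_baseline(log):
    """Step 2, training. Per entity: mean and standard deviation of daily byte
    volume, plus the set of hours in which the entity was ever active."""
    daily = defaultdict(lambda: defaultdict(int))  # entity -> date -> bytes
    hours = defaultdict(set)                        # entity -> {hour, ...}
    for rec in log:
        daily[rec["entity"]][rec["ts"].date()] += rec["bytes"]
        hours[rec["entity"]].add(rec["ts"].hour)
    baseline = {}
    for entity, per_day in daily.items():
        totals = list(per_day.values())
        baseline[entity] = {"mean": mean(totals), "std": pstdev(totals),
                            "hours": hours[entity]}
    return baseline


def detect(baseline, log, z_threshold=3.0):
    """Step 3, detection. Score each entity-day in `log` against its baseline.
    `z_threshold` is the tunable knob: how many standard deviations above the
    mean daily volume count as anomalous. Returns a list of findings."""
    daily = defaultdict(lambda: defaultdict(int))
    off_hours = defaultdict(set)                    # (entity, date) -> hours
    for rec in log:
        key = (rec["entity"], rec["ts"].date())
        daily[rec["entity"]][key[1]] += rec["bytes"]
        known_hours = baseline.get(rec["entity"], {}).get("hours", set())
        if rec["ts"].hour not in known_hours:
            off_hours[key].add(rec["ts"].hour)
    findings = []
    for entity, per_day in daily.items():
        model = baseline.get(entity)
        for day, total in per_day.items():
            if model is None:
                # Never seen in training: there is no baseline to compare
                # against, so surface it for the analyst instead of scoring it.
                findings.append({"entity": entity, "day": day, "z": None,
                                 "off_hours": sorted(off_hours[(entity, day)]),
                                 "reasons": ["no baseline for entity"]})
                continue
            # Floor the spread so a perfectly regular entity does not produce
            # an infinite z-score on any tiny change.
            spread = max(model["std"], 0.05 * model["mean"], 1.0)
            z = (total - model["mean"]) / spread
            reasons = []
            if z > z_threshold:
                reasons.append(f"daily volume z={z:.1f} exceeds {z_threshold}")
            if off_hours[(entity, day)]:
                reasons.append("activity outside baseline hours")
            if reasons:
                findings.append({"entity": entity, "day": day, "z": z,
                                 "off_hours": sorted(off_hours[(entity, day)]),
                                 "reasons": reasons})
    return findings


def synthetic_detection_log():
    """Constructed day 15: alice behaves as usual; bob pulls 45 MB between
    02:00 and 04:00; 'mallory' was never seen during training."""
    day = datetime(2024, 1, 15)
    log = [{"entity": "alice", "ts": day.replace(hour=h), "bytes": 6_000_000}
           for h in range(9, 17)]
    log += [{"entity": "bob", "ts": day.replace(hour=h), "bytes": 15_000_000}
            for h in range(2, 5)]
    log.append({"entity": "mallory", "ts": day.replace(hour=3), "bytes": 100_000})
    return log


if __name__ == "__main__":
    model = train_baseline(synthetic_training_log())
    for finding in detect(model, synthetic_detection_log()):
        print(finding["entity"], finding["day"], finding["reasons"])
```

Running it flags bob (volume far above his baseline and activity at hours never seen in training) and mallory (no baseline at all), while alice's normal day produces nothing. Raising `z_threshold` suppresses the volume reason but not the off-hours one, which is the kind of tuning trade-off the investigation step then has to absorb: a looser threshold means fewer alerts, but also a bigger deviation before one fires. The same `train_baseline`/`detect` pair works unchanged for a host or service account as the entity, since nothing in it is specific to human users.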
What Are the Advantages of UEBA Technology?
Security tools that use UEBA have several advantages, particularly compared to more traditional threat detection tools that rely on signatures to directly detect known threats. These more traditional systems are not able to detect new or unknown threats, and attackers can also evade such controls by slightly altering the appearance of the threat or obscuring the malicious payload using encryption.
UEBA technology doesn’t have these problems. Instead of looking for specific threats that are known to be “bad”, a UEBA model seeks to learn what is “good” and then looks for anything that stands out as unusual. This allows a product with UEBA to find advanced or more complex threats that would typically fly under the radar of traditional threat detection tools.