NEW: 2022 Gartner® Market Guide for Data Loss Prevention

Get my copy
Insider Threats

What is UEBA?

User and entity behavior analytics (UEBA) is a category of cybersecurity tools that use mathematical models to find unusual behavior that could indicate a threat. Originally known as user behavior analytics (UBA), the term “entity” was added to include the behavioral analysis of non-human assets such as physical devices or applications in addition to traditional end users.

These systems attempt to learn the “normal” or baseline behavior of users and entities and then detect deviations from these norms that could indicate the presence of malware, advanced threat, or a malicious insider. For example, a UEBA may identify deviations from a user’s normal baseline behavior, such as accessing an unusual amount of data at odd times. Additionally, some UEBAs attempt to identify the behaviors of threats, such as looking for the behavioral patterns of lateral movement in a network.

UEBA technology has been assimilated into a variety of larger security technologies such as SIEMs. Many SIEM vendors have integrated UEBA capabilities into their offerings, and there is considerable overlap between the technologies. However, UEBAs are typically distinguished based on the complexity of their detection models and ability to ingest additional data sources in addition to traditional logs.

How Does a UEBA Work?

  • 1. Determine Data Sources

    Before a UEBA can look for threats, it must first have data to analyze. A UEBA can analyze a wide range of data types, including event logs from an organization’s Active Directory, endpoint logs, network traffic statistics, and more. This is an important point that organizations will need to consider when deploying a UEBA – what data sources will the UEBA use? The types of data that will be analyzed will have an effect both on the complexity of the deployment and also on the ability of the UEBA to detect threats.

  • 2. Train Behavioral Models

    Once the UEBA has access to data, it can begin to learn the normal behavior in the environment. This is referred to as training the detection models by analyzing local data from users and entities in order to establish a baseline of behavior that is specific to the customer’s environment. This training phase can be applied to individual users and devices and to larger groups such as Active Directory groups, classes of devices or network segments, and VLANs.

  • 3. Detect and Investigate

    After the initial training period is complete, the UEBA can begin to detect anomalous or suspicious events. Detections are driven by a variety of analytical methods ranging from simple statistical analysis to various forms of machine learning and deep learning. Many UEBAs will allow the security team to tune the thresholds of the system to determine how much deviation is required to trigger an alert. Once an alert is generated, an analyst will typically perform an additional investigation in order to determine if the detected anomaly is benign or an indicator of a true threat

What Are the Advantages of UEBA Technology?

Security tools that use UEBA have several advantages, particularly compared to more traditional threat detection tools that rely on signatures to directly detect known threats. These more traditional systems are not able to detect new or unknown threats, and attackers can also evade such controls by slightly altering the appearance of the threat or obscuring the malicious payload using encryption.

UEBA technology doesn’t have these problems. Instead of looking for specific threats that are known to be “bad”, a UEBA model seeks to learn what is “good” and then looks for anything that stands out as unusual. This allows a product with UEBA to find advanced or more complex threats that would typically fly under the radar of traditional threat detection tools.


Download our Definitive Guide to Insider Risk Management

Read the guide to learn more about preventing today’s threats.

What Are the Drawbacks of UEBA’s Approach?

While UEBA technology can provide an added layer of threat detection, they do have several challenges. First, UEBA detections are often not conclusive. A user behaving unusually could be a sign of a threat or something completely benign. As a result, UEBA detections typically require additional investigation in order to determine if the alert is a true threat or a false positive. These investigations can be time-consuming and can add additional work for overburdened security analysts.

Many organizations will set detection thresholds very high in order to avoid false positives and alert fatigue. However, this means that subtle and “low-and-slow” threats will evade detection. UEBA features are also almost always deployed out of band, meaning that they are not able to prevent a threat or loss of data.

Lastly, the core UEBA strategy of learning what is “normal” has its own limitations. If a threat is present when the UEBA is trained, the threat behavior could be learned as part of the baseline. It also means that a UEBA will be blind to risks and threats that blend in with normal user behavior. For example, many insider threats arise from end users who accrue or misuse sensitive data in the course of their normal workflow or make simple mistakes when working with sensitive data.

Start tracing your data