Texture Top Right Yellow 03

What is UEBA?

Definition and Benefits

User and Entity Behavior Analytics

UEBA stands for User and Entity Behavior Analytics and was previously known as user behavior analytics (UBA). UEBA uses large datasets to model typical and atypical behaviors of humans and machines within a network. By defining such baselines it can identify suspicious behavior, potential threats and attacks that traditional antivirus may not detect. This means UEBA can detect non-malware-based attacks, because it analyzes various behavioral patterns. UEBA also uses these models to assess the threat level, creating a risk score that can help guide the appropriate response. Increasingly, UEBA uses machine learning to identify normal behavior and alert to risky deviations that suggest insider threats, lateral movement, compromised accounts and attacks.

What is defined as an 'entity'?

The term 'entity' in the context of cyber security can refer to IT systems, critical infrastructure, business processes, organizations and nation-states. For UEBA this means analysis of the behavior of these entities as well as individuals - though individuals are often able to act as or through such entities.

How user and entity behavior analytics work

UEBA monitors the behavior of users and entities of an organization. It processes this information and decides whether a particular activity or behavior could result in a cyberattack. It is able to know what is a threat or attack and what is normal use because while a hacker might be able to steal an employee’s password to log in, once inside, the hacker will not be able to mimic ‘normal’ behavior and UEBA can detect this anomalous behavior.

UEBA can process data from general data repositories such as a data lake or data warehouse or through SIEM, which aggregates data from various sources. It integrates information such as logs, packet capture data and other datasets with existing security monitoring systems. This is why UEBA and SIEM are often used together as UEBA relies on cross-organizational security data which is typically collected and stored by SIEM.

The analytics component detects anomalies using a variety of analytics approaches including statistical models, machine learning, rules and threat signatures. More than just tracking events and devices, UEBA uses machine learning to monitor possible threats from insiders. This is done by creating a ‘baseline’: where an end-user logs in from, files and servers they frequently use, privileges they have, frequency and time of access as well as devices used for access. Advanced analytics should be used in tandem with traditional rule and correlation-based analytics available in traditional SIEMs.

As such UEBA can detect a broad range of attack types from simple to complex, unlike specialized tools for employee monitoring, trusted hosts monitoring and fraud.

Because UEBA can detect anomalous behaviors in real-time, it can issue an alert and request for a response to security analysts quickly, allowing them to react to potential threats before they become breaches. Normally security teams would have to sift through alerts to see which are real threats, but with UEBA this analysis is automated, only prioritizing genuine threats.

There is a close relation between UEBA and SIEM technologies, because UEBA relies on cross-organizational security data to perform its analyses, and this data is typically collected and stored by a SIEM.

Difference between UEBA and UBA security

UBA stands for User Behavior Analytics. UEBA includes the word ‘entity’ because it is able to model the behavior of humans as well as machines - networked devices and servers - within the network. The move from traditional UBA to UEBA has been driven the recognition that other entities besides users are often profiled in order to more accurately pinpoint threats, in part by correlating the behavior of these other entities with user behavior. This is becoming more pertinent due to the rise of connected devices - the Internet of Things - which provide new potential points of entry to the network.

How UEBA works with SIEM

SIEM stands for security information and event management and provides organizations with next-generation detection, analytics and response. SIEM software combines security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by applications and network hardware.

Legacy SIEM did not include behavioral analytics which meant they couldn’t monitor threats in real-time. And so UEBA was developed to address this. With the addition of UEBA, SIEM allows security teams to monitor threats in real-time and respond quickly to avoid attacks and address vulnerabilities making it much more effective at threat detection and analysis. It gives security teams the power to use sophisticated quantitative methods to gain insight into and prioritize efforts.

Best practices in using UEBA

UEBA does not replace other systems or solutions, but rather it offers unique capabilities that can be used in tandem with other solutions to offer comprehensive cybersecurity. For example, SIEM uses the analytics aspects of UEBA to model behavior in real-time. In fact, most enterprise security systems - such as FireEye Helix - use SIEM, UEBA and SOAR (Security Orchestration Automation and Response) together.

Follow the four points below for a successful UEBA implementation:

  1. Consider both internal and external threats when creating new policies, rules and baselines
  2. Ensure that only the appropriate members of the security team receive UEBA alerts
  3. Remember that non-privileged user accounts can be a threat as hackers can use standard accounts to upgrade their privileges to increase access
  4. Remember that UEBA processes should complement the traditional monitoring infrastructure and tools. They are not a substitute for basic monitoring systems such as Intrusion Detection Systems (IDS)

Read more about Helix and its capabilities.