What is User and Entity Behavior Analytics (UEBA)?

UEBA is a cybersecurity process that monitors normal usage behavior and flags deviations from established patterns. Because while a perpetrator can easily steal an employee’s username and password, it's much harder to imitate that person’s normal behavior on the network connecting to applications and data. UEBA helps detect intentional and unintentional insider threats, where an authorized user does something that is harmful to your organization.

On any given day, your users hop between countless cloud or on-premises apps, opening, modifying, downloading, uploading, or sharing data. Even when everyone went to work in offices, tracking these behaviors were data-intensive. This has become even more difficult in a remote work environment considering all the different devices and apps your employees use to stay productive, where they are, and what times they typically interact with apps.

Instead of relying on static security checks, like passwords and two-factor authentication, organizations should use automated threat detection that has the ability to monitor and detect subtle changes that, if unchecked, could jeopardize your organization’s infrastructure and data.

‍

How does UEBA work?

In many ways, user and entity behavior analytics (UEBA) is like a credit card fraud detection engine. UEBA uses machine learning and data analytics to determine when there is anomalous behavior that could result in a potential security threat. For example, if a user that normally downloads megabytes of files every day suddenly downloads gigabytes of files, a UEBA system would detect this anomaly and alert the enterprise security team to respond.

Geo-anomalies are also tell-tale signs for anomalous or malicious behavior. If someone signs into a work account from San Francisco, but minutes later an account login is observed across the world in the Czech Republic, the UEBA system would automatically detect this anomaly and enable an automated response to protect data available to the account.

‍

How UEBA compares to Security Information and Event Management (SIEM). 

When organizations want aggregate, precise security telemetry, they often choose security information and event management (SIEM) solutions. SIEMs enable security teams to aggregate large volumes of disparate data sets, security alerts, and events from multiple sources into a single console for processing and analysis. 

They have workflows and rule engines that enable administrators to prioritize and manage incidents and alerts better. With searches, queries, dashboards and rule-based engines, robust SIEMs give a full view of the enterprise systems and enable administrators to manage incidents in a timely manner. In some cases, they’re able to spot trends and create correlation rules to trigger appropriate mitigation steps.

Although at first glance, user and entity behavior analytics (UEBA) and SIEM may appear to do the same thing, there are a few key differences.

Unlike a SIEM, UEBA does not track security events or monitor devices. Instead, UEBA tracks the behaviors of users and entities within your environment — such as devices and data — for anomalies that may indicate a threat. While UEBA also analyzes a lot of data, it uses machine intelligence to automate and scale its analysis of patterns instead of just relying on human intelligence.

SIEM is an aggregation tool that enables security teams to correlate incidents whereas UEBA is a capability that enables the automation of threat detection.

‍

Why do I need user and entity behavior analytics (UEBA)?

At its core, user and entity behavior analytics (UEBA) is uniquely built for finding the hard to identify anomalies. By continuously monitoring usage activities by entities and users, it has the telemetry to model patterns, identify risky or malicious behavior, and prevent threats in real-time. 

UEBA is capable of tracking both risks from insiders, such as careless sharing, and external threats, such as the behaviors of hijacked accounts, compromised credentials, and credentials used in credential stuffing. Data and intellectual property (IP) theft by disgruntled employees, or soon-to-be ex-employees, is a great example of an insider threat.

For example, if a user account is downloading a large amount of sensitive content from Microsoft 365, which causes multiple data loss prevention (DLP) violations, based on that intelligence, administrators can write policies that automatically cut off the user’s access to further downloads. They could also deny the user access to other apps, like Salesforce or SAP SuccessFactors. 

In the context of a ransomware attack, UEBA could also prevent data from getting taken hostage. Lookout actually witnessed a situation like this during the onboarding of a customer. The UEBA capability detected a large volume of data that was being deleted and replaced by encrypted files which were being quickly uploaded and renamed. With the ability to identify this malicious behavior, the customer was able to quarantine the account and restore the file.

‍

The top benefits of UEBA.

• Workload Reduction: UEBA systems are particularly useful in reducing unnecessary work for security teams. With a user behavior analytics system serving as a type of filter to validate threats as legitimate or not, human security professionals can spend their time focusing on real threats. This saves hours of time that would otherwise be spent sorting through potential security breaches. It also means companies can spend less on IT staff since the functional workload is reduced.

• Accurate Tracking: UEBA allows organizations to monitor and track network users. Any person or entity that interacts with the network will be looked at by the UEBA system, ensuring security teams can respond to any internal or external threats.

• Risk Prediction: One of UEBA’s most valuable features is the ability to predict sensitive data breaches and security issues before they occur. This means security teams can be proactive instead of reactive. Data exfiltration, privilege misuse, and cyber threats are all easier to prevent than to fix. User behavior analytics gives teams the power to keep their data secure and locked down.

• Cost Savings: Because UEBA helps companies prevent security issues in the first place, it can save businesses significant amounts of money over time. Restoring systems and user accounts, lost productivity, or legal issues are all expensive mistakes that can be avoided entirely due to the superior protection and risk management UEBA provides.

• Cloud Compatible: In the age of bringing your own device (BYOD) and remote work, UEBA security is particularly useful when paired with DLP and other data protection capabilities. By having UEBA native to your cloud security solutions, security teams can ensure that any activity within the organization’s infrastructure is monitored and responded to when necessary.

‍

What’s the difference between UEBA and network traffic analysis (NTA)?

‍

Network traffic analysis is a method of monitoring network traffic and identifying anomalies and suspicious behavior. While UEBA and NTA are similar in some ways, they also have some distinct differences. 

NTA has the advantage of processing data in real-time or near real-time. It also has the ability to analyze traffic and activity across a network, including events that are not logged, for superior threat detection. Similarly to UEBA, it detects behavioral anomalies via machine learning, along with advanced analytics and intelligent monitoring. 

UEBA, on the other hand, only tracks logged events on a system’s network. However, it can monitor and record local events that happen off-network. NTA is limited to devices that are actually connected to the network itself. 

Overall, both NTA and UEBA are effective ways to secure a network using machine learning and complex analytics. There is no need to replace earlier monitoring systems. While both have their own unique advantages, a sophisticated security system will most likely need to include both NTA and UEBA. Utilizing them simultaneously offers the best, most comprehensive security solutions for proactive teams.

‍

Best practices for UEBA. 

In order to maximize the benefits of user and entity behavior analytics to your security architecture, teams are encouraged to implement the following:

• UEBA systems work best when used in tandem with earlier monitoring systems. Instead of replacing current security measures with UEBA solutions, consider adding UEBA to fortify your system’s defenses.

• Companies should ensure that user behavior analytics alerts and access are limited to the relevant employees and teams. Restricting access according to least privilege offers an additional layer of security and improves overall security posture.

• When utilizing a UEBA system properly, companies should take advantage of the proactive strategies UEBA machine learning allows. Because of the predictive nature of this security tool, UEBA solutions are made to stop threats before they happen. IT teams should be conscious of taking action before security threats and breaches occur, so that they can make the most of UEBA’s detection capability.

• UEBA advanced analytics can be particularly useful when working with big data. Due to its ample storage and computational powers, companies are encouraged to implement these systems in the cloud when protecting large amounts of data and proprietary information.

• Security analysts should keep in mind the diverse array of security use cases UEBA offers. User behavior analytics are well-suited to address a wide range of cyber attacks, including compromised accounts, insider threats, brute-force attacks, aggressive malware, and other threats that static or legacy security measures may be inadequate to protect against.

When security teams and analysts implement UEBA policies and processes, they take their company’s security and safety measures from good to excellent. Most importantly, UEBA allows companies to stop threats before they happen, ensuring superior data protection and sophisticated network safety.

‍

UEBA works best when paired with a holistic platform.

While UEBA provides security teams with a powerful tool to detect various risky and malicious activities, the system cannot solve all issues by itself. To ensure that data is protected, organizations need a holistic platform where UEBA is one of many pieces to the puzzle. There are two other major cloud security best practices to consider: continuously monitoring the risk posture of endpoint devices and the sensitivity of the apps and data accessed by users and endpoints.

Whether you realize it or not, every one of your employees is using some personal device to work remotely. This means you need to track the fluctuating risk posture of both the managed and unmanaged devices to protect your data at all times. Employees also handle data that have varying degrees of sensitivity. By enforcing policies based on user behavior, endpoint risk posture as well as data sensitivity, you can protect your data in a way that doesn't affect your users’ productivity.

To learn more about Lookout UEBA, reach out to our team to request a demo.

‍

Frequently asked questions (FAQs)

What does user and entity behavior analytics (UEBA) do?

UEBA uses machine learning and complex analytics to monitor and manage networks. It’s particularly effective at analyzing the behavior of network users or entities to predict threats before they happen.

What is the use case of UEBA?

UEBA is a network security measure that predicts and tracks system threats. It can monitor user and device behavior on a network to stop data loss, malware, or other security breaches.

What are the three pillars of UEBA?

The three pillars of UEBA are:

• Detect varying use cases: UEBA track and evaluate inconsistencies and potential threats to the network. Therefore its solutions must be applicable to multiple use cases in order to be effective.
• Leverage rich telemetry: UEBA can pull and process data from a data bank or repository. Instead of collecting the data itself, UEBA systems generally access and sort data compiled and stored in a security system.
• Automated responses: The power behind UEBA is in its machine learning and predictive data processing capabilities. UEBA solutions use analytics to identify unusual behavior and network threats.