User and Entity Behavior Analytics
User and entity behavior analytics (UEBA) solutions use analytics to build the standard profiles and behaviors of users and entities (hosts, applications, network traffic and data repositories) across time and peer group horizons.
UEBA builds on older security tools such as SIEM, which identify security incidents through statistical analysis and predefined correlation rules and therefore miss activity that matches no known rule. The most common use cases enterprises seek are detecting malicious insiders and external attackers who have taken over legitimate accounts inside the organization (compromised insiders).
With UEBA, suspicious behavior can be detected without predefined patterns or rules. This is possible through machine learning and deep learning models of how users and devices on the corporate network normally behave: the system identifies behavior that departs from that model, weighs whether the departure has security implications, and alerts the security team.
Baselining is what makes a UEBA system able to detect potential threats. The system first learns each user's or entity's normal behavior (for example typical login hours, data volumes and hosts, measured against the user's own history and against peers), then compares current behavior with that baseline, calculates a risk score for the deviation and decides whether the deviation is acceptable. If the risk score exceeds a configured threshold, the system alerts security analysts in real time.
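The following Python program is an added illustration of that baselining and scoring loop; it is not code from the original page or from any UEBA product. The events, feature names (hour of day, megabytes transferred, source host), weights and the alert threshold are all assumed for the example. Each user's baseline is the mean and standard deviation of each feature plus the hosts seen; a peer-group (department) baseline is built the same way and weighted lower; a user with no history yet is scored against peers only.

```python
"""Minimal UEBA-style baselining and risk scoring (added example, not from the page)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    dept: str   # peer group used for the second baseline
    hour: int   # hour of day the session started (0-23)
    mb: float   # megabytes transferred in the session
    host: str   # host the session originated from


# Constructed historical events used to learn the baselines (assumed data).
HISTORY = [
    Event("alice", "eng", 9, 12, "wks-01"), Event("alice", "eng", 10, 15, "wks-01"),
    Event("alice", "eng", 9, 10, "wks-01"), Event("alice", "eng", 11, 14, "wks-01"),
    Event("alice", "eng", 10, 13, "wks-01"), Event("alice", "eng", 9, 11, "wks-01"),
    Event("bob", "eng", 8, 30, "wks-02"), Event("bob", "eng", 9, 35, "wks-02"),
    Event("bob", "eng", 10, 28, "wks-02"), Event("bob", "eng", 9, 32, "wks-02"),
    Event("bob", "eng", 8, 31, "wks-02"), Event("bob", "eng", 9, 29, "wks-02"),
]

MIN_STD = 0.5            # floor: a perfectly regular user must not yield infinite z-scores
Z_CAP = 5.0              # cap: one wild feature must not dominate the whole score
NEW_HOST_PENALTY = 3.0   # flat penalty for a host the user has never used (assumed weight)
PEER_WEIGHT = 0.5        # "unusual for alice" counts more than "unusual for engineering"
ALERT_THRESHOLD = 6.0    # assumed threshold; tune against the false-positive budget


def build_baseline(events):
    """Mean/std of each numeric feature and the set of hosts seen in `events`."""
    hours = [e.hour for e in events]
    mbs = [e.mb for e in events]
    return {
        "hour": (mean(hours), max(pstdev(hours), MIN_STD)),
        "mb": (mean(mbs), max(pstdev(mbs), MIN_STD)),
        "hosts": {e.host for e in events},
    }


def build_baselines(history):
    """Return (per-user baselines, per-department baselines)."""
    by_user, by_dept = defaultdict(list), defaultdict(list)
    for e in history:
        by_user[e.user].append(e)
        by_dept[e.dept].append(e)
    return ({u: build_baseline(es) for u, es in by_user.items()},
            {d: build_baseline(es) for d, es in by_dept.items()})


def zscore(value, stats):
    """Absolute z-score of `value` against (mean, std), capped at Z_CAP."""
    m, s = stats
    return min(abs(value - m) / s, Z_CAP)


def risk_score(event, user_baselines, dept_baselines):
    """Sum of capped deviations from the user's own and the peer-group baselines."""
    peer = dept_baselines[event.dept]
    peer_dev = zscore(event.hour, peer["hour"]) + zscore(event.mb, peer["mb"])
    user_b = user_baselines.get(event.user)
    if user_b is None:
        # Edge case: no history for this user yet, so only the peer group can
        # judge the event; the host is new by definition.
        return peer_dev + NEW_HOST_PENALTY
    score = zscore(event.hour, user_b["hour"]) + zscore(event.mb, user_b["mb"])
    score += PEER_WEIGHT * peer_dev
    if event.host not in user_b["hosts"]:
        score += NEW_HOST_PENALTY
    return score


def evaluate(events, history=HISTORY, threshold=ALERT_THRESHOLD):
    """Return (event, score) pairs whose risk score reaches the alert threshold."""
    user_b, dept_b = build_baselines(history)
    scored = [(e, round(risk_score(e, user_b, dept_b), 2)) for e in events]
    return [(e, s) for e, s in scored if s >= threshold]


if __name__ == "__main__":
    # Constructed current events: one normal session, one bulk pull from a new
    # host at 03:00, and a first-ever session for an unknown user.
    current = [
        Event("alice", "eng", 10, 13, "wks-01"),
        Event("alice", "eng", 3, 900, "srv-db-07"),
        Event("carol", "eng", 9, 20, "wks-03"),
    ]
    for e, s in evaluate(current):
        print(f"ALERT score={s}: {e}")
```

The cap and the standard-deviation floor are the two details that matter in practice: without the floor a user who always logs in at 09:00 gets an infinite score for a 09:01 login, and without the cap a single absurd value hides which other features moved. The unknown-user branch is a design choice, not a rule: many teams would instead alert on any first-seen account.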
Three Pillars of UEBA
According to Gartner’s definition, there are three primary attributes of UEBA systems:
1. Use cases – UEBA solutions report on the behavior of users and entities in a network, and detect, monitor and alert on anomalies. A UEBA solution must be relevant to multiple use cases, unlike systems built for one specialized analysis such as trusted host monitoring or fraud detection.
2. Data sources – UEBA solutions ingest data from a general data repository such as a data warehouse, data lake or Security Information and Event Management (SIEM) system. UEBA tools do not place their own software agents in the IT environment to collect the data.
3. Analytics – UEBA solutions isolate anomalies using analytic methods, including machine learning, statistical models, rules and threat signatures.