User Behavior Analytics (UBA) are cybersecurity tools that analyze user behavior on networks and on other computer systems. UBA focuses on the who, what, when and where of user activity: what apps were launched, network activity, who accessed what files, etc.
User and entity behavior analytics (UEBA) can identify malicious behavior performed by devices, applications, networks, etc. in addition to humans. UEBA tools can also detect more complex attacks across multiple users, sources, IT devices and IP addresses.
UEBA capabilities are typically broken down into 3 categories:
- Data Analytics uses data on the “normal” behavior of users and entities to build a profile of how they normally act. In other words, it establishes a baseline of standard behavior. Statistical models can then be applied in order to detect unusual behavior and alert system administrators.
- Data Integration means that UEBA systems are able to compare data from various sources – such as logs, packet capture data, and other datasets – with existing security systems.
- Data Presentation is the process through which UEBA systems communicate their findings. This is typically accomplished via an alert system. In addition, most UEBA come equipped with dashboards to allow for real-time monitoring.
Both UEBA and UBA tools automate security threat detection and validation processes, enabling cybersecurity analysts to focus on more high value pursuits. They can also be used to proactively identify security weaknesses and loopholes, reducing the attack surface.
UAB & UEAB Data Sources
As security information and event management (SIEM) solutions are typically more focused on log and event data, these tools are highly complementary to UEBA. In fact, UEBA tools often use data supplied by SIEMs. SIEM forwards applicable log events to the UEBA for user profiling, while the UEBA tool generates alerts that can be sent into the SIEM tool for enhancement of the events from other sources, in turn presenting the alert to a security analyst for triage.
Other tools that can serve as data sources for UEBA are data warehouses, data lakes, advanced threat management, HR platforms and customer relationship management (CRM) systems.
UAB & UEAB Shortcomings
Though UBA and UEAB enables the swift identification of malicious activity and helps minimize the damage, it doesn’t usually keep them out. In addition, though UBA/UEAB can be an effective tool for identifying certain types of insider threats, according to a 2018 study, it does fall short when it comes to:
- dealing with privileged users, developers, and knowledgeable insiders as creating a baseline for user behavior is quite difficult for these groups.
- long-term sophisticated “low and slow” attacks where day-to-day behavior only incrementally changes
The Future of UAB & UEAB
As cyber attacks increase in both frequency and complexity, the market for UEAB/UAB tools is expected to expand over the next few years. According to Market Data Forecast, UEBA market is predicted to grow from $890.7 million in 2019 to $1.178 billion by 2025, at a “startling” CAGR of 47.1%.
Others predict that UEAB and IT infrastructure will become more directly integrated. For example, firewalls, databases and other applications could be configured to automatically receive and respond to UEAB alerts. For example, a firewall, upon being notified of a threat, would create new traffic rules immediately and shut down invasive connections without human intervention. In fact, any application associated with that user (i.e. email, databases, CRM, etc.) would automatically eliminate access immediately.
UBA data also has the potential to be used to analyze more than just cybersecurity. In the future, it’s possible some organizations will try to mine UBA data to try to understand and optimize worker performance.
Examples of User and Entity Behavior Analytics (UEBA) Tools
LinkShadow was built with the vision of enhancing organizations’ defenses against advanced cyber-attacks, zero-day malware and ransomware, while simultaneously gaining rapid insight into the effectiveness of their existing security investments. LinkShadow uses UEBA techniques to analyze behavior of employee devices inside the organization, as well as, users connected to the organization’s network from the outside. Any unusual behavior coming from endpoints is identified and then recorded.
Exabeam Entity Analytics improves detection and investigation of advanced device-based threats through the use of behavior analytics, leveraging machine learning and behavioral modeling to identify anomalous, high-risk activity indicative of complex threats.
The UEBA capability in Azure Sentinel eliminates the drudgery from your analysts’ workloads and the uncertainty from their efforts, and delivers high-fidelity, actionable intelligence, so they can focus on investigation and remediation.
Splunk User Behavior Analytics (UBA) uses behavior modeling, peer-group analysis, and machine learning to uncover hidden threats in your environment. Splunk UBA automatically detects anomalous behavior from users, devices, and applications, combining those patterns into specific, actionable threats.
Fortinet’s User and Entity Behavior Analytics (UEBA)
Fortinet’s User and Entity Behavior Analytics (UEBA) technology protects organizations from insider threats by continuously monitoring users and endpoints with automated detection and response capabilities. Leveraging machine learning and advanced analytics, FortiInsight automatically identifies non-compliant, suspicious, or anomalous behavior and rapidly alerts any compromised user accounts. This proactive approach to threat detection delivers an additional layer of protection and visibility, whether users are on or off the corporate network.