User and Entity Behavior Analytics (UEBA) is a cyberthreat detection technology based on behavioral analysis of users, devices, applications, and other objects in an information system.
The main task of UEBA is the timely detection of targeted attacks and insider threats. UEBA solutions process large amounts of data from various sources, build a model of normal behavior for each user and object, and notify infosec experts of any deviations from it.
History of UEBA technology
UEBA represents a development of UBA (User Behavior Analysis) technology. The term UBA was introduced in 2014 by analysts to designate a new information technology category that they considered relevant in compiling ratings of security software vendors. UBA solutions analyze user activity and can detect insider threats and financial fraud (suspicious transactions).
In 2015, analysts expanded this category of security technologies to include behavioral analysis of “entities” (devices, applications, etc.). Thus, the term UEBA emerged. The main difference between UEBA and UBA is apparent in the name: Whereas UBA systems analyze only user behavior, their UEBA cousins also take into account the behavior of “entities.”
How UEBA systems work
UEBA solutions collect and analyze data from various sources. Such data can include:
- Logs of servers, workstations, routers, and other devices,
- Registries of access control and authentication systems,
- Data from other infosec solutions (firewalls, antiviruses, SIEM products, DLP systems),
- User e-mails and messages in social networks, instant messengers, and so forth,
- Company personnel records and other information.
UEBA systems apply machine learning and statistical analysis to the collected data to build baselines of normal user and entity behavior. Data about ongoing user and entity activity is then matched against these baselines. If a particular action differs significantly from the baseline (for example, an employee sends an e-mail to a manager they don’t normally interact with, or someone transfers an unusually large amount of data to an external server), the system notifies the infosec team.
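As an added illustration of the baseline-and-deviation idea (this is not code from the page or from any UEBA product), the script below learns a per-user, per-action baseline from a constructed window of "normal" events and then scores new events against it. Two deviation rules are shown: a peer (e-mail recipient or upload destination) never seen for that user, and a transfer volume far outside the user's usual distribution. The event field names (user, kind, peer, bytes) and the thresholds are assumptions chosen for the example.

```python
"""
Minimal UEBA-style baseline/deviation scorer (added example, not a product's code).
All events below are constructed in-line so the script runs offline.
Field names "user", "kind", "peer", "bytes" are assumptions for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window: what "normal" looked like for two users.
BASELINE_EVENTS = [
    {"user": "alice", "kind": "email",  "peer": "bob@corp.example",        "bytes": 12_000},
    {"user": "alice", "kind": "email",  "peer": "carol@corp.example",      "bytes": 8_000},
    {"user": "alice", "kind": "email",  "peer": "bob@corp.example",        "bytes": 15_000},
    {"user": "alice", "kind": "upload", "peer": "fileshare.corp.example",  "bytes": 2_000_000},
    {"user": "alice", "kind": "upload", "peer": "fileshare.corp.example",  "bytes": 2_400_000},
    {"user": "alice", "kind": "upload", "peer": "fileshare.corp.example",  "bytes": 1_800_000},
    {"user": "dave",  "kind": "email",  "peer": "erin@corp.example",       "bytes": 5_000},
    {"user": "dave",  "kind": "upload", "peer": "fileshare.corp.example",  "bytes": 500_000},
    {"user": "dave",  "kind": "upload", "peer": "fileshare.corp.example",  "bytes": 700_000},
]

# Constructed events to score: a mix of routine and anomalous activity.
NEW_EVENTS = [
    {"user": "alice",   "kind": "email",  "peer": "bob@corp.example",   "bytes": 14_000},      # routine
    {"user": "alice",   "kind": "email",  "peer": "ceo@corp.example",   "bytes": 10_000},      # never-before-seen recipient
    {"user": "alice",   "kind": "upload", "peer": "drop.example.net",   "bytes": 20_000_000},  # new destination + huge volume
    {"user": "dave",    "kind": "upload", "peer": "fileshare.corp.example", "bytes": 5_000_000},  # known peer, volume spike
    {"user": "mallory", "kind": "email",  "peer": "bob@corp.example",   "bytes": 1_000},       # user with no history at all
]


def build_baselines(events):
    """Per (user, kind): the set of peers seen and the byte-volume distribution."""
    peers = defaultdict(set)
    volumes = defaultdict(list)
    for e in events:
        key = (e["user"], e["kind"])
        peers[key].add(e["peer"])
        volumes[key].append(e["bytes"])
    baselines = {}
    for key, vals in volumes.items():
        baselines[key] = {
            "peers": peers[key],
            "mean": mean(vals),
            "std": pstdev(vals),  # population std dev; 0.0 when all samples are equal
            "n": len(vals),
        }
    return baselines


def score_event(event, baselines, z_threshold=3.0, min_samples=3):
    """Return the list of deviation reasons for one event; an empty list means 'normal'."""
    key = (event["user"], event["kind"])
    base = baselines.get(key)
    if base is None:
        return [f"no baseline for user {key[0]!r} performing {key[1]!r}"]
    reasons = []
    if event["peer"] not in base["peers"]:
        reasons.append(f"new peer {event['peer']!r} for {key[0]}/{key[1]}")
    if base["n"] >= min_samples and base["std"] > 0:
        # Enough history: flag volumes more than z_threshold std devs above the mean.
        z = (event["bytes"] - base["mean"]) / base["std"]
        if z > z_threshold:
            reasons.append(f"volume z-score {z:.1f} exceeds {z_threshold}")
    elif event["bytes"] > 3 * base["mean"]:
        # Too little history for a z-score: fall back to a simple ratio rule.
        reasons.append(f"volume {event['bytes']} exceeds 3x baseline mean {base['mean']:.0f} (few samples)")
    return reasons


def detect(events, baselines):
    """Return (event, reasons) pairs for every event that deviates from its baseline."""
    flagged = []
    for e in events:
        reasons = score_event(e, baselines)
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    baselines = build_baselines(BASELINE_EVENTS)
    for event, reasons in detect(NEW_EVENTS, baselines):
        print(f"ALERT {event['user']}/{event['kind']} -> {event['peer']}: " + "; ".join(reasons))
```

The baseline is intentionally simple (a set of peers plus mean and standard deviation of volume); a production UEBA system would also model time of day, peer groups of similar users, and many more attributes, and would weight the reasons into a risk score rather than emitting one alert per rule. The `min_samples` guard matters in practice: with only one or two observations the standard deviation is meaningless, and scoring against it would either never fire or fire on everything.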
Applying UEBA solutions
Behavioral analysis systems identify problems that are difficult to detect with other infosec products: primarily insider threats, complex targeted attacks, and compromised corporate user accounts.
In addition to supporting threat hunting, UEBA solutions can detect malicious activity in real time, enabling infosec experts to respond promptly and minimize the consequences of an attack.