What is UEBA?

User and entity behavior analytics (UEBA) is a cybersecurity solution that uses algorithms and machine learning to detect anomalies in the behavior of not only the users in a corporate network but also the routers, servers, and endpoints in that network.

UEBA seeks to recognize any peculiar or suspicious behavior—instances where activity deviates from normal everyday patterns or usage. For example, if a particular user on the network regularly downloads about 20 MB of files every day but starts downloading 4 GB of files, the UEBA system would consider this an anomaly and either alert an IT administrator or, if automated responses are configured, disconnect that user from the network.

UEBA goes further than simply monitoring human behavior—it monitors machines. A server in one branch office may suddenly receive thousands more requests than usual one day, signaling the start of a potential distributed denial-of-service (DDoS) attack. There is a chance IT administrators might not notice this type of activity, but UEBA would recognize it and take further action. 


How UEBA Works

For a UEBA solution to be effective, it must be installed on every device used by or connected to every employee across the organization. This includes devices not only owned by the company but also owned by the employee, as even devices used part time can be targets of a cyberattack. Some organizations may also request that employees install the UEBA solution on their home routers, which could serve as threat vectors. Connecting to the corporate network via a home router opens up additional possibilities for a cyberattack.

The UEBA solution then goes "silent" as it starts collecting data on device and network usage. In learning mode, the UEBA solution's algorithms will determine and further define what is considered normal or even optimal. IT admins can decide how long the learning mode will last before the system goes into testing mode.

There are three main components of a UEBA solution:

  1. Analytics collects and organizes data on what it determines to be normal behavior of users and entities. The system builds profiles of how each normally acts regarding application usage, communication and download activity, and network connectivity. Statistical models are then formulated and applied to detect unusual behavior. 
  2. Integration with other security products and systems already in place is a must as organizations grow and evolve. They most likely have a security stack in place, which may include legacy systems that may not keep up with today's ever-increasing threat landscape. The beauty of UEBA is that it is not meant to obviate existing security products in use across the enterprise. With proper integration, UEBA systems are able to compare data collected from various sources, including logs, packet capture data, and other datasets, and integrate these to make the system more robust. 
  3. Presentation is the process of communicating the findings of the UEBA system and devising an appropriate response. This can vary between organizations. Some UEBA systems will simply create an alert, either for the employee or the IT administrator, to suggest further investigation. Other UEBA systems will be set up to take immediate action—by automatically shutting off network connectivity for that employee due to a suspected cyberattack, for example. 
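The learning-mode baseline and the per-entity anomaly check described above, as an added illustration that is not part of the original page or any Fortinet product: it profiles each user's daily download volume and each server's daily request count (the two scenarios the page gives), then scores new observations against the profile. The entity names, values and the z-score threshold are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-mode history: (entity, daily value). For users the value
# is MB downloaded per day; for servers it is requests per day. Not real data.
LEARNING_LOG = [
    ("alice", 20), ("alice", 22), ("alice", 18), ("alice", 21), ("alice", 19),
    ("web01", 1000), ("web01", 1100), ("web01", 950), ("web01", 1050), ("web01", 900),
]

def learn_baseline(records):
    """Learning mode: build a per-entity profile (mean, spread, sample count)."""
    per_entity = defaultdict(list)
    for entity, value in records:
        per_entity[entity].append(value)
    return {e: (mean(v), pstdev(v), len(v)) for e, v in per_entity.items()}

def score(baseline, entity, value, min_samples=5):
    """Z-score of a new observation against the entity's profile, or None
    when the entity has no profile or too few samples to judge it."""
    if entity not in baseline or baseline[entity][2] < min_samples:
        return None
    mu, sigma, _ = baseline[entity]
    # Floor the spread so a perfectly flat baseline cannot flag every tiny change.
    sigma = max(sigma, 0.05 * mu, 1.0)
    return (value - mu) / sigma

def detect(baseline, records, threshold=4.0):
    """Detection mode: return (entity, value, reason) for each alert.
    Entities with no baseline are surfaced rather than silently ignored."""
    alerts = []
    for entity, value in records:
        z = score(baseline, entity, value)
        if z is None:
            alerts.append((entity, value, "no-baseline"))
        elif z > threshold:
            alerts.append((entity, value, f"z={z:.1f}"))
    return alerts

if __name__ == "__main__":
    profiles = learn_baseline(LEARNING_LOG)
    # Constructed "today": a normal day, the 4 GB download, a request flood, an unknown host.
    today = [("alice", 25), ("alice", 4096), ("web01", 20000), ("bob", 5)]
    for alert in detect(profiles, today):
        print(alert)
```

A production system would use per-hour and per-weekday baselines and far more features than one counter, but the learn-then-score structure is the same.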

Benefits of UEBA: Why Companies Need It

The rise of UEBA has been driven by the fact that traditional security products, such as web gateways, firewalls, intrusion detection and prevention tools, and encryption products like virtual private networks (VPNs), are no longer able to protect an organization against intrusion on their own. Sophisticated cyberattackers will eventually find a way into a system, so detecting even the seemingly smallest anomaly is crucial.

Social engineering and phishing are also on the rise. These strategies do not attack an organization's hardware but rather its people, convincing employees to click on links, download software, and send passwords. Infecting one computer is only the start of a potentially large-scale cyberattack. UEBA seeks to detect even the tiniest of unusual behaviors and prevent a small phishing scheme from escalating into a massive data breach. 

Indeed, UEBA can have a tremendous impact on the security posture of an organization. Let us take a closer look at the benefits of UEBA and why companies need to consider adopting it.

Addresses a Wider Range of Cyberattacks

The primary benefit of UEBA is that it allows enterprises to detect a much wider range of cyber threats. Brute-force attacks, DDoS, insider threats, and compromised accounts are just a few categories of threats that UEBA can detect.

This is possible because the UEBA system is monitoring not only human activity on devices but also the devices themselves, including servers, routers, endpoints, and Internet-of-Things (IoT) devices. Cyberattacks have grown in breadth and sophistication, and malicious attackers may find it more advantageous to simply compromise a device rather than to extract passwords from a human user. 

Device usage continues to grow: there may be fewer printers or fax machines in use, but employees are likely using at least a laptop and a smartphone to carry out work-related tasks. This has encouraged malicious actors to target devices, as the number of threat vectors has multiplied.

Requires Fewer IT Analysts

As with any enterprise application that leverages machine learning and artificial intelligence, software replaces the time and effort of employees who would normally be doing the job. This prospect might excite many organizations—while IT professionals might recoil—but the advancement of UEBA solutions will not lead to a dramatic headcount reduction. This is for two reasons:

  1. Larger organizations with complex security requirements, such as multinational corporations and governments, recognize the need for additional IT staff and security analysts to set up, configure, and manage the system, in addition to communicating regularly with employees. Additionally, if the organization decides against incorporating automated response capabilities, preferring instead to investigate the unusual behavior before taking action, additional security analysts will have to be dispatched to the employee or hardware location.
  2. If an organization decides that it needs fewer analysts reviewing system logs once the UEBA system is on autopilot, the company can divert those staff members to other higher-value projects that might be more mission critical.

Reduces Costs

Further to the previous point, if an organization now requires fewer analysts to do the work that the UEBA system is carrying out, then there will be a reduction in IT spend. However, as indicated, this does not mean that the entire security analyst staff needs to be let go once the system is up and running. Machine learning in any environment still requires human intervention.

Additionally, stopping a ransomware attack in its tracks can be considered a cost saving of sorts. A UEBA system that catches the attack early spares the enterprise from paying cyberattackers to restore a system, or from losing money in the hours or days of lost productivity while a malware attack renders a server unavailable.

Lowers Risk

This is the main benefit of the UEBA system. Preventative measures in the form of siloed security products only go so far. Today's organizations face a range of growing threats, which have become ever more difficult to thwart as devices and locations have proliferated. As offices shut down, employees work from home using multiple devices connected to routers accessing the public internet.

Not only can the UEBA solution be installed on employees' home devices, but it can also be used with IoT and rugged devices placed in such diverse environments as retailers, warehouses, and hospitals. Any device connected to a corporate network can be vulnerable to a cyberattack. It is impossible for an IT team, no matter how large, to physically track every device in use, and UEBA removes much of this labor.

It is important to note that UEBA can be used not only for threat detection but also for compliance. Regulated industries, such as financial services and healthcare, have security standards that companies must comply with. While simple, everyday network monitoring tools can determine whether software has been updated with the most recent security patches, UEBA takes things several steps further. 

Detecting behavior anomalies can allow the IT staff to determine that, for example, a router was not configured with the strongest security setting as per the industry standard. This can allow the team to address the situation immediately, preventing the company from having to pay fines or engage in a legal proceeding associated with a breach.

There are some drawbacks to acquiring and implementing a UEBA system. One is price. It simply might be out of reach for certain organizations. The sophistication of UEBA, while a positive for large corporations with complex, evolving security needs, can be a negative for small and medium-sized businesses that can address threat detection and management through a range of other point solutions, such as web gateways, firewalls, and VPNs.

UEBA vs. SIEM

Security information and event management (SIEM) is the use of a complex set of tools and technologies that give organizations a comprehensive view of their IT security system. It makes use of data and event information, allowing visibility into normal patterns and delivering alerts when there are unusual circumstances and events. SIEM is similar to UEBA in that it uses user and entity behavior information to define what is considered normal behavior and what is not. 

SIEM is an excellent starting point for security monitoring and analytics, as it captures data from firewalls and the logs for operating systems and network traffic. This of course raises the question: Would an organization need both SIEM and UEBA? Would there be a significant overlap?

The answer is yes and no. While they might seem extremely similar, they actually do different things. 

SIEMs are good security management tools but are less sophisticated when it comes to more advanced threat detection and response. SIEMs can handle real-time threats rather easily, but they may be unable to detect a sophisticated cyberattack. This is because sophisticated cyberattackers avoid simple one-off threats and instead engage in an extended attack that can go undetected by traditional threat management tools for several weeks or even months.

On the other hand, UEBA solutions are capable of detecting more sophisticated threats, such as those that might be undetectable day to day but over time display a surprising pattern. Malvertising is one example: a seemingly harmless advertising applet downloaded to a browser that collects user data or infects a user's device.

By stacking UEBA and SIEM tools together, enterprises are better able to defend themselves against a wide range of threats. By focusing less on system events and more on specific user or entity activities, UEBA builds a profile of an employee or entity based on usage patterns and sends out an alert if it sees unusual or suspicious user behavior. 

While SIEM is excellent at compliance reporting and monitoring of events, such as access activity, UEBA is better at detecting insider threats and protecting an organization's digital assets—especially when those assets include high-value intellectual property (IP). 

Of course, you would not necessarily want to deploy both systems at once. If you have already deployed a SIEM system, evaluate its user monitoring, profiling, and anomaly detection capabilities to determine whether they can be adapted to your use cases before turning to a UEBA solution.

Both SIEM and UEBA have important capabilities that allow organizations to meet their business and security needs. Because insider attacks are real and costly, consider UEBA as a complement to SIEM.


UEBA vs. NTA

Network traffic analysis (NTA) solutions use machine learning, advanced analytics, and rule-based detection to monitor and analyze all traffic and flow records on enterprise networks. An NTA system is also able to identify potential threats and suspicious activity. So how is it different from a UEBA solution?

NTA has certain benefits. The first is that it allows companies to see all events, not just logged ones, across their entire network. This includes every aspect of a cyberattacker’s activities. Further, NTA enables companies to profile both user accounts and network devices (just as UEBA can), and it deploys with relative ease. 

As with SIEM, an organization with more sophisticated security needs will likely require both an NTA and a UEBA solution in place at the same time. NTA cannot track local events, such as those from a device that is not connected to the network, and generally lacks the ability to identify more advanced security issues in the way that UEBA is capable of.

UEBA vs. UBA

UEBA differs from user behavior analytics (UBA) in that UEBA includes an extra "E" in its acronym, which stands for entities, or devices and applications. As such, UEBA is a more comprehensive version of UBA because it incorporates the monitoring of nonhuman processes and machine entities, including routers, servers, and endpoints or devices.

Technology industry analyst firm Gartner added the "E" in October 2017 to help the security industry understand that entities other than users need to be profiled in order to identify threats more accurately.

Of course, both user and entity activity are correlated because devices are connected to routers. Other entities that need to be tracked include managed and unmanaged endpoints, applications (including cloud, mobile, and other on-premises applications), networks, and the threats themselves. 

As such, the entity side of the acronym, the "E," is much more all-encompassing, and UEBA is correspondingly broader than regular UBA.

How Fortinet Can Help

The Fortinet UEBA solution, FortiInsight, detects and protects organizations from threats by not only continuously monitoring the behavior of all users and endpoints but also utilizing automation for responding to threats in real time when needed.

By harnessing machine learning and advanced analytics, FortiInsight automatically identifies noncompliant or unusual behavior and then quickly alerts IT admins of any potentially compromised accounts. Organizations can benefit from this proactive approach because of the additional layer of protection, whether users and their devices are using the corporate network or not. 


FAQs

What does UEBA stand for?

UEBA stands for user and entity behavior analytics.

What is UEBA in security?

UEBA is a cybersecurity solution that uses algorithms and machine learning to detect anomalies in the behavior of both users and devices.

How does user behavior analytics work?

User behavior analytics collects information from system logs on the normal behavior of users across an organization. Using machine learning, UBA then analyzes the data, establishes a baseline of user behavior patterns, and detects any irregularities.