UEBA: Protecting Your Network When Other Security Systems Fail

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

UEBA monitors the activities of users and entities (such as hardware devices and networks) and compares present activity to “normal” or “baseline” behavior. Using advanced statistical analysis and, in some cases, machine learning algorithms, the aim is either to detect anomalous activity, which could be an indication of an intrusion or malicious “insider” actions, or to spot known malicious behavior patterns. As such, UEBA provides a layer of internal defense after preventive technologies have failed.

See our picks for Top UEBA vendors and solutions

UEBA acts as a backstop for perimeter security systems. If login credentials are compromised, intruders can easily bypass perimeter security systems that concentrate on preventing network intrusions. Perimeter security systems also do nothing to protect against malicious insiders who already have access to the corporate network. One of the key UEBA benefits is that it can protect IT infrastructure even when malicious actors have gained access to network resources.

UEBA capabilities are increasingly being integrated into other security solutions, particularly security information and event management (SIEM) systems, intrusion detection and prevention systems (IDPS), and identity and access management (IAM) systems.

In late 2017, a Crowd Research Partners survey found that 38% of companies were using some sort of UEBA security solution, but the figure today is likely higher, as the market for UEBA technology is growing strongly. Despite 40% growth rates, Gartner expects UEBA technology to eventually be absorbed by other security solutions.

UBA vs UEBA

When looking at UEBA solutions, you may also come across the term UBA: user behavior analytics. So what is the difference between UBA and UEBA?

  • UBA: When behavior analytics was first introduced, it was in the context of protecting data against theft by malicious actors, and the prevention of fraud perpetrated by malicious users who had access to and misused data. The focus was on analyzing how users interacted with data, hence the name user behavior analytics.
  • UEBA: This term was first used by Gartner, because the use of behavior analytics very quickly went beyond monitoring users’ behavior for data theft and fraud detection purposes. The term UEBA “recognizes the fact that other entities besides users are often profiled in order to more accurately pinpoint threats, in part by correlating the behavior of these other entities with user behavior,” Gartner said.

What can UEBA do?

UEBA can protect your organization in a number of ways, including:

  • Spotting malicious insider threats: UEBA can be used to spot anomalous or known malicious activity carried out by employees (and other authorized users such as contractors). It can also spot threats caused by genuine mistakes made by innocent employees.
  • Identifying advanced persistent threats (APTs) and targeted attacks: These are notoriously difficult to detect because they usually involve exploiting previously unknown vulnerabilities and entail complex behavior that has not previously been identified as malicious. However, since they usually involve user or entity behaviors that deviate from normal baseline activity, UEBA can be used to flag them for more investigation.
  • Finding misuse of privileged accounts: UEBA can monitor privileged accounts (which are prime targets for malicious actors because of their powers) to spot if they are being used in unexpected or unusual ways. This could include use by a non-privileged user, or spotting the collection and exfiltration or modification of large amounts of data or high-value data (such as credit card information).
  • Monitoring applications (including cloud-based applications): UEBA can help security staff see if any applications start behaving unusually, which could be an indicator that they have been compromised.

How UEBA works

At the most basic level, a UEBA system does two things:

  1. Data collection: a UEBA system collects user and entity data from a number of different sources. These can include web proxy data, directory data, access logs, structured data access, network data, and even HR information, email and chat content, and building access card data.
  2. Data analysis: the system then analyses the data using various techniques to learn normal behavior, spot unusual behavior, and recognize bad or malicious behavior.

The simplest way to analyze the data is to use simple patterns and rules to spot anomalous behavior. More sophisticated systems use statistical analysis, and the most powerful analysis techniques involve machine learning (ML). This can be applied in a number of ways:

  • Supervised ML: this type of ML involves training the system by supplying it with sets of good or normal behaviors and sets of malicious behaviors. This enables the system to “learn” to recognize each type of behavior, and identify and flag bad behavior when it encounters it.
  • Unsupervised ML: this type of ML is more general because the system builds up a view of what normal activity looks like by itself, and then alerts administrators if it spots abnormal behavior. It is then the job of the administrators or security analysts to decide if the abnormal behavior is actually malicious, perhaps as the result of a targeted attack, or simply unusual but legitimate.
  • Hybrid or semi-supervised ML: here the system uses unsupervised ML to generate alerts of anomalous behavior, but the outcome of human analysis of the alerts is then fed back into the system to allow the system to learn over time.

Garter notes that building up a picture of baseline or normal behavior can be much harder than many organizations imagine for a number of reasons. These include:

  • the behavior of privileged users, IT developers and others can be highly irregular depending on their job functions;
  • a given user or peer group can be “bad” from the start of profiling so that ongoing bad behavior will not be noted as anomalous to the baseline.

UEBA in action

Here’s one way UEBA can work. Imagine that a company has a developer named Bob on staff. Every morning, Bob logs in to the network around 8 a.m., sometimes from home and sometimes from the office. He first checks his email and the company collaboration platform. Then he spends most of his time each day writing code in his IDE, working within the company’s cloud-based dev and test environments, and visiting development-related websites. He has access to many different corporate databases that are integral to the applications he is creating. He frequently works through lunch, but he always takes a one-hour lunch break at noon on Thursdays. And he usually logs off for the day around 6 or 7 p.m.

Then one day after Bob logs out at noon on a Thursday, he logs back in from home. And instead of checking his email or opening up his IDE, he goes straight to the database full of customer information and begins looking up specific names. He doesn’t appear to copy or transfer any information digitally, but he does look up about twenty-five individuals, all of whom happen to be executives at Fortune 500 companies.

This type of activity is obviously a little suspicious. Maybe Bob just skipped his usual lunch date and is feeling a little nosy and needs some disciplinary action. Or maybe his password has been compromised and hackers are looking for data they can use to mount a spear-phishing attack against the company’s customers. Or maybe an advanced persistent threat has paid Bob a lot of money to get them some information from the company database.

This type of behavior might go undetected by other security solutions, but UEBA solutions could spot it and flag it in real time or near-real time, allowing security personnel to investigate and respond very quickly.

Do you need UEBA?

Standalone UEBA systems are targeted at very large global organizations, and even in this group they are far from ubiquitous. The reason for this is that UEBA solutions are expensive to acquire, implement, maintain, and use, according to Gartner. Those companies that do own or are considering implementing UEBA systems generally have a compelling reason to do so, such as augmenting an existing SIEM solution or as part of a comprehensive insider threat protection program.

Outside of this group, the most likely reason that any organization will acquire UEBA technology is when it is added to an existing security tool such as a SIEM system as part of a product update.

How to implement UEBA

implementing a UEBA security solution is a major undertaking that is not for the faint of heart. Gartner’s Market Guide for User and Entity Behavior Analytics points out that standalone UEBA tools are generally deployed on-premises or offered as a cloud-based service (with some requiring both).

Standalone UEBA vendors often require organizations to install appliances or deploy software for the core components of the solution, in addition to appliances (virtual or physical) for monitoring network traffic and endpoint agents.

Some have specific requirements around data platforms, such as requiring that data be sent to a standalone data lake managed by the vendor.

Alerts generated by standalone UEBA systems are generally presented in a proprietary UEBA console. These may warn of known malicious behavior, but more commonly they will flag suspicious behavior that warrants investigation.

Gartner recommends that when implementing a UEBA tool, start “small,” with a narrow set of well-defined use cases and a limited set of data.

In any case, most companies that implement a UEBA solution find that it takes at least three to six months to get the system up and running and tuned (so that different log sources are given the correct weighting in the overall analysis) to deliver UEBA benefits.

UEBA market size

The market for standalone UEBA security solutions is experiencing explosive growth, with Gartner predicting that it will grow at a compound annual growth rate of 48% per year to reach in excess of $350 million by 2020. In addition to this, many companies will gain access to UEBA through other security systems.

The future of UEBA

The number of standalone UEBA vendors has decreased over the last year or so due to acquisition by bigger companies: Niara was acquired by HPE-owned Aruba, Balabit was bought by One Identity, E8 Security was acquired by VMware, and Fortscale was bought by RSA, to name a few examples.

Gartner expects this trend to accelerate, with the standalone UEBA market effectively ceasing to exist by 2021.

However, UEBA technology is not going to disappear in the near term. Instead, Gartner expects that core UEBA techniques and technologies will be embedded in 80% of threat detection and incident prioritization solutions. In the longer term, however, Gartner predicts that UEBA will be superseded by more encompassing security analytics technologies.

The most obvious destination for UEBA technology is in SIEM systems. Gartner predicts considerable convergence between the two, with all leading SIEM vendors already offering UEBA capabilities either by developing their own UEBA technology, integrating with other UEBA solutions, or partnering with a UEBA vendor. Some UEBA vendors such as Exabeam and Securonix have moved the other way, adding SIEM functionality to their feature sets.

Paul Rubens Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

This field is required This field is required

Get the free Cybersecurity newsletter

Strengthen your organization’s IT security defenses with the latest news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

This field is required This field is required