Best User and Entity Behavior Analytics (UEBA) Tools

SHARE

Organizations are adopting user and entity behavior analytics (UEBA) to add advanced analytics and machine learning capabilities to their IT security arsenal. UEBA solutions identify patterns in typical user behavior and pinpoint anomalous activities that do not match those patterns and could correspond with security incidents.

UEBA security: Anomaly-based intrusion detection

Attackers use artificial intelligence (AI) to constantly develop new and complex ways to penetrate networks. This has made legacy signature-based systems - which solely detect threats whose signatures and patterns have already been identified - far less effective in securing modern networks.

In contrast, UEBA solutions use anomaly-based intrusion detection

These tools track and recognize what's considered normal behavior for users, endpoints, data repositories and other network entities to create a baseline for standard network activity. UEBA software then monitors the network and identifies anomalous activities that deviate from the baseline. This allows UEBA products to identify new methods of intrusion and malicious behavior, even if it's not clear what kind of attack it is. UEBA security solutions detect threats inside the network, including insider threats, after perimeter-focused security solutions fail.

If someone accesses sensitive data they usually don't, that alone could be enough for a UEBA system to issue an alert. Throw in an odd location, time or device and it begins to look like a potential attack, perhaps through stolen credentials. While it's possible to limit access through tools like zero trust, malicious behavior on a limited basis is still damaging, so behavior analytics adds an important layer of security on top of access tools.

User behavior analytics are showing up in other security tools like SIEM, network traffic analysis, identity and access management (IAM), EDR, data loss prevention (DLP) and employee monitoring tools. But some standalone products remain on the market. More information on this market trend is available in the future of UEBA section below.

What to look for in a UEBA product

Here are a few key considerations to keep in mind when shopping around for a UEBA security solution:

  • Scalability: Large enterprises collect and store terabytes of data every day. UEBA security's machine learning functionality uses this data to model behavior patterns and detect anomalies. Only UEBA solutions with an architecture designed to support scalability and elasticity are equipped to monitor and configure this endless stream of data. Otherwise, you could end up spending a lot of money and time scaling with additional deployments and new builds.
  • Multiple data classes: An efficient UEBA product solution can analyze multiple classes of data to gain a contextual understanding of normal and anomalous behaviors. For example, a UEBA solution can understand when and how frequently a user is active, how much information they access and what sensitive information they attempt to download by identifying badge logs, network packets and endpoint logs. This holistic picture of behavior allows security specialists to confidently take measures to remedy threats.
  • Streamlined and secure deployment: The most efficient UEBA solutions come with built-in use cases and can be stood up in a matter of days without the need for offsite services to help with configuration and deployment. This saves valuable time and money. These services also typically require VPN access to your network, which can create security risks or regulatory compliance issues.

Top UEBA security solutions

This buying guide includes standalone UEBA products as well as other more comprehensive security solutions. The UEBA products included in this buying guide provide the following capabilities:

  • Monitor and analyze the behavior of users and other entities
  • Detect anomalous behavior that could indicate an insider attack or compromise of user credentials
  • Use advanced analytics to detect multiple kinds of threats
  • Offer the ability to correlate multiple anomalous activities that could be related to a single security incident
  • Provide real-time or near-real-time performance

At the bottom of this article is a chart breaking down some of the features of these top UEBA products.

Jump ahead to:

Aruba Introspect

From Aruba (a Hewlett Packard Enterprise company), IntroSpect integrates AI-based machine learning, pinpoint visualizations and instant forensic insight into a single security solution. Aruba Introspect detects, prioritizes, investigates and responds to internal attacks that evade traditional perimeter-based security defenses. Introspect applies hundreds of machine learning models across users, host and application behaviors to determine high-priority alerts. By coupling this with a comprehensive set of IT data resources, it then delivers full context forensic evidence so security teams can act quickly.

Additional Features:

  • Collects and analyzes everything from packets and flows to logs and alerts
  • Detects gestating attacks from malicious, negligent or compromised users, IoT devices, and systems
  • Machine learning models tuned for attack families such as ransomware
  • Stops attacks by integrating with Aruba ClearPass NAC to automatically take policy-based enforcement actions (quarantine, port block, etc.)

Markets and use cases: Large organizations in healthcare, education, finance, legal, oil & gas, government, technology and retail

How Delivered: Appliance and software-only versions

Scalability: No limit

Throughput/bandwidth restrictions: None, scales horizontally

Pricing: Based on the number of entities monitored

Cynet 360

Cynet 360 is an Autonomous Breach Protection Platform for enterprise security. This comprehensive solution monitors and analyzes behavioral and interaction indicators across endpoints, users, network traffic and files to identify attackers. UEBA capabilities are included as a native solution in the Cynet 360 system. It utilizes machine learning and heuristic analysis to establish a baseline for normal network behavior so it can hone in on malicious activity.

Additional Features:

  • Endpoint Detection and Response
  • Network monitoring and control
  • Response orchestration
  • Network analytics
  • Vulnerability scanning

Markets and use cases: Corporate security operations teams

Delivery: On-premises software or cloud-based

Pricing: Quotes available on request

Exabeam Advanced Analytics

Exabeam offers a SIEM platform that integrates its standalone products, including UEBA, log management, incident response and querying. Exabeam Advanced Analytics is the company's UEBA solution. It's designed for advanced threat detection, rapid incident investigation and efficient threat hunting. Its analytics dashboard provides an overview of threats in the environment, including open cases and related high-risk users and assets.

Headquartered in San Mateo, Calif., it has raised $65 million in funding, including a $30 million round that closed earlier this year. Exabeam's largest investors include Lightspeed Venture Partners and Cisco Investments. The organization claims Exabeam Advanced Analytics is "the world’s most deployed behavioral analytics platform."

Additional features:

  • Integrates with other Exabeam products and most SIEM products
  • Accepts data from hundreds of different sources
  • Patented session data model
  • Risk scoring
  • Ransomware detection and prevention
  • Session timelines
  • Alert prioritization

Markets and use cases: Any large organization. Exabeam has a special advisory board and programs for federal government agencies.

Delivery: Physical appliance or cloud-ready virtual machine

Endpoints: Unlimited

Throughput/bandwidth limits: None; scales horizontally

Pricing: Quotes available on request

Forcepoint

Forcepoint claims that its user behavior monitoring technology has protected governments and other organizations for more than 15 years. It was founded in 1994 under the name, Websense. It was renamed Forcepoint in 2016 after Raytheon acquired it for $1.9 billion. Forcepoint currently claims more than twenty thousand customers.

Forcepoint enables security teams to learn from existing data and proactively monitor for high-risk behavior. The platform collects and analyzes data from a wide array of sources, including communication platforms and security devices, to provide context for different user behaviors. The entity timeline allows you to reconstruct the series of events that led to an elevated risk score.

Additional features:

  • Distributed architecture
  • Daily consolidated risk scores for individuals
  • Risk prioritization
  • Customizable policies
  • Visualizations
  • Video replay of users' screens
  • Timelines
  • Forensics
  • Agent-based

Markets and use cases: Corporate security operations teams

Delivery: On-premises software

Endpoints: Unlimited

Throughput/bandwidth limits: None

Pricing: Quotes available on request

Fortinet FortiInsight

Fortinet's UEBA technology provides automated detection and response capabilities to protect organizations from insider threats. Leveraging machine learning and advanced analytics, FortiInsight identifies non-compliant, suspicious, or anomalous behavior and rapidly alerts any compromised user accounts.

Fortinet acquired ZoneFox, which is now an integral part of its FortiInsight product. When integrated with FortiSIEM as part of the Fortinet Security Fabric, it provides visibility into data activity and reduces the risk of insider threats or to compliance issues with the likes of GDPR and HIPAA. It includes endpoint behavioral monitoring of devices even when they are off the corporate network and any resources accessed. FortiInsight is a rule-based engine that identifies policy violations, unauthorized data access and extraction and compromised accounts.

Additional features:

  • Data streamed securely from the endpoint to the Fortinet datastore
  • 5-factor data identification model
  • Lightweight Agent-Based Protection
  • Windows OS support
  • Native file system drivers
  • Forensics
  • Network monitoring
  • Federated security

Key markets and use cases: Security operations teams, especially banks, manufacturers and game developers.

Delivery: Hosted solution

Endpoints: Scales well: In 15 days inside one organization, it recorded 130,000 events, 6.4 million user actions, and detected three cloud services used by 16 users, five tools associated with hacking and 14 high-risk users making use of removable storage.

Throughput/bandwidth limits: Consumes less than 0.5% of CPU, 20 MB of RAM memory and 5 KB/s of network traffic.

Pricing: Licensed based on the number of endpoints protected, whether the endpoint is a server, desktop, laptop, database server or SharePoint server.

Gurucul Unified Security Analytics

Gurucul offers three different types of security analytics based on its Predictive Identity Based Behavioral Anomaly Engine (PIBAE): 

  • UEBA
  • Identity analytics
  • Cloud security

This engine uses identity as a threat surface to create behavioral baselines that can be cross-correlated across different peer groups. It uses this information to detect, rank, remediate and deter anomalous activity.

Gurucul was founded in 2009 by security veterans who worked for identity management vendor Vaau, which was acquired by Sun Microsystems and then by Oracle.

Additional features:

  • Large library of machine learning algorithms
  • Fuzzy logic-based link analysis
  • Granular, self-tuning risk modeling
  • Signature-less
  • Modular architecture
  • Transaction scoring
  • Risk-ranked timelines
  • Hybrid behavior analytics that incorporates UEBA and identity analytics
  • Hadoop-based

Markets and use cases: Corporate security operations

Delivery: Appliance, virtual machine, cloud or bare metal

Pricing: Quotes available on request

LogRhythm UserXDR

LogRhythm UEBA detects known and unknown user-based threats by applying machine learning and scenario analytics to the surface. It then prioritizes threats according to their severity. It offers a full spectrum of security analytics using both scenario-based and behavior-based techniques. This augments organizational security environments, functioning either as a standalone UEBA product or as an add-on to existing SIEM or log management solutions.

Additional features:

  • Evidence-based starting points for investigation
  • Scoring and prioritizing of risk associated with anomalous user behavior
  • LogRhythm TrueIdentity builds comprehensive behavior profiles
  • Automated user baselining and risk analysis
  • Embedded security orchestration, automation, and response (SOAR)

Markets and use cases: Detection of insider threats, compromised accounts, privilege abuse and misuse, brute-force attacks, new privileged accounts, and unauthorized data access and exfiltration, especially in banking and finance, energy and utilities, healthcare, the federal sector, retail and hospitality.

Delivery: Appliance, software, cloud

Number of Endpoints: Up to millions of endpoints

Throughput/bandwidth limits: Can analyze hundreds of thousands of evidence points per second and store petabytes of data

Pricing: Begins at $115/Identity per year

Microsoft Azure Advanced Threat Analytics (ATA)

Microsoft Azure Advanced Threat Analytics (ATA) is a cloud-based security solution. It leverages on-premises active directory signals to identify, detect and investigate advanced threats, compromised users and insider threats.

In November 2014, Microsoft announced its acquisition of Israel-based security intelligence startup, Aorato. Aorato received $11 million in equity funding prior to the acquisition. In 2015, Microsoft introduced Advanced Threat Analytics to its Enterprise Mobility Suite and made it available as a standalone product. Microsoft considers Advanced Threat Analytics part of its Cloud Platform but the product is available only for on-premises deployment.

Additional features:

  • SIEM integration
  • Attack timelines
  • Mobility support
  • Organizational security graph
  • Email alerts
  • Deep packet inspection
  • Agentless

Markets and use cases: Small businesses

Delivery: On-premises software

Endpoints: Hundreds of thousands supported

Throughput/bandwidth limits: None

Pricing: Quotes available on request and negotiable under various licensing strategies. Estimated price for a standalone license is $80 per user, $61.50 per operating system per year.

One Identity Safeguard

One Identity Safeguard for Privileged Analytics delivers identity governance, access management and privileged account management solutions. It identifies high-risk privileged users, monitors questionable behaviors and uncovers threats using user behavior analytics technology.

It provides full visibility into privileged account users and their activities. Organizations can identify risky users, keep a constant lookout for new internal and external threats, and detect unusual privileged behavior. If suspicious activity is discovered, Safeguard enables IT security managers to take immediate action and be well-positioned to prevent potential data breaches.

Additional features:

  • Detect threats in real-time
  • Pattern-free operation
  • Screen content analysis
  • Behavioral biometrics
  • Reduce Alert Noise
  • Automated Response

Markets and use cases: Organizations having their privileged accounts targeted such as financial services, healthcare, utilities and government

Delivery: Appliance

Endpoints: The focus is on safeguarding a small number of privileged accounts rather than all endpoints.

Throughput/bandwidth limits: Each node can support thousands of hosts.

Pricing: Sold by the number of users or number of systems.

Palo Alto Cortex XDR

Cortex XDR is a threat detection, investigation and response app that natively integrates network, endpoint and cloud data. It uncovers threats using behavioral analytics, accelerates investigations with automation, and stops attacks before damage is done through tight integration with existing enforcement points.

Palo Alto Cortex XDR models billions of data points from network, endpoint and cloud sensors to automatically group related alerts into incidents to provide a holistic view of attacks. It accelerates investigations by stitching together data so that IT teams can get to the bottom of any threat with a single click. They can even immediately stop threats with built-in instant response options.

Additional Features:

  • Targeted attack detection
  • Malware and fileless attack detection
  • Insider threat detection
  • Risky user behavior analysis
  • Malware, ransomware, and exploit prevention
  • Automated alert investigation with root cause analysis
  • Supervised and unsupervised machine learning
  • Custom rule-based detection of attack behaviors
  • Incident response and recovery
  • Post-incident impact analysis
  • Threat hunting
  • IoC and threat intelligence searches

Markets and use cases: Security operations teams

Delivery: Cloud

Endpoints: Can scale to support a virtually unlimited number of endpoints

Throughput/bandwidth limits: Virtually unlimited throughput and bandwidth

Pricing: Based on the amount of data stored for 30 days

Rapid7 InsightIDR

Rapid7's InsightIDR is a cloud-based intrusion detection and response system. With 20 years in the cybersecurity industry, Rapid7 has proven itself to be a legacy leader in the space. InsightIDR is a powerful and reliable comprehensive security solution that includes UEBA capabilities.

InsightIDR is unique because its detection mechanisms are based on common attack vectors as well as anomalous behavior. It combines UEBA with the platform's threat intelligence capabilities, gathering insights about security risks from all around the world. And thanks to its cloud architecture, InsightIDR is scalable so it can maintain your growing security data.

Additional Features:

  • Endpoint detection and visibility
  • Centralized log management
  • Network traffic analysis
  • Attacker behavior analytics
  • File Integrity Monitoring (FIM)
  • Visual investigation timeline

Markets and use cases: This platform is ideal for organizations that have moved much of their system to the cloud.

Delivery: Software, cloud

Pricing: Licensing is based on the number of assets and the number of days the log will be retained in the cloud.

RSA NetWitness

RSA NetWitness is a purpose-built, Big-Data-driven, UEBA solution. It's a central part of the RSA NetWitness Platform. By leveraging unsupervised statistical anomaly detection and machine learning, it provides detection for unknown threats based on behavior, without the need for analyst tuning.

RSA NetWitness combines visibility with threat intelligence, business context and advanced analytics. This information is used to assign risk scores to alerts based on how likely they are to be reall attacks. Business context reduces false positives by making it easy to distinguish false alerts from real threats to help teams prioritize remediation tasks. The platform also incorporates full security automation, orchestration and response capabilities, making it easy for teams to collaborate on investigations.

Additional Features:

  • Leverages user, network and endpoint behavior profiling
  • Detects abuse and misuse of privileged accounts, brute force attacks, account manipulation and other malicious activities
  • Requires no customization, ongoing care, or rule authoring, creation or adjustment

Markets and use cases:

  • Key markets include financial, retail, local and federal government, higher education and critical infrastructure
  • Use cases include insider threat, brute force, account takeover, compromised account, privilege account abuse and misuse, elevated privileges, snooping user, data exfiltration, abnormal system access, lateral movement, malware activity and suspicious behaviors.

Delivery: Appliance and virtual formats

Endpoints: 100,000 users per server

Throughput/bandwidth limits: As above

Pricing: Based on the total number of employees that have corporate network access. For example, 1,000 to 2,500 users are licensed at $1.50 per user per month, with pricing dropping to a fifth of that for large deployments.

Securonix Security Analytics

Securonix Security Analytics incorporates SIEM, UEBA and fraud detection capabilities in its platform. The company's patented machine learning algorithms earned them a spot in Gartner's SIEM magic quadrant and the top spot on our top SIEM vendors list. Securonix analyzes and stores logs from all data sources as well as other security platforms, such as firewalls and Data Loss Prevention (DLP) tools. It uses AI-driven analytics to send out alerts of possible threats and to build cases that deliver insightful threat scores. It also chains together anomalies to create and assign confidence scores alongside the risk scores. Securonix Security Analytics helps IT teams maintain a secure and regulatory compliant data environment.

Additional features:

  • More than 1,000 one-click deploy threat models
  • 350 connectors
  • Visualizations
  • Investigation and response capabilities
  • Fraud reporting
  • Trade surveillance
  • Patient data analytics
  • Threat Model Exchange library
  • Predictive and adaptive learning
  • Integrates with SNYPR Security Analytics Platform
  • Agentless

Markets and use cases: Corporate security operations teams, especially very large enterprises

Delivery: On-premises software or cloud-based

Pricing: Quotes available on request

Splunk User Behavior Analytics

Splunk's "Data-to-Everything" platform makes IT, security, and many other parts of an organization work more efficiently by managing massive amounts of data. Its security solution uses machine learning, automation and orchestration to process billions of events and analyze historical and real-time data to build behavior baselines so teams can quickly make decisions and take action.

Founded in 2003 to support the open source Splunk software, the company now claims most of the Fortune 100 as customers and more than $2 billion in revenue.

Additional features:

  • Security dashboard
  • Hadoop-based
  • Multi-dimensional behavior baseline
  • Integration with Splunk Enterprise and Splunk Enterprise Security
  • Anomaly exploration
  • Agentless

Markets and use cases: Corporate security operations teams

Delivery: On-premises software or as an AWS service

Endpoints: 500,000 on a single node (additional scaling possible with additional nodes)

Throughput/bandwidth limits: None

Pricing: Quotes available on request

Varonis

Varonis offers a variety of data management, governance and security products, including its DatAlert UBA solution. Its primary focus is securing companies against insider threats. The Varonis Data Security Platform in general gets very high marks from users for deployment, product capabilities and support.

Additional features:

  • Predictive threat models
  • Security time machine
  • Integration with other security solutions
  • Web-based dashboards
  • Alert scoring and prioritization
  • Custom alert criteria
  • Agents for some platforms, agentless for others

Markets and use cases: Corporate security operations teams

Delivery: On-premises software

Endpoints: Not applicable; UEBA occurs on servers rather than endpoints

Throughput/bandwidth limits: None

Pricing: Quotes available on request

Veriato Cerebral

Veriato specializes in employee monitoring solutions, including its UEBA product, Cerebral. This AI platform integrates UEBA with User Activity Monitoring (UAM) to improve rapid incident response. From the GUI, users can quickly see all individual users; with elevated risk score, which helps security teams hunt threats proactively. Veriato boasts more than 50,000 customers in more than 100 countries.

Additional features:

  • Simple tuning
  • Behavioral groups
  • Alerting
  • Integration with SIEM and other security solutions
  • Psycholinguistic analysis
  • Screen snapshots
  • Keystroke recording
  • Agent-based

Markets and use cases: Corporate security operations teams and HR departments

Delivery: On-premises software

Endpoints: 200,000 with a single instance

Throughput/bandwidth limits: None

Pricing: Quotes available on request

UEBA best practices

UEBA software is a powerful tool but it's not an all-encompassing network security solution. It will take some work for it to operate effectively. Here are a few best practices for using UEBA sotware:

  • Customized alerts: The UEBA system will send out an alert when anomalies are detected. Alerts should be configured to only notify relevant team members. Having too many cooks in the kitchen can convolute the remediation process. This also prevents unnecessary panic.
  • Integrate with other solutions: While UEBA solutions can collect a lot of information on their own, they should not be your only source of data. Integrating them with other monitoring tools such as Intrusion Detection Systems (IDS) and applications like  Customer Relationship Management (CRM) systems will provide valuable contextual insight for identifying behavior.
  • Review reports: Even if you have a lot of trust in your UEBA solution, it's important to regularly review anomalous activity reports. If there are certain activities that are continuously being incorrectly flagged by your system as anomalous, then you could be wasting valuable time and effort digging into issues that don't exist and some fine-tuning may be in order.

The future of User Behavior Analytics

Although UEBA solutions have only been around for a few years, they quickly became popular among large enterprises. However, just as quickly, there is a major shift happening that may eliminate the existence of stand-alone UEBA products altogether.

UEBA market analysis

According to Gartner's Market Guide for User and Entity Behavior, they predict that the UEBA market will cease to exist as a stand-alone product in the near future. Gartner predicts that by 2022 as much as 95 percent of all UEBA deployments will be as features of broader security platforms instead of standalone products. Gartner currently doesn't plan to even track UEBA revenue beyond 2020 due to the stark increase in acquisitions, pivots into specific markets or the development of additional features to evolve into a modern SIEM.

There are a few reasons for this major shift in the security market:

Use cases: Stand-alone pure-play UEBA platforms were originally built to support a broad range of use cases. Vendors with embedded UEBA features in their solutions, such as SIEMs, are often tailored to more specific use cases. Most organizations prefer to use technologies that cater to their unique security and business needs.

Deployment and maintenance: Buyers report that deployment and ongoing maintenance of pure-play UEBA solutions are time-consuming and labor-intensive. When these capabilities are wrapped up in a more comprehensive solution, all of the time and resources needed to get it up and running and to maintain its operation are consolidated.

When shopping for an analytics-based security software, it's best to think of UEBA as part of a more comprehensive security solution rather than a standalone product. Before making a purchasing decision, check whether your existing security vendors already offer UEBA features and advanced analytics in its tool's latest release.

UEBA product features comparison

Below is a chart comparing the top UEBA solutions:

 

UEBA Vendor

Use Cases

Special Features

Delivery

Aruba

High-risk and regulated industries

Integrated network traffic analysis

Appliance and software

Cynet

Security operations teams seeking broader app and device management

Integrates access control, application management and endpoint management

Cloud or on-premises

Exabeam

Large organizations, federal agencies

Ransomware detection and prevention

Physical appliance or cloud-ready virtual machine

Forcepoint

Security operations teams

Consolidated risk scores for individuals; video replays of users' screens

On-premises software

Fortinet

Banks, manufacturers and game developers

Monitors endpoints even when off network

Hosted solution

Fortscale

Organizations of all sizes; security vendors

Darknet analysis; DLP integration

On-premises software or embedded in other security solutions

Gurucul

Corporate security operations

Large library of machine learning algorithms; fuzzy logic-based link analysis

Appliance, virtual machine, cloud or bare metal

LogRhythm

High-risk and highly regulated industries

Embedded orchestration, automation and response

Appliance, software and cloud

Microsoft ATA

Small businesses

Mobility support; deep packet inspection

On-premises software

One Identity

Aimed at high-risk privileged accounts

Real-time threat detection, behavioral biometrics

Appliance

Palo Alto

Security operations teams seeking broad protections

Automated alert investigation, impact analysis, threat hunting

Cloud

RSA

Security operations teams seeking automation

Unsupervised anomaly detection and machine learning

Appliance and virtual formats

Securonix

Security operations teams, especially in very large enterprises

Fraud reporting; trade surveillance; patient data analytics

On-premises software or cloud-based

Splunk

Security operations teams

Multi-dimensional behavior baseline; anomaly exploration

On-premises software or AWS service

Varonis

Security operations teams

"Security Time Machine" analyzes past data; ransomware detection

On-premises software

Veriato Cerebral

Security operations teams and HR departments

Psycholinguistic analysis; screen snapshots; keystroke recording

On-premises software