What is UEBA? Complete Guide to User and Entity Behavior Analytics

UEBA can stand for either “User and Event Behavior Analytics” or “User and Entity Behavior Analytics.” It extends an earlier type of cybersecurity practice – User Behavior Analytics, or UBA – which uses machine learning and deep learning to model the behavior of users on corporate networks and highlights anomalous behavior that could be the sign of a cyberattack.

UEBA extends this analysis to “Entities” and “Events” other than users, such as routers, servers, and endpoints. UEBA solutions are more powerful than earlier UBA approaches, as they can detect complex attacks across multiple users, IT devices and IP addresses.

UEBA is now a very important component of IT security and forms a critical part of Varonis’ Threat Detection solutions. These solutions can drastically reduce the time to detect and respond to cyberattacks – spotting threats that traditional products miss by combining visibility and context from both cloud and on-prem infrastructure.

Gartner Peer Insights has rated Varonis as the leading UEBA solution, see their industry comparisons and ratings here.

How Does UEBA Work?

image of top three UEBA functions

The basic principles behind UEBA solutions will be familiar from UBA approaches. User and entity behavior analytics first collects information on the normal behavior of users and entities from system logs. These systems then apply advanced analytical methods to analyze the data, and establish a baseline of user behavior patterns. UEBA then continuously monitors entity behavior and compares it to baseline behavior for the same entity or similar entities.

The purpose of this analysis is to detect any anomalous behavior or instances when there are deviations from “normal” patterns. For example, if a particular user regularly downloads 10 MB of files every day but suddenly downloads gigabytes of files, the system would be able to detect this anomaly and alert you to the potential security threat.

UEBA shares this structure with UBA, but also looks at entities. The key idea is that UEBA extends the reach of its analytics to cover non-human processes and machine entities. Gartner analyst Anton Chuvakin has a good breakdown of UEBA: in short, it’s still UBA but enhanced with more context from entities and better analytics.

Why go beyond the user?

Many times it makes sense not to look at individual user accounts to spot unusual behaviors. For example, hackers who have landed on a victim’s computer may be leveraging multiple users to launch their post-exploitation activity – say, lateral movement to other machines.

The larger entity to focus on is then not the account but the machine, which can be identified by an IP address. In other words, look for unusual activities where the common element is the IP address of a workstation.

Or, in the case of existing Windows system software – regsvr32 or rundll32 – which hackers use in a context not associated with normal usage, the more logical entity to focus on is the software itself.
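The baselining described in the two sections above, as an added example that is not Varonis code or code from this article: it builds a daily-volume baseline per user and per workstation IP from constructed file-access records, scores the latest day with a modified z-score, and shows the case just described, where each account looks only mildly busy but the workstation they all read from does not. It goes one step beyond the text by also flagging user/host pairings never seen in the baseline. The user names, IP addresses, volumes and threshold are assumptions.

```python
"""Entity-level baselining over constructed file-access events.
Added example, not code from Varonis or this article. Each record is
(day, user, source_ip, bytes_read). A baseline of daily totals is built per
entity (user or workstation IP) from the training days, and the scored day is
compared to it with a modified z-score (median and MAD), so one busy training
day does not inflate the baseline the way a mean and standard deviation would.
"""
from collections import defaultdict
from statistics import median

MB = 1_000_000

# Constructed sample: days 1-4 are quiet; on day 5 workstation 10.0.0.7 reads
# under three accounts, each of which is only slightly busier than usual.
EVENTS = [
    (1, "alice", "10.0.0.7", 10 * MB), (2, "alice", "10.0.0.7", 12 * MB),
    (3, "alice", "10.0.0.7", 9 * MB), (4, "alice", "10.0.0.7", 11 * MB),
    (1, "bob", "10.0.0.8", 8 * MB), (2, "bob", "10.0.0.8", 10 * MB),
    (3, "bob", "10.0.0.8", 9 * MB), (4, "bob", "10.0.0.8", 12 * MB),
    (1, "carol", "10.0.0.9", 11 * MB), (2, "carol", "10.0.0.9", 9 * MB),
    (3, "carol", "10.0.0.9", 10 * MB), (4, "carol", "10.0.0.9", 13 * MB),
    (5, "alice", "10.0.0.7", 14 * MB),
    (5, "bob", "10.0.0.8", 9 * MB), (5, "bob", "10.0.0.7", 4 * MB),
    (5, "carol", "10.0.0.9", 10 * MB), (5, "carol", "10.0.0.7", 4 * MB),
]
USER, IP = 1, 2          # tuple columns that identify an entity
TRAIN_DAYS = range(1, 5)
THRESHOLD = 3.5          # usual cut-off for the modified z-score

def daily_totals(events, key):
    """Bytes per entity per day; `key` is the tuple column naming the entity."""
    totals = defaultdict(lambda: defaultdict(int))
    for rec in events:
        totals[rec[key]][rec[0]] += rec[3]
    return totals

def modified_z(value, baseline):
    """0.6745 * (x - median) / MAD. When MAD is 0 (a nearly constant
    baseline) fall back to the mean absolute deviation; when that is 0 too,
    any departure from the baseline is unbounded."""
    med = median(baseline)
    mad = median(abs(v - med) for v in baseline)
    if mad == 0:
        mean_ad = sum(abs(v - med) for v in baseline) / len(baseline)
        if mean_ad == 0:
            return 0.0 if value == med else float("inf")
        return (value - med) / (1.253314 * mean_ad)
    return 0.6745 * (value - med) / mad

def score_day(events, key, day, train_days=TRAIN_DAYS):
    """{entity: modified z-score of the day's total against its own baseline};
    a training day with no activity counts as 0 bytes."""
    scores = {}
    for entity, per_day in daily_totals(events, key).items():
        baseline = [per_day.get(d, 0) for d in train_days]
        scores[entity] = modified_z(per_day.get(day, 0), baseline)
    return scores

def anomalies(events, key, day, threshold=THRESHOLD):
    """Entities whose volume on `day` is far above their own baseline."""
    return sorted(e for e, z in score_day(events, key, day).items() if z > threshold)

def new_pairings(events, day, train_days=TRAIN_DAYS):
    """(user, ip) pairs active on `day` that never appeared in training: a
    baseline-free signal that an account is being used from a new host."""
    seen = {(u, ip) for d, u, ip, _ in events if d in train_days}
    return sorted({(u, ip) for d, u, ip, _ in events if d == day} - seen)

if __name__ == "__main__":
    print("per-user anomalies:", anomalies(EVENTS, USER, 5))  # []
    print("per-host anomalies:", anomalies(EVENTS, IP, 5))    # ['10.0.0.7']
    print("new user/host pairs:", new_pairings(EVENTS, 5))
```

Scored per user, every account stays below the cut-off; scored per workstation, 10.0.0.7 is roughly eight times its baseline spread above normal, and the pairing check independently reports that bob and carol had never read from that host before.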

Components of User and Entity Behavior Analytics

UEBA solutions have three main components that are all crucial to their functioning:

  1. Data Analytics uses data on the “normal” behavior of users and entities to build a profile of how they normally act. Statistical models can then be applied in order to detect unusual behavior and alert system administrators.
  2. Data Integration means that UEBA systems are able to compare data from various sources – such as logs, packet capture data, and other datasets – with existing security systems.
  3. Data Presentation is the process through which UEBA systems communicate their findings. This is typically done via issuing a request for a security analyst to investigate unusual behavior.

The Difference Between UBA and UEBA

In October 2017, Gartner released a new market guide for UEBA. This was the first time that an “E” had appeared in UBA.

To understand this additional letter, it might be worthwhile to review the market definition of UBA. UBA’s primary market focused on security (the theft of data) and fraud (use of stolen information) technologies. However, as data theft grew, so did the security technologies market. As a result, Gartner concluded that its growth and maturation required a distinct divergence from fraud detection technologies.

This shift has also been driven by a number of parallel changes in the way that corporations have viewed cybersecurity. The evolution of DevSecOps and the rise of chaos engineering have highlighted the importance of tracking and monitoring all the devices connected to a system and monitoring their access controls. As we’ve previously noted, today it’s crucial to understand what every entity on an access control list (ACL) represents, including the implicit identities that are built into a Windows environment, and specifically the difference between the “Everyone” group and “Authenticated Users”.

These considerations led to renaming UBA to UEBA, where the letter “E”, according to Gartner:

…recognizes the fact that other entities besides users are often profiled in order to more accurately pinpoint threats, in part by correlating the behavior of these other entities with user behavior.

In other words, UEBA software correlates both user activity and other entities such as managed and unmanaged endpoints, applications (including cloud, mobile and other on-premises applications), networks, as well as external threats.

By using UEBA, you’re protecting against external threats that make their way inside the perimeter as well as the insider threats that already exist – you’re protecting your data from the inside out.

Finally, let us humbly mention that Varonis is a named “representative vendor” in Gartner’s New Market Guide for User and Entity Behavior Analytics.

Do I Need a UEBA Solution?

The rise of UEBA has been driven by a simple realization: preventative measures are no longer enough to keep corporate systems secure. Web gateways, firewalls, intrusion prevention tools, and encrypted connection systems like VPNs are no longer able to protect you against intrusion. Hackers will get into your systems at some point, and it’s important to detect them as soon as that happens.

The value of UEBA, then, is not that it prevents hackers or insiders from accessing critical systems. Instead, UEBA systems can quickly spot when this has happened, and alert you to the risk.

Deciding whether a UEBA system is appropriate for you should rest on this principle, and a number of other considerations. Here they are:

  • First, it is true that UEBA can reduce your vulnerability to the most common types of cyberattack. As we point out in our research on cybersecurity statistics, some of the most common attacks include phishing, whaling, social engineering, Distributed Denial of Service (DDoS) attacks, malware and ransomware. UEBA will quickly alert you if any of these attacks have been successful.
  • On the other hand, you should note that UEBA tools and processes are not meant to replace earlier monitoring systems, but instead should be used to complement them and enhance your company’s overall security posture.
  • Because of this, UEBA should always be used in combination with a perimeter monitoring solution like Varonis’ Edge. Edge analyzes metadata from perimeter technologies like DNS, VPN, and web proxies to spot signs of attack at the perimeter. We put perimeter activity in context with a user’s core data access activity, geolocation, security group memberships and more — giving your SOC analysts cleaner, more meaningful alerts.
  • Similarly, UEBA is not a replacement for a Cloud Access Security Broker (CASB), a security application that helps organizations manage and protect the data stored in the cloud. Gartner advises organizations to find a “Goldilocks” CASB solution – one that provides just-right capabilities for SaaS applications and cloud infrastructure – and to use this in combination with UEBA.

The bottom line is that UEBA software can effectively alert security officers when the baseline activity within an environment exhibits anomalies, signaling a potential attack. This is extremely useful, but is not a replacement for a comprehensive Threat Detection solution.

In addition, UEBA comes with various pros and cons that will have an impact on whether it is correct for your business. Let’s look at them.

Pros of UEBA

  • The primary pro of UEBA is that it allows you to automatically detect a wide range of cyberattacks. These include insider threats, compromised accounts, brute-force attacks, the creation of new users, and data breaches.
  • This is useful because automated systems can dramatically reduce the number of security analysts you need to employ. At the moment, this will be a major attraction for many companies, because though the cybersecurity market remains strong, there is a huge cybersecurity skills gap. 74 percent of respondents to the ESG/ISSA research report say that their firms are being affected by the shortage. This number, by the way, has crept up from 70 percent last year.
  • Because UEBA allows fewer security analysts to do more, it can also significantly reduce your cybersecurity budget. This, again, is a major reason why more and more companies are using UEBA. Investment in cybersecurity budgets increased by 141 percent between 2010 and 2018, driven in large part by new approaches like UEBA.

Cons of UEBA

On the other hand, there are some drawbacks to UEBA, even when used alongside other cybersecurity tools.

  • The primary drawback of UEBA is upfront cost. Whilst for larger companies an investment in UEBA will quickly pay itself back, smaller companies might not need such a complex monitoring solution. Since most dedicated hosting solutions already provide advanced user access controls for websites and web portals, small companies implementing UEBA might see it as a duplication of time and money.
  • Secondly, the data generated by UEBA is more complex than that generated by more basic UBA systems. This can make it hard to understand for analysts without the requisite training. That said, Varonis’ security training offers a way to quickly and efficiently train staff in advanced techniques like UEBA, obviating this drawback.
  • Finally, and to repeat some of the points above, it is important to recognize that UEBA helps you in very specific ways, and is not a replacement for other cybersecurity systems. It will let you spot unusual behavior, but will not do anything to stop intruders.

Machine Learning and User Entity Behavior Analytics

UEBA relies for its effectiveness on machine learning (ML) techniques. As we’ve previously mentioned in our article on AI and ML in cybersecurity, these tools can provide a great deal of support to a cybersecurity or IT team. While ML may have a long way to go before it can be used for threat detection on its own without human intervention, there are many tasks it can handle to level up security.

Let’s take a closer look at how ML is used in UEBA. Gartner’s guide to UEBA (downloadable here) has some insights into UEBA and its appropriate use cases. As they point out, there’s more emphasis in UEBA than in UBA on using data science and machine learning to separate out normal activities of persons and entities from abnormal.

Gartner sees UEBA being applied to use cases where finer-tuned analytics and gathering more context is essential, including:

  • Malicious Insiders
  • APT groups leveraging zero-day vulnerabilities
  • Data exfiltration involving novel channels
  • User Account access monitoring

Since these use cases involve a shifting attack surface, Gartner notes that machine learning or ML is essential to establish a baseline derived from “interactions between all users, systems, and data”. But as ML researchers have pointed out, there’s no single approach to working out these baselines.

image showing clustering (source: SimplyStats)

K-means clustering. Classification. Regressions. Component Analysis. All can be used in UEBA algorithms. If the nerd is strong in you, you can learn more about these topics here.

But even the biggest boosters of ML-based analytics will tell you, there are limits. They are notably hard to tune and can lead to the curse of all UEBA systems: too many false positives. In other words, the algorithms are so sensitive they alert on conditions that may be unusual but are not abnormal and indicative of an attacker or insider.

Perhaps a system architect had to work over the weekend to meet a deadline and was copying hundreds of files. UEBA clustering algorithms, say, found this employee’s actions to be abnormal and locked his account, thereby causing a critical project to be delayed.

UEBA, Clean Data, and Threat Models

The bigger question for UEBA – as it was for security information and event management, or SIEM, systems – is the data source.

As we’ve pointed out in the IOS blog before, it’s very difficult to base security analytics on the raw Windows events log. It’s a complicated (and potentially error-prone) process to correlate related events from the system log. On top of that, it’s resource-intensive. There are, ahem, better solutions that can produce cleaner file-related event histories.

Another problem posed by the UEBA algorithms is that they’re in a sense starting from scratch: they have to be trained either through formal supervised training or on-the-fly in a semi-supervised fashion. There is nothing inherently wrong with this idea since it’s simply the way ML works.

But in the data security space, we have a big advantage in that we know how most of the more critical incidents occur. Thankfully, the folks at MITRE have done the heavy lifting and have organized a lot of the techniques and tactics into various models.

image of the MITRE ATT&CK matrix

This is a good thing!

For UEBA, we don’t need to rely solely on ML techniques to “learn” what the key factors are in determining abnormal behaviors. MITRE and others tell us that, for example, lateral movement, credential access, and privilege escalation are some of the common known methods of attackers.

Starting with these well-understood patterns gives you a big head start in organizing event data. This naturally leads to the topic of threat modeling.
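One way to turn the well-understood patterns above into threat-model rules, as an added example that is neither Varonis code nor part of the article: three rules over a constructed logon/account event log, one each for credential access (brute force), lateral movement and privilege escalation, each emitting an alert labelled with its ATT&CK tactic so analysts can organize the event data by known attacker method rather than waiting for a model to learn it. The event format, account and host names, and the thresholds are assumptions; the technique names and IDs are MITRE ATT&CK’s.

```python
"""Threat-model rules over a constructed logon/account event log.
Added example, not Varonis code: the event format, account and host names
and thresholds are assumed; tactic and technique names follow MITRE ATT&CK.
"""
from collections import defaultdict, deque, namedtuple

Alert = namedtuple("Alert", "tactic technique entity ts")  # entity = account, ts = seconds
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def ev(ts, user, action, host, **extra):
    return {"ts": ts, "user": user, "action": action, "host": host, **extra}

# Constructed sample: one service account is brute-forced, then logs on to
# several hosts, then creates an account and puts it in Domain Admins.
LOG = [
    *[ev(t, "svc_backup", "logon", "FS01", outcome="fail") for t in range(0, 90, 15)],
    ev(100, "svc_backup", "logon", "FS01", outcome="success"),
    ev(200, "svc_backup", "logon", "FS02", outcome="success"),
    ev(320, "svc_backup", "logon", "APP01", outcome="success"),
    ev(450, "svc_backup", "logon", "DC01", outcome="success"),
    ev(500, "svc_backup", "user_create", "DC01", target="helpdesk2"),
    ev(620, "svc_backup", "group_add", "DC01", target="helpdesk2", group="Domain Admins"),
    # benign noise: one mistyped password followed by a normal logon
    ev(30, "dave", "logon", "WS12", outcome="fail"),
    ev(45, "dave", "logon", "WS12", outcome="success"),
]

def brute_force(events, fails=5, window=120):
    """Credential Access: >= `fails` failed logons within `window` s, then a success."""
    recent, alerts = defaultdict(deque), []  # account -> recent failure times
    for e in sorted((x for x in events if x["action"] == "logon"), key=lambda x: x["ts"]):
        q = recent[e["user"]]
        while q and e["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if e["outcome"] == "fail":
            q.append(e["ts"])
            continue
        if len(q) >= fails:
            alerts.append(Alert("Credential Access", "T1110 Brute Force", e["user"], e["ts"]))
        q.clear()
    return alerts

def lateral_movement(events, hosts=3, window=600):
    """Lateral Movement: one account logs on to >= `hosts` distinct hosts within `window` s."""
    logons = defaultdict(list)
    for e in events:
        if e["action"] == "logon" and e["outcome"] == "success":
            logons[e["user"]].append(e)
    alerts = []
    for user, evs in logons.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            seen = {x["host"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(seen) >= hosts:
                alerts.append(Alert("Lateral Movement", "T1021 Remote Services", user, first["ts"]))
                break  # one alert per account; the analyst gets the whole window anyway
    return alerts

def privilege_escalation(events, window=3600):
    """Privilege Escalation: a new account (T1136) joins a privileged group within `window` s."""
    created, alerts = {}, []  # new account -> creation time
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] == "user_create":
            created[e["target"]] = e["ts"]
        elif (e["action"] == "group_add" and e.get("group") in PRIVILEGED_GROUPS
              and e["target"] in created and e["ts"] - created[e["target"]] <= window):
            alerts.append(Alert("Privilege Escalation", "T1098 Account Manipulation", e["user"], e["ts"]))
    return alerts

def run_threat_models(events):
    """Apply every model and return the alerts in time order."""
    alerts = brute_force(events) + lateral_movement(events) + privilege_escalation(events)
    return sorted(alerts, key=lambda a: a.ts)
```

All three alerts name the same entity, svc_backup, which is the correlation an analyst wants: not three unrelated oddities but one account walking through credential access, lateral movement and privilege escalation in sequence.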

Why is Varonis a UEBA Leader?

Threat models are the key characteristics of real-world attacks organized into larger, more meaningful categories. And this is where Varonis can help.

Varonis uses predictive threat models to automatically analyze behaviors across multiple platforms and alert you to a potential attacker. From CryptoLocker infections to compromised service accounts to disgruntled employees, we’ll detect and alert you on all types of abnormal user behavior.

Without any configuration, Varonis threat models are ready to go.

Learn more about why Varonis was recognized by The Gartner Market Guide for User and Entity Behavior Analytics or request a demo today and find out for yourself!

User Entity Behavior Analytics Best Practices

image of UEBA best practices tips

Once you have your UEBA system up and running, there are a few principles that can help you to ensure that it stays as secure as possible, and provides the best value for your investment.

Some of these cybersecurity tips are common to both UEBA and other types of security software. The way in which you use these systems is one of the most critical elements in leveling up your security, and this, in turn, relies on your employees and their knowledge and use of cybersecurity best practices.

Train Your Staff

One of the most important elements of using a UEBA system correctly is to make sure that your staff has the knowledge and skills necessary to work with these systems. Cybersecurity memo templates can drive home the importance of cybersecurity to your employees, and you should promote security awareness and cybersecurity best practices year-round. This is as true for UEBA systems as it is for any other type of security software.

Consider Insider Threats

A more specific tip when it comes to working with UEBA systems is to ensure that you consider your entire threat profile when making rules and policies to detect attacks. One of the major advantages of UEBA is that you can detect insider threats as effectively as those from outside your organization, but only if you have configured your system to look for them.

Lock Down Access

Securing your UEBA system, like any other system you use, relies on you granting the right privileges to the right staff members. Do not give access to your UEBA system to everyone – instead, only relevant team members should be able to see this data, and they should also be the only people receiving alerts from the system.

Beware of Escalating Privileges

Don’t regard non-privileged user accounts as harmless. Hackers will generally target these accounts, and then try to escalate privileges to penetrate sensitive systems. UEBA systems can help detect unauthorized privilege escalation, and you should configure your software to alert you to any instances of this.

Use Other Tools

Do not treat UEBA processes and tools as a substitute for basic monitoring systems such as Intrusion Detection Systems (IDS). UEBA systems are a complement to traditional monitoring infrastructure, not a replacement for it.

UEBA vs. SIEM

UEBA and SIEM comparison

Another source of confusion for many security analysts is the difference between UEBA and SIEM. In this section, we’ll take a look at the differences between them.

Here’s the simple version. Security Information and Event Management, or SIEM, is the use of a complex set of tools and technologies to give you a comprehensive view of the security of your IT system. It makes use of data and event information, allowing you to see patterns and trends that are normal, and alert you when there are anomalous trends and events. UEBA works the same way in that it uses user (and entity) behavior information to come up with what’s normal and what’s not.

If you currently use a security information and event management (SIEM) tool to monitor user activity for threat management and regulatory compliance, awesome! You have a head start. SIEM is an excellent starting point for security analytics, as it monitors system events captured in firewalls, OS logs, syslog, network traffic logs, and more.

If you have SIEM, you might wonder why you need UEBA. At first glance UEBA and SIEM appear to be very similar; however, upon closer inspection, they do different things.

If I have SIEM, would I need UEBA?

Good question. The answer will depend on the scale of your business, and what you need your intrusion detection system to do.

Here’s the bottom line. SIEMs are a capable security management tool, but typically lack effective and intelligent threat detection and response. They can be bypassed by advanced attackers with relative ease, and focus more on real-time threats than extended attacks. UEBA solutions are capable of detecting threats that may occur over a much more extended period of time and be significantly more advanced. By using these two tools in conjunction, organizations are capable of defending against threats much more effectively.

By focusing less on system events and more on specific user activities, UEBA builds a profile of an employee based on their usage patterns, and sends out an alert if it sees abnormal user behavior. Typically UEBA alerts can be sent via email, SMS, or even be piped into your SIEM.

That said, there are some considerations to think about when you are deciding if you need UEBA in addition to SIEM:

  1. Determine if you want SIEM to analyze security event data produced by security devices, network infrastructures, systems, and applications, or UEBA to gain deep insight into what users on a system are doing — their activities and file access patterns.
  2. Use cases also really help security officers identify, clarify and prioritize requirements for deciding on which solutions to use. Plus, it’s a good way to really “get” the differences between these complementary technologies.

If you have any projects related to compliance, and need to track access activity, here are some relevant SIEM use cases:

    • Compliance reporting
    • Monitoring of events – access activity, data access, application activity, and event management

On the other hand, if you are concerned with insider threats, and protecting organization digital assets, you might want to look at UEBA. Here are some use cases:

    • Insider threat enterprise security
    • Protecting organizations with high-value IP, or sensitive data that needs protection – such as financial, government, telecom, education, hospitals, retail, etc.
  3. If you’ve already deployed SIEM, evaluate its user monitoring, profiling, and anomaly detection capabilities to determine whether they can be adapted to satisfy your use cases before turning to UEBA technology.

In short, both SIEM and UEBA have important use cases to help an organization meet its business and security needs. Because insider attacks are real and costly, don’t overlook UEBA as it is an excellent complement to SIEM.

User Entity Behavior Analytics FAQ

Even after all that, you might still have some questions about UEBA, and the way that it can help you protect your systems. Here are the most commonly asked questions.

Q: What is UEBA Security?

A: UEBA normally stands for “User and Entity Behavior Analytics”. It extends an earlier type of cybersecurity practice – User Behavior Analytics, or UBA – which uses machine learning and deep learning to model the behavior of users on corporate networks and highlights anomalous behavior that could be the sign of a cyberattack.

Q: What is Forcepoint UEBA?

A: Forcepoint is one UEBA solution. This system collects and analyzes user activity-based scenarios (Events such as logins, print jobs, etc) and non-activity-based scenarios (Entity information such as HR data) within a company. It can then highlight anomalies in this behavior, and give you a warning about a potential cyberattack.

Q: How Does User Behavior Analytics Work?

A: UEBA systems collect information on the normal behavior of users and entities from system logs. These systems then apply advanced analytical methods to analyze the data and establish a baseline of user behavior patterns. UEBA then continuously monitors entity behavior and compares it to baseline behavior for the same entity or similar entities. The purpose of this analysis is to detect any anomalous behavior or instances when there are deviations from “normal” patterns.

Final Thoughts

UEBA can be a powerful addition to your cybersecurity suite. It provides a novel way for you to perform threat detection and can complement intrusion prevention systems and threat detection software.

UEBA systems are also a useful tool for training new security engineers because they offer a great way to learn what suspicious activity looks like. As we point out in our article on working in cybersecurity, cybersecurity careers don’t only consist of white hat hacking – there is a wide variety of avenues that are fit for different personality types, and UEBA analysis is one of these.

Ultimately, however, you should remember that UEBA systems are not a panacea for cybersecurity. They should also be used alongside a fully-featured Threat Detection solution like Varonis. Used in this way, UEBA systems can drastically reduce the time it takes to detect and respond to cyberattacks – spotting threats that traditional products miss.

Jeff Petters

Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.
