What is User and Entity Behavior Analytics (UEBA)?

User and entity behavior analytics (UEBA), or user behavior analytics (UBA), is a type of cybersecurity solution or feature that discovers threats by identifying activity that deviates from a normal baseline. While UEBA can be used for a variety of reasons, it is most commonly used to monitor and detect unusual traffic patterns, unauthorized data access and movement, or suspicious or malicious activity on a computer network or endpoints.

Why Companies Need UEBA

Security operations often use security information and event management (SIEM) platforms to monitor and identify potential security threats. SIEMs aggregate event logs and security alerts, but they have difficulty detecting unknown or advanced threats that don’t involve malware – such as credential theft – or internal and external attackers who have already gained access to the network.

Two main categories of cybersecurity analytics tools have emerged to fill this gap: 

  • Log-centric solutions (UEBA)
  • Network-centric solutions (NTA)

The Differences Between UEBA and NTA

UEBA solutions are typically offered either as packaged offerings or embedded in traditional security products, such as cloud access security brokers (CASBs) and identity governance and administration (IGA) systems. They work by using live and historical data as well as machine learning to develop a baseline of standard activity for network users and other entities (e.g., hosts, applications, data repositories, network traffic).

Once they establish this baseline, UEBA solutions apply a host of analytics methods (e.g., simple statistics, pattern matching, rules that leverage signatures) to look for anomalies in traffic patterns that indicate potentially suspicious or malicious activity. For UEBA solutions to perform behavior analytics effectively, a company must first have a robust and integrated data set for the machine learning tools.
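A minimal illustration of the baseline-then-score approach described above, written for this page as an added example (it is not a vendor's product code or the article's own). The telemetry records, field names, weights and thresholds are constructed assumptions; a per-user profile is built from historical records with simple statistics, then new events are scored for volume deviation, unfamiliar hosts and unusual login hours.

```python
import statistics
from collections import defaultdict

# Constructed sample telemetry (not from the page): one record per user-day,
# with the hour of first login, the source host and the bytes sent outbound.
HISTORY = [
    # user,   hour, host,    bytes_out
    ("alice",   9, "ws-01", 120_000),
    ("alice",   8, "ws-01", 150_000),
    ("alice",  10, "ws-01", 130_000),
    ("alice",   9, "ws-02", 110_000),
    ("bob",    13, "ws-07",  40_000),
    ("bob",    14, "ws-07",  45_000),
    ("bob",    12, "ws-07",  50_000),
    ("bob",    13, "ws-07",  42_000),
]

def build_baseline(history):
    """Per-user profile: usual hosts, usual login hours, mean/stdev of bytes_out."""
    by_user = defaultdict(list)
    for user, hour, host, nbytes in history:
        by_user[user].append((hour, host, nbytes))
    baseline = {}
    for user, rows in by_user.items():
        volumes = [r[2] for r in rows]
        baseline[user] = {
            "hosts": {r[1] for r in rows},
            "hours": {r[0] for r in rows},
            "mean": statistics.mean(volumes),
            # Floor the stdev so a flat history cannot turn every deviation into infinity.
            "stdev": max(statistics.pstdev(volumes), 1.0),
        }
    return baseline

def score_event(baseline, user, hour, host, nbytes):
    """Return a 0-100 risk score; unknown users score high because no baseline exists."""
    profile = baseline.get(user)
    if profile is None:
        return 80
    z = (nbytes - profile["mean"]) / profile["stdev"]   # how many stdevs above normal
    score = min(max(z, 0) * 15, 60)                      # volume anomaly, capped at 60
    if host not in profile["hosts"]:                     # never seen this user on this host
        score += 20
    if hour not in profile["hours"]:                     # login outside the user's usual hours
        score += 20
    return int(min(score, 100))

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(score_event(base, "bob", 3, "ws-99", 2_000_000))  # off-hours, new host, huge upload
```

In a real deployment the profile would be rebuilt on a rolling window and the weights tuned per entity type, but the shape of the logic (learn normal, then measure distance from it) is the same.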

NTA solutions use machine learning, advanced analytics and rule-based detection to monitor and analyze all traffic and/or flow records on enterprise networks in order to identify potential attacks, insider abuse, suspicious activity and malware. This includes monitoring and analyzing all north-south traffic that traverses the enterprise perimeter as well as all east-west communications from network sensors.

Table 1 shows some of the benefits and drawbacks of using UEBA and NTA.

Table 1: Benefits and Drawbacks of UEBA and NTA

UEBA

Benefits:
  • Allows application of analytics and data science to log data to uncover security threats that might otherwise remain hidden in massive repositories.
  • Enables tracking and monitoring of all users and other entities that use the network.
  • Reduces security events and significantly improves operational efficiency.

Drawbacks:
  • Offers a narrow view of network behaviors and events since UEBA logs are only enabled on a small part of a company’s network.
  • Isn’t able to pinpoint specific security attacks.
  • Relies on third-party logs to monitor, identify and analyze potential threats and assign risk scores – if/when a third-party logger fails, a UEBA can’t do its job.
  • Deploys slowly – many vendors claim UEBA can be deployed in a few days, but Gartner clients report it often takes 3–6 months in simple use cases and up to 18 in complex ones.
  • Requires lots of cross-functional approvals and system configuration.

NTA

Benefits:
  • Allows companies to see all events, not just logged ones, across their entire network, including every aspect of an attacker’s activities and techniques, from early to late stages of an attack.
  • Enables companies to profile network devices and user accounts.
  • Deploys with relative ease.
  • Pays for itself in a short time, but still requires the expertise of a security team to know which types of security issues to look for and how to identify them.

Drawbacks:
  • Offers coverage that, although wide, is shallow.
  • Isn’t able to track local events.

UEBA capabilities are increasingly converging with other tools, giving SecOps teams better and more advanced analytics with which to detect potential security threats. Gartner predicts that, by 2021, the stand-alone UEBA market will no longer exist. Instead, it will be used to modernize SIEMs and other tools with advanced analytics, embedding UEBA features and functionality directly into their platforms. [1]

XDR: A New Approach to Security 

UEBA capabilities are also converging with a new breed of threat detection and response tools called XDR. The “X” in XDR stands for any data source, such as a network, endpoint or cloud. XDR emerged as an evolution of endpoint detection and response (EDR) tools, recognizing a need for threat visibility that went deeper than a SIEM but wasn’t limited to endpoints. XDR speeds up investigations and uses automation to multiply the productivity of security operations team members.

XDR combines all the capabilities of EDR, UEBA, NTA and other tools into a single solution to deliver the best security possible. It does this by providing comprehensive visibility and robust behavioral analytics companies need across their entire infrastructure – network, clouds and endpoints – to identify, hunt down, investigate and respond to potential security threats. XDR offers companies numerous capabilities and benefits, as shown in figure 1.

Figure 1: Capabilities of XDR. XDR gives companies visibility, integration with other tools, large-scale analytics and simplified investigations, so analysts can respond to threats faster and more proactively.

Source

  1. “Market Guide for User and Entity Behavior Analytics”, Gartner, May 21, 2019, https://www.cbronline.com/wp-content/uploads/dlm_uploads/2018/07/gartner-market-guide-for-ueba-2018-analyst-report.pdf.