November 29, 2018 / by Cheryl Dsa / In ueba /

What is UEBA

Network attacks are constantly advancing and they can often bypass traditional security systems. The old tools and systems are quickly becoming obsolete and hackers have devised a number of ways to get past them. Attackers now carry out automated attacks and stay under the radar of their victims. They reduce the speed of their attacks and decentralize them across several IPs and accounts to mimic legitimate and normal transactions.

Hackers are also taking over user and consumer accounts to sneak into systems undetected. These hacked or spoofed credentials are not detected immediately, they get overlooked and can often lead to significant data breaches.

Avivah Litan, Vice President and distinguished research analyst at Gartner said,

“Most enterprise security is based on yesterday’s security concepts that use rules and signatures to prevent bad occurrences, what’s needed is rapid detection and response, enabled in part through behavioral analytics.”

So what exactly is behavioral analytics?

UEBA — defined, explained and explored

UEBA (User and Entity Behavior Analytics), is the process of analyzing the behaviors of an organization’s insiders (employees, staff), outsiders (third party vendors, contractors), entities (endpoints, servers, accounts, laptops) and applications. It combines the data collected from users and entities to identify any unusual behavior coming from them. It is a process that observes the normal conduct of users and entities and detects any anomalous behavior where a user deviates from these “normal” patterns.

What is UEBA?

UEBA learns from what users and entities do on a regular basis, for instance,

  • where do users log in from?
  • what devices do they log in from?
  • what file servers and applications do they access?
  • what privileges do they have? and so on.

It establishes a baseline from this data of what is usual or normal behaviour. By understanding what is normal for each user and entity, UEBA can easily detect when something unusual occurs. For example, if a user suddenly accesses a server they don’t usually access and they are doing it from a foreign location.

A simple and more relatable example would be if your credit card was stolen. A thief can steal your wallet and spend thousands of dollars using your credit card. If this spending pattern does not match yours, the company’s fraud detection department will often recognize this type of suspicious behaviour and contact you to verify the purchases and block the card in question.

How does UEBA work?

UEBA solutions work on the premise of establishing baselines by learning the behavior of users, groups and devices and applying risk scoring that adapts over time based on activity. The risk score increases or changes every time a security incident occurs based on the type and priority of the threat

For example, the system monitors a user’s behavior on a daily basis, when do they arrive at work, what devices do they log into, what other devices such as printers and removable drives do they use, and many other similar data points to determine the user’s normal behavior. The same process is followed for entities such as servers, databases and other significant endpoints.

If and when there is a deviation from the established baseline, the system adds to the risk score of that particular user or entity. The more unusual the activity, the higher is the risk score added. This continues for each suspicious behavior until the risk score reaches a predefined threshold and an alert is raised. This is helpful not only in identifying threats but also in keeping track of their insecure and privileged users are and more.

Advantages of UEBA

The advantages of this behavioral analytics approach are manifold. Some of the main advantages are:

  • Identifying threats manually through alerts involves a lot of effort. UEBA can identify and validate threat without manual intervention through automation and security intelligence, thus helping security analysts focus on real threats rather than chase false positives.
  • The risk score comprises a number of events, thus relieving analysts of the gruesome task of manually reviewing large numbers of individual alerts and mentally combining them to detect a threat.
  • One slightly suspicious event will not raise a security alert on its own. The UEBA system needs to detect multiple signs of abnormal behavior to create an alert, thus tremendously reducing the number of false positives.


The best security solution doesn’t mean anything if compromised credentials can easily access your data. Companies must now provide a flexible security solution that can identify anomalous user activity in order to prevent all avenues of breaches.

five essential use cases