What is User and Entity Behavior Analytics (UEBA)?

In cybersecurity, UEBA is the acronym for user and entity behavior analytics. UEBA is a practice or solution that, as the name says, analyzes behavior. The goal is to find threats by spotting user and device behavior that doesn’t align with known good behavior for those users and entities or for similar users and entities. Because UEBA tools look at behavior rather than malicious code, they offer security coverage that malware scans can’t provide on their own.

Who’s a User in UEBA?

Anyone using devices or assets within an organization’s environment is a user. Traditionally, users were on-site employees using on-site devices or “processes authorized to access an information system.” With the rise of remote work, distributed workforces, and cloud services, users can also be off-site employees and contractors using their own devices or company-issued devices to interact with company data and processes in the cloud.

What’s an Entity in UEBA?

The cybersecurity definition of an entity includes individual users along with an organization, devicem, or process. An entity can also consist of a combination of these elements. For example, an entity could be comprised of a hospital system’s diagnostic equipment, the technicians who use that equipment, and the operating systems and software on the equipment.

How Does UEBA Analyze Behavior?

UEBA analyzes data from logs generated by network agents and other security tools, such assecurity information and event management (SIEM). With a large enough data set, UEBA solutions can benchmark good or typical user and entity behavior and then use those benchmarks to evaluate new behavior. This approach to behavior monitoring can help to quickly identify account takeovers and unauthorized user activity.

For example, if a particular user or group of users always logs into a database during a certain window of time each day to do data entry, but one user suddenly logs in during off hours, that unusual login time can be a flag for potential unauthorized access. If another user logs in during the normal time but starts exfiltrating data rather than entering it, the UEBA solution can flag that behavior as a possible account takeover.

Are There Gaps in the UEBA Approach to Cybersecurity?

Because UEBA relies on logs for analysis, and because most unmanaged devices don’t generate logs, those devices can be invisible to UEBA tools. That’s a problem because many commonly used devices, including connected medical equipment and Industrial Internet of Things (IIoT) sensors, are unmanaged.