
What is user and entity behavior analytics (UEBA)?

In cybersecurity, UEBA is the acronym for user and entity behavior analytics. UEBA is a practice or solution that, as the name says, analyzes behavior. The goal is to find threats by spotting user and device behavior that doesn’t align with known good behavior for those users and entities or for similar users and entities. Because UEBA tools look at behavior rather than malicious code, they offer security coverage that malware scans can’t provide on their own.

Who’s a user in UEBA?

Anyone using devices or assets within an organization’s environment is a user. Traditionally, users were on-site employees using on-site devices or “processes authorized to access an information system.” With the rise of remote work, distributed workforces, and cloud services, users can also be off-site employees and contractors using their own devices or company-issued devices to interact with company data and processes in the cloud.

What’s an entity in UEBA?

The cybersecurity definition of an entity includes individual users along with an organization, device, or process. An entity can also consist of a combination of these elements. For example, an entity could comprise a hospital system’s diagnostic equipment, the technicians who use that equipment, and the operating systems and software on the equipment.

How does UEBA analyze behavior?

UEBA analyzes data from logs generated by network agents and other security tools, such as security information and event management (SIEM). With a large enough data set, UEBA solutions can benchmark good or typical user and entity behavior and then use those benchmarks to evaluate new behavior. This approach to behavior monitoring can help to quickly identify account takeovers and unauthorized user activity.

For example, if a particular user or group of users always logs into a database during a certain window of time each day to do data entry, but one user suddenly logs in during off hours, that unusual login time can be a flag for potential unauthorized access. If another user logs in during the normal time but starts exfiltrating data rather than entering it, the UEBA solution can flag that behavior as a possible account takeover.
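
The benchmarking described above, as an added example (not code from this page or from any UEBA product): it builds a per-user baseline from constructed database session logs, then flags the off-hours login and the bulk read. The field names, sample users, and the 3-standard-deviation threshold are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample history: two data-entry users, ten working days each.
HISTORY = [
    {"user": u, "hour": 9 + d % 3, "rows_read": 8 + d % 5}
    for u in ("alice", "bob") for d in range(10)
]
# Constructed new sessions to evaluate against the benchmark.
NEW_EVENTS = [
    {"user": "alice", "hour": 10, "rows_read": 9},      # typical session
    {"user": "alice", "hour": 3, "rows_read": 10},      # login outside usual window
    {"user": "bob", "hour": 10, "rows_read": 50000},    # usual time, bulk read
]

def build_baseline(history):
    """Per-user benchmark: observed login-hour window and rows read per session."""
    per_user = {}
    for ev in history:
        per_user.setdefault(ev["user"], []).append(ev)
    baseline = {}
    for user, evs in per_user.items():
        hours = [e["hour"] for e in evs]
        reads = [e["rows_read"] for e in evs]
        baseline[user] = {
            "hour_min": min(hours), "hour_max": max(hours),
            "read_mean": mean(reads), "read_std": pstdev(reads),
        }
    return baseline

def score_event(ev, baseline, z_threshold=3.0):
    """Return the reasons this session deviates from the user's benchmark."""
    b = baseline.get(ev["user"])
    if b is None:
        return ["no_baseline"]  # no history for this user: nothing to compare to
    reasons = []
    if not b["hour_min"] <= ev["hour"] <= b["hour_max"]:
        reasons.append("off_hours_login")
    std = max(b["read_std"], 1.0)  # floor avoids division by zero on flat history
    if (ev["rows_read"] - b["read_mean"]) / std > z_threshold:
        reasons.append("unusual_read_volume")
    return reasons

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ev in NEW_EVENTS:
        print(ev["user"], ev["hour"], score_event(ev, baseline) or "ok")
```
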

Are there gaps in the UEBA approach to cybersecurity?

Because UEBA relies on logs for analysis, and because most unmanaged devices don’t generate logs, those devices can be invisible to UEBA tools. That’s a problem because many commonly used devices, including connected medical equipment and Industrial Internet of Things (IIoT) sensors, are unmanaged.

Closing the UEBA visibility gap

The Armis platform identifies all devices in an enterprise’s environment, whether they’re on-premises, remote, transient, virtual, or in the cloud. Drawing on the Armis Device Knowledgebase – with real-time information on more than two billion devices and growing – Armis benchmarks, monitors, and analyzes device data to close the gaps in UEBA program visibility, enhance threat detection, and streamline response.