What is UEBA (User and Entity Behavior Analytics)?

estimated reading time: 2 min

UEBA helps companies identify suspicious behavior and strengthens data loss prevention (DLP) efforts. Beyond these tactical uses, UEBA can also serve more strategic purposes, such as demonstrating compliance with regulations surrounding user data and privacy protection.

Tactical use cases

Malicious insiders – These are people with authorized and even privileged access to the corporate network who are trying to stage a cyberattack. Data alone—such as log files or records of events—can’t always spot these people, but advanced analytics can. Because UEBA provides insights on specific users, as opposed to IP addresses, it can identify individual users violating security policies.

Compromised insiders – These attackers gain access to authorized users’ or devices’ credentials through phishing schemes, brute-force attacks, or other means. Typical security tools might not find them because the use of legitimate, albeit stolen, credentials makes the attacker appear to be authorized. Once inside, these attackers engage in lateral movement, moving throughout the network and obtaining new credentials to escalate their privileges and reach more sensitive assets. While these attackers may be using legitimate credentials, UEBA can spot their anomalous behavior to help thwart the attack.

Compromised entities – Many organizations, particularly manufacturers and hospitals, use a significant number of connected devices, such as IoT devices, often with little to no security configurations. The lack of protection makes these entities a prime target for hackers, who may hijack these devices to access sensitive data sources, disrupt operations, or stage distributed denial-of-service (DDoS) attacks. UEBA can help identify behaviors that indicate these entities have been compromised so threats can be addressed before they escalate.

Data exfiltration – Insider threats and malicious actors often seek to steal personal data, intellectual property, or business strategy documents from compromised servers, computers, or other devices. UEBA helps security teams spot data breaches in real-time by alerting teams to unusual download and data access patterns.

Strategic use cases

Implementing zero trust security – A zero trust securityapproach is one that never trusts and continuously verifies all users or entities, whether they’re outside or already inside the network. Specifically, zero trust requires that all users and entities be authenticated, authorized and validated before being granted access to applications and data—and subsequently be continuously re-authenticated, re-authorized and re-validated in order to maintain or expand that access throughout a session.

An effective zero trust architecture requires maximum visibility into all users, devices, assets, and entities on the network. UEBA gives security analysts rich, real-time visibility into all end-user and entity activity, including which devices are attempting to connect to the network, which users are trying to exceed their privileges, and more.

GDPR Compliance – The European Union’s General Data Protection Regulation (GDPR) imposes strict requirements on organizations to protect sensitive data. Under the GDPR, companies must track what personal data is accessed, by whom, how it is used, and when it is deleted. UEBA tools can help companies comply with GDRP by monitoring user behavior and the sensitive data they access.