
UEBA: the what, why & how  

The what
Simply put, User and Entity Behavior Analytics (UEBA) is a set of statistical techniques designed to recognize anomalous user behavior.

The concept of "user" in the cybersecurity world refers to either human users that do human things on a computer (emailing, browsing websites, running office applications like Excel) or non-human users, AKA "entities," that perform a variety of automated tasks (like Ansible or Puppet running network functions or daemon processes on Linux).

As the users go about their business on the network, the UEBA has one objective: detect possible imposters.  

Let's use a spy movie scenario as an example. A superspy who can perfectly mimic the appearance of an enemy's soldier can easily infiltrate the enemy's compound. BUT, the disguise must account for even the smallest behavioral characteristics, as the slightest deviation could trigger alarm bells.

The same holds true for imposters trying to infiltrate a network. An attacker might be able to access the network with user credentials captured through phishing or a compromised website (a watering hole), but once inside, they will likely exhibit all sorts of odd behavior, like enumerating network file shares, changing local registry settings, executing files from temp directories, installing drivers, etc. Such unusual actions should trigger alarm bells, right? UEBA is what makes that happen.

The why

Traditional Identity and Access Management (IAM) solutions are designed to implicitly trust users. Even with added layers like multi-factor authentication that raise the level of protection, and security information and event management (SIEM) tools with impressive analytics capabilities for exposing malicious activity, it's simply not enough.

A new generation of attackers has upped their game with stealthy techniques to evade detection, and impersonating a trusted user is one of them. We call this an insider threat, and conventional cybersecurity methods are no match for it. If a hacker holds legitimate access privileges, this hooligan can run amok with the green light of the IAM system. Traditional IAM cannot differentiate between good actors and bad actors disguised as good actors.

Ergo, the advent of UEBA.

The how

Fundamentally, UEBA uses sophisticated data science techniques to automatically identify potentially malicious behavior of users and entities within an organization's networks and data centers. 

UEBA requires powerful statistical models built from extremely large, high-quality data sets, using traditional methods, expert-driven analytics and evolving machine learning algorithms to perform the following functions:

  • Behavioral monitoring - UEBA establishes a baseline of typical behavior for every user and entity, builds statistical models to identify unusual behavior, and sends alerts to security operations centers (SOCs) accordingly.
  • System integration - UEBA can correlate data from a variety of tools, such as data loss prevention (DLP), and combine alerts for streamlined service across the security stack.
  • Risk detection and mitigation - Should UEBA recognize peculiar or suspicious behavior, it can be configured, based on rules, to either send an alert or automatically disconnect the user from the network.

The UEBA threat model

Protecting against a trusted user gone rogue is perhaps the hardest of all security challenges, especially in a typical environment, where the bulk of cyber defenses sit on the network perimeter. Even harder is protecting against a rogue user with administrative privileges.

Should an attacker get ahold of an administrator's identity it is nearly impossible to counter the threat with traditional methods. Despite strong access controls and other defense-in-depth paradigms, an attacker can do some serious damage with administrative authorization. 

With increasing sophistication of ransomware, we have seen how even normal users can inflict extreme damage. Consider how easy it is to launch a ransomware attack from the inside: the only requirement for ransomware to succeed is to have write access to sensitive files.  And as if that wasn't challenging enough, there's a new, very chilling trend where criminal cyber gangs are offering six-figure bribes to company insiders with the right kind of access to download and launch attacks. 

We have to contend with masquerade attacks that obtain user credentials through phishing, compromised websites (watering hole attacks), password guessing and the like. Stolen credentials are usually traded on hidden Tor services on the dark web and sold inexpensively to cyber criminals.

The best defense against any unauthorized access is, of course, strong security hygiene and access control. DLP solutions are continually improving, allowing the enterprise to restrict how and by whom data are copied. Security teams have traditionally relied on rules-based alerts, but as environments get more complex, the conventional threat detection model is no longer sufficient.

UEBA takes a different approach. It collects data to model what "normal" behavior looks like for every individual user, then analyzes new activity against that model to detect abnormalities. Whereas a rule-based alerting system is deterministic, this approach is probabilistic: it measures risk rather than ruling each action right or wrong.

UEBA provides another layer to protect data by tracking the usual types of data a user accesses, as well as how and when; it also detects unauthorized data access as an anomalous event. The activity data replaces the need to set up and manage a hefty list of alert triggers. Instead of reacting to problems by creating new rules, this approach frees security teams to focus on proactively investigating unusual behavior on the individual level.
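As an added illustration of the per-user baseline described above (example code written for this article, not from any UEBA product it names), the following scorer learns each user's usual hours, actions and hosts from constructed log lines and turns a new event into a surprisal score; the same action that is routine for one entity scores high for another, which is exactly what a static rule cannot express.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample history (not real logs): "timestamp,user,action,host".
HISTORY = """\
2024-03-04T09:05:00,alice,file_read,fs01
2024-03-04T09:40:00,alice,file_read,fs01
2024-03-05T10:12:00,alice,file_read,fs02
2024-03-05T14:30:00,alice,email_send,mail01
2024-03-06T11:00:00,alice,file_read,fs01
2024-03-04T08:30:00,svc_backup,share_enum,fs01
2024-03-05T08:30:00,svc_backup,share_enum,fs01
2024-03-06T08:30:00,svc_backup,share_enum,fs02
"""
FEATURES = ("hour", "action", "host")
ALERT_THRESHOLD = 5.0   # assumed tuning value; real deployments calibrate this per environment

def parse(line):
    ts, user, action, host = line.strip().split(",")
    return user, {"hour": datetime.fromisoformat(ts).hour, "action": action, "host": host}

def build_baselines(log_text):
    """Per-user counts of every feature value: the 'normal' profile UEBA learns."""
    baselines = defaultdict(lambda: {f: Counter() for f in FEATURES})
    for line in log_text.splitlines():
        user, feats = parse(line)
        for f in FEATURES:
            baselines[user][f][feats[f]] += 1
    return baselines

def anomaly_score(baseline, feats, alpha=0.5):
    """Sum of surprisal (-log p) across features; Laplace smoothing keeps unseen values finite."""
    score = 0.0
    for f in FEATURES:
        counts = baseline[f]
        total = sum(counts.values())
        k = len(counts) + 1                      # seen values plus one "never seen" bucket
        p = (counts[feats[f]] + alpha) / (total + alpha * k)
        score += -math.log(p)
    return score

def score_event(baselines, line):
    """Return (user, score); a user with no baseline at all is treated as maximally unusual."""
    user, feats = parse(line)
    if user not in baselines:
        return user, float("inf")
    return user, anomaly_score(baselines[user], feats)

def is_alert(baselines, line, threshold=ALERT_THRESHOLD):
    return score_event(baselines, line)[1] >= threshold
```

With this history, alice running share_enum on fs02 at 03:15 scores about 6.8 and fires an alert, while svc_backup doing the same share_enum at its usual 08:30 scores about 0.85 and stays quiet.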

UEBA solutions

The case for UEBA is a pretty compelling one, so deciding to integrate it into your environment is the easy part. Deciding which UEBA solution to integrate may take some investigation. But that's a specialty of WWT, so you're in the right place. 

This is a fairly new solution in the commercial market, but all of the major security players already have a strong position, offering a range of UEBA functionalities, either as separate products or integrated into standard security controls (firewall, IDS, IPS, etc.).  Other options include open source solutions, either fully baked (, for example), or as a framework upon which to build a UEBA engine (think big data components like Kafka, Hadoop, MongoDB and Cassandra). 

The way we see it, this really isn't a matter of which solution we think is best, but rather which solution is best for your organization. Some factors to consider are the arrangement of your current security stack, the skill level of your security team and how extensive of a solution you require.

Let's take open source solutions for example. Open source solutions will typically be better suited for teams with substantial development experience, since maintenance teams will be responsible for more in-depth troubleshooting. They will need a strong background in data science, and be willing and able to go deep into the full spectrum of the following analytical methods:

  • ML supervised learning - yields a more powerful statistical model, but the training data is difficult to curate and depends on human expertise.
  • ML unsupervised learning - generally less powerful than supervised learning, but training data is easier to assemble and there is less dependence on human SMEs.
  • Basic Bayesian analysis - robust generalization; effective for combining multiple models.
  • Expert systems - rule-based functionality; currently the norm in SIEMs.

Regardless of the type of UEBA solution your environment requires, Gartner recommends selecting one that meets the following criteria:

  • Clear and easily accessed information on user and entity behavior in the network.
  • Strong capabilities in monitoring, especially in the detection and alerting of anomalies.
  • Should cover multiple use cases (improper network access, copying or destroying data, etc.).
  • Should be easy to configure consumption of data from general repositories like data lakes, other big data components (e.g., Kafka) or via SIEM.

In general, UEBA and SIEM should be viewed as complementary technologies, although some may prefer to implement UEBA-like controls with analytics on their SIEM platform. 

For it to be effective, a UEBA solution needs to be tightly integrated into the organization's monitoring and analytics environment. At the very least, this should entail feeding relevant user and entity events from a SIEM or other logging solution into the UEBA. 

For organizations with mature security environments, a UEBA solution will be part of a larger security orchestration, automation and response (SOAR) platform, capturing events and context from multiple sources and feeding results into automation and alerting tools. A holistic approach to user analytics works best for deciding what data to send to the UEBA solution – a minimal set would include Active Directory and LDAP events, VPN access, IDS alerts, and connections to websites, as monitored by a perimeter firewall. 

To get a better understanding of the relationship between SIEM and UEBA, let's compare how two industry leaders are offering these solutions:

Splunk's User Behavior Analytics (UBA): Splunk offers a powerful SIEM analytics solution with a UEBA-like add-on feature that integrates naturally into the Splunk Enterprise Security module.

Exabeam's Security Management Platform: The Exabeam solution is a big data platform with next-gen SIEM capabilities that incorporates UEBA functionality into its core.

These different approaches are both designed to statistically profile and track user and entity behavior for anomalous activity, and can be consumed as a cloud service or as an appliance-based platform in the enterprise data center.

UEBA in Zero Trust environments

For many organizations, returning to the office has turned into a hybrid workforce model. This means the security threats from malicious actors and insider imposters remain present and persistent.

Let's look at how UEBA and zero trust are a symbiotic duo for addressing the many different and complex security challenges that remote working presents.

Zero trust is an IT security framework that provides secure access to applications and services based on defined access control policies, whether a user is inside or outside an organization's network. Besides being authenticated, authorized users must be continuously validated for their security configurations and postures before being granted access to data and applications.   

Applying UEBA to a zero trust model means that continuous validation is complemented by automated intelligence that recognizes and analyzes behavioral patterns across the network, detecting and alerting on unusual, and therefore possibly malicious, behavior.

The dynamic identity event monitoring capability of UEBA makes it a key component of an optimal zero trust approach for defending a complex and intricate technology ecosystem.

How can WWT help?

We understand the importance of cyber resiliency and can bring our expertise to assist in protecting technology and, ultimately, your business. Our security consultants provide a formal yet flexible method of evaluating enterprise cyber resiliency maturity based on foundational building blocks across a variety of industry security frameworks. 

Utilizing a holistic approach when evaluating an organization's control and risk mitigation environment, WWT is able to provide a level of detailed analysis that will be used as a roadmap to maximize the use of people, processes and technology to optimize cyber resiliency, reduce risk, increase efficiency and save money.

And as always, if you need a vendor-neutral perspective, we're here to help you find the answers you seek. Let us know how we can help.
