
What is UEBA (User and Entity Behavior Analytics) in SIEM

Hi there. If you are a cybersecurity professional, you have definitely come across the term UEBA; I believe it is an everyday term that you use or discuss every now and then. In this article, we will discuss what UEBA is, focusing on the term in the context of SIEM technologies.

The term covers two categories, "User" and "Entity": it refers to an analytical technology that discovers abnormal or risky behaviour by users and by machines (entities).

UEBA, or User and Entity Behavior Analytics, has become the new norm because it sees what other technologies may miss: it is built on machine learning, deep learning, and advanced analytics and decision capabilities.

User Entity Behavior

Now, before we get into the details of what UEBA really is, let's build an understanding through three use cases.

1. Insider threat detection

How it helps

UEBA identifies abnormal user behavior by developing a baseline of normal behavior for each user. When a worker suddenly accesses sensitive documents they would not otherwise access, or accesses them at an unusual time or from an unusual location, the SIEM identifies this as abnormal.

Example Scenario: A member of the HR department begins to download large quantities of personnel data after working hours. UEBA detects this abnormal behavior and warns the security team before data leakage occurs.

2. Compromised Account Detection

How it helps

UEBA can identify when legitimate user credentials are being misused by tracking signals such as device fingerprints and login locations.

Example Scenario: A user logs in from an IP address in New York and then, within 15 minutes, from one in Asia. UEBA correlates the two logins, flags the impossible travel, and raises a potentially compromised account alert.
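The impossible-travel check described in this scenario, written out as an added example (not code from the original article or from any SIEM product). It assumes the SIEM has already enriched each login with coordinates for the source IP; the login records, the IPs and the 1000 km/h speed threshold are constructed for illustration.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample logins: (user, UTC timestamp, source IP, latitude, longitude).
# The coordinates stand in for the SIEM's IP-to-geo enrichment of each event.
LOGINS = [
    ("alice", "2024-05-01T09:00:00", "203.0.113.10", 40.71, -74.01),  # New York
    ("alice", "2024-05-01T09:15:00", "198.51.100.7",  1.35, 103.82),  # Singapore
    ("bob",   "2024-05-01T08:00:00", "203.0.113.20", 51.51,  -0.13),  # London
    ("bob",   "2024-05-01T13:00:00", "203.0.113.21", 48.86,   2.35),  # Paris
]

MAX_SPEED_KMH = 1000.0  # assumed threshold: faster than a commercial flight


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins by the same user whose implied travel speed
    exceeds max_speed_kmh. Events may arrive in any order."""
    by_user = {}
    for user, ts, ip, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), ip, lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()  # chronological order per user
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(logins, logins[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if hours == 0:
                # Same-second logins from distinct places cannot be explained by
                # travel at all, so any non-zero distance counts as infinite speed.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from_ip": ip1, "to_ip": ip2,
                               "km": round(dist), "minutes": round(hours * 60),
                               "kmh": speed if speed == float("inf") else round(speed)})
    return alerts
```

In the sample data only alice is flagged: New York to Singapore in 15 minutes implies over 60,000 km/h, while bob's London to Paris hop in five hours is well under the threshold.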

3. Privileged Access Abuse

How it helps

Privileged accounts are a high-risk target. UEBA detects anomalous use of high privileges, e.g., unexpected configuration changes or lateral movement between systems.

Example Scenario: An admin account suddenly accesses a new system it had never visited before and tries to disable security controls. UEBA recognizes this as abnormal behavior and responds accordingly.

Now that you have the essence of how UEBA functions within a SIEM, let us understand it in depth.

UEBA in functionality

UEBA, as defined, works mainly on three major pillars.

  1. Use Cases: UEBA-enabled solutions provide baseline information, such as the behaviour of users and other entities, and added functionality such as monitoring, detection, and alerting.
  2. Data Sources: They ingest data from a large data lake, a general data repository, or directly through the SIEM.
  3. Analytics: Solutions enabled with UEBA detect anomalies using a variety of statistical models, machine learning, threat signatures, and more.

Statistical models

Understanding UEBA Analytics Method(s)

Earlier solutions relied on predefined rules alone, which worked well until something occurred that no rule covered. Thus, a system is required that can learn, relearn, and reinforce, using analytical methods such as the following.

1. Supervised Machine Learning

  • What it does: It uses labeled sets of known malicious and known benign behavior.
  • How it applies in SIEM: It references past events and applies them to categorize new behavior (e.g., lateral movement, phishing).

Some SIEMs use ML to detect behavior similar to past insider incidents.

2. Unsupervised Machine Learning

  • What it does: It learns what "normal" is without the use of labeled data.
  • How it applies in SIEM: Tracks users/entities over time and notifies when anomalies appear.

Some UEBA-enabled SIEMs raise an alert when a user has downloaded 5 times their typical quota.

3. Bayesian Networks

  • What it does: It applies probability to tie activities and events together over time.
  • How it applies in SIEM: Merges rules and ML; provides threat confidence scores.

Some UEBA-enabled SIEMs use risk chaining, for instance, successful login → privilege escalation → data access → exfiltration.
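The risk chain just mentioned, as an added example that is not code from the article or from any product. It is a simplified additive scoring model rather than a true Bayesian network: each stage adds risk only if it follows the earlier stages inside a time window. The event type names, weights, one-hour window and alert threshold are all assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events: (UTC timestamp, user, normalised event type).
# The event type names are assumed; a real SIEM would map its own taxonomy onto them.
EVENTS = [
    ("2024-05-01T02:01:00", "svc-backup", "login_success"),
    ("2024-05-01T02:04:00", "svc-backup", "privilege_escalation"),
    ("2024-05-01T02:10:00", "svc-backup", "sensitive_data_access"),
    ("2024-05-01T02:25:00", "svc-backup", "large_outbound_transfer"),
    ("2024-05-01T09:00:00", "carol", "login_success"),
    ("2024-05-01T09:30:00", "carol", "sensitive_data_access"),
    ("2024-05-02T09:00:00", "carol", "large_outbound_transfer"),
    ("2024-05-02T09:05:00", "carol", "password_change"),  # not a chain stage
]

# Chain stages in order, with assumed risk weights. Later stages weigh more
# because a transfer that follows escalation and data access is far more
# suspicious than a transfer on its own.
CHAIN = ["login_success", "privilege_escalation",
         "sensitive_data_access", "large_outbound_transfer"]
WEIGHTS = {"login_success": 5, "privilege_escalation": 20,
           "sensitive_data_access": 25, "large_outbound_transfer": 50}
WINDOW = timedelta(hours=1)   # assumed: stages must occur within one hour
ALERT_THRESHOLD = 60          # assumed: score at which an alert is raised


def chain_risk(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Accumulate per-user risk for chain stages seen in order within a window.
    A stage scores only if it advances the chain; a stage that arrives after the
    window has expired starts a fresh chain. Returns {user: {score, stages, alert}}."""
    state = {}  # user -> (chain start time, last stage index, score, stages hit)
    for ts, user, etype in sorted(events):
        if etype not in WEIGHTS:
            continue  # not part of the modelled chain
        t = datetime.fromisoformat(ts)
        start, last_idx, score, hits = state.get(user, (None, -1, 0, []))
        if start is not None and t - start > window:
            start, last_idx, score, hits = None, -1, 0, []  # chain went stale
        idx = CHAIN.index(etype)
        if idx > last_idx:  # advances the chain (skipping a stage is allowed)
            start = start or t
            score += WEIGHTS[etype]
            last_idx = idx
            hits = hits + [etype]
        state[user] = (start, last_idx, score, hits)
    return {u: {"score": s, "stages": h, "alert": s >= threshold}
            for u, (_, _, s, h) in state.items()}
```

With the sample data the service account completes the whole chain in 24 minutes and scores 100, while carol's transfer a day after her data access lands in a fresh window and scores only 50, below the threshold.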

4. Peer Groups and Behavioral Baselines

  • What it does: It defines the normal behavior of each user or device, and compares behavior against that of peers.
  • How it applies in SIEM: It detects anomalies that would not trigger global rules.

A finance user accessing R&D information is highlighted, since their peers do not.

5. Statistical models and anomaly detection

  • What it does: It applies thresholds, z-scores, and moving averages.
  • How it applies in SIEM: Indicates statistical anomalies in behavior and event logs.
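An added example (not code from the article or from any vendor) that ties together the unsupervised "5 times the typical quota" check, the peer-group comparison and the z-score method from the last three sections: each user's daily download volume is scored against their own baseline and against the pooled history of their department. The users, departments, volumes and the thresholds (z above 3, ratio above 5) are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample: daily download volume in MB over the last 10 days per user,
# plus today's value. "dept" is the assumed attribute used to form peer groups.
HISTORY = {
    "alice": {"dept": "hr", "past": [40, 55, 48, 60, 52, 45, 58, 50, 47, 53], "today": 410},
    "bob":   {"dept": "hr", "past": [30, 35, 28, 40, 33, 31, 36, 29, 34, 32], "today": 38},
    "dave":  {"dept": "finance", "past": [200, 180, 220, 210, 190, 205, 195, 215, 185, 200], "today": 230},
    "erin":  {"dept": "finance", "past": [20, 25, 22, 30, 24, 21, 26, 23, 27, 25], "today": 150},
}


def zscore(value, samples, min_std=1.0):
    """z-score of value against samples. min_std keeps a very flat history
    from producing absurd scores through division by a near-zero deviation."""
    return (value - mean(samples)) / max(pstdev(samples), min_std)


def baseline_anomalies(history, z_threshold=3.0, ratio_threshold=5.0):
    """Score today's volume for each user against their own baseline
    (z-score and multiple of their typical volume) and against the pooled
    history of their department peers. Returns one finding per anomalous user."""
    peer_samples = {}
    for rec in history.values():
        peer_samples.setdefault(rec["dept"], []).extend(rec["past"])

    findings = []
    for user, rec in history.items():
        own_z = zscore(rec["today"], rec["past"])
        ratio = rec["today"] / mean(rec["past"])
        peer_z = zscore(rec["today"], peer_samples[rec["dept"]])
        reasons = []
        if own_z > z_threshold:
            reasons.append("self_baseline")   # unusual for this user
        if ratio > ratio_threshold:
            reasons.append("volume_ratio")    # e.g. 5x the typical quota
        if peer_z > z_threshold:
            reasons.append("peer_group")      # unusual even for the department
        if reasons:
            findings.append({"user": user, "today_mb": rec["today"],
                             "own_z": round(own_z, 1), "ratio": round(ratio, 1),
                             "peer_z": round(peer_z, 1), "reasons": reasons})
    return findings
```

On the sample data alice trips all three checks, while erin trips only her own baseline: 150 MB is eight times her norm but ordinary for finance, which is the context the peer-group view adds.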

The methods above are a few of the many in use; they are listed to give a basic understanding of how UEBA works and of a few of the many factors it takes care of.

UEBA

Conclusion

UEBA (User and Entity Behavior Analytics) is available as a standalone technology; when integrated with solutions like SIEM, it creates real impact, giving professionals more insight to support their decisions and helping to stitch related events into incidents.