What Is UEBA?

UEBA stands for User and Entity Behavior Analytics and was previously known as user behavior analytics (UBA). UEBA uses large datasets to model typical and atypical behaviors of humans and machines within a network. By defining such baselines, it can identify suspicious behavior, potential threats and attacks that traditional antivirus may not detect. This means UEBA can detect non-malware-based attacks because it analyzes various behavioral patterns. UEBA also uses these models to assess the threat level, creating a risk score that can help guide the appropriate response. Increasingly, UEBA uses machine learning to identify normal behavior and alert to risky deviations that suggest insider threats, lateral movement, compromised accounts and attacks.

What is defined as an 'entity'?

The term 'entity' in the context of cyber security can refer to IT systems, critical infrastructure, business processes, organizations, and nation-states. For UEBA this means analysis of the behavior of these entities as well as individuals - though individuals are often able to act as or through such entities.

How user and entity behavior analytics work

UEBA monitors the behavior of users and entities in an organization, processes this information and decides whether a particular activity or behavior could indicate a cyberattack. It can distinguish an attack from normal use because, while a hacker might steal an employee’s password and log in, once inside the hacker will not be able to mimic that employee’s ‘normal’ behavior, and UEBA can detect the resulting anomalies.

UEBA can process data from general data repositories such as a data lake or data warehouse or through SIEM, which aggregates data from various sources. It integrates information such as logs, packet capture data and other datasets with existing security monitoring systems. Therefore, UEBA and SIEM are often used together as UEBA relies on cross-organizational security data which is typically collected and stored by SIEM.

The analytics component detects anomalies using a variety of analytics approaches, including statistical models, machine learning, rules, and threat signatures. More than just tracking events and devices, UEBA uses machine learning to monitor possible threats from insiders. This is done by creating a ‘baseline’ for each user: where they log in from, the files and servers they frequently use, the privileges they have, the frequency and time of access, and the devices used for access. Advanced analytics should be used in tandem with the traditional rule- and correlation-based analytics available in traditional SIEMs.

As such, UEBA can detect a broad range of attack types, from simple to complex, unlike specialized tools for employee monitoring, trusted-host monitoring and fraud detection.

Because UEBA can detect anomalous behaviors in real time, it can quickly alert security analysts and request a response, allowing them to react to potential threats before they become breaches. Normally security teams would have to sift through alerts to see which are real threats, but with UEBA this analysis is automated, and only the alerts assessed as genuine threats are prioritized.
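A minimal illustration of the baseline-and-score approach described above: historical logins are turned into a per-user baseline (usual hours, source locations, devices, servers, privilege use), each new event is scored against it, and only events over a threshold are surfaced, highest risk first. This is an added example and not code from Trellix or from any UEBA product; the event fields, the per-dimension weights, the alert threshold and the sample logins are all constructed assumptions.

```python
"""Toy UEBA pipeline: per-user baselines from historical logins, then a risk score
for each new event. Added example (not Trellix code); field names, weights and the
sample events are constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: str            # ISO-8601 local time of the login
    user: str
    src_country: str   # where the user logged in from
    device: str        # device used for access
    host: str          # entity (server) the user accessed
    privileged: bool   # elevated privilege used during the session

    @property
    def hour(self) -> int:
        return datetime.fromisoformat(self.ts).hour


@dataclass
class Baseline:
    """What 'normal' looks like for one user: login hours, source locations,
    devices, servers and whether the account ever uses elevated privilege."""
    hours: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    hosts: Counter = field(default_factory=Counter)
    privileged_sessions: int = 0
    total: int = 0


def build_baselines(history):
    """Aggregate historical events into one Baseline per user."""
    baselines = defaultdict(Baseline)
    for e in history:
        b = baselines[e.user]
        b.hours[e.hour] += 1
        b.countries[e.src_country] += 1
        b.devices[e.device] += 1
        b.hosts[e.host] += 1
        b.privileged_sessions += int(e.privileged)
        b.total += 1
    return dict(baselines)


# Per-dimension weights (assumed values); each deviation adds its weight to the score.
WEIGHTS = {"hour": 15, "country": 35, "device": 20, "host": 20, "privilege": 30}


def score_event(e, b):
    """Return (risk_score 0-100, reasons) for one event against a user's baseline."""
    if b is None or b.total == 0:
        return 50, ["no baseline for user"]      # unknown users get a medium score
    score, reasons = 0, []
    if not any(abs(e.hour - h) <= 1 for h in b.hours):   # within 1h of a seen hour is normal
        score += WEIGHTS["hour"]; reasons.append(f"login at {e.hour:02d}:00 is outside usual hours")
    if e.src_country not in b.countries:
        score += WEIGHTS["country"]; reasons.append(f"first login from {e.src_country}")
    if e.device not in b.devices:
        score += WEIGHTS["device"]; reasons.append(f"unknown device {e.device}")
    if e.host not in b.hosts:
        score += WEIGHTS["host"]; reasons.append(f"never accessed {e.host} before")
    if e.privileged and b.privileged_sessions == 0:
        score += WEIGHTS["privilege"]; reasons.append("privilege use on a non-privileged account")
    return min(score, 100), reasons


def triage(new_events, baselines, threshold=50):
    """Score every event and keep only those at or above the threshold,
    highest risk first: the automated prioritization the text describes."""
    alerts = []
    for e in new_events:
        score, reasons = score_event(e, baselines.get(e.user))
        if score >= threshold:
            alerts.append({"user": e.user, "ts": e.ts, "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


# Constructed history: two users with regular office-hours activity.
HISTORY = [
    Event("2022-06-01T08:05:00", "alice", "US", "lt-alice-01", "fileserver01", False),
    Event("2022-06-01T13:40:00", "alice", "US", "lt-alice-01", "hr-app", False),
    Event("2022-06-02T09:10:00", "alice", "US", "lt-alice-01", "fileserver01", False),
    Event("2022-06-02T16:55:00", "alice", "US", "lt-alice-01", "hr-app", False),
    Event("2022-06-01T08:30:00", "bob", "US", "lt-bob-01", "build01", False),
    Event("2022-06-02T17:20:00", "bob", "US", "lt-bob-01", "build01", True),
]

# Constructed new events: a normal login, a stolen-credential pattern, a mild deviation.
NEW_EVENTS = [
    Event("2022-06-03T09:15:00", "alice", "US", "lt-alice-01", "fileserver01", False),
    Event("2022-06-03T03:12:00", "alice", "RO", "win-unknown-7", "dc01", True),
    Event("2022-06-03T09:00:00", "bob", "US", "lt-bob-01", "hr-app", False),
]

if __name__ == "__main__":
    for alert in triage(NEW_EVENTS, build_baselines(HISTORY)):
        print(alert["score"], alert["user"], alert["ts"], "; ".join(alert["reasons"]))
```

Only the second event reaches the analyst: a valid password was used, but the hour, country, device, target server and privilege use all fall outside alice's baseline, so the score saturates at 100. Bob touching one new server scores 20 and stays below the threshold, which is the point of scoring across several dimensions rather than alerting on any single deviation.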

There is a close relation between UEBA and SIEM technologies, because UEBA relies on cross-organizational security data to perform its analyses, and this data is typically collected and stored by a SIEM.

Difference between UEBA and UBA security

UBA stands for User Behavior Analytics. UEBA adds the word ‘entity’ because it can model the behavior of humans as well as machines - networked devices and servers - within the network. The move from traditional UBA to UEBA has been driven by the recognition that other entities besides users must often be profiled to pinpoint threats more accurately, in part by correlating the behavior of these entities with user behavior. This is becoming more pertinent with the rise of connected devices - the Internet of Things - which provide new potential points of entry to the network.

How UEBA works with SIEM

SIEM stands for security information and event management and provides organizations with next-generation detection, analytics, and response. SIEM software combines security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by applications and network hardware.

Legacy SIEMs did not include behavioral analytics, which meant they could not monitor threats in real time, and UEBA was developed to address this. With the addition of UEBA, a SIEM lets security teams monitor threats in real time and respond quickly to avoid attacks and address vulnerabilities, making it much more effective at threat detection and analysis. It gives security teams the power to use sophisticated quantitative methods to gain insight and prioritize their efforts.

Best practices in using UEBA

UEBA does not replace other systems or solutions; rather, it offers unique capabilities that can be used in tandem with other solutions to provide comprehensive cybersecurity. For example, SIEM uses the analytics aspects of UEBA to model behavior in real time. In fact, most enterprise security stacks use SIEM, UEBA and SOAR (Security Orchestration, Automation and Response) together.

Follow the four points below for a successful UEBA implementation:

  • Consider both internal and external threats when creating new policies, rules, and baselines
  • Ensure that only the appropriate members of the security team receive UEBA alerts
  • Remember that non-privileged user accounts can also be a threat, as hackers can use a standard account as a foothold to escalate their privileges and widen their access
  • Remember that UEBA processes should complement the traditional monitoring infrastructure and tools. They are not a substitute for basic monitoring systems such as Intrusion Detection Systems (IDS)