User Behavior Analytics (UBA)

What is UBA?

At a Glance:

User behavior analytics is the process of gathering insight into the network events that users generate every day. Once collected and analyzed, that insight can be used to detect the use of compromised credentials, lateral movement, and other malicious behavior.

User behavior analytics (UBA), also known as user and entity behavior analytics (UEBA), security user behavior analytics (SUBA), and user and network behavior analytics (UNBA), deviates from traditional consumer behavioral analytics to focus on the behavior of systems and the user accounts on them.

Today’s networks gather endless amounts of information, especially with users moving seamlessly between IPs, assets, cloud services, and mobile devices. UBA focuses on user activity as opposed to static threat indicators, meaning it can detect attacks that haven’t been mapped to threat intelligence and alert on malicious behavior earlier in an attack.

As networks have become more complex, it’s become easier than ever to successfully infiltrate a corporate network and masquerade as an internal employee, circumventing external defenses. If an attacker is able to penetrate a network and remain there undetected, they can repeatedly steal sensitive data and cause monetary damage. User behavior analytics exposes stealthy attacker activity by uncovering patterns in user behavior to identify what’s “normal” behavior, and what may be evidence of intruder compromise, insider threats, or risky behavior on a network.

How user behavior analytics works

User behavior analytics enables you to more easily determine whether a potential threat is an outside party pretending to be an employee or an actual employee who presents some kind of risk, whether through negligence or malice. UBA connects activity on the network to a specific user as opposed to an IP address or an asset. This means that if a user starts to behave in a way that’s unusual or unlikely, even if it isn’t flagged by traditional perimeter monitoring tools, you’ll be able to spot the behavior quickly, determine whether it’s anomalous, and start an investigation if needed.

For example, stolen credentials are a common attack vector used by penetration testers and real-world criminals alike. Whether the criminal obtains credentials via phishing attacks, malware, key logging, or even a third-party data breach, all they need is one correct username and password combination to work; once they’re able to log in, they can silently move within a network undetected. However, once an attacker is in, they usually start to act in ways unlike a normal user, such as by moving laterally between assets. The intruder moves from step to step in what’s often called the “attack chain” or “kill chain,” looking for increasingly interesting targets to raid and data to exfiltrate.

The ability to baseline what kind of user behavior is normal on a network and what isn’t is critical. User behavior analytics provides you with the data to identify trends and easily spot outliers, so you can more easily and quickly identify and investigate potential threats and break the attack chain.
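The attribution and baselining steps described above can be sketched in a few lines. This is an added example, not code from the original page or from any product: the event tuples, the IP-to-user table, the function names, and the threshold are all constructed assumptions. It ties IP-keyed authentication events to users, builds a per-user baseline of assets, and flags a user who reaches several never-before-seen assets in one day.

```python
from collections import defaultdict

# Constructed sample data (not from the page): (day, source_ip, destination_asset)
AUTH_EVENTS = [
    (1, "10.0.0.5", "mail01"), (1, "10.0.0.9", "fileshare"),
    (2, "10.0.0.7", "mail01"), (2, "10.0.0.9", "fileshare"),
    (3, "10.0.0.5", "wiki"),   (3, "10.0.0.9", "fileshare"),
    (4, "10.0.0.7", "mail01"), (4, "10.0.0.7", "db01"),
    (4, "10.0.0.7", "dc01"),   (4, "10.0.0.7", "backup01"),
    (4, "10.0.0.9", "fileshare"),
]
# Constructed attribution table, as might be derived from DHCP leases and
# logon records (an assumption): (day, ip) -> user. alice moves between IPs.
IP_OWNER = {
    (1, "10.0.0.5"): "alice", (2, "10.0.0.7"): "alice",
    (3, "10.0.0.5"): "alice", (4, "10.0.0.7"): "alice",
    (1, "10.0.0.9"): "bob", (2, "10.0.0.9"): "bob",
    (3, "10.0.0.9"): "bob", (4, "10.0.0.9"): "bob",
}

def attribute(events, ip_owner):
    """Rewrite IP-keyed events as user-keyed; unattributable ones become 'unknown'."""
    return [(day, ip_owner.get((day, ip), "unknown"), asset)
            for day, ip, asset in events]

def build_baseline(user_events, last_baseline_day):
    """Per-user set of assets seen during the baseline period."""
    baseline = defaultdict(set)
    for day, user, asset in user_events:
        if day <= last_baseline_day:
            baseline[user].add(asset)
    return baseline

def new_asset_alerts(user_events, baseline, last_baseline_day, threshold=2):
    """Flag users who reach more than `threshold` never-seen assets in one day."""
    new_per_day = defaultdict(set)
    for day, user, asset in user_events:
        if day > last_baseline_day and asset not in baseline.get(user, set()):
            new_per_day[(day, user)].add(asset)
    return {key: sorted(assets) for key, assets in new_per_day.items()
            if len(assets) > threshold}

def run_demo():
    user_events = attribute(AUTH_EVENTS, IP_OWNER)
    baseline = build_baseline(user_events, last_baseline_day=3)
    return new_asset_alerts(user_events, baseline, last_baseline_day=3)

if __name__ == "__main__":
    print(run_demo())
```

Because events are keyed by user rather than IP, alice's activity from both addresses lands in one baseline, and her day-4 spread to three new assets stands out while bob's routine access does not.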

Getting started with user behavior analytics

To spot trends and make connections, first you must have a way to gather key behavioral data in one centralized location, so it can be parsed by analytical tools later. Traditionally, user behavior analytics is added on as a layer to existing security information and event management (SIEM) deployments.

User behavior analytics is one part of a multilayered, integrated IT and information security strategy to prevent attacks and investigate threats. It can be an incredibly powerful tool to detect compromise early, mitigate risk, and stop an attacker from exfiltrating an organization’s data.