UEBA - definition & overview

UEBA is a security technology that uses advanced analytics, machine learning and artificial intelligence (AI) to identify a potential security threat based on user and entity behavior. UEBA is an analytics-based approach that enables security teams to detect and respond to a potential security threat by identifying patterns of behavior that could indicate a security threat.

Security teams rely on detecting what is known by writing correlation rules to detect threats with security information and event management (SIEM). Correlation rules are based on predefined relationships within the log data to look for known threat signatures. Traditional SIEMs have difficulty contextualizing normal behavior. SIEMs can tell you when an entity does something terrible, but they cannot tell if that is typical for the entity, i.e., entity baselining.

Common challenges of a rules-based approach include:

• Very high false positive rates caused by the ever-changing IT landscape
• Huge blind spots where unknown attack patterns go unnoticed
• Constant rule maintenance and tuning to keep rules up to date

In recent years, UEBA has gained greater adoption for advancing SIEM capabilities beyond event correlation rules. UEBA can detect what was previously undetectable.

UEBA can analyze data from a wide range of sources, including:

• Network logs capture activity across an organization's network, including traffic flow, protocols and ports.
• Endpoint logs capture activity on individual devices, including logins, file access and software installation.
• Identity and Access Management (IAM) logs capture activity related to user and group permissions, password changes and login attempts.
• Cloud logs capture activity in cloud environments, including configuration changes, API calls and user activity.

UEBA uses various sensitive data sources, including logs, network traffic and endpoint data, to build a baseline of normal behavior. It then monitors an activity timeline across an organization's network, looking for suspicious behavior, i.e., deviations from this baseline.

A UEBA system typically operates in several stages:

Data collection: An UEBA system collects data from various sources, including network logs, endpoint logs and identity and access management logs. This data is then processed and normalized to create a baseline of normal behavior.

Baseline creation: An UEBA system uses machine learning algorithms to analyze the data and create a baseline of normal behavior. Organizations can customize this baseline, which is constantly updated as new data is collected.

Anomaly detection: An UEBA system monitors network activity for deviations from the baseline of normal behavior. These anomalies, enriched with context from known alerts or threat intelligence, could indicate a security threat and are prioritized based on the severity of the deviation.

Alerting and reporting: An UEBA system can generate alerts and reports to inform security teams of potential threats when detecting an anomaly. These alerts can be customized based on the organization's needs and sent to various stakeholders, including security analysts, IT staff and senior management.

UEBA offers several benefits to organizations looking to improve their cloud security posture:

Reduced false positives: a UEBA system uses machine learning algorithms to reduce false positives generated by traditional security tools, ensuring that your security operations team focuses on the most significant cyber security threats.

Advanced threat detection: a UEBA system can identify a potential threat that other security measures may miss. By analyzing user and entity behavior, UEBA can detect cyber threats that may be hidden in normal network traffic. UEBA can also identify suspicious behavior or anomalous behavior of employees, contractors and other insiders with authorized access to the system. This can help organizations prevent data theft, fraud and other malicious activities by insiders.

Improved incident response: a UEBA system provides real-time alerts and reports, allowing security teams to respond quickly to potential threats. This can reduce the time it takes to detect and contain a security incident, minimizing the impact on the organization.

Context: UEBA offers an activity timeline for a particular user or entity. It allows your security analyst to investigate the indicators of compromise and provides insight into the extent of malicious activity and security breach damage after receiving an alert.

Threat hunting: UEBA can be used for proactive threat hunting by analyzing historical data and identifying potential cybersecurity threats that another security tool may have missed.

Compliance: UEBA can help organizations meet compliance requirements by providing detailed user and entity behavior reports. This can help organizations demonstrate compliance with regulations such as GDPR, HIPAA and PCI-DSS.

Overall, UEBA provides great context around alerts and security threats and doesn't require having a clear definition of what to look for.

Network Traffic Analysis (NTA) is a security technology that analyzes network traffic to detect and respond to threats. NTA systems use machine learning algorithms to analyze network traffic and identify patterns of behavior that may indicate a security threat. Deep packet inspection examines the payload of a particular data packet to see if it matches up with its executable. A mismatch would indicate an anomaly.

In contrast, a UEBA tool can detect abnormal user and entity behavior. So, you don’t have to limit your detection to one particular executable, e.g., an email or a file transfer. As soon as something unusual happens, it triggers an alert.

By analyzing user and entity behavior, a UEBA solution also provides more context around security events than NTA, which may provide less context around security events.

UEBA and UBA (User Behavior Analytics) are often used interchangeably, but there is a subtle difference between the two.

UBA is focused solely on analyzing user behavior patterns, whereas UEBA analyzes both user and entity behavior patterns. Entities include devices, applications and other non-human entities on the network. UEBA goes beyond user behavior and considers the context in which the behavior occurs, which can help to identify more sophisticated threats.

In other words, UEBA is an extension of UBA that considers the behavior of both users and entities, providing a more comprehensive view of the network and its potential threats. UEBA also typically employs more advanced machine learning algorithms and analytics techniques, allowing it to detect more complex and subtle patterns of behavior that could indicate a security threat.

UEBA is an evolution of UBA that provides greater visibility and insight into security threats across the network, making it a more powerful tool for detecting and responding to potential security incidents.

With the help of machine learning, detection algorithms and automation, first-generation UEBA solutions provide a risk-ranked view of entities to help security teams prioritize what alerts to investigate first.

However, some first-generation UEBA has disadvantages:

• UEBA generates more complex data than the average, traditional security solution. Therefore, a trained professional must implement, run and monitor the system.

• Although it is a security system, it is not enough to protect a system entirely. Remember, it only tracks the human and entity behaviors and nothing more.

• Data sources are the lifeblood of UEBA. The solution must have strong integrations to get the right data to function properly.

• First-generation UEBA solutions are difficult to implement and tune, often taking three to six months.

Sumo Logic UEBA is part of our Cloud SIEM platform designed for organizations needing anomaly detection in addition to their existing SIEM correlation rules. With Sumo Logic, security analysts can create historical baselines and timelines from historical records.

Through our signal clustering algorithm built into our Cloud SIEM, Sumo Logic suppresses noisy alerts and provides a rules-based approach to behavior modeling and tuning within our existing SIEM rules engine.

Any security engineer can create behavior models without needing support or professional services to address their use case needs.

Sumo Logic’s UEBA enables customers to:

• Leverage pre-built anomaly detection content rules and models in less than fifteen minutes, including customer-customized models, to normalize baseline behavior and detect unknown threats. Plus, there’s no need to create support tickets for new data models.

• Gain deeper insight into entities and entity relationships, such as contractors, service accounts and off-boarded staff and get a risk-ranked prioritized view for investigations.

• Improve visibility into entity activity and view a detailed entity activity timeline.

You can learn more about modern SIEM in our ultimate guide.