How UEBA helps increase cybersecurity

Organisations that want to add advanced analytics or machine learning capabilities to their IT security arsenal have a relatively new class of solution available: User and Entity Behavior Analytics (UEBA), a system for analysing the behaviour of users and other entities.

UEBA products learn the patterns of typical user behaviour (a baseline), and then detect abnormal actions that do not match these patterns and may indicate a security problem. In addition, UEBA systems detect atypical events for other entities, such as workstations, software, network traffic and storage; a variety of analytical methods, including machine learning, are used to determine what counts as a deviation. There is also a narrower class of UBA systems which, as the name suggests, analyse only the information associated with users and their roles. Data sources for UEBA systems are the logs of server and network components, of security systems, and local logs from end-user workstations.

UEBA solutions are usually the layer that catches what other cyber security tools have failed to detect within the network.

Although UEBA solutions have not been around very long, they quickly became popular within large corporations. According to Gartner, the sales volume of specialised UEBA solutions doubles every year. In addition, many vendors include UEBA functionality in other security tools, such as Security Information and Event Management (SIEM), network traffic analysis, Identity and Access Management (IAM), endpoint protection, or data leak prevention tools. Gartner analysts predict that within five years the standalone UEBA products still on the market will become the next generation of SIEM solutions, while the remaining UEBA capabilities will find their niche inside other security technologies.

[Figure: The three pillars of UEBA. Source: Gartner]

Below is a brief description of the most popular products in the UEBA segment. More detailed information about the products can be found in the UEBA comparison table at ROI4CIO, which compares the leaders identified in Gartner's research.

Exabeam Advanced Analytics

Exabeam provides security and management solutions that help organizations of all sizes protect their most valuable information. Exabeam products use machine learning and behavioural analytics technologies in their work.

According to Gartner experts, the Exabeam Advanced Analytics product is one of the best in the UBA category. Compared to competitors, this solution is very easy for system administrators or analysts to learn, and therefore its implementation time is much shorter. Analysts do not have to spend days or weeks collecting evidence and reconstructing incident timelines from information obtained from the SIEM. Thanks to the advanced analytics feature, the pre-built incident timeline marks anomalies and displays details that capture the event and its full context. What used to take weeks can now be done in seconds. The user interface of the product is convenient, and navigation and viewing of historical data are extremely fast. The solution contains hundreds of built-in models, some of which are unique and cannot be found among competitors; this is the main advantage of the product. The company offers qualified technical support for its solutions.

But the reporting tool, unfortunately, is practically absent. The user can print or export the contents of the browser window, send alerts about abnormal sessions to the SIEM system, or just take screenshots. Anything beyond that requires a separate reporting tool. Viewing more than a dozen events on a timeline requires a high-resolution monitor, and even then no more than 20 events fit. There is a custom search feature using the "Threat Hunter" search panel, which offers some nice functionality.

Micro Focus Security ArcSight UBA

ArcSight User Behavior Analytics provides companies with detailed information about their users, which greatly simplifies the generation of behavioural data to help mitigate threats. It helps to detect and investigate malicious user behaviour, insider threats and account abuse. Thus, it allows organisations to detect violations before they cause significant damage.

ArcSight User Behavior Analytics helps customers reduce the risk of cyber attacks and detect abnormal behaviour by matching the logs of user identity management systems with other IT logs generated by applications and networks. In addition, the product provides a faster response to identified threats through deep integration with SIEM, as well as faster incident investigation. UBA analyses the data associated with each user, identifies deviations and compares them with the user's peers, with historical activity and/or with violations of predetermined expected behaviour.

Thus, ArcSight UBA detects abnormal user behaviour, which is very important for detecting compromised or abused accounts. Micro Focus offers the most sophisticated and certified security use cases in UBA and seamless, mutually reinforcing integration with SIEM.

Forcepoint UEBA

Forcepoint User and Entity Behavior Analytics (UEBA) allows security teams to proactively track anomalous, high-risk behaviour within an organisation. The analytical protection platform builds rich context by combining structured and unstructured data to identify and block malicious, compromised and careless users. Forcepoint detects various critical issues, such as compromised accounts, corporate espionage, theft of intellectual property and fraud.

By assessing the nuances of how people, data, devices and applications interact, Forcepoint UEBA tells security teams what to look at first. The software solution from Forcepoint is built on four principles:

Rich context. The product combines content collected from disparate data sources into a single whole, thereby complementing the capabilities of SIEM and other information security solutions to identify and prevent undesirable user actions.

Behavioural analytics. Forcepoint UEBA uses several types of rigorous behavioural and content analytics focused on detecting changes, patterns and anomalies in order to better detect complex attacks.

Search and detection. Provides powerful forensic investigation and detection tools through a contextual user interface for continuous monitoring and in-depth research.

Intuitive workflow. Provides proactive reporting that integrates fully with the system administrator's workflow and existing client information architecture to optimise operational efficiency.

Splunk User Behavior Analysis

One of the main advantages of Splunk User Behavior Analysis is the detection of unknown threats and abnormal behavior using machine learning.

Splunk User Behavior Analysis offers the following features:

Advanced threat detection. The product detects deviations and unknown threats that traditional security tools miss.

Higher performance. Automates the merging of hundreds of detected anomalies into a single threat, greatly simplifying the life of a security analyst.

Powerful incident investigation. The solution offers deep investigative capabilities and strong baseline behavioural profiles for any entity, anomaly or threat.

Improved visibility and detection. Automates the detection of threats using machine learning, which allows you to spend more time eliminating the threats themselves and enhancing security.

Accelerated threat hunting. Splunk User Behavior Analysis quickly identifies anomalous objects without human involvement. The solution covers a wide range of anomaly types (over 65) and threat classifications (over 25) for users, accounts, devices and applications.

SOC supplemented resources. Automatically combines hundreds of anomalies observed in multiple entities — users, accounts, devices and applications — into one common threat for faster response.

Securonix UEBA

The Securonix UEBA solution provides advanced analytics capabilities based on machine learning. Its main advantages include the following:

Reducing the risk of insider threats. Securonix creates a comprehensive risk profile for each user in the company environment, based on information about identity, employment, security violations, IT activity and access, physical access and even phone records.

The product identifies the true areas of risk by comparing each user's activity with their individual baseline, with the baselines of the peer groups they belong to, and with known threat indicators. Results are scored and presented in interactive scorecards.

Clearer visibility in your cloud. Notable functions include cloud-to-cloud monitoring with built-in API integrations for all major cloud infrastructures and application technologies; detection of malicious activity by analysing user privileges and events; and correlation of cloud and on-premises data to add context about the object. In addition, the product offers cross-cutting analysis of threat patterns that triggers a response.

Proactive fraud detection in the enterprise. The product is able to identify complex fraudulent attacks that usually evade signature-based detection, using signature-less behavioural analysis and peer-based outlier analysis. Also worth noting are the functions for detecting account takeover, abnormal user behaviour, transaction fraud and money laundering violations.
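The mechanism the article keeps returning to (learn a per-user baseline, compare new activity against it and against the user's peer group, then merge the individual anomalies into one risk score per entity) is easy to show in miniature. The following Python is an added illustration written for this page; it is not code from any of the vendors above and uses constructed sample events, invented rule weights and an arbitrary threshold, all of which are assumptions rather than anything a real UEBA product ships with.

```python
"""Toy UEBA-style scoring: per-user baselines, peer-group baselines, anomaly merging.

Added example for illustration only; events, weights and threshold are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline period: (user, peer_group, login_hour, host, bytes_uploaded)
BASELINE_EVENTS = [
    ("alice", "finance", 9, "fin-srv1", 1_200),
    ("alice", "finance", 10, "fin-srv1", 900),
    ("alice", "finance", 14, "fin-srv2", 1_500),
    ("alice", "finance", 16, "fin-srv1", 1_100),
    ("bob", "finance", 8, "fin-srv1", 2_000),
    ("bob", "finance", 11, "fin-srv2", 1_800),
    ("bob", "finance", 15, "fin-srv2", 2_200),
    ("bob", "finance", 17, "fin-srv1", 1_900),
    ("carol", "devops", 2, "build-01", 50_000),
    ("carol", "devops", 3, "build-02", 60_000),
    ("carol", "devops", 22, "build-01", 55_000),
    ("carol", "devops", 23, "build-02", 52_000),
]

# Constructed events to score against those baselines
NEW_EVENTS = [
    ("alice", "finance", 3, "build-01", 40_000),  # off-hours, unknown host, huge upload
    ("bob", "finance", 12, "fin-srv1", 2_100),    # ordinary for bob
    ("carol", "devops", 2, "build-01", 58_000),   # large in absolute terms, normal for carol
    ("dave", "finance", 10, "fin-srv1", 1_000),   # user with no learned baseline
]

# Invented weights: how much each anomaly type contributes to the merged risk score
WEIGHTS = {
    "no_baseline": 10,
    "new_host": 15,               # host unseen for the user but used by peers
    "new_host_outside_peer": 30,  # host unseen for the user and the whole peer group
    "off_hours": 15,
    "volume": 30,                 # upload far above the user's own history
    "volume_vs_peers": 20,        # upload far above the peer group's history
}


def build_profiles(events):
    """Learn per-user and per-peer-group profiles: hosts seen, hours seen, upload sizes."""
    users = defaultdict(lambda: {"hosts": set(), "hours": set(), "bytes": []})
    groups = defaultdict(lambda: {"hosts": set(), "hours": set(), "bytes": []})
    for user, group, hour, host, nbytes in events:
        for profile in (users[user], groups[group]):
            profile["hosts"].add(host)
            profile["hours"].add(hour)
            profile["bytes"].append(nbytes)
    return dict(users), dict(groups)


def zscore(value, samples):
    """Standard score of value against samples; None when too few samples to trust."""
    if len(samples) < 3:
        return None
    sd = pstdev(samples)
    if sd == 0:  # constant history: any change at all is an outlier
        return 0.0 if value == samples[0] else float("inf")
    return (value - mean(samples)) / sd


def detect_anomalies(event, users, groups, z_limit=3.0):
    """Return the list of anomaly labels a single event triggers."""
    user, group, hour, host, nbytes = event
    user_profile = users.get(user)
    if user_profile is None:
        return ["no_baseline"]
    group_profile = groups.get(group, {"hosts": set(), "hours": set(), "bytes": []})
    findings = []
    if host not in user_profile["hosts"]:
        findings.append("new_host" if host in group_profile["hosts"] else "new_host_outside_peer")
    # Login hour is normal if within one hour of any hour seen before (wrapping past midnight)
    if not any(abs(hour - h) <= 1 or abs(hour - h) == 23 for h in user_profile["hours"]):
        findings.append("off_hours")
    z_user = zscore(nbytes, user_profile["bytes"])
    if z_user is not None and z_user > z_limit:
        findings.append("volume")
    z_group = zscore(nbytes, group_profile["bytes"])
    if z_group is not None and z_group > z_limit:
        findings.append("volume_vs_peers")
    return findings


def score_users(events, users, groups, threshold=50):
    """Merge every event's anomalies into one risk score per user; mark threats above threshold."""
    report = {}
    for event in events:
        findings = detect_anomalies(event, users, groups)
        entry = report.setdefault(event[0], {"score": 0, "anomalies": []})
        entry["anomalies"].extend(findings)
        entry["score"] += sum(WEIGHTS[f] for f in findings)
    for entry in report.values():
        entry["threat"] = entry["score"] >= threshold
    return report


if __name__ == "__main__":
    user_profiles, group_profiles = build_profiles(BASELINE_EVENTS)
    for name, entry in score_users(NEW_EVENTS, user_profiles, group_profiles).items():
        print(f"{name:6} score={entry['score']:3} threat={entry['threat']} {entry['anomalies']}")
```

The point worth noticing is carol: a 58,000-byte upload at 2 a.m. scores nothing because that is her baseline, while the same behaviour from alice scores four separate anomalies that merge into one high-risk entity. A user with no learned history gets a low, explicit "no_baseline" finding rather than a pile of false positives, and the volume rule refuses to score a user with fewer than three historical samples, which is the kind of minimum-learning-period caveat real deployments need.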


UEBA/UBA class systems are an important element in identifying unknown types of threats and APT attacks, as well as employees who violate the company's information security rules. UEBA products are aimed at solving four basic problems. First, simple and advanced analytics of information from various sources using machine learning methods, run periodically or continuously in real time. Second, the online detection of attacks and other anomalies that classical information security tools usually miss. Third, ranking the significance of events collected from different sources (SIEM, DLP, AD and similar systems) so that information security administrators can respond quickly. Fourth, an effective response to events, made possible by giving information security administrators comprehensive and detailed information about the incident.

The review contains only 4 UEBA products and their main characteristics. More UEBA products and more detailed information on them can be found in the UEBA comparison table on ROI4CIO.

Author: Oleg Pylypenko, for ROI4CIO
