How UEBA (User and Entity Behavior Analytics) Works

[chushpan]

UEBA (User and Entity Behavior Analytics) is a technology for analyzing the behavior of users and entities (such as devices, applications, or network nodes) that is used to identify anomalies and potential threats in information systems. UEBA is used in cybersecurity to detect suspicious activity that may be related to internal threats, compromised credentials, fraud, or external attacks.

Let's look at how UEBA works, step by step:

1. The main idea of UEBA​

UEBA focuses on analyzing user and entity behavior to identify deviations from the norm. Instead of relying solely on pre-defined rules or threat signatures, UEBA uses machine learning (ML) and statistical analysis to understand what is “normal” behavior and then detect anomalies.

2. How is data collected?​

UEBA requires a large amount of data about user and entity actions. This data may include:

• User activity logs: logins, uptime, application launches, file access.
• Network activity: connections to servers, data transfer, DNS queries.
• Device data: information about connected devices, their configurations and activity.
• Contextual data: user location, device type, role in the organization.

This data is collected from various sources such as:

• SIEM systems (Security Information and Event Management).
• Network monitoring systems.
• Application and database logs.
• Antivirus solutions.

3. Stages of UEBA work​

a) Creating a behavior profile​

UEBA builds a unique behavior profile for each user or entity. This is done based on historical data:

• How often does the user typically log in?
• What time of day does the activity occur?
• What devices and IP addresses are used?
• What files or resources are being requested?

The profile is created automatically using machine learning algorithms. For example:

• If a user always logs in from the same IP address and during business hours, this becomes part of their "normal" profile.

b) Anomaly detection​

Once a profile is created, the system starts comparing current activity with the profile. If deviations are detected, they are marked as potential threats. Examples of anomalies:

• The user logs into the system at an unusual time (for example, at night).
• Files are requested that the user has never accessed before.
• A new device or IP address is being used.
• A mass data download is taking place (possibly to steal information).

c) Risk assessment​

Not all anomalies are threats. UEBA uses risk assessment systems to determine how suspicious an activity is. This is done based on:

• Frequencies of anomalies.
• Criticality of actions (e.g. access to confidential data).
• Context (for example, the user is on vacation, but his account is active).

If the risk exceeds a certain threshold, the system generates a warning.

d) Response​

UEBA integrates with other security systems to automatically respond to threats. Possible actions:

• Account blocking.
• Sending notifications to administrators.
• Isolate a device or network.
• Run additional checks (e.g. two-factor authentication).

4. Advantages of UEBA​

• Insider Threat Detection: UEBA helps identify abnormal behavior of employees who may be acting for selfish purposes.
• Data leak protection: The system can detect attempts of unauthorized access to confidential information.
• Detecting compromised credentials: If an attacker has gained access to an account, their behavior will differ from the user's normal behavior.
• Adaptability: UEBA continually learns and adapts to changes in user behavior.

5. Example of using UEBA​

Scenario: Identifying the threat from within​

1. Normal behavior:
   • The employee usually logs into the system from 9:00 to 18:00 from a work computer.
   • He rarely downloads large amounts of data.
2. Anomaly:
   • At 23:00, an employee logs into the system from a new IP address.
   • It downloads thousands of files containing confidential information.
3. Reaction:
   • UEBA detects an anomaly and sends a signal to the security system.
   • The administrator receives a notification and blocks access.

6. Technologies used in UEBA​

• Machine Learning (ML): For data analysis and profiling.
• Statistical analysis: To identify deviations from the norm.
• Big Data: For processing large amounts of data.
• SIEM Integration: To obtain data from various sources.

7. Conclusion​

UEBA is a powerful tool for detecting threats that traditional security methods may miss. It helps protect organizations from internal and external threats by providing deep insight into user and entity behavior. However, it is important to remember that UEBA is not a panacea. It should be used in conjunction with other security measures, such as antivirus, firewalls, and employee training.

If you have a specific question about UEBA or a use case, write to me - I will try to help!

 

[Man]

How does UEBA (User and Entity Behavior Analytics) work?​

UEBA is a technology for analyzing the behavior of users and entities (devices, services) to identify anomalies and cyber threats. Unlike traditional systems, UEBA does not rely on predefined rules, but uses machine learning and a base of normal activity to find deviations.

1. Basic principles of UEBA​

(1) Data collection​

The system collects information about:

• User actions (logins, transactions, file access).
• Device behavior (activity time, geolocation).
• Context (IP addresses, applications used).

Examples of data sources:

• Active Directory logs, SIEM systems (Splunk, IBM QRadar).
• Data from network devices (VPN, proxy).
• Indicators from CRM, ERP, banking systems.

(2) Baseline​

UEBA builds a "template" of normal behavior for each user/device, taking into account:

• Hours of activity (for example, an accountant usually works from 9:00 to 18:00).
• Geography (typical entry locations).
• Frequency of actions (how many times a day a certain file is opened).

(3) Anomaly Detection​

Compares current actions with the baseline and calculates the risk using algorithms:

• Statistical models (deviation from the mean).
• Machine learning (clustering, time series analysis).
• Graph relationships (identifying suspicious interactions between entities).

Examples of anomalies:

• The manager suddenly downloads the entire customer database at 3:00 am.
• From the same IP they log in under different accounts at intervals of 2 minutes.

2. Where is UEBA used?​

(1) Finance and Banks​

• Insider Detection: Employee suddenly copies credit card details.
• Fraudulent transactions: The user usually pays from an iPhone in Moscow, but here it is a payment from an Android in Nigeria.

(2) Corporate Security​

• Data Leaks: Engineer Opens Patent Files En Masse Before Leaving Office
• Account compromise: Login from a new device without MFA.

(3) Critical infrastructure​

• Attacks on SCADA systems: Unusual commands to industrial equipment.

3. Technologies inside UEBA​

• Self-learning algorithms:
  • LSTM networks for analyzing action sequences.
  • Support Vector Machines (SVM) for Threat Classification.
• Graph Databases (Neo4j): Building Relationships Between Users and Objects.
• Risk Scoring: Each event is assigned a threat score (e.g. 85/100 → urgent investigation).

Example of UEBA work in a bank:

1. The user usually logs in via VPN from the Russian Federation.
2. Sudden login from German IP → system checks:
   • Does he use the same browser?
   • Have there been similar logins before?
3. If the risk is high, it requires MFA or blocks the session.

4. Advantages over traditional systems​

Detect unknown threats: No need for pre-written rules.
Reduce false positives: Takes into account the context (e.g., an employee on a business trip).
Identify insiders: Notices suspicious behavior of “their own”.

5. UEBA Restrictions​

• Requires time for training (1-3 months to build a baseline).
• Complex integration with legacy systems.
• False positives during sudden changes (for example, switching to remote work).

Conclusion​

UEBA is a powerful tool against carding, insiders, and APT attacks. JPMorgan and other banks use such systems to protect their clients.

Want to dive deeper into cases or technologies? Ask!