User Behavior Analysis 101

Published January 4, 2021 | 6 min read

A data security breach might terrify CISOs and other corporate executives, but with user behavior analytics (UBA)—also sometimes known as user and entity behavior analytics (UEBA)—organizations can easily track the types of activities that might indicate a breach of cybersecurity. 

In this post, we’ll give you an introductory course in user behavior analysis: what it does, how it works, how it can benefit your organization, and how to select the right UBA software.

What is UBA?

User behavior analytics are software programs that use algorithms to analyze log and event data from applications, endpoint controls, and network defenses, and to build a better understanding of how people interact with your IT systems. 

With UBA, businesses can use big data techniques to determine “normal” patterns of employee behavior, so that anomalies can be detected more easily and breaches traced back to the unusual behavior.

What is SIEM?

Security information and event management (SIEM) combines security information management (SIM) and security event management (SEM) to deliver real-time analysis of security alerts triggered by software, hardware, and network activity. 

SIEM programs have six main attributes: 

  • Retention
  • Dashboard
  • Correlation
  • Alerting
  • Data Aggregations
  • Compliance 

How Do UBA and SIEM Differ?

SIEM software works by identifying and analyzing threats using intelligence aggregated across the entire organization’s technology stack. This provides security teams the visibility needed to assure compliance and risk management.

UBA, meanwhile, focuses more on individuals. It allows the organization to look at a variety of data sources, such as individual files and emails, that are accessed and created daily. 

UBA software aggregates this information so that anomalies across all the users in an organization can be analyzed in real time. The UBA engine creates a baseline of each individual user's activity and then looks for deviations from it. Such deviations may be anything from deleting an unusually high number of files in a short time to launching rarely used apps.

Despite their different approaches, UBA and SIEM can work in tandem to assess behavioral analytics, detect malware, and prevent potential threats. 

How do UBA and SIEM Work Together?

Because SIEM and UBA approach security from different directions, they provide different insights into an organization’s information security environment. The distinction between the value each provides is best explained by Johna Till Johnson, who said:

“An event may be benign in one context and prove nefarious in another. For example, an accountant accessing a tax system at midnight on April 14 may be behaving in a perfectly reasonable manner but not when he accesses that system on, say, August 14.”

SIEM notices that the actions themselves are out of context; UBA notices that the user is behaving out of context. This can signal one of two things: either the individual has malicious intent, or an unauthorized user accessed the individual’s credentials. 

Either way, SIEM and UBA solutions together create a trail that allows the CISO to determine the cause of the breach and limit the damage of cyber-attacks.
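As an added illustration of the baselining described above (not code from the original post), the following sketch builds a per-user profile from a constructed history and then scores one day of events against it. It flags the two kinds of deviation the post names, an unusual volume of deletions and a rarely used app, plus the accountant-at-midnight case as activity at an hour the user has never been seen before; all users, apps and counts are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal" history as (user, day, hour, action, app): alice deletes
# 2 files a day from the file share 09:00-11:00; bob opens the tax system at 14:00.
BASELINE_EVENTS = [("alice", d, 9 + d % 3, "delete", "fileshare")
                   for d in range(1, 11) for _ in range(2)]
BASELINE_EVENTS += [("bob", d, 14, "login", "tax_system") for d in range(1, 11)]

def build_baseline(events):
    """Per-user profile: apps seen, hours seen, mean/stdev of daily deletions."""
    profile = defaultdict(lambda: {"apps": set(), "hours": set()})
    daily_deletes = defaultdict(lambda: defaultdict(int))
    for user, day, hour, action, app in events:
        profile[user]["apps"].add(app)
        profile[user]["hours"].add(hour)
        if action == "delete":
            daily_deletes[user][day] += 1
    for user, per_day in daily_deletes.items():
        counts = list(per_day.values())
        profile[user]["del_mean"] = mean(counts)
        profile[user]["del_std"] = pstdev(counts)
    return profile

def score_day(profile, events, z_threshold=3.0):
    """Compare one day's events against each user's baseline; return findings."""
    findings = set()
    deletes = defaultdict(int)
    for user, day, hour, action, app in events:
        p = profile.get(user)
        if p is None:                       # unknown user: nothing to compare against
            findings.add((user, "no baseline for user"))
            continue
        if app not in p["apps"]:
            findings.add((user, f"rarely used app: {app}"))
        if hour not in p["hours"]:
            findings.add((user, f"activity at unusual hour {hour:02d}:00"))
        if action == "delete":
            deletes[user] += 1
    for user, n in deletes.items():
        p = profile[user]
        std = p.get("del_std", 0.0) or 1.0  # constant baseline: fall back to unit spread
        z = (n - p.get("del_mean", 0.0)) / std
        if z > z_threshold:
            findings.add((user, f"{n} deletions today (z={z:.1f})"))
    return sorted(findings)

# Constructed test day: alice mass-deletes; bob logs in at midnight and launches a new tool.
DAY_EVENTS = [("alice", 11, 10, "delete", "fileshare")] * 12
DAY_EVENTS += [("bob", 11, 0, "login", "tax_system"),
               ("bob", 11, 0, "launch", "archive_tool")]
```

In a real deployment the threshold and the fallback for constant baselines would be tuned per data source, which is the analyst effort Gartner warns UBA does not remove.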

Choosing a User Behavioral Analytics Software

As more organizations seek out UBA software, understanding how to evaluate those services becomes more important. According to Gartner, security analysts and risk managers should evaluate UBA solutions according to the following criteria:

  • Choose UBA vendors aligned to the threats you want to detect, such as malicious insiders and external hackers; and those with solutions that align with your use cases. 
  • Select software that fills a gap in your existing security tools (for example, security event monitoring).
  • Define use cases clearly and be prepared to confirm those use cases through extensive proof-of-concept scenarios before choosing a vendor.
  • Identify required data sources that can be provided to UBA solutions, which is critical for successful implementation and use in production.
  • Favor UBA vendors that profile multiple entities (including users), their peer groups and devices, and those who use machine learning to detect anomalies. These features enable better detection of insider threats that might otherwise go unnoticed.
  • Don’t expect UBA to replace the need for people with domain and organizational knowledge. Resources are still required to configure and tune the UBA tools, and to validate potential incidents detected by the tools.

Different Types of UBA Software

It’s also important to note that UBA software can be offered in two different ways:

First, UBA can work as a standalone product that focuses solely on UBA. It looks at the user’s data, IP address, app, and network behaviors. After setting a baseline, the UBA application continues to analyze, detect, prioritize, and respond to those behaviors that are outside of the norm. 

UBA can also work as a product feature added to SIEM. In this way, it looks at security information and event management within the normal process of network traffic. It then analyzes employee behavior within the identity, access governance, and privileged access management realms to detect and respond to anomalies. 

In other words, this isn’t true UBA, but rather, UBA functionality within another analytics application that has UBA capability.

Gartner theorizes that standalone UBA platforms will ultimately overtake SIEM software that incorporates UBA as a feature. This is because standalone UBA can pinpoint threats and sound the alarm across multiple monitoring systems, so it is more likely to evolve along with the technology and algorithms that do this best.

Questions to Ask Your Software Vendor

Security software firm Rapid7 has a series of questions one should ask a UBA vendor before making a final decision. 

  • Is the solution standalone, or does it need another service to supplement? 
  • Can it detect cloud service attacks?
  • Does it include an option to deploy endpoint agents, or does it require additional hardware? 
  • Do the analytics run in real-time? 
  • Are statistical models for baselining and machine learning used? 
  • How does the software detect attacker tools? 
  • Can the alerts be customized?
  • When the software investigates and prioritizes information, how is additional context presented? 
  • Can customized dashboards and analytics be built? 
  • How does data search work? 
  • Does it allow integration with IAM, DLP, and Incident Response or Security Orchestration Automation and Response (SOAR) tools? This is especially important when considering your risk management environment holistically, which we’ll cover at the end of this post.

What Are The Drawbacks to UBA Software?

Privileged users. Privileged users such as system administrators or developers are a tricky challenge for UBA because their job functions often require irregular behavior. This makes it difficult for the algorithms to create a baseline. While statistical analyses are useful for most employees, they may not be effective for privileged users, whose access needs to be monitored more carefully. 

Low and slow data breaches. UBA is less adept at tracking sophisticated, long-term “low and slow” attacks, where changes in behavior are rarer or more subtle.

Built-in human bias. Moreover, UBA brings all the same drawbacks that any machine learning brings. Users don’t understand why the neural net determines a feature to be important. If there is a built-in human bias or corrupted data, then machine learning profiles will reflect this. 

UBA is more reactive than proactive. The purpose of UBA is to detect anomalous behavior. By definition, that makes UBA more reactive to something already happening, rather than proactive to prevent something from happening. So UBA may be more appropriate as a response to track a breach to its origin than as a prophylactic.

That doesn’t mean that user behavior data can’t be analyzed to find opportunities to strengthen defenses proactively. For example, UBA can be used to determine whether access and authentication policies work as intended or should be updated. It can also identify potential areas of risk around shadow IT assets so the security team can take action. It can help make user awareness education more targeted and impactful.

While these drawbacks are something to consider, also remember that machine learning is improving all the time. These drawbacks are likely to fade (and eventually vanish) over time.

The Top 10 UBA Software 

With so many different UBA products on the market, deciding on one may be difficult. Besides looking at how the algorithms work, security professionals need to understand how each program will integrate with the other security systems in their IT infrastructure, as well as the user experience it provides. Here are 10 of the most popular UBA tools available.

  1. Bottomline Technologies
  2. Cynet
  3. Dtex Systems
  4. Exabeam
  5. Forcepoint
  6. Gurucul Risk Analytics
  7. Microsoft Azure
  8. Preempt
  9. Rapid7
  10. Splunk

Holistic Risk Management

As we mentioned earlier, it’s important to evaluate your UBA software for integration potential. No one-size-fits-all solution exists, so it’s essential to choose a complementary set of tools that best suits your organization’s enterprise risk management needs and can protect you against the threats identified during your risk analysis.

ZenGRC for Enterprise Risk Management

ZenGRC helps you identify risks by analyzing your systems and filling information security and compliance gaps. It then helps you to prioritize those risks so your team can get to work defining the controls that will mitigate those risks. 

Its user-friendly dashboards allow you to see the status of each identified risk, as well as what must be done to mitigate it, in order of priority. It also creates an easy-to-understand audit trail of your risk management activities and retains all of your documentation in a central repository for easy access in the event of an audit. 

With ZenGRC, risk management is fast and efficient, which allows you and your team to focus on growing your business. Simplified risk management is the Zen way! 

Contact us now for a free consultation and demo of ZenGRC today.
