User and Entity Behavior Analytics Tools: Why They Fall Short for Insider Threat Management

A successful insider threat can cause serious harm to a business of any size, costing a company thousands if not millions of dollars in lost assets, downtime, compromised customer assets, and the resources spent mitigating the breach. Businesses of all sizes should therefore look for ways to mitigate insider threats, such as an insider threat detection program, so that they can increase their chances of stopping one before it happens.

One method of running an insider threat detection program is user and entity behavior analytics (UBA and EBA, or UEBA). These tools allow project managers, business owners, and management to track a user’s behavior, and the behavior patterns of an entity, in order to identify a common pattern or trend. When that trend is disrupted, those monitoring the users can potentially act to protect their business against an insider threat.

While UEBA tools can be effective at mapping user and entity behaviors, they fall short at stopping insider threats or acting as a catch-all for insider threat management. Why is this the case? In this blog, we will discuss what UEBAs are, how they work, how effective they are at preventing an insider threat, and the ways that UEBAs can be implemented to protect a company against insider threats.

What are User and Entity Behavior Analytics (UEBAs)?

User and entity behavior analytics (UEBA) is a cybersecurity process that records the conduct of users and categorizes behaviors as normal or abnormal. UEBA software collects data for a period of time before it establishes which behaviors are normal.

From this data, the software gives managers the peace of mind of knowing that their employees are working soundly, as they should. Whenever an “abnormal” behavior is detected, the software can act on this information. What it does depends on several factors, but the point of the tool is to enable admins and managers to keep tabs on abnormal behaviors and the employees who commit them.

User Behavior Analytics (UBA) differs from Entity Behavior Analytics (EBA) in what the software monitors. UBA refers to the behavior tracking of individual users, and it was originally designed to focus on data theft (security) and stolen information (fraud).

As both of these markets grew, major analyst brands like Gartner wanted to scale with this shift (which is why we see the introduction of DevSecOps and chaos engineering). EBA (also referred to as Event Behavior Analytics) looks at all the entities on an access control list (ACL), such as routers, endpoints, and servers, and it also looks at the events on those entities in order to approach cybersecurity from the perspective of the IT network.

In a way, UEBAs go beyond typical UBAs by extending the analysis to cover machine entities and non-human processes. This can also provide protection against external attacks on data rather than only insider attacks. Ultimately, this means that while UEBAs are user-centric, they are not user-exclusive, and therefore they analyze things in addition to humans.

Again, by focusing on the behaviors of these individuals (and not their roles) within an organization, the software is able to find suspicious and malicious behavior that signals a potential threat. Finally, the UEBA system reports this behavior using a rule-based matching method within its advanced analytics.

How Do UEBA Tools Work?

UEBA tools work through machine learning and deep learning algorithms. Both learn what certain computer events mean (for example, moving a file from one folder to another) based on the administrator’s configuration.

So if an employee who is permitted to download programs downloads one, the software recognizes that the employee has already been approved to download files. It then looks at the type of program that was downloaded and categorizes it by insider risk.

As an overview, UEBAs will:

  • Use data analytics to track behaviors and build a profile that defines “normal” behavior as a baseline. Statistical models are then used to detect unusual behavior and, in turn, send an alert to administrators. 
  • Integrate and compare data from various other sources, including logs, packet capture data, and datasets that exist in other security systems, to again distinguish abnormal from normal activity. 
  • Finally, present the data in a clear and communicable manner, which usually means issuing a request for someone such as an analyst or admin to investigate the unusual behavior that was tracked. 

UEBA analysis runs on an ongoing basis so that the system keeps learning behaviors and can report accurately once abnormal behavior is detected. 

Each team that uses a UEBA must be able to configure the software so that it has baseline measures for both normality and risk. For example, it would need to know things like:

  • Who has legitimate access to certain folders
  • Who has admin power or authorization
  • Which folders contain more sensitive information than others
  • Which information, folders, or data are encrypted and therefore pose a higher risk if they are taken

While it takes some time to set up, a UEBA tool can essentially watch your company’s IT environment, monitoring the behaviors of your users in a way that productivity software cannot. It takes extremely complex algorithms to map out user events, categorize them, log them, and then, of course, learn from them. However, paired with a diligent and watchful manager, a productivity and time tracking tool, and other cybersecurity controls, UEBAs can provide support in catching and mitigating a malicious insider threat. 

Can UEBA Tools Prevent an Insider Threat?

As previously mentioned, UEBA tools can provide support in catching and mitigating insider threats. However, UEBAs should be integrated into your Security Information and Event Management (SIEM) system. UEBAs require extensive training and tuning, collaboration with a number of other cybersecurity tools, IT knowledge, and dedicated team members, among other things. 

Because UEBAs require extensive setup and vetting, and doing so perfectly is difficult, UEBAs unfortunately can raise too many false alarms. For example, if your IT department or team manager were alerted every time a file was moved from a certain folder, but that folder is accessed every day, if not every hour, they would come to ignore those alerts (if the alerts weren’t categorized), and this could create the perception that cybersecurity events are happening more often than they really are. On top of that, the manager might ignore the alerts even when a true cybersecurity event was happening. 
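The baseline-then-alert approach described in the overview above, applied to the file-move scenario in the preceding paragraph, as an added example that is not SoftActivity’s or any UEBA product’s code. The log lines, folder path, users, and thresholds are all constructed; a naive per-event rule fires on every move, while the per-user baseline only flags the user whose daily count is far outside their own learned normal, and declines to judge a user it has no baseline for.

```python
"""Baseline-then-score anomaly detection over constructed audit log lines.
Added illustration, not SoftActivity's or any UEBA product's code: learn each user's
normal daily count of file moves out of one folder in a baseline window, then score
later days against that per-user baseline."""
from collections import Counter
from statistics import mean, pstdev

WATCHED = "/shared/reports"   # constructed sensitive folder
BASELINE_DAYS = range(1, 6)   # days 1-5 are the learning window
MIN_SIGMA = 1.0               # floor so a perfectly regular user still gets a finite z-score
THRESHOLD = 3.0               # alert when a day's count exceeds mean + 3 sigma

def _lines(user, day, n):
    # constructed log lines of the form "<day> <user> MOVE <path>"
    return [f"day{day} {user} MOVE {WATCHED}/file{i}.xlsx" for i in range(n)]

# Constructed log: alice moves 4-6 files every day, bob rarely moves any,
# carol first appears on day 6, so no baseline exists for her.
LOG = []
for day, n in zip(BASELINE_DAYS, [4, 5, 6, 5, 5]):
    LOG += _lines("alice", day, n)
for day, n in zip(BASELINE_DAYS, [1, 0, 1, 0, 1]):
    LOG += _lines("bob", day, n)
LOG += _lines("alice", 6, 6) + _lines("bob", 6, 6) + _lines("carol", 6, 2)

def parse(line):
    day, user, action, path = line.split()
    return int(day[3:]), user, action, path

def naive_alerts(lines):
    """The rule the text warns about: one alert for every move out of the folder."""
    return [l for l in lines if parse(l)[2] == "MOVE" and parse(l)[3].startswith(WATCHED + "/")]

def baseline_alerts(lines, day):
    """Return {user: verdict} for one day by comparing it with each user's baseline."""
    counts, seen = Counter(), set()
    for d, user, action, path in map(parse, lines):
        if d in BASELINE_DAYS:
            seen.add(user)
        if action == "MOVE" and path.startswith(WATCHED + "/"):
            counts[(user, d)] += 1
    verdicts = {}
    for user in {u for u, d in counts if d == day}:
        if user not in seen:
            verdicts[user] = "no_baseline"   # still learning: nothing to call normal yet
            continue
        history = [counts[(user, d)] for d in BASELINE_DAYS]
        z = (counts[(user, day)] - mean(history)) / max(pstdev(history), MIN_SIGMA)
        verdicts[user] = "alert" if z > THRESHOLD else "normal"
    return verdicts
```

On day 6 the naive rule produces fourteen alerts, one per move, while the baseline scorer flags only bob, whose six moves are far above his usual zero or one, and reports alice’s six as normal.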

Extending the analysis, and the amount of data collected, from the user to the entity makes sense in terms of cybersecurity and insider threat prevention. Often a hacker who gains access to a company will leverage multiple users in order to carry out data exfiltration, which is equivalent to lateral movement into other machines. By broadening the scope from user to entity behavior, UEBA tools can identify behaviors by IP address and look for common or unusual behaviors on a workstation endpoint. 

While this type of tool is effective at its task, and at learning behaviors, it does fall short when you consider the entire insider threat program. An insider threat does not rely on computer systems one hundred percent of the time in order to steal from your company. 

One of the biggest things a UEBA tool lacks is critical context. Critical context gives a business or administrator the details and insight around what happened. Even if you’ve been alerted to a behavior, you won’t know why it happened or exactly how it happened. 

And truly, at this point in the game, you might be too late to stop an insider threat. You may be alerted to the attack while it is ongoing, and this does not protect your company against insider threats; instead, UEBAs would only help you minimize the damage.

How to Effectively Monitor Your Employees to Protect Against Insider Threats

A UEBA system is critical for protecting your company against insider threats. However, it should not be used alone. UEBA systems provide automatic detection of varied external and internal cybersecurity attacks, including both malicious and negligent insider threats. They also offer a comprehensive solution that only a few analysts are needed to operate, making UEBAs far more cost-effective. 

However, their upfront cost is high. In many cases, small businesses won’t need such a complex system, won’t use this type of application, or won’t understand its value. In most cases, a business would need to hire more specialized analysts to interpret the data (for example, data engineers, data scientists, security operations center (SOC) analysts, and incident response (IR) teams). 

Getting a UEBA system does not replace other cybersecurity systems, and businesses should be putting up as many barriers as possible in order to deter attackers. From actual firewalls to web gateways, encrypted connections, and intrusion prevention tools, you must do everything you can to protect your business from external attacks as well as insider attacks. 

Using Employee Monitoring for Comprehensive Insider Threat Management

In order to protect your company from insider threats, you should adopt a strong cybersecurity protocol complete with multiple layers of data protection, employee monitoring, UEBA tools, and cybersecurity technology. 

Employee monitoring software, for example, can integrate UEBA data and findings in order to provide a more comprehensive look at what your employees are doing. 

Consider adopting an employee monitoring solution that already includes UEBA tools, to provide more critical context for the types of behaviors an admin would be alerted to. With this software, you can monitor things like “normal” and “abnormal” hours, tasks, and behaviors. You can also use additional surveillance features like webcam monitoring, screen recording, and keystroke logging. 

In addition to this context, cybersecurity teams will be able to adopt other types of security tools and monitoring, such as video surveillance for remote teams and keylogging on communication management systems. Consider SoftActivity to see how our monitoring solution can simplify your insider detection program!

By SoftActivity Team

November 2nd, 2020