An Introductory Guide to User Behavior Analytics


There has been a lot of discussion regarding User Behavior Analytics (UBA) lately, but the actual usefulness of UBA sometimes gets lost in the sea of hype. Behavior analytics offers numerous advantages once a system is in place, and it works in tandem with other security measures to help prevent potential attacks.

To put it simply, UBA is a method of analyzing user behavior and using that analysis to help safeguard against attackers. By tracking user activities and taking note of certain patterns, it is possible to detect a potential data breach and prevent the damage before it happens. However, these capabilities, and the ways in which UBA can be implemented, require a bit more explanation.

What is UBA?

User Behavior Analytics (UBA) is a cybersecurity process that uses behavioral analytics, algorithms, and big data to track user behavior. Rather than tracking only security events or devices, UBA monitors trends in what users actually do.

Many modern forms of UBA make use of both machine learning and big data methods to perform analyses that are more accurate and, thus, more useful. These modern security solutions are referred to as User and Entity Behavior Analytics (UEBA), and they use machine learning and deep learning to identify user activity and entity behavior on a corporate network.

The kinds of data tracked and analyzed with UBA include apps opened, files accessed, emails sent and read, network activity, and much more. All of this data is collected on a per-user basis, so it is always possible to work out who did what and when.

UBA is one of many tools in a security team's toolset. It is a powerful way to detect insider threats, to prevent targeted attacks, and to mitigate fraud. However, it did not necessarily start this way.

In the early 2000s, UBA began as an analytics tool for marketing teams: a way to examine consumer behavior, identify buying patterns, and then use that information to work out how to get more people to purchase their products.

Eventually, the process was redirected to identify user behavior in terms of security. It is now an invaluable tool for detecting abnormal behavior and investigating it for potential security risks. Many now advocate for its usage and, once you’ve learned about it, it’s easy to see why.

How is UBA Used in Cybersecurity?

[Figure: UBA in cybersecurity]

The main use of UBA in security analytics is to predict a potential threat before it happens, as well as to support incident response for a security threat already underway. Many security professionals have found that by focusing on the predictive capabilities of UBA, they gain actionable insight into specific potential threats rather than relying on a generalized approach.

Using UBA technology as part of a company's security involves collecting vast amounts of data on how users behave while on the company network or otherwise accessing company data.

Once this data has been collected, it must be analyzed to determine what behavior is normal for each user and what isn't. With that baseline established, abnormal user behavior can be identified quickly and monitored continually as a potential security risk.

In general, UBA solutions look for abnormal, risky, malicious, and anomalous behavior, among other things. This behavioral data is then fed into the behavioral analysis system to produce more specific threat intelligence. Because its alerts are grounded in each user's own baseline rather than in generic rules, UBA adds less noise to security intelligence and produces fewer false positives.

UBA is able to help prevent damage caused by both outsider and insider attacks. Whether it’s a hacker trying to gain access to the network or an employee who has become an insider threat, UBA technology is capable of detecting their malicious behavior and alerting those in charge of monitoring the company’s security.

A few important use cases for UBA include the following:

  • Compromised user accounts – one of the most common use cases for UBA is the event that a user's account is compromised. In this case, UBA can detect that the account is performing abnormal activities, such as accessing sensitive information that the user doesn't normally access, and then alert a security analyst for investigation.
  • Data theft – UBA is also good at preventing, or at least minimizing, data theft. It is capable of detecting when a user is downloading information that they normally shouldn't be accessing. In this case, the alert typically won't be sent until the attacker has already accessed and downloaded data, but once it has triggered, an admin will be able to shut down the account's access and prevent any further theft.
  • Compromised hosts – not only can UBA detect a compromised user account, it can also detect when a host (such as a server or a personal device) is compromised, for example by a malware infection. If the compromised host starts behaving abnormally, an alert is raised for a security analyst to investigate.
  • Insider threats – this is one of the cases in which UBA really shines. Many employees have access to crucial data as part of their normal job function, so if an employee decides to "go rogue," it is difficult to stop them from accessing that data. However, UBA is able to detect when their behavior differs from the norm (such as the user accessing the data for longer than normal or at strange times of the day), and from there the damage they cause can be minimized.
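The collect-then-baseline-then-flag-deviations process described above, applied to the use cases in this list, as an added example that is not part of the original article and is not SoftActivity's own code. It learns a per-user baseline (working window, resources touched, transfer volume) from a constructed access history, then scores new events against it; off-hours access, a never-before-seen resource, an outsized transfer and an unknown user each produce their own reason. The history, user names, resource paths and thresholds are all constructed for the illustration.

```python
"""Per-user behavioural baseline and deviation scoring over access events.

Added illustration for this article; not code from SoftActivity or any UBA
product. The history, the user names, the resource paths and the thresholds
are all constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed access history: (user, ISO timestamp, resource, bytes transferred).
HISTORY = [
    ("alice", "2024-03-04T09:12:00", "hr/payroll.xlsx", 120_000),
    ("alice", "2024-03-05T10:05:00", "hr/payroll.xlsx", 130_000),
    ("alice", "2024-03-06T14:40:00", "hr/benefits.docx", 80_000),
    ("alice", "2024-03-07T11:20:00", "hr/payroll.xlsx", 125_000),
    ("alice", "2024-03-08T16:55:00", "hr/benefits.docx", 90_000),
    ("bob",   "2024-03-04T22:10:00", "eng/build.log", 2_000_000),
    ("bob",   "2024-03-05T23:30:00", "eng/build.log", 2_500_000),
    ("bob",   "2024-03-06T21:45:00", "eng/src.tar.gz", 3_000_000),
    ("bob",   "2024-03-07T22:05:00", "eng/build.log", 2_200_000),
]

# Constructed events to score against the learned baselines.
NEW_EVENTS = [
    ("alice", "2024-03-11T10:30:00", "hr/payroll.xlsx", 118_000),       # routine
    ("alice", "2024-03-11T02:15:00", "finance/ledger.db", 45_000_000),  # 2 am, new file, huge pull
    ("bob",   "2024-03-11T22:20:00", "eng/build.log", 2_100_000),       # routine night-shift work
    ("carol", "2024-03-11T09:00:00", "hr/payroll.xlsx", 100_000),       # never seen before
]


def build_baselines(events):
    """Summarise each user's usual hours, resources and transfer volume."""
    per_user = defaultdict(list)
    for user, ts, resource, nbytes in events:
        per_user[user].append((datetime.fromisoformat(ts).hour, resource, nbytes))
    baselines = {}
    for user, rows in per_user.items():
        hours = [h for h, _, _ in rows]
        volumes = [b for _, _, b in rows]
        baselines[user] = {
            "hours": (min(hours), max(hours)),        # observed working window
            "resources": {r for _, r, _ in rows},     # everything they have touched
            "mean_bytes": mean(volumes),
            "std_bytes": pstdev(volumes),
        }
    return baselines


def score_event(baselines, event, z_threshold=3.0):
    """Return the reasons an event deviates from its user's baseline ([] if none)."""
    user, ts, resource, nbytes = event
    base = baselines.get(user)
    if base is None:
        # A user with no history cannot be compared; surface that rather than pass silently.
        return ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    lo, hi = base["hours"]
    if not lo <= hour <= hi:
        reasons.append(f"off-hours access at {hour:02d}:00 (usual window {lo:02d}-{hi:02d})")
    if resource not in base["resources"]:
        reasons.append(f"first access to {resource}")
    mean_b, std_b = base["mean_bytes"], base["std_bytes"]
    if std_b > 0:
        z = (nbytes - mean_b) / std_b
        if z > z_threshold:
            reasons.append(f"volume {nbytes} bytes is {z:.1f} std devs above the mean")
    elif nbytes > 2 * mean_b:
        # Zero variance (every past transfer identical): fall back to a plain ratio.
        reasons.append(f"volume {nbytes} bytes is more than double the usual {mean_b:.0f}")
    return reasons


def detect(baselines, events, z_threshold=3.0):
    """Produce one alert record per event that deviates from its user's baseline."""
    alerts = []
    for ev in events:
        reasons = score_event(baselines, ev, z_threshold)
        if reasons:
            alerts.append({"user": ev[0], "time": ev[1], "resource": ev[2], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(build_baselines(HISTORY), NEW_EVENTS):
        print(f"{a['user']} {a['time']} {a['resource']}: " + "; ".join(a["reasons"]))
```

Run as written, the routine events for alice and bob produce nothing, alice's 2 am pull of a file she has never touched is flagged for all three reasons, and carol is flagged for having no baseline at all. The working window is deliberately per user: bob's night-shift hours are normal for bob, which a single company-wide "after 6 pm" rule would get wrong.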

UBA and SIEM comparison

[Figure: UBA vs SIEM comparison]

Many people tend to get confused about the differences between Security Information and Event Management (SIEM) and UBA. Quite a few even think that UBA is part of SIEM. While they can work in tandem to create a more secure environment, they are still very much separate systems.

What SIEM mainly does is log and analyze things like antivirus events, authentication events, audit events, and intrusions. All of this data comes from security systems that are already in place, such as network switches, antivirus software, firewalls, and whatever intrusion detection systems are already being used. SIEM takes all of this data, analyzes it, and then monitors future events, alerting a security analyst when an abnormal event occurs within the system.

However, while SIEM collects event logs from across the entire company, UBA is focused on individual users. This typically entails keeping track of the regular activities and behavior of every user and developing a baseline of their typical behavior. If a user ever deviates from that baseline, a security officer is alerted.

It’s possible, and relatively commonplace, to have both SIEM and UBA systems interacting with one another. The usual method is to have UBA alerts piped into the SIEM system to aggregate along with all of the other events and alerts that it collects. In this way, they complement each other and work together to strengthen defenses against security threats.

Another reason to use UBA along with SIEM is that UBA works as a "catch-all" and can detect security breaches that could not previously be accounted for. This is because SIEM primarily works from rules and use cases written in advance to cover expected behavior. Since UBA monitors everything a user does, it can detect unexpected events that SIEM has no rule for.
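To make concrete both the "UBA alerts piped into the SIEM" integration and the point that a fixed SIEM rule can miss what a per-user baseline catches, here is an added example that is not code from the article, from SoftActivity, or from any SIEM vendor. It runs a static download-size rule and a per-user baseline rule over constructed download records, and renders a baseline hit as a Common Event Format (CEF) line of the kind SIEM connectors ingest. The download history, user names, thresholds, vendor and product strings and the signature id are all assumptions made for the illustration; the CEF escaping rules are the real ArcSight ones.

```python
"""Static SIEM rule versus per-user baseline, and shipping a UBA alert to the
SIEM as a Common Event Format (CEF) line.

Added illustration for this article; not code from SoftActivity or any SIEM
or UBA vendor. The download history, user names, thresholds, vendor/product
strings and signature id are constructed. CEF escaping follows the ArcSight
format: '|' and '\\' are escaped in header fields, '=' and '\\' in extension values.
"""
from statistics import median

# Constructed history of each user's past download sizes in bytes.
DOWNLOAD_HISTORY = {
    "alice": [120_000, 130_000, 80_000, 125_000, 90_000],
    "bob": [2_000_000, 2_500_000, 3_000_000, 2_200_000],
}

STATIC_THRESHOLD = 1_000_000_000  # the kind of fixed rule a SIEM use case encodes: "> 1 GB"


def static_rule(nbytes):
    """SIEM-style rule: one threshold for everybody, regardless of who they are."""
    return nbytes > STATIC_THRESHOLD


def baseline_rule(user, nbytes, history, ratio=10):
    """UBA-style rule: compare the download with this user's own median."""
    past = history.get(user)
    if not past:
        return False  # nothing learned yet; a deployment would keep learning first
    return nbytes > ratio * median(past)


def _esc_header(value):
    """Escape a CEF header field: backslash first, then the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """Escape a CEF extension value: backslash, then '=' and newlines."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(alert, vendor="ExampleUBA", product="Baseline", version="1.0"):
    """Render an alert dict as one CEF (version 0) line a SIEM connector can ingest."""
    header = "|".join(_esc_header(v) for v in (
        "CEF:0", vendor, product, version,
        alert["signature_id"], alert["name"], alert["severity"]))
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in alert["extension"].items())
    return f"{header}|{extension}"


def evaluate(user, nbytes, filename, history=DOWNLOAD_HISTORY):
    """Run both rules on one download; return (static_hit, baseline_hit, cef_line or None)."""
    static_hit = static_rule(nbytes)
    baseline_hit = baseline_rule(user, nbytes, history)
    cef = None
    if baseline_hit:
        cef = to_cef({
            "signature_id": "uba-volume-001",
            "name": "Download volume far above user baseline",
            "severity": 7,  # CEF severity runs 0-10
            "extension": {  # suser, fname, cnt and msg are standard CEF extension keys
                "suser": user,
                "fname": filename,
                "cnt": nbytes,
                "msg": f"{nbytes} bytes vs user median {int(median(history[user]))}",
            },
        })
    return static_hit, baseline_hit, cef


if __name__ == "__main__":
    # 50 MB is nothing to the fixed 1 GB rule but roughly 400x what alice normally pulls.
    print(evaluate("alice", 50_000_000, "hr/payroll_all.xlsx"))
    print(evaluate("bob", 2_400_000, "eng/build.log"))
```

The first call shows the gap the article describes: the static rule stays silent on a 50 MB download, while the per-user rule fires and emits a single CEF line that the SIEM can aggregate alongside its other events. The second call shows that the same rule treats bob's routine multi-megabyte pulls as normal, because his baseline is his own.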

Implementing User Behavior Analytics

[Figure: Implementing UBA]

Implementing UBA into an existing security system is rather simple, especially since it is designed to work alongside such systems. However, the way in which UBA is implemented depends entirely on what kind of data needs to be tracked as well as the kinds of security breaches that need to be prevented.

For a general implementation, many security vendors offer UBA software that covers most of the needs of the average company and is often customizable for companies with more unusual use cases. A lot of these UBA tools also make it easy to connect to current implementations of SIEM and other systems, such as network traffic analysis and employee monitoring software that may already be in place. Some solutions are cloud-based, and others are on-premises software.

It’s important to have a look at as many different brands of UEBA solutions as possible so that you can choose the one that will best cover your company’s security needs. The last thing you would want is to choose a UEBA solution that only monitors half of what you need it to or that won’t play well with another system that is already in place.

Once you've chosen a UEBA tool, you can begin implementing it throughout your company and start monitoring your users. However, it is always crucial to remember that monitoring is not the same as prevention. Just because you are able to monitor a user and tell that they have malicious intent, it doesn't necessarily mean you can do anything about it. UBA only tells you what you need to know; it's up to you to know what to do with that information.

Another thing to keep in mind is that most UBA solutions can take in data from other sources as well, and the more data the UBA tool has, the better it will function. One good way to make use of this is to have employee monitoring software, such as our SoftActivity, installed on users' workstations and have the data from the monitoring software sent into your UBA or SIEM system. This way, the UBA software can use that data for even more accurate analyses and risk detection.

In conclusion

UBA is still a rather nascent technique. Improvements in the areas of AI and big data will only improve UBA’s capabilities. Once it has matured, UBA will no doubt become a staple for every company’s security.

However, just because it is still somewhat new to the security scene doesn't mean that it doesn't already offer plenty of useful features and benefits for any company that puts a priority on security. The benefits of user behavior analytics are many: it can help prevent numerous kinds of attacks and other types of malicious behavior, and it already works well in tandem with other security measures. No doubt any IT security professional will find it an invaluable addition to their toolset.


By SoftActivity Team