User behavior analytics


User behavior analytics (UBA), or user and entity behavior analytics (UEBA), [1] is the concept of analyzing the behavior of users, subjects, visitors, etc. for a specific purpose. [2] It allows cybersecurity tools to build a profile of each individual's normal activity by looking at patterns of human behavior, and then to highlight deviations from that profile (anomalies) that may indicate a potential compromise. [3] [4] [5]
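The profile-then-deviation idea above can be sketched in a few lines. This is an added illustration, not code from the article or from any UBA product; the event fields, host names, the three features and the z-score limit are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline events: (user, hour_of_day, source_host, mb_uploaded)
BASELINE = [
    ("alice", 9, "ws-101", 40), ("alice", 10, "ws-101", 55),
    ("alice", 14, "ws-101", 45), ("alice", 17, "vpn-gw", 60),
    ("alice", 11, "ws-101", 50),
    ("bob", 22, "ws-207", 300), ("bob", 23, "ws-207", 340),
    ("bob", 21, "ws-207", 320), ("bob", 22, "ws-207", 310),
]

def build_profiles(events):
    """Summarise each user's own normal hours, hosts and upload volume."""
    raw = defaultdict(lambda: {"hours": [], "hosts": set(), "mb": []})
    for user, hour, host, mb in events:
        raw[user]["hours"].append(hour)
        raw[user]["hosts"].add(host)
        raw[user]["mb"].append(mb)
    return {
        user: {
            # Simplification: a min..max window, which ignores shifts that wrap midnight.
            "hours": (min(r["hours"]), max(r["hours"])),
            "hosts": r["hosts"],
            "mb_mean": mean(r["mb"]),
            "mb_std": pstdev(r["mb"]),
        }
        for user, r in raw.items()
    }

def score_event(profiles, event, z_limit=3.0):
    """Return the ways an event deviates from that user's profile ([] = normal)."""
    user, hour, host, mb = event
    profile = profiles.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    low, high = profile["hours"]
    if not low <= hour <= high:
        reasons.append("unusual hour")
    if host not in profile["hosts"]:
        reasons.append("new host")
    # Floor the spread at 1 MB so a flat baseline cannot divide by zero.
    z = (mb - profile["mb_mean"]) / max(profile["mb_std"], 1.0)
    if z > z_limit:
        reasons.append("data volume spike")
    return reasons

PROFILES = build_profiles(BASELINE)
```

A 330 MB upload at 22:00 scores as normal for `bob` but as two deviations for `alice`, which is the point of profiling each individual rather than applying one global threshold.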


Purpose of UBA

The reason for using UBA, according to Johna Till Johnson from Nemertes Research, is that "security systems provide so much information that it is tough to uncover information that truly indicates a potential for a real attack. Analytics tools help make sense of the vast amount of data that SIEM, IDS/IPS, system logs, and other tools gather. UBA tools use a specialized type of security analytics that focuses on the behavior of systems and the people using them. UBA technology first evolved in the field of marketing, to help companies understand and predict consumer-buying patterns. But as it turns out, UBA can be extraordinarily useful in the security context too." [6]

Distinction between UBA and UEBA

The E in UEBA extends the analysis to entity activities that are not necessarily tied to a specific user's actions but that can still correlate to a vulnerability, reconnaissance, intrusion breach or exploit occurrence. [2]

The term "UEBA" was coined by Gartner in 2015. UEBA tracks the activity of devices, applications, servers and data. UEBA systems produce more data and provide more complex reporting options than UBA systems. [1]

Difference with EDR

UEBA tools differ from endpoint detection and response (EDR) capabilities in that UEBA has an analytic focus on user behavior, whereas EDR has an analytic focus on the endpoint. [3] Cybersecurity solutions like EDR and XDR typically prioritize detection of and response to external threats once an incident has occurred. UEBA and IRM solutions aim to prevent potential risks internally by analyzing employee behavior.


Related Research Articles

SANS Institute: American security company

The SANS Institute is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and auditing. The information security courses are developed through a consensus process involving administrators, security managers, and information security professionals. The courses cover security fundamentals and technical aspects of information security. The institute has been recognized for its training programs and certification programs. As of 2021, SANS is the world's largest cybersecurity research and training organization. SANS is an acronym for SysAdmin, Audit, Network, and Security.

Packet analyzer: Computer network equipment or software that analyzes network traffic

A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance that can analyze and log traffic that passes over a computer network or part of a network. Packet capture is the process of intercepting and logging traffic. As data streams flow across the network, the analyzer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.

An intrusion detection system is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically either reported to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

The Clark–Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.

Defense in depth is a concept used in information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited; the layers can cover aspects of personnel, procedural, technical and physical security for the duration of the system's life cycle.

Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. Log data is composed of entries (records), and each entry contains information related to a specific event that occurs within an organization's computing assets, including physical and virtual platforms, networks, services, and cloud environments.

Network behavior anomaly detection (NBAD) is a security technique that provides network security threat detection. It is a complementary technology to systems that detect security threats based on packet signatures.

Splunk: American technology company

Splunk Inc. is an American software company based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated data via a web-style interface. Its software helps capture, index and correlate real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards and visualizations.

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is the core component of any typical Security Operations Center (SOC), which is the centralized response team addressing security issues within an organization.

Information security operations center: Facility where enterprise information systems are monitored, assessed, and defended

An information security operations center is a facility where enterprise information systems are monitored, assessed, and defended.

Sqrrl: Cyber security company

Sqrrl Data, Inc. is an American company founded in 2012 that markets software for big data analytics and cyber security. The company has roots in the United States Intelligence Community and National Security Agency. Sqrrl was involved in the creation of, and actively contributes to, Apache Accumulo and other related Apache projects. Sqrrl's primary product is its threat hunting platform, designed for active detection of advanced persistent threats.

Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. The connection of endpoint devices such as laptops, tablets, mobile phones, Internet-of-things devices, and other wireless devices to corporate networks creates attack paths for security threats. Endpoint security attempts to ensure that such devices follow a definite level of compliance to standards.

Cyber threat hunting is a proactive cyber defence activity. It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions." This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat.

Endpoint detection and response (EDR), also known as endpoint threat detection and response (ETDR), is a cybersecurity technology that continually monitors an "endpoint" to mitigate malicious cyber threats.

Extended detection and response (XDR) is a cybersecurity technology that monitors and mitigates cyber security threats.

Interactive application security testing is a security testing method that detects software vulnerabilities by interaction with the program coupled with observation and sensors. The tool was launched by several application security companies. It is distinct from static application security testing, which does not interact with the program, and dynamic application security testing, which considers the program as a black box. It may be considered a mix of both.

Privileged Access Management (PAM) is a type of identity management and branch of cybersecurity that focuses on the control, monitoring, and protection of privileged accounts within an organization. Accounts with privileged status grant users enhanced permissions, making them prime targets for attackers due to their extensive access to vital systems and sensitive data.

Security orchestration, automation and response (SOAR) is a group of cybersecurity technologies that allow organizations to respond to some incidents automatically. It collects inputs monitored by the security operations team such as alerts from the SIEM system, TIP, and other security technologies and helps define, prioritize, and drive standardized incident response activities.

Identity threat detection and response (ITDR) is a cybersecurity discipline that includes tools and best practices to protect identity management infrastructure from attacks. ITDR can block and detect threats, verify administrator credentials, respond to various attacks, and restore normal operations. Common identity threats include phishing, stolen credentials, insider threats, and ransomware.

Network detection and response (NDR) refers to a category of network security products that detect abnormal system behaviors by continuously analyzing network traffic. NDR solutions apply behavioral analytics to inspect raw network packets and metadata for both internal (east-west) and external (north-south) network communications.

References

  1. "What is User (and Entity) Behavior Analytics (UBA or UEBA)?". Security. Retrieved 2023-05-05.
  2. Mike Chapple, James Michael Stewart, Darril Gibson (June 2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (9th ed.). Wiley. p. 49. ISBN 978-1-119-78623-8.
  3. Mike Chapple, James Michael Stewart, Darril Gibson (June 2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (9th ed.). Wiley. p. 1009. ISBN 978-1-119-78623-8.
  4. Market Guide for User Behavior Analytics
  5. The hunt for data analytics: Is your SIEM on the endangered list?
  6. User behavioral analytics tools can thwart security attacks