User and Entity Behavior Analytics

Uncovering unknown threats in an enterprise environment might be one of the most significant challenges that security operations centers have to handle. To target possible attack vectors and fraudulent activities, arising in connection with malicious user behavior, companies usually employ a variety of different security tools, covering threats emerging from different locations (e.g., endpoint or network communication). For defeating massive campaigns and gaining a general overview of all activities happening within the enterprise, however, the ability to combine all relevant security data across all products and systems employed has become a crucial task for modern SOCs.

With the implementation of SIEMs, it is possible to create a dedicated, unified system for log correlation and event analysis tasks. Still, even in an extensive, but orderly security environment, common security platforms lack the functionality to contextualize events and discover previously unknown threats–. Ultimately, most current IT security solutions only react based on already known risks. In a recent trend that promises to bypass the typical boundaries in static setups, attention has shifted to security algorithms that actively learn a user’s behavior (in the context of human users, machine accounts, and further assets) in order to reliably detect diverging activities. Products that incorporate the relevant functions are summarized under the term UEBA (User and Entity Behavior Analytics).

Information Sources

To achieve a contextualization of single data points, UEBA solutions require the acceptance of entity information coming from dissimilar sources. A mapping of separate entities across multiple sources is crucial for the successful operation of a UEBA solution. Still, data sources do not necessarily need to include security products, since HR systems or physical access control systems, among others, can provide valuable context for analysis.

The most comprehensive data source is an enterprise directory service, as it encompasses the creation and management of unique identities, their email accounts and access to network assets. Connecting a UEBA system to a directory service allows for an analysis of peer groups and the structure of employees under the assumption that such data are included and maintained. Thus, the individual baseline of behavior calculated per user is compared to users in a similar position.

Besides user account and authentication information, UEBA products can often incorporate and leverage network data to gain insight into actions carried out after access to certain assets or to inspect a single user’s traffic for suspicious behavior. Usually, already-in-place network monitoring and control solutions provide that information, such as proxy infrastructures, firewalls, and VPN gateways. For an in-depth inspection of traffic, UEBA products require logs that include the corresponding information, for example, obtained from SSL-intercepting proxy configurations. In most cases, UEBA products leverage exposed APIs of SaaS applications; usually, those are the same as those used by CASBs (Cloud Access Security Brokers). The logs provided can deliver insight into the accessed information, manipulated documents and the removal of assets stored in the cloud. That information is crucial regarding data-loss-use cases, threats emerging on account take-over and malicious insider activities.

Data gathered can often be related to a malware infection of the user’s endpoint. As a result, the ingestion of information from endpoint security tools, either anti-virus products or Endpoint Detection and Response (EDR) solutions, can augment previous or ongoing malicious activities of single entities. The ingestion of such data provides the advantage of gathering broad information on a single device without the need for additional agent installations.

Even though the installation of additional endpoint agents is not favorable during the rollout of UEBA solutions, there are products that either provide this mode of operation as a further measure or that strictly require the deployment of those agents to operate successfully. That way, the products can directly gain information from monitored assets and can compute the risk of each connected account. In addition, by leveraging agents, the systems can point out to the user the policy-violating behavior or prevent and block malicious actions entirely. The traceability of alerts is as well enhanced generally, as malicious activities are proved through the taking of screenshots or video captures. Those features might be restricted, however, due to local law.

Analytical Approaches

Traditional SIEM solutions only leverage statically-defined sets of rules for identifying and alerting about potential threats. The basis for anomaly detection in modern UEBA solutions typically combines two dissimilar technologies: a) detection through pre-trained models with thresholds set by baselining and b) detection through static content (e.g., known-bad domains, malicious domains or traffic patterns). The two mentioned detection technologies are combined to assess an individual entity’s risk level.

While static-content-based detection has matured and evolved over the years (for example by combining live threat intelligence feeds and fuzzy matching), detection approaches with modeled behavior are different from previously known methods. A common misconception is that UEBA solutions are generic machine-learning engines that search for patterns across all entity attributes. Such an approach would lead to unacceptably long baselining durations and, potentially, high false-positive rates. Instead, vendors ship their products with pre-trained machine-learning models, often classified in categories like “Insider Threat”, “Compliance Violation” or “Malware Detection”. Those models only correlate a subset of ingested indicators and analyze them on the basis of a pre-modeled and known-bad behavior. In a productive application of a UEBA system, the products usually require a determined timeframe for adapting the model’s configuration parameters according to the individual environmental conditions. As a result, a set of configured parameters is generated for different entities, peer groups, and business units. Eventually, these models are applied to subsequent events for threat detection. During operation, the systems continuously refine their detection results based on frequently-observed user actions, leading to automatic parameter adjustments within the leveraged threat model. Customers can moreover influence the weighting of single models to the cumulative entity risk score.


The successful implementation of a UEBA system depends on multiple preconditions. The quality and quantity of available enterprise data sources are the primary influencers for the achievable detection results. Especially logs from Active Directory, proxy and firewall systems provide great insight into entity behavior.

Further log sources, like endpoint protection and DNS logs, can improve detection capabilities significantly. The more log sources that are available, the more vendor-supplied models that may be used for detection. Since UEBA products can ingest a massive amount of data, it is necessary to provide consolidated and rehashed logs to achieve an optimized signal-to-noise ratio. Customers may also benefit from an already-in-place SIEM system that pre-filters and summarizes incoming information and can be used as the single source of information. To allow for peer group assignments and a detailed depiction of the company’s corporate structure, access to a well-maintained directory service or HR management system is required.

Challenges during implementation, especially on the German market, may arise with regard to the protection of employee privacy. Also, in a plug-and-play scenario, UEBA products will not surpass the detection rates of in-place SIEM solutions, since they require tailoring of the incorporated models towards enterprise environments on multiple levels. Even though the systems offer capabilities for replacing SIEMs with a more flexible approach, the often-promoted image of general machine learning applications to uncover unknown threats does not hold in the end.

Who we are
The “Technology Scouting & Evaluation” (TSE) service identifies and evaluates promising IT security solutions. With this service, DCSO supports companies in staying ahead of a dynamic and ever-changing market. The centralized and unbiased evaluation process is supplemented with the experience of all community members.