What is UEBA?

User and entity behavior analytics (UEBA) helps reduce risks by identifying atypical, suspicious behaviors.

Learning Objectives

After reading this article you will be able to:

  • Define ‘UEBA’
  • Understand how UEBA works
  • Identify the key use cases and benefits for UEBA


What is UEBA?

User and entity behavior analytics (UEBA) is a set of cyber security capabilities that employs data analytics and machine learning (ML) to detect unusual, potentially dangerous behavior by users, devices, and other entities. Coined by Gartner in 2015, the term expands the concept of user behavior analytics (UBA), adding the behavior of devices and entities, which might range from servers and routers to smartphones and Internet of Things (IoT) devices.

UEBA determines typical user and device behavior, identifies deviations from that behavior, and scores deviations according to their security risk. So, for example, an employee might typically log into cloud email every morning at 8:00 am PT from San Francisco. If that same employee logs into a customer database from London just a few hours later, and starts downloading large amounts of sensitive and proprietary information, UEBA would identify this as anomalous and potentially high-risk behavior.

By scrutinizing a full range of behaviors and spotlighting divergences from what is typical, UEBA can play a vital role in an organization’s threat-hunting and risk management efforts. UEBA can augment existing security capabilities, support a Zero Trust security model, and help organizations maintain compliance with regulatory requirements.

How does UEBA work?

UEBA capabilities first establish a baseline for typical user and device behavior by looking at a wide range of data, such as:

  • user activity — login attempts, file access, application usage, and system commands
  • network traffic — like source and destination IP addresses, ports, and protocols
  • authentication data — login successes and failures

That data can come from a variety of platforms or tools, including: secure web gateways, Zero Trust Network Access services, data loss prevention (DLP) services, firewalls, routers, VPNs, identity and access management (IAM) solutions, intrusion detection and prevention systems (IDPS), antivirus software, and authentication databases, among other sources. These security services and solutions might be part of secure access service edge (SASE) and security service edge (SSE) platforms.

ML capabilities learn from continuously ingested data and refine the baseline of behavior over time. (Cloudflare uses a similar approach for bot management, measuring typical behavior on a web application and then comparing new interactions against that baseline to identify bots.)

While collecting and analyzing data, UEBA models can detect any behavior that deviates from normal patterns or an organization’s security policies. For example, these capabilities would notice if a user logs in from a different location than normal, at an atypical time. This behavior might indicate that an employee’s credentials have been stolen.

When UEBA capabilities identify any unusual or suspicious behavior, they assign a risk score to the user or device based on the risk the behavior represents to the organization. A few failed login attempts during the workday might receive a low score — a user probably forgot a password. But other deviations in behavior could signal account compromise, company policy violations, or a data breach. Examples of risky behaviors that could trigger risk mitigation actions include:

  • Impossible travel: When a user completes logins from two different locations in a period of time in which the travel between them is not physically possible (e.g., employee “Alice” in New York logs into her organization’s payroll system, but a few minutes later logs into its cloud productivity suite from Sydney)
  • Data loss prevention (DLP) violations: When confidential business information, personally identifiable information (PII), or other sensitive data is mishandled (for instance, if an employee uploads proprietary company data into a third-party AI chatbot)
  • Use of risky devices: Such as remote employees using laptops that don’t have the latest OS updates, or the use of routers with unpatched vulnerabilities
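The baseline-then-score loop described above, as an added example that is not Cloudflare's code or any product's detection logic: historical login events are used to learn each user's usual hours, locations, applications and download volumes; new events are scored against that baseline, including the impossible-travel check from the list. The users, cities, timestamps, point values and the 900 km/h travel threshold are all constructed for illustration.

```python
"""Toy UEBA pipeline: learn a per-user baseline, then score new events.

Added example with constructed data; not Cloudflare's code. Point values
and thresholds are illustrative assumptions, not a vendor's scoring model.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import mean

# Constructed (lat, lon) pairs so impossible travel can be computed offline.
CITIES = {
    "San Francisco": (37.77, -122.42),
    "New York": (40.71, -74.01),
    "London": (51.51, -0.13),
    "Sydney": (-33.87, 151.21),
}
MAX_TRAVEL_KMH = 900.0  # assumption: faster than an airliner => impossible


@dataclass
class Event:
    user: str
    ts: datetime
    city: str
    app: str
    download_mb: float = 0.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def build_baseline(history):
    """Learn what 'normal' looks like for each user from past events."""
    base = defaultdict(lambda: {"hours": set(), "cities": set(), "apps": set(), "mb": []})
    for e in history:
        b = base[e.user]
        b["hours"].add(e.ts.hour)
        b["cities"].add(e.city)
        b["apps"].add(e.app)
        b["mb"].append(e.download_mb)
    return base


def score_events(baseline, history, events):
    """Score new events: 0 matches the baseline, higher is more suspicious."""
    last_seen = {}  # user -> most recent event, for the impossible-travel check
    for e in sorted(history, key=lambda x: x.ts):
        last_seen[e.user] = e
    results = []
    for e in sorted(events, key=lambda x: x.ts):
        b = baseline.get(e.user)
        reasons, score = [], 0
        if b is None:
            reasons.append("no baseline for user"); score += 20
        else:
            if e.ts.hour not in b["hours"]:
                reasons.append("atypical hour"); score += 10
            if e.city not in b["cities"]:
                reasons.append("new location"); score += 20
            if e.app not in b["apps"]:
                reasons.append("new application"); score += 15
            if e.download_mb > 3 * mean(b["mb"]) + 10:  # 3x usual volume plus slack
                reasons.append("unusual download volume"); score += 30
        prev = last_seen.get(e.user)
        if prev and prev.city != e.city:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(CITIES[prev.city], CITIES[e.city])
            if hours <= 0 or km / hours > MAX_TRAVEL_KMH:
                reasons.append("impossible travel"); score += 50
        last_seen[e.user] = e
        results.append({"user": e.user, "ts": e.ts.isoformat(),
                        "score": min(score, 100), "reasons": reasons})
    return results


# Constructed history: three quiet days of Alice (New York) and Bob (San Francisco).
SAMPLE_HISTORY = []
for day in (5, 6, 7):
    SAMPLE_HISTORY += [
        Event("alice", datetime(2024, 6, day, 8, 0), "New York", "payroll", 2.0),
        Event("alice", datetime(2024, 6, day, 8, 30), "New York", "email", 1.0),
        Event("bob", datetime(2024, 6, day, 9, 0), "San Francisco", "email", 0.5),
    ]

# Constructed new events: one normal Alice login, then the article's scenarios.
SAMPLE_EVENTS = [
    Event("alice", datetime(2024, 6, 10, 8, 5), "New York", "payroll", 1.0),
    Event("alice", datetime(2024, 6, 10, 8, 20), "Sydney", "cloud-suite"),        # impossible travel
    Event("bob", datetime(2024, 6, 10, 9, 30), "San Francisco", "email", 0.5),
    Event("alice", datetime(2024, 6, 11, 23, 0), "London", "customer-db", 500.0),  # late, new place, bulk download
]


def run_demo():
    return score_events(build_baseline(SAMPLE_HISTORY), SAMPLE_HISTORY, SAMPLE_EVENTS)


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The London event scores high on four independent signals yet is not flagged as impossible travel, because more than a day separates it from the Sydney login; the Sydney login is flagged because fifteen minutes is far too short for the distance from New York. Real deployments replace the fixed point values with models trained on far more features, but the structure (baseline, deviation, score) is the same.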

UEBA use cases

UEBA can support several tactical and strategic use cases.

  • Zero Trust security: Zero Trust is an IT security model that verifies the identity of every person and device trying to access apps or data on a corporate network. UEBA capabilities could supplement — or be a component of — a Zero Trust Network Access (ZTNA) solution. With UEBA capabilities, security teams can see who is accessing the network, what devices they are using, and whether the users and devices are violating any policies. Teams can grant access based on the context of a request and the assessment of whether a request aligns with typical user behaviors.
  • Compromised endpoints: Attackers might find ways to infiltrate mobile or IoT devices, which are often less protected than enterprise servers or apps. By monitoring device behavior, UEBA can uncover compromised devices before attackers can penetrate deeper into the corporate network.
  • Insider threats: Behavior analytics can help identify malicious insiders — such as users attempting to attack a corporate network or steal sensitive data. At the same time, UEBA can help determine when a user’s credentials or devices have been compromised: for example, through a phishing attack or device theft. UEBA can spot atypical behavior, even when legitimate credentials have been employed.
  • Regulatory compliance: An organization could implement UEBA to help maintain compliance with standards or regulations, such as the regulations that govern IT security and data privacy for financial services or healthcare organizations. By identifying user and device behaviors that deviate from established policies or norms, UEBA could spot issues before the organization jeopardizes compliance with critical rules and regulations.

What are the benefits of UEBA?

Implementing UEBA can benefit organizations in multiple ways.

  • Reduced risk: Because UEBA can be applied to any users and devices connected to a network, it can help reduce risks even as an organization’s attack surface expands. UEBA can analyze user behaviors whether employees are working from home, the office, or elsewhere. Meanwhile, it can also potentially monitor the behavior of devices anywhere: for instance, servers and routers in corporate data centers, IoT devices in factories, or medical devices in hospitals.
  • Improved threat detection: UEBA can help identify and stop multiple types of threats, including insider threats, compromised accounts, brute force attacks, distributed denial-of-service (DDoS) attacks, and others.
  • Less need for manual analysis: ML and automation capabilities help reduce the time-consuming security operations (SecOps) team work of analyzing log data to identify legitimate threats. IT and security team members can focus on other tasks.
  • Sustained compliance: UEBA enables organizations to maintain compliance by identifying problematic behaviors quickly, before they lead to large-scale breaches. Through continuous monitoring and analysis, organizations can also streamline auditing and potentially avoid expensive, large-scale remediation efforts.
  • Lower costs: By identifying threats early, organizations can avoid the high costs of breaches.

What are the drawbacks of UEBA?

Though there are many potential benefits from implementing UEBA, organizations should also be aware of possible drawbacks. For example:

  • Costs: Some standalone UEBA solutions might be too expensive for small and medium-sized businesses.
  • Complexity: While ML and automation capabilities reduce the need for human analysis of event logs, setting policies and fielding alerts still requires security analysts.
  • Limitations: UEBA can identify a wide range of threats, but it still should be integrated with other capabilities for more comprehensive, unified risk management.

How UEBA complements SIEM

UEBA capabilities complement security information and event management (SIEM) solutions by offering:

  • Focus on users: While SIEM analyzes events, UEBA examines the behavior of users and devices, which can help assess user risks and detect insider threats.
  • Long-term threat tracking: SIEM identifies security events in real time. UEBA complements that work by identifying long-term, evolving threats through monitoring and scoring ongoing behavior.
  • Continuous learning and adaptation: UEBA uses behavioral analytics and ML to facilitate learning and adaptation over time. As a result, UEBA models can enhance SIEM capabilities by surfacing new and emerging threats without analysts having to write a detection rule for each one in advance, although tuning the models and triaging their alerts still requires people.

Combining SIEM and UEBA capabilities can improve visibility into security and strengthen an organization’s ability to identify and stop threats while also maintaining compliance. Several SIEM solutions incorporate UEBA capabilities.

UEBA vs. EDR

UEBA and endpoint detection and response (EDR) solutions have several similarities. Both monitor a range of endpoints, including desktops, laptops, smartphones, and IoT devices. In addition, EDR solutions, like UEBA, can use behavioral analytics and ML to detect atypical, suspicious behavior.

However, UEBA can also complement and expand the functionality of EDR solutions by analyzing endpoint users’ behaviors.

Does Cloudflare support UEBA?

UEBA is a key component of Cloudflare for Unified Risk Posture — a suite of capabilities that converges SASE and web application and API protection (WAAP) security solutions through a single platform.

Cloudflare enables enterprises to implement automated, dynamic risk posture evaluation, exchange, and enforcement across their expanding attack surface — while reducing management complexity.

Learn more about Cloudflare for Unified Risk Posture.