User Entity Behavior Analytics (UEBA)

A gentle introduction to Advanced Persistent Threats (APT) and why detection, rather than prevention, is key to a robust cyber security system

What is User Entity Behavior Analytics?

Simply put, UEBA is a type of cyber security process that uses machine learning to model normal user behavior on corporate systems and detects anomalous behavior that could signify a security breach. UEBA solutions have three main components.

  1. Data Analytics: Gathers information on the expected behavior of users, which is then processed to establish a baseline of user behavior through patterns. After this, UEBA solutions continuously monitor and compare user behavior to baseline, using machine learning and statistical analyses to detect any abnormal behavior which could be indicators of a cyberattack. For example, a user regularly downloads 20 MB of files every day but suddenly downloads terabytes of data, the system would detect this anomaly and alert the user immediately.

  2. Data Integration: With existing security systems, UEBA systems can aggregate and compare data from diverse sources – logs, packet capture data, and other datasets. They can also analyze file, flow, and packet information.

  3. Data Presentation: UEBA systems communicate their findings via issuing a request for a security analyst to investigate unusual behavior.


Let’s begin with understanding Advanced Persistent Threat (APT)- these represent the most threatening attack to modern organizations. APTs are attacks where motivated and knowledgeable cyber attackers target an organization and spend a significant amount of time customizing the attack to be successful. The goal of an APT attack is to steal information from an organization while remaining undetected, thus allowing continuous exfiltration of data over a long period of time. Attackers often bypass the Current Intrusion Detection System (IDS) by performing surveillance and targeting users, rather than the systems the IDS focus on protecting.

With the rise in APTs, today’s cyber security tools are fast becoming obsolete, and cyber attackers can now bypass the security systems that most companies use. Web gateways, firewalls, and intrusion prevention tools provided sufficient security in the past. It is no longer the case in today’s complex and interwoven threat landscape. This is especially true for giant corporations that are proven to have very permeable IT perimeters that are also difficult to monitor and oversee.

In UEBA, you do not track devices or security events; instead, you monitor all the users and entities in your system. As such, UEBA focuses on insider threats- devious employees, compromised users, and people who already have access to your system, who then carry out targeted attacks and fraud attempts. It also tracks servers, applications, and devices working within your system.

In conclusion? Preventive measures are no longer enough. Firewalls will not be 100% foolproof- hackers and attackers will breach the system at one point. Then, detection becomes equally essential: when attackers do get into a system, their presence has to be detected quickly to minimize the damage.

“The value of UEBA, then, is not that it prevents hackers or insiders from accessing critical systems. Instead, UEBA systems can quickly spot when this has happened and alert you to the risk.”- Varonis


Many use cases could benefit from UEBA- e-commerce, finance, and banking applications and services using Personal Identifiable Information (PII) are good examples. As such, UEBA is a crucial component of IT security, allowing you to:

  • Identify insider access abuse or malicious insiders performing risky activities outside their normal behavior. It also helps detect lateral movement of adversaries who have gained low-level employee credentials within the environment.

  • Detect threat activities across multiple domains, such as servers and network devices, not just user accounts.

  • Prioritize incidents by reducing false positives.

  • Be alerted when proprietary data is being moved within the environment or transferred out through Data Loss Prevention (DLP) and Data Exfiltration Detection.

  • Identify unusual usage via Executive Asset and IoT Entity Monitoring which automatically set up baseline behavior models for sensitive executive systems and an unlimited number of IoT devices

Machine Learning and User Entity Behavior Analytics

UEBA relies on statistical modeling and machine learning (ML) techniques. These solutions can provide a great deal of support to cybersecurity or IT teams. While current Machine Learning needs to advance much farther before it can be used for threat detection autonomously without human intervention, there are many tasks it can handle to strengthen security.

UEBA is focused on modeling behaviors to improve confidentiality, integrity, or availability within cybersecurity contexts. It is usually addressed like a classification problem. In particular, it is tackled as an outlier detection problem (using ML terminology) or as an anomaly detection problem (using cybersecurity terminology).

History of Machine Learning research on UEBA

To date, the works can be categorized according to the analyzed subject- a user or an entity. The first group of works, proposing new ways of analyzing users’ behavior, can be categorized depending on the used device- the most common means to obtain up-to-date and accurate human behavior features. These devices are, typically, personal computers or smartphones, but any device from which behavioral metrics could be extracted (e.g., smartwatches or tablets) works. Keystroke or mouse dynamics are used to model the behavior of personal computers, while sensors information (e.g., gyroscope, accelerometer, and touchscreen) are selected when using portable devices.

Moreover, the devices considered are usually connected to a network. The characteristics of the sent or received packages and information regarding network protocols at different layers or metadata can help when modeling users’ behavior. This can be observed in works focused on identifying users while surfing the Internet, which have as their primary objectives personalized advertising or security.

Works analyzing Users vs. Works analyzing Entities

This first group analyzing users relies on some kind of behavioral fingerprint– a detailed, nearly unique, difficult to fake, and durable over time identifier or marker. These fingerprints are typically used in research focused on intrusion detection or other application domains requiring comparing users or normal/abnormal behaviors. On the other hand, additional works focusing on authentication or continuous authentication do not need to build this identifier.

The second group analyses the behavior of entities, and its popularity is growing due to the Internet of Things (IoT). Again, different groups in this category attend to the considered device. In this case, a sensor, an actuator, a hub, and a controller. Various behavior features can be analyzed, although in this case, they are always related to network traffic, protocols, load, etc. Some works rely on a fingerprint characterizing each device’s behavior, while others do not need this kind of identifier.

A significant difference with the first group of works is the resource constraints of the devices. This prevents, in many cases, UEBA techniques from executing on their device. Processing and computation need to be subsequently offloaded to a full-resource external server (which is not usual in works focused on UEBA).

However, the two groups, those who analyze users and those who study entities, have more aspects in common. Firstly, the application domains already mentioned, such as identification, authentication, or intrusion detection. Secondly, the revisited works are primarily based on specific technological stacks and significant assumption sets. In other words, they are not very portable or reproducible in contexts different from which they were initially proposed.

UEBA Workflow


UEBA is applied to use cases requiring fine-tuned context and analytics, including:

  • Malicious Insiders

  • User Account access monitoring

  • APT groups leveraging zero-day vulnerabilities

  • Data exfiltration involving novel channels

Because they involve a shifting attack surface, US-based research company Gartner notes that machine learning is crucial to formulate a baseline derived from “interactions between all users, systems, and data.” But as ML researchers have often said, there’s no simple approach to calculating these baselines.

But as even the biggest ML-based analytics boosters show- there are limits. They are difficult to optimize and can lead to too many false positives. This means the algorithms are too sensitive- they alert in situations that may be unusual but are not abnormal or indicative of an attacker or insider breach.

For instance, perhaps a banker had to work overtime to close a deal and accessed hundreds of documents. And UEBA clustering algorithms found this employee’s actions abnormal and locked his account- causing a critical project to be delayed.

A sample clustering algorithm used in UEBA


Security Information and Event Management uses a complex set of tools and technologies that provide an exhaustive view of the security of an IT system. It uses data and event information, lets you see normal patterns and trends, and alerts you when anomalous events and trends occur. UEBA functions on the same principles – it also uses user (and entity) behavior information to identify what’s normal and not.

SIEMs typically lack intelligent and effective threat detection and response. They focus more on real-time attacks than extended threats and can be bypassed by ATPs easily. In contrast, UEBA solutions can detect threats that may occur over a much more extended period and be markedly more dangerous. By using both these solutions in conjunction, organizations are capable of defending against attacks much more effectively.

By focusing more on specific user activities and less on system events, UBA builds an employee profile based on their usage patterns and sends out an alert in case of abnormal behavior. Typically UEBA alerts can be sent via SMS, email, or even be piped into your SIEM.


  • Compliance reporting

  • Event Monitoring– data access, access activity, application activity, and event management

In conclusion, SIEM and UEBA both have significant use cases to help an organization meet its security and business needs. Because insider attacks are real and costly, UEBA becomes a critical complement to SIEM.


  • Organizations should use UEBA tools and processes to complement earlier monitoring systems and enhance a company’s overall security

  • Another great practice is to harness the computational and storage powers of big data, using statistical analysis combined with machine learning to prevent getting an avalanche of unactionable alerts and becoming overwhelmed with the large data volumes

  • By gaining insights into user and entity behavior and taking a more proactive approach to security, enterprises can build a more robust security solution and fully harness the power of machine learning to mitigate threats and prevent security breaches effectively.


UEBA can be a powerful complement to a cybersecurity solution. It provides a novel way to perform threat detection and complement intrusion protection systems. UEBA systems also demonstrate the patterns of suspicious activity – becoming a valuable tool for training new security engineers. Ultimately, however, UEBA systems are not an elixir for cybersecurity. When incorporated within a fully-featured Threat Detection solution, UEBA systems can exponentially increase detection rates and responses to cyberattacks, along with spotting threats that traditional products miss.