
What Is UEBA?

User and Entity Behavior Analytics (UEBA) is used to detect abnormal behaviors of users and network entities — such as network devices, processes, and applications — determine whether the abnormal behaviors pose security threats, and alert O&M personnel in a timely manner. By building on the existing network security systems or solutions of enterprises, UEBA can enhance enterprise security, address weaknesses of traditional security systems or solutions, and reduce security risks. In actual applications, UEBA is deployed with other security systems or solutions for better security and detection performance.

Principles of UEBA

As its concept implies, UEBA can detect abnormal behaviors both for users and entities. The following two examples will walk you through the functions of UEBA.

An enterprise employee typically works from 8:00 a.m. to 5:00 p.m. every day, sending dozens of files of less than 100 MB. However, on one occasion, the employee worked until 11:00 p.m. and sent files that exceeded 100 GB. UEBA considered this behavior abnormal and generated an alarm. If automatic response and handling functions are deployed to isolate office devices, the employee can be prevented from connecting to the network, and all account permissions of the employee are then locked. The employee can be granted permissions again after the O&M personnel handle the exception.

Compared with abnormal behaviors of users, abnormal behaviors of entities are not easy to detect, and are sometimes ignored even after being detected. For example, an enterprise server that provides services for external users usually receives very few access requests during early morning hours. However, the number of requests unexpectedly surged one day, and the server began transferring files with other servers on the network. In this case, it is likely that UEBA would generate an alarm. Without UEBA, this abnormal behavior would neither trigger alarms nor be intercepted, because traditional security devices mainly focus on the security of the network perimeter. This blind spot brings great risks to enterprises' network security.

Using artificial intelligence and machine learning algorithms, UEBA can detect abnormal behaviors of users and entities on the network. Specifically, UEBA first collects data about user and entity activities and analyzes the data to establish a baseline of user and entity behavior patterns. Then UEBA continuously monitors user and entity behaviors, compares current behaviors against the baseline, calculates a risk score, and determines whether behavioral deviations are acceptable. If the risk score exceeds a certain threshold, UEBA sends an alarm to the user in real time.

The risk score is based on factors such as threat severity and urgency, helping O&M personnel identify threats that need to be preferentially handled and thereby improve threat handling efficiency. For example, if a user fails to log in multiple times, a low risk score is assigned; if a user sends files larger than 10 GB and containing sensitive words in their names, a high risk score is assigned.
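The baseline-and-scoring loop described above, together with the employee scenario (8:00 a.m. to 5:00 p.m., files under 100 MB versus an 11:00 p.m. 100 GB transfer) and the weighting examples (repeated failed logins scored low, files over 10 GB with sensitive words in their names scored high), as an added illustration that is not code from the page or from any vendor's product. The event fields, weights, threshold and sample events are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not from the page): one employee's ordinary
# working-hours file transfers, used to learn the per-user baseline.
BASELINE_EVENTS = [
    {"user": "alice", "hour": h, "bytes": b, "device": "pc-01",
     "name": "report.docx", "failed_logins": 0}
    for h, b in [(9, 20e6), (10, 50e6), (11, 30e6), (14, 80e6), (15, 10e6), (16, 60e6)]
]
SENSITIVE_WORDS = ("confidential", "salary", "secret")  # assumed word list
ALARM_THRESHOLD = 50                                     # assumed cut-off

def build_baseline(events):
    """Per-user baseline: usual hours, transfer-size statistics, known devices."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    baseline = {}
    for user, evs in by_user.items():
        sizes = [e["bytes"] for e in evs]
        baseline[user] = {
            "hours": {e["hour"] for e in evs},
            "mean_bytes": mean(sizes),
            "std_bytes": pstdev(sizes) or 1.0,   # avoid division by zero
            "devices": {e["device"] for e in evs},
        }
    return baseline

def risk_score(event, baseline):
    """Sum deviation-from-baseline factors and fixed-weight factors; cap at 100."""
    b = baseline.get(event["user"])
    if b is None:
        return 50, ["no baseline for this user yet"]
    score, reasons = 0, []
    if event["hour"] not in b["hours"]:
        score += 20; reasons.append("outside usual working hours")
    z = (event["bytes"] - b["mean_bytes"]) / b["std_bytes"]
    if z > 3:
        score += min(40, int(z)); reasons.append(f"transfer {z:.0f} std devs above baseline")
    if event["device"] not in b["devices"]:
        score += 15; reasons.append("device never seen for this user")
    if event["failed_logins"] >= 3:
        score += 10; reasons.append("repeated failed logins (low weight)")
    if event["bytes"] > 10e9 and any(w in event["name"].lower() for w in SENSITIVE_WORDS):
        score += 60; reasons.append("file over 10 GB with sensitive words in name (high weight)")
    return min(score, 100), reasons

EXAMPLE_BASELINE = build_baseline(BASELINE_EVENTS)

def evaluate(event, baseline=EXAMPLE_BASELINE):
    """Return the score, whether it crosses the alarm threshold, and why."""
    score, reasons = risk_score(event, baseline)
    return {"user": event["user"], "score": score,
            "alarm": score >= ALARM_THRESHOLD, "reasons": reasons}
```

Each reason string is kept with the score so that O&M personnel can see which factors drove the alarm rather than only a number.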

To ensure the accuracy of the generated baseline, UEBA obtains data from as many sources as possible, including:

  • Log information from devices such as firewalls, routers, and servers.
  • Data from other security solutions or tools, such as SIEM.
  • User account and authorization information from the access control and identity authentication system.
  • Employee information from the enterprise's management system.
  • User information from social platforms and software.

After the baseline is generated, UEBA proves to be particularly effective in identifying internal threats that are often difficult to detect. If attackers obtain the account permissions of enterprise employees or the employees themselves engage in malicious activities, they may not require malicious software. In such cases, UEBA is crucial as it can detect the malicious behaviors by attackers or enterprise employees that inevitably deviate from the normal behavior baseline. For example, if an attacker or enterprise employee intends to steal key internal data of the enterprise, they would require access to a highly-confidential system or file. This behavior may be assigned a high risk score by UEBA, which would immediately generate an alarm upon detecting this anomaly.

Functions of UEBA

Similar to many emerging security technologies, UEBA has emerged mainly because encryption products (such as VPNs) and traditional security products, such as web gateways, firewalls, and intrusion detection systems, fail to protect enterprises from intrusions. Malware is no longer the sole means of attacking victims' networks and devices. Social engineering and phishing are also used to deceive victims into clicking malicious links, downloading malware, and entering personal account passwords. Once the attack is successful, the attacker can access the victim's network, steal key data, and launch a series of attacks, causing huge losses. This is where UEBA comes in. Although UEBA cannot prevent attackers from accessing critical systems, it can quickly detect abnormal behaviors and generate alarms, so that O&M personnel can respond quickly and prevent the threat from spreading. Without UEBA, O&M personnel need to sift through massive volumes of alarm information to identify the behaviors or events that pose real risks.

However, UEBA is not designed to replace early security systems or solutions. Instead, it is used to enhance existing security capabilities of networks and address weaknesses of traditional security systems or solutions. Its typical functions include:

  • Identifying a wider range of network threats: As user access modes and access device types increase, network attacks become more sophisticated. UEBA focuses on the behaviors of both users and entities and can cover a wider range of network threats.
  • Improving network security: UEBA can identify internal threats and other risks that are difficult to detect by traditional security systems or solutions, reducing cyber attack risks and improving cyber security.
  • Reducing enterprise costs: By using machine learning and artificial intelligence technologies, UEBA can help enterprises reduce a lot of manual analysis workloads, or the required manpower of analysts. Then, enterprises can transfer surplus manpower to other positions to generate more value.

Comparison Between UEBA and UBA

UBA and UEBA are largely the same, with one important distinction: the additional "E" in UEBA. In fact, UEBA evolved from UBA. UEBA goes beyond analyzing user behaviors, which is the main focus of UBA, to include the behaviors of entities. This makes abnormal behaviors easier to detect and threat identification results more accurate. In addition, UEBA can analyze more complex data and produces a higher volume of data, thereby providing more complex and detailed analysis results.

The change of user access modes plays a major role in the evolution from UBA to UEBA. With the advent of the digital era, the network environment becomes more and more complex, blurring and even erasing network boundaries. Instead of simply using fixed office endpoints to access enterprise networks, employees work with the assistance of other endpoints, such as mobile phones, laptops, cloud hosts, and even personal endpoints. This poses great challenges to enterprise network security. Therefore, UEBA needs to analyze behaviors of both users and user-related entities. Then, it combines user behavior data with entity behavior data to detect complex attacks that cover multiple factors, such as users, devices, and IP addresses.

For example, a hacker does not rush to launch an attack after stealing an employee's account, but pretends to be the employee and performs some legitimate-looking operations. In this case, it is difficult for UBA to detect abnormal behaviors. In addition, such attacks are not launched all at once but irregularly over a long period. Few security devices can detect attacks that are this infrequent and long-lasting. However, the hacker's behaviors will inevitably differ from those of the employee, and the related entity behavior data will differ from normal data. Based on this, UEBA collects and analyzes the hacker's behaviors to identify potential threats earlier and more accurately, protecting targeted enterprises from infiltration.

Comparison Between UEBA and SIEM

Security Information and Event Management (SIEM) is a cyber security technology. It collects and analyzes log events and related data from various sources, such as hosts, applications, and networks, to monitor and manage security events in real time. SIEM uses security events to help users identify abnormal events, view the security situation, and receive alarms when abnormal security events and trends occur. UEBA works similarly to SIEM. The main difference is that UEBA determines whether security threats exist based on the behavioral information of users and entities.

In principle, both SIEM and UEBA use machine learning and data analysis technologies to identify threats, but they identify different threat types. Specifically, SIEM focuses on security events, while UEBA focuses more on behavior patterns. In addition, SIEM performs detection based on rules. Once attackers learn the rules, they can easily bypass the detection. SIEM rules are mainly used to detect non-complex threats that occur in real time. It is difficult for SIEM to detect complex attacks (such as APT attacks) lasting for months or even years. UEBA, however, mainly uses risk scoring and more complex algorithms for detection, so it can identify complex attacks carried out over a long period of time.

In recent years, many SIEM systems have included UEBA. The combination of the two technologies offers better user experience of security and detection functions and helps detect and defend against threats more effectively.

Comparison Between UEBA and NTA

Network Traffic Analysis (NTA) provides a convenient network monitoring and analysis method. Using machine learning, advanced analysis, and rule-based detection, NTA can monitor and analyze all communication traffic and traffic records on enterprise networks. NTA therefore focuses on data packets and flows, while UEBA focuses on logs.

Apart from recorded abnormal events, NTA can display network-wide events, ensuring all-round coverage of attacks. However, NTA cannot trace local events or identify advanced security issues, but can only trace network-level events. In contrast, UEBA can detect local events and hidden security threats. In terms of deployment, NTA can be deployed in a relatively easy way, while UEBA is deployed in a more complex and time-consuming manner.

Just like SIEM, NTA can also be deployed with UEBA for users with more complex security requirements to obtain better security and detection functions.

How Does Huawei Implement UEBA?

Huawei security continuously focuses on five fundamental technologies and builds key security competitiveness in terms of traffic, files, events, vulnerabilities, and threat information. SIEM technologies (including UEBA) are used to collect, monitor, and analyze logs of network traffic, assets, and security devices, providing security analysis and continuous operation capabilities for zero-trust networks.

  • HiSec Insight Security Situation Awareness System

    Huawei is the only vendor in China positioned in the Gartner Magic Quadrant for its SIEM product HiSec Insight in 2022. This is the second consecutive year that Huawei has been listed in the Magic Quadrant. According to Gartner analysts, Huawei has the following advantages:

    • Threat analysis: Threat analysis has always been a key investment area of Huawei. The UEBA capability provides dynamic detection based on peer groups. The machine learning-based entity risk ranking reflects factors such as the asset value, vulnerability risk, and attack risk.
    • Rich product ecosystems: Huawei provides a series of product integration capabilities, including network detection and response, sandbox, deception, UEBA, orchestration and response, and threat information.
    • Flexible scenario adaptation: Huawei provides products in various forms, including software, hardware, and virtualized products, which can be selected for different scenarios. These products can be hosted on Huawei public cloud or private cloud as required.
  • Intelligent Zero-Trust Security Solution

    The intelligent zero-trust security solution provides the features required by the next-generation network security architecture and helps enterprises solve the remaining problems of the traditional security architecture during digital transformation. Currently, the solution has served customers in industries such as government, finance, and transportation. Based on the three-layer architecture of continuous verification, dynamic authorization, and global defense, the solution can assess risks in a multi-dimensional and accurate way, respond to dynamic authorization within seconds, and automatically handle global threats.

    • Continuous verification: Security risks of endpoints and users are continuously monitored. Dozens of endpoint evaluation items can be monitored.
    • Dynamic authorization: Dynamic authorization is performed based on the authorization subject, object environment, and behavior risks to implement refined access control in the application, function, API, and data dimensions.
    • Global defense: End-to-end zero trust is built for devices, users, networks, and applications, implementing network-wide collaborative defense and threat handling within seconds.