What is User Behavior Analytics?

User behavior analytics (also known as UBA or entity behavior analytics) is cybersecurity technology that uses monitoring tools to gather and assess data from user activity in order to proactively find and flag suspicious behavior before it leads to a data breach. By relying on machine learning to learn from how users normally interact with an organization’s technology, apps, and sites, user behavioral analytics can immediately recognize anomalous behavior to stop bad actors from accessing sensitive information. This enables continuous risk assessment and threat detection without complicating the end user experience.

Much like SIEM (Security Information and Event Management), UBA is an approach to information security that relies on automated analysis of big data to detect and stop potential cyberattacks in real time. While SIEM primarily analyzes events that occur behind firewalls, UBA focuses on data generated by user behavior. The data analyzed by UBA can include (but is not limited to) network traffic, login times and geographic locations, session duration, file downloads, and authentication logs. This enables the UBA solution to identify typical user patterns of activity, and then take action if users deviate from these patterns in ways that indicate malicious behavior.

Why are user behavior analytics important?

With the global average cost of a data breach at nearly $4 million, data protection is crucial, and 34% of data breaches involve internal actors. This makes it important to be able to recognize insider threats before these bad actors are able to steal sensitive data like health records or intellectual property. However, perimeter-facing enterprise security technology like firewalls or encryption does nothing to stop malicious insiders who have already gained access to an organization’s data through phishing, malware, or credential theft.

What’s more, the widespread adoption of SaaS, cloud, and mobile apps has made risk management more difficult. It’s especially challenging for IT teams to identify and address potential threats across hybrid architectures. Many of these apps and services may not even be officially sanctioned by IT, making it tougher to detect bad actors using them. This creates a need for continuous visibility across apps, users, networks, cloud services, and devices in order to eliminate security blind spots and help IT identify, analyze, and respond to security events proactively.

User behavior analytics address this challenge by continuously monitoring the activity of every user, then using anomaly detection to find and flag anomalous behavior before it leads to a breach. This enables organizations to protect sensitive data inside their systems instead of only protecting their perimeter. Citrix Analytics for Security is a user behavior analytics tool that helps to proactively safeguard the entire Citrix Workspace, a complete digital workspace with Gartner-recognized industry-leading capabilities. It is a cloud-delivered add-on service that consumes both cloud-based and on-premises data to automatically take action when certain events occur, understand which users pose the greatest risk to the organization, and ultimately increase security posture.

How do user behavior analytics work?

At a high level, user behavior analytics work by establishing benchmarks or rules for normal user behavior and alerting IT whenever a user deviates from these benchmarks. One example of such a rule is defining normal working hours as 7 AM to 8 PM; that means if a user attempts to sign on and access a sensitive file at 3 AM, the UBA solution would flag that behavior as unusual and either halt access immediately or alert IT admins. If that user’s credentials had been stolen and used by a hacker, this would have prevented a serious breach.

More sophisticated UBA solutions are capable of more dynamic rule making that creates specific risk profiles for each user. These profiles are created by monitoring how each user in an organization works: what apps they use, their preferred devices and networks, and how they access and share files for their projects. If a user exhibits anomalous behavior, such as unusual usage of an application or excessive file sharing activity, the UBA solution can autonomously take action to block the user’s device or access before data is compromised. This advanced rule-making capability in user behavior analytics is possible through machine learning.

How does machine learning work with user behavior analytics?

Machine learning is similar to artificial intelligence in that it enables software to self-improve its performance at a specific task by analyzing and learning from relevant data. Nearly 70 percent of IT leaders believe that AI and machine learning are transforming their business, and user behavior analytics are no exception. ML-capable user behavior analytics can create the user-specific rules mentioned earlier by adapting to big data and using it to dynamically transform their capabilities to deliver better results. Here is a high-level view of how machine learning works in user behavior analytics:

  1. The organization provides the machine learning engine access to a lake of user data drawn from IT events, application usage, logons and network activity, and other work data. By integrating security analytics with a unified workspace that contains all the data sources mentioned above, organizations can fill their big data lake with relevant data and improve the machine learning process.
  2. After an organization’s behavioral analytics platform has filled its data lake, it then correlates this big data to distinct users inside the organization. This is the foundation of the risk profiles and associated behavioral patterns that the machine learning engine will develop.
  3. Once this data is correlated to individuals inside the organization, the machine learning engine begins to understand how those users work and behave at their jobs. This enables the machine learning engine to acquire actionable insights into each user’s everyday behavior and work styles that the organization would otherwise not be able to get.
  4. After developing these actionable insights, the machine learning engine creates dynamic risk profiles for each user inside the organization. This allows the user behavior analytics platform to continually score an individual user’s session to dynamically determine their risk. If a user starts to behave in an odd or suspicious way that does not match their normal work activity, the security analytics platform immediately recognizes this aberrant behavior using the risk indicators developed by the ML engine. IT would be alerted to take action, and the user would automatically receive a message to verify their identity and stop a breach in its tracks.
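The following added example (not from the original page or from any vendor's product) contrasts the fixed working-hours rule described earlier with the per-user risk profiles built in the steps above. It uses a simple statistical baseline as a stand-in for the machine learning engine; the event fields, score weights, thresholds, and user and device names are all assumptions made for illustration.

```python
from statistics import mean, pstdev

WORK_START, WORK_END = 7, 20          # static rule from the text: 7 AM to 8 PM
VERIFY_AT, BLOCK_AT = 30, 60          # assumed score thresholds for this example

# Constructed history: (user, logon_hour, device, files_downloaded)
HISTORY = (
    [("alice", h, "laptop-a", n) for h, n in [(8, 4), (9, 6), (9, 5), (10, 3), (8, 5), (9, 7)]]
    + [("bob", h, "kiosk-b", n) for h, n in [(2, 2), (3, 1), (3, 3), (4, 2), (2, 2), (3, 1)]]
)

def static_rule(hour):
    """Fixed benchmark: flag any logon outside the working-hours window."""
    return not (WORK_START <= hour < WORK_END)

def build_profiles(events):
    """Correlate events to users and record what is normal for each one."""
    profiles = {}
    for user, hour, device, files in events:
        p = profiles.setdefault(user, {"hours": set(), "devices": set(), "files": []})
        p["hours"].add(hour)
        p["devices"].add(device)
        p["files"].append(files)
    return profiles

def risk_score(profile, hour, device, files):
    """Score one session against the user's own baseline (weights are assumed)."""
    score = 0
    # Circular distance (hours) to the nearest time this user normally logs on.
    gap = min(min(abs(hour - h), 24 - abs(hour - h)) for h in profile["hours"])
    if gap > 2:
        score += 40
    if device not in profile["devices"]:
        score += 30
    mu, sigma = mean(profile["files"]), pstdev(profile["files"]) or 1.0
    if (files - mu) / sigma > 3:      # download volume far above this user's norm
        score += 30
    return score

PROFILES = build_profiles(HISTORY)

def evaluate(user, hour, device, files):
    """Return the static-rule verdict next to the per-user score and action."""
    score = risk_score(PROFILES[user], hour, device, files)
    action = "block" if score >= BLOCK_AT else "verify" if score >= VERIFY_AT else "allow"
    return {"static_flag": static_rule(hour), "score": score, "action": action}

if __name__ == "__main__":
    print(evaluate("bob", 3, "kiosk-b", 2))         # night-shift user, normal session
    print(evaluate("alice", 3, "laptop-a", 5))      # the 3 AM logon from the text
    print(evaluate("alice", 10, "unknown-pc", 60))  # working hours, abnormal session
```

The static rule flags the night-shift user's routine logon and misses the abnormal daytime session, while the per-user profile allows the first, asks for identity verification on the 3 AM logon, and blocks the session that combines an unknown device with an unusual download volume.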

How to choose a user behavior analytics solution

All UBA technology aims to prevent data breaches from insider threats, but it’s important to choose security analytics tools that fit your organization’s infrastructure, users, and security operations. Key factors to consider when choosing a UBA solution include:

  • Dynamic rule making
    You want a UBA solution that uses machine learning to analyze activity across your users and create dynamic rules for normal user behavior instead of relying on broad predefined benchmarks. Because all your users are unique and will have their own personal activity patterns, adopting a UBA solution capable of continuously learning from your users will make it more difficult for a hacker to mimic their behavior.
  • Integration with all infrastructure
    The average large company uses 129 applications, with smaller firms relying on 73 apps. You need to choose a UBA solution capable of learning from and analyzing user behavior across all applications, cloud services (such as Microsoft Azure or AWS), and devices that your employees access. If a UBA solution fails to integrate with any of the technology you already have in place, you will face an IT blind spot that a bad actor can take advantage of. This is why many organizations prefer behavioral analytics that work inside a secure workspace that contains all work data and applications.
  • User experience
    Protecting your sensitive data is essential, but so is delivering a high quality work experience for all your employees. If your UBA solution is too aggressive in flagging user behavior as suspicious, your employees can lose access to essential apps and data whenever they slightly deviate from their normal activity. This makes it important for your UBA solution to have sophisticated risk profiles and risk scores for each employee to prevent unnecessary disruptions to their work experience that could hurt productivity.

How to get started with user behavior analytics

To begin implementing user behavior analytics in your organization, you need your security team to understand how UBA can learn from user behavior to determine risk profiles and identify potential threats inside your expanding network environment. With this e-book, you can get a closer look at how user and entity behavior rules are defined, how malicious activity is detected, and how incident response can isolate attacks before they turn into breaches.
