User behavior analytics (also known as UEBA or entity behavior analytics) is cybersecurity technology that uses monitoring tools to gather and assess data from user activity, with the goal of proactively finding and flagging suspicious behavior before it leads to a data breach. By relying on machine learning to learn how users normally interact with an organization’s technology, user behavioral analytics can immediately recognize anomalous behavior to stop bad actors from accessing sensitive information. This threat intelligence enables continuous risk assessment without complicating the end user experience.
Much like SIEM (Security Information and Event Management), UEBA is an approach to information security that relies on automated analysis of data to detect and stop potential cyberattacks in real time. While traditional security tools like SIEM analyze events that occur behind firewalls, UEBA focuses on data generated by user behavior. Examples of data analyzed by UEBA include network traffic, login times, geographic locations, session duration, file downloads, and authentication logs. This information enables the UEBA solution to identify typical patterns of activity, and then take action if users deviate from these patterns in ways that indicate malicious behavior.
Explore additional UEBA topics:
The average data breach can cost a company millions, and often involves internal threats. This makes it important to recognize suspicious activity before bad actors are able to steal sensitive data like health records or intellectual property. However, perimeter-facing enterprise security technology like firewalls or encryption do nothing to stop malicious insiders who have already gained access to an organization’s data through phishing, malware, or credential theft.
What’s more, the widespread adoption of SaaS, cloud, and mobile apps has made risk management more difficult. It’s especially challenging for IT teams to identify and address potential threats across hybrid cloud architectures. Many of these apps and services may not even be officially sanctioned by IT, making it tougher to detect bad actors using them. This creates a need for continuous visibility across apps, users, networks, cloud services, and devices to eliminate security blind spots and help security teams identify, analyze, and respond to data exfiltration attempts proactively.
User behavior analytics address this challenge by continuously monitoring the activity of every user, then using threat detection to find and flag anomalous behavior before it leads to a breach. This enables organizations to protect sensitive data inside their systems instead of only protecting the perimeter.
At a high level, user behavior analytics work by establishing benchmarks or rules for normal user behavior and alerting IT when a user deviates from these benchmarks. For example, if normal working hours are defined as 7 am to 8 pm, the UEBA solution would flag an attempt to sign on and access sensitive files at 3 am as unusual—and either halt access immediately or alert IT admins. If the user’s credentials had been stolen and used by a hacker, this would prevent a serious breach.
More sophisticated UEBA solutions are capable of more dynamic rule making that creates specific risk profiles for each user. These profiles are created by monitoring how each user in an organization works: what apps they use, their preferred devices and networks, and how they access and share files for projects. If a user exhibits anomalous behavior, such as unusual usage of an application or excessive file sharing activity, the UEBA solution can autonomously take action to block the user’s device or access before data is compromised. This advanced rule-making capability in user behavior analytics is possible through machine learning.
Get a detailed look at user behavior analytics (UEBA)—and learn how you can use it to protect sensitive corporate data.
Machine learning (ML) is similar to artificial intelligence (AI) in that it enables software to self-improve by analyzing and learning from relevant data. AI and machine learning are transforming many business processes, and user behavior analytics are no exception. ML-capable user behavior analytics can create user-specific rules and risk scores. Here’s a high-level view of how machine learning works in user behavior analytics:
After developing these actionable insights, the machine learning engine creates dynamic risk profiles for each user inside the organization. This allows the platform to assign a risk score to each individual user session. If a user starts to behave in an odd or suspicious way that does not match their normal work activity, the security analytics platform immediately recognizes this aberrant behavior. IT would be alerted to take action, and the user would automatically receive a message to verify their identity and stop a breach in its tracks.
To protect sensitive company data, you need to keep users secure in real time. Citrix Analytics for Security uses machine learning to assess, detect, and prevent risks at the individual user level. This cloud-delivered UEBA tool helps organizations identify suspicious behaviors and stop internal threats long before they lead to breaches.