Best User and Entity Behavior Analytics (UEBA) Tools

Kyle Guercio | esecurityplanet.com

Organizations that want to add advanced analytics or machine learning capabilities to their IT security arsenal are turning to user and entity behavior analytics (UEBA). UEBA solutions identify patterns in typical user behavior and pinpoint anomalous activities that do not match those patterns and could correspond with security incidents.

UEBA: Anomaly-based intrusion detection

Attackers are constantly developing new and complex ways to penetrate networks, especially with the use of artificial intelligence (AI). This has made legacy signature-based systems – which solely detect threats whose signatures and patterns have already been identified – far less effective in securing modern networks.

In contrast, UEBA solutions use anomaly-based intrusion detection. These tools track and recognize what’s considered normal behavior for users, endpoints, data repositories and other network entities. This creates a baseline for standard network activity. The software can then monitor the network and identify anomalous activities that deviate from the baseline. This allows UEBA products to identify new methods of intrusion and malicious behavior, even if it’s not clear what kind of attack it is. UEBA solutions typically do their work after other perimeter-focused security solutions have failed, detecting threats inside the network, including insider threats.

If someone accesses sensitive data they usually don’t, that alone could be enough for a UEBA system to issue an alert. Throw in an odd location, time or device and it begins to look like a potential attack, perhaps through stolen credentials. While it’s possible to limit access through tools like zero trust, malicious behavior on a limited basis is still damaging, so behavior analytics adds an important layer of security on top of access tools.

More and more, behavior analytics is beginning to show up in other security tools like SIEM, network traffic analysis, identity and access management (IAM), EDR, data loss prevention (DLP) and employee monitoring tools, but some standalone products remain. We’ll cover this market trend further in the future of UEBA section following the list of top vendors.

What to look for in a UEBA product

When shopping around for a UEBA solution, there are a few key considerations to look for.

• Scalability: Large enterprises collect and store terabytes of data every day. The machine-learning functionality in UEBA solutions uses this data to model behavior patterns and detect anomalies. Only a UEBA solution with an architecture that was designed to support scalability and elasticity will be equipped to monitor and configure this endless stream of Big Data behavior patterns. Otherwise, you could end up spending a lot of money and time scaling with additional deployments and new builds.
• Multiple data classes: An efficient UEBA solution should be able to analyze multiple classes of data to gain a contextual understanding of normal and anomalous behaviors. For example, if a solution can identify badge logs, network packets and endpoint logs, it can understand when and how frequently a user is active, how much information they’re accessing, as well as what sensitive information they’re attempting to download. This holistic picture of behavior allows security specialists to confidently take measures to remedy threats.
• Streamlined and secure deployment: The most efficient UEBA solutions come with built-in use cases and can be stood up in a matter of days without the need for offsite services to help with configuration and deployment. Not only does this save time and money, but these offsite services often require VPN access to your network, which can itself create security risks or regulatory compliance issues.

Top UEBA solutions

This buying guide includes standalone UEBA products as well as other more comprehensive security solutions. In order to be included in the buying guide, the UEBA solutions had to provide the following capabilities:

• Monitor and analyze the behavior of users and other entities
• Detect anomalous behavior that could indicate an insider attack or compromise of user credentials
• Use advanced analytics to detect multiple kinds of threats
• Offer the ability to correlate multiple anomalous activities that could be related to a single security incident
• Provide real-time or near-real-time performance

At the bottom of this article is a chart breaking down some of the features of these top UEBA products.

Jump ahead to:

• Aruba IntroSpect
• Cynet 360
• Exabeam Advanced Analytics
• Forcepoint
• Fortinet FortIinsight
• Gurucul Unified Security Analytics
• LogRhythm UserXDR
• Microsoft Azure Advanced Threat Analytics (ATA)
• One Identity Safeguard
• Palo Alto Networks
• Rapid7 Insight IDR
• RSA NetWitness
• Securonix Security Analytics
• Splunk User Behavior Analytics
• Varonis
• Veriato Cerebral
• UEBA best practices
• The future of UEBA
• UEBA features compared

Aruba Introspect

From Aruba (a Hewlett Packard Enterprise company), IntroSpect integrates AI-based machine learning, pinpoint visualizations and instant forensic insight into a single security solution. Aruba Introspect can detect, prioritize, investigate and respond to stealthy inside attacks that have evaded traditional perimeter-based security defenses.

Introspect starts by looking at a comprehensive set of IT data sources. Aruba Introspect applies hundreds of machine learning models across users, host and application behaviors to determine high-priority alerts. By coupling this with a comprehensive set of IT data resources, it then delivers full context forensic evidence so security teams can act quickly.

Additional Features:

• Collects and analyzes everything from packets and flows to logs and alerts
• Detects gestating attacks from malicious, negligent or compromised users, IoT devices, and systems
• Machine learning models tuned for attack families such as ransomware
• Stops attacks by integrating with Aruba ClearPass NAC to automatically take policy-based enforcement actions (quarantine, port block, etc.)

Markets and use cases: Large organizations in healthcare, education, finance, legal, oil & gas, government, technology and retail

How Delivered: Appliance and software-only versions

Scalability: No limit

Throughput/bandwidth restrictions: None, scales horizontally

Pricing: Based on the number of entities monitored

Cynet 360

Cynet 360 is an Autonomous Breach Protection Platform. This comprehensive solution monitors and analyzes behavioral and interaction indicators across endpoints, users, network traffic and files. It then assigns risk rankings to identify attackers. UEBA capabilities are included as a native node in the Cynet 360 system. It utilizes machine learning and heuristic analysis to establish a baseline for normal network behavior so it can hone in on malicious activity.

Additional Features:

• Endpoint Detection and Response
• Network monitoring and control
• Response orchestration
• Network analytics
• Vulnerability scanning

Markets and use cases: Corporate security operations teams

Delivery: On-premises software or cloud-based

Pricing: Quotes available on request

Exabeam Advanced Analytics

Exabeam offers a SIEM platform that integrates with its standalone products for log management, UEBA, incident response, querying and cloud integration. Exabeam Advanced Analytics, its UEBA solution, is designed for advanced threat detection, rapid incident investigation and efficient threat hunting. Its analytics dashboard provides an overview of threats in the environment, including open cases and related high-risk users and assets.

Headquartered in San Mateo, Calif., it has raised $65 million in funding, including a $30 million round that closed earlier this year. The company’s lead investors include Lightspeed Venture Partners and Cisco Investments. According to the firm, Exabeam Advanced Analytics is “the world’s most deployed behavioral analytics platform.”

Additional features:

• Integrates with other Exabeam products and most SIEM products
• Accepts data from hundreds of different sources
• Patented session data model
• Risk scoring
• Ransomware detection and prevention
• Session timelines
• Alert prioritization

Markets and use cases: Any large organization. Exabeam has a special advisory board and programs for federal government agencies.

Delivery: Physical appliance or cloud-ready virtual machine

Endpoints: Unlimited

Throughput/bandwidth limits: None; scales horizontally

Pricing: Quotes available on request

Forcepoint

Forcepoint claims that its user behavior monitoring technology has been protecting governments and other organizations for more than 15 years. It was previously known as Websense, which was founded in 1994. It was renamed Forcepoint in 2016 after Raytheon bought the company for $1.9 billion and combined it with the Raytheon Cyber Products and Stonesoft organizations. Forcepoint currently claims more than twenty thousand customers.

Forcepoint enables security teams to learn from existing data and proactively monitor for high-risk behavior. It provides context by fusing structured and unstructured data to identify and disrupt malicious, compromised and negligent users. The platform can collect and analyze data from a wide array of data types, including communication platforms and security devices, to establish intent for different user behaviors. With the entity timeline, you can reconstruct the series of events that led to an elevated risk score.

Additional features:

• Distributed architecture
• Daily consolidated risk scores for individuals
• Risk prioritization
• Customizable policies
• Visualizations
• Video replay of users’ screens
• Timelines
• Forensics
• Agent-based

Markets and use cases: Corporate security operations teams

Delivery: On-premises software

Endpoints: Unlimited

Throughput/bandwidth limits: None

Pricing: Quotes available on request

Fortinet FortiInsight

Fortinet’s UEBA technology protects organizations from insider threats by continuously monitoring users and endpoints with automated detection and response capabilities. Leveraging machine learning and advanced analytics, FortiInsight identifies non-compliant, suspicious, or anomalous behavior and rapidly alerts any compromised user accounts.

Fortinet acquired ZoneFox, which was covered in an earlier UEBA guide, and that technology is an integral part of FortiInsight. When integrated with FortiSIEM as part of the Fortinet Security Fabric, it provides visibility into data activity and reduces the risk of insider threats or to compliance issues with the likes of GDPR and HIPAA. It includes endpoint behavioral monitoring of devices even when they are off the corporate network and any resources accessed. A rule-based engine identifies policy violations, unauthorized data access, data exfiltration, whether data is being moved to the cloud or onto a local USB device, and compromised accounts.

Additional features:

• Data streamed securely from the endpoint to the Fortinet datastore
• 5-factor data identification model
• Lightweight Agent-Based Protection
• Windows OS support
• Native file system drivers
• Forensics
• Network monitoring
• Federated security

Key markets and use cases: Security operations teams, especially banks, manufacturers and game developers.

Delivery: Hosted solution

Endpoints: Scales well: In 15 days inside one organization, it recorded 130,000 events, 6.4 million user actions, and detected three cloud services used by 16 users, five tools associated with hacking and 14 high-risk users making use of removable storage.

Throughput/bandwidth limits: Consumes less than 0.5% of CPU, 20 MB of RAM memory and 5 KB/s of network traffic.

Pricing: Licensed based on the number of endpoints protected, whether the endpoint is a server, desktop, laptop, database server or SharePoint server.

LogRhythm UserXDR

LogRhythm UEBA detects known and unknown user-based threats via analytics, applying machine learning and scenario analytics to the surface and then prioritizes critical events. It offers a full spectrum of security analytics using both scenario-based and behavior-based techniques. This augments organizational security environments, functioning either as a standalone UEBA product or as an add-on to existing SIEM or log management solutions.

Additional features:

• Evidence-based starting points for investigation
• Scoring and prioritizing of risk associated with anomalous user behavior
• LogRhythm TrueIdentity builds comprehensive behavior profiles
• Automated user baselining and risk analysis
• Embedded security orchestration, automation, and response (SOAR)

Markets and use cases: Detection of insider threats, compromised accounts, privilege abuse and misuse, brute-force attacks, new privileged accounts, and unauthorized data access and exfiltration, especially in banking and finance, energy and utilities, healthcare, the federal sector, retail and hospitality.

Delivery: Appliance, software, cloud

Number of Endpoints: Up to millions of endpoints

Throughput/bandwidth limits: Can analyze hundreds of thousands of evidence points per second and store petabytes of data

Pricing: Begins at $115/Identity per year

Microsoft Azure Advanced Threat Analytics (ATA)

Part of Microsoft’s cloud platform, Azure Advanced Threat Analytics (ATA) is a cloud-based security solution. It leverages on-premises active directory signals to identify, detect and investigate advanced threats, compromised users and insider threats.

In November 2014, Microsoft announced its acquisition of Aorato, a security intelligence startup based in Israel. Before its acquisition, Aorato had received $11 million in equity funding. In 2015, Microsoft added Advanced Threat Analytics to its Enterprise Mobility Suite and also made it available as a standalone product. Somewhat confusingly, Microsoft considers Advanced Threat Analytics part of its Cloud Platform, but the product is available only for on-premises deployment.

Additional features:

• SIEM integration
• Attack timelines
• Mobility support
• Organizational security graph
• Email alerts
• Deep packet inspection
• Agentless

Markets and use cases: Small businesses

Delivery: On-premises software

Endpoints: Hundreds of thousands supported

Throughput/bandwidth limits: None

Pricing: Quotes available on request and negotiable under various licensing strategies. Estimated price for a standalone license is $80 per user, $61.50 per operating system per year.

One Identity Safeguard

One Identity Safeguard delivers identity governance, access management, and privileged account management solutions. One Identity Safeguard for Privileged Analytics identifies high-risk privileged users, monitors questionable behaviors and uncovers threats using user behavior analytics technology.

It provides full visibility into privileged account users and their activities. Organizations can identify risky users, keep a constant lookout for new internal and external threats, and detect unusual privileged behavior. If suspicious activity is discovered, Safeguard enables IT security managers to take immediate action and be well-positioned to prevent potential data breaches.

Additional features:

• Detect threats in real-time
• Pattern-free operation
• Screen content analysis
• Behavioral biometrics
• Reduce Alert Noise
• Automated Response

Markets and use cases: Organizations having their privileged accounts targeted such as financial services, healthcare, utilities and government

Delivery: Appliance

Endpoints: The focus is on safeguarding a small number of privileged accounts rather than all endpoints.

Throughput/bandwidth limits: Each node can support thousands of hosts.

Pricing: Sold by the number of users or number of systems.

Palo Alto Cortex XDR

Palo Alto Networks developed Cortex XDR as a detection, investigation and response app that natively integrates network, endpoint and cloud data. It uncovers threats using behavioral analytics, accelerates investigations with automation, and stops attacks before damage is done through tight integration with existing enforcement points.

After modeling billions of data points from the network, endpoint and cloud sensors, Palo Alto Cortex XDR automatically groups related alerts into incidents to provide a holistic view of attacks. It accelerates investigations by stitching together data so that IT teams can get to the bottom of any threat with a single click. They can even immediately stop threats with built-in instant response options.

Additional Features:

• Targeted attack detection
• Malware and fileless attack detection
• Insider threat detection
• Risky user behavior analysis
• Malware, ransomware, and exploit prevention
• Automated alert investigation with root cause analysis
• Supervised and unsupervised machine learning
• Custom rule-based detection of attack behaviors
• Incident response and recovery
• Post-incident impact analysis
• Threat hunting
• IoC and threat intelligence searches

Markets and use cases: Security operations teams

Delivery: Cloud

Endpoints: Can scale to support a virtually unlimited number of endpoints

Throughput/bandwidth limits: Virtually unlimited throughput and bandwidth

Pricing: Based on the amount of data stored for 30 days

Rapid7 InsightIDR

Rapid7 InsightIDR is a cloud-based intrusion detection and response system. With 20 years in the cybersecurity industry, Rapid7 has proven itself to be a legacy leader in the space. InsightIDR is a powerful and reliable comprehensive security solution that includes UEBA capabilities.

What makes InsightIDR unique is that its detection mechanisms are based on common attack vectors as well as anomalous behavior. This is possible by combining UEBA with the platform’s threat intelligence capabilities, gathering insights about security risks from all around the world.. And thanks to its cloud architecture, InsightIDR is scalable so it can maintain your growing security data.

Additional Features:

• Endpoint detection and visibility
• Centralized log management
• Network traffic analysis
• Attacker behavior analytics
• File Integrity Monitoring (FIM)
• Visual investigation timeline

Markets and use cases: This platform is ideal for organizations that have moved much of their system to the cloud.

Delivery: Software, cloud

Pricing: Licensing is based on the number of assets and the number of days the log will be retained in the cloud.

RSA NetWitness

RSA NetWitness is a purpose-built, Big-Data-driven, user and entity behavior analytics solution integrated as a central part of the RSA NetWitness Platform. By leveraging unsupervised statistical anomaly detection and machine learning, it provides detection for unknown threats based on behavior, without the need for analyst tuning.

RSA NetWitness combines visibility with threat intelligence, business context and advanced analytics to assign risk scores to alerts based on how likely they are to be an actual attack. Business context reduces false positives by making it easy to distinguish false alerts from real threats to help teams prioritize remediation tasks. The platform also incorporates full security automation, orchestration and response capabilities, making it easy for teams to collaborate on investigations.

Additional Features:

• Leverages user, network and endpoint behavior profiling
• Detects abuse and misuse of privileged accounts, brute force attacks, account manipulation and other malicious activities
• Requires no customization, ongoing care, or rule authoring, creation or adjustment

Markets and use cases:

• Key markets include financial, retail, local and federal government, higher education and critical infrastructure
• Use cases include insider threat, brute force, account takeover, compromised account, privilege account abuse and misuse, elevated privileges, snooping user, data exfiltration, abnormal system access, lateral movement, malware activity and suspicious behaviors.

Delivery: Appliance and virtual formats

Endpoints: 100,000 users per server

Throughput/bandwidth limits: As above

Pricing: Based on the total number of employees that have corporate network access. For example, 1,000 to 2,500 users are licensed at $1.50 per user per month, with pricing dropping to a fifth of that for large deployments.

Securonix Security Analytics

Securonix’s Security Analytics platform incorporates SIEM, UEBA and fraud detection capabilities. The company’s patented machine learning algorithms earned them a spot in Gartner’s SIEM magic quadrant and the top spot on our top SIEM vendors list. By analyzing and storing logs from all data sources as well as other security platforms, such as firewalls and Data Loss Prevention (DLP) tools, Securonix uses AI-driven analytics, not just to send out alerts of possible threats, but to build cases that deliver insightful threat scores. It also chains together anomalies to create and assign confidence scores alongside the risk scores. Securonix Security Analytics helps IT teams maintain a secure and regulatory compliant data environment.

The company was founded in 2008 and has offices in the U.S., the UK and India. Securonix says one-third of the Fortune 500 companies use its products.

Additional features:

• More than 1,000 one-click deploy threat models
• 350 connectors
• Visualizations
• Investigation and response capabilities
• Fraud reporting
• Trade surveillance
• Patient data analytics
• Threat Model Exchange library
• Predictive and adaptive learning
• Integrates with SNYPR Security Analytics Platform
• Agentless

Markets and use cases: Corporate security operations teams, especially very large enterprises

Delivery: On-premises software or cloud-based

Pricing: Quotes available on request

Splunk User Behavior Analytics

Splunk’s “Data-to-Everything” platform is designed to make IT, security, and many other parts of an organization work more efficiently by helping manage massive amounts of data. Its security solution uses machine learning, automation and orchestration to process billions of events and analyze historical and real-time data to build behavior baselines so teams can quickly make decisions and take action.

Founded in 2003 to support the open source Splunk software, the company now claims most of the Fortune 100 as customers and more than $2 billion in revenue.

Additional features:

• Security dashboard
• Hadoop-based
• Multi-dimensional behavior baseline
• Integration with Splunk Enterprise and Splunk Enterprise Security
• Anomaly exploration
• Agentless

Markets and use cases: Corporate security operations teams

Delivery: On-premises software or as an AWS service

Endpoints: 500,000 on a single node (additional scaling possible with additional nodes)

Throughput/bandwidth limits: None

Pricing: Quotes available on request

Varonis

Founded in 2005, Varonis offers a variety of data management, governance and security products, including its UBA offering called DatAlert. Its focus is primarily on securing companies against insider threats. The Varonis Data Security Platform in general gets very high marks from users for deployment, product capabilities and support.

Additional features:

• Predictive threat models
• Security time machine
• Integration with other security solutions
• Web-based dashboards
• Alert scoring and prioritization
• Custom alert criteria
• Agents for some platforms, agentless for others

Markets and use cases: Corporate security operations teams

Delivery: On-premises software

Endpoints: Not applicable; UEBA occurs on servers rather than endpoints

Throughput/bandwidth limits: None

Pricing: Quotes available on request

Veriato Cerebral

Headquartered in Palm Beach Gardens, Fla., Veriato specializes in employee monitoring solutions, including Cerebral, its UEBA product. This AI platform integrates UEBA with User Activity Monitoring (UAM) to improve rapid data breach response. From the GUI, users can quickly see all individual users; with elevated risk score, which helps security teams hunt threats proactively. Founded in 1998, the company was formerly known as Spectorsoft. It boasts more than 50,000 customers in more than 100 countries.

Additional features:

• Simple tuning
• Behavioral groups
• Alerting
• Integration with SIEM and other security solutions
• Psycholinguistic analysis
• Screen snapshots
• Keystroke recording
• Agent-based

Markets and use cases: Corporate security operations teams and HR departments

Delivery: On-premises software

Endpoints: 200,000 with a single instance

Throughput/bandwidth limits: None

Pricing: Quotes available on request

UEBA best practices

While UEBA software is a powerful tool, it is not an all-encompassing network security solution. It will take some work for it to operate effectively. Here are a few best practices to keep in mind:

• Customized alerts: When anomalies are detected, the UEBA system will send out an alert. It’s important to configure these alerts to only be sent to the relevant team members. Having too many cooks in the kitchen can convolute the remediation process. This also prevents unnecessary panic.
• Integrate with other solutions: While UEBA solutions can collect a lot of information on their own, they should not be your only source of data. Integrating them with other monitoring tools such as Intrusion Detection Systems (IDS) and applications like  Customer Relationship Management (CRM) systems will provide valuable contextual insight for identifying behavior.
• Review reports: Even if you have a lot of trust in your UEBA solution, it’s important to regularly review anomalous activity reports. If there are certain activities that are continuously being incorrectly flagged by your system as anomalous, then you could be wasting valuable time and effort digging into issues that don’t exist and some fine-tuning may be in order.

The future of UEBA

Although UEBA solutions have only been around for a few years, they quickly became popular among large enterprises. However, just as quickly, there is a major shift happening that may eliminate the existence of stand-alone UEBA products altogether.

UEBA market analysis

According to Gartner’s Market Guide for User and Entity Behavior, they predict that the UEBA market will cease to exist as a stand-alone product in the near future. In fact, by 2022, Gartner predicts that as much as 95 percent of all UEBA deployments won’t be as standalone products, but as features of broader security platforms. Gartner currently doesn’t plan to even track UEBA revenue beyond 2020 due to the stark increase in acquisitions, pivots into specific markets or the development of additional features to evolve into a modern SIEM.

There are a few reasons for this major shift:

Use cases: stand-alone pure-play UEBA platforms were typically built to support a broad range of use cases for users, as well as entity behavior analytics. Vendors with embedded UEBA features in their solutions, such as SIEMs, are often tailored to more specific use cases. Most organizations prefer to use technologies that specifically cater to their unique security and business needs.

Deployment and maintenance: Buyers report that the deployment and ongoing maintenance of pure-play UEBA solutions has proven to be time-consuming and labor-intensive. When these capabilities are wrapped up in a more comprehensive solution, all of the time and resources needed to get it up and running and to maintain its operation are consolidated.

Rather than looking at standalone products, you may be better off looking at UEBA as part of a whole, more comprehensive security solution, or one that integrates well with other security tools. Before making a purchasing decision, check whether your existing security vendors already offer UEBA features and advanced analytics in its tools latest release.

UEBA product features comparison

Below is a chart comparing the top UEBA solutions:

UEBA Vendor	Use Cases	Special Features	Delivery
Aruba	High-risk and regulated industries	Integrated network traffic analysis	Appliance and software
Cynet	Security operations teams seeking broader app and device management	Integrates access control, application management and endpoint management	Cloud or on-premises
Exabeam	Large organizations, federal agencies	Ransomware detection and prevention	Physical appliance or cloud-ready virtual machine
Forcepoint	Security operations teams	Consolidated risk scores for individuals; video replays of users’ screens	On-premises software
Fortinet	Banks, manufacturers and game developers	Monitors endpoints even when off network	Hosted solution
Fortscale	Organizations of all sizes; security vendors	Darknet analysis; DLP integration	On-premises software or embedded in other security solutions
Gurucul	Corporate security operations	Large library of machine learning algorithms; fuzzy logic-based link analysis	Appliance, virtual machine, cloud or bare metal
LogRhythm	High-risk and highly regulated industries	Embedded orchestration, automation and response	Appliance, software and cloud
Microsoft ATA	Small businesses	Mobility support; deep packet inspection	On-premises software
One Identity	Aimed at high-risk privileged accounts	Real-time threat detection, behavioral biometrics	Appliance
Palo Alto	Security operations teams seeking broad protections	Automated alert investigation, impact analysis, threat hunting	Cloud
RSA	Security operations teams seeking automation	Unsupervised anomaly detection and machine learning	Appliance and virtual formats
Securonix	Security operations teams, especially in very large enterprises	Fraud reporting; trade surveillance; patient data analytics	On-premises software or cloud-based
Splunk	Security operations teams	Multi-dimensional behavior baseline; anomaly exploration	On-premises software or AWS service
Varonis	Security operations teams	“Security Time Machine” analyzes past data; ransomware detection	On-premises software
Veriato Cerebral	Security operations teams and HR departments	Psycholinguistic analysis; screen snapshots; keystroke recording	On-premises software

External Link: Best User and Entity Behavior Analytics (UEBA) Tools