Drew Robb | esecurityplanet.com
User and entity behavior analytics (UEBA) tools burst onto the scene a few years ago. Some vendors still call it by that term. But others use user behavior analytics (UBA), threat analytics, and security analytics. Many others have simply packaged UEBA into larger suites, such as security information and event management (SIEM) and extended detection and response (XDR). Regardless of what it is called, UEBA continues to be relevant in the world of security as a way of identifying and alerting IT teams about potentially malicious activity on networks.
What is UEBA?
UEBA brings advanced analytics and machine learning (ML) to the world of security. It can identify strange patterns in user behavior. Anomalous activities and potential malicious actors stand out once the system has been trained to recognize standard and usual user patterns.
This technology is needed because threat actors have rapidly increased the sophistication of their attacks. Many now harness artificial intelligence (AI) as part of their operations to fine-tune their campaigns and make them more effective. Their tools can now recognize when one strain of malware has lost its virulence and suggest adjustments to improve results. UEBA tools help enterprise IT detect the latest tactics of cyber criminals and react faster to new attack vectors.
In some ways, UEBA can be looked upon as the latest evolution of traditional intrusion prevention and detection systems (IPS/IDS/IDPS). The addition of analytics makes it far easier to distinguish between normal and abnormal user behavior and to detect endpoints, storage repositories, and systems that are operating as outliers from baselines built from standard network and system activity. Hence, UEBA can spot new methods of possible intrusion or malicious behavior even when nobody yet knows what kind of attack is underway.
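To make the baseline-and-outlier idea concrete, here is an added illustration (not code from the article or from any vendor it lists): a toy UEBA-style scorer that learns per-user and per-department profiles from constructed authentication events and then scores a new event against the user's own baseline and against their peers. The event fields, the department grouping, and the thresholds are assumptions chosen for the example.

```python
"""Toy UEBA-style anomaly scoring over constructed authentication events."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: (user, department, login_hour, country, mb_transferred)
BASELINE_EVENTS = [
    ("alice", "finance", 9, "US", 12), ("alice", "finance", 10, "US", 15),
    ("alice", "finance", 8, "US", 11), ("alice", "finance", 9, "US", 14),
    ("bob", "finance", 9, "US", 20), ("bob", "finance", 10, "US", 18),
    ("bob", "finance", 11, "US", 22), ("bob", "finance", 9, "US", 19),
    ("carol", "eng", 14, "DE", 300), ("carol", "eng", 15, "DE", 320),
    ("carol", "eng", 13, "DE", 280), ("carol", "eng", 16, "DE", 310),
]

def build_baselines(events):
    """Learn a profile per user (hours, countries, volume) and a volume profile per department."""
    per_user = defaultdict(lambda: {"hours": [], "countries": set(), "mb": []})
    per_dept = defaultdict(list)  # peer group: every login in the same department
    for user, dept, hour, country, mb in events:
        profile = per_user[user]
        profile["hours"].append(hour)
        profile["countries"].add(country)
        profile["mb"].append(mb)
        per_dept[dept].append(mb)
    return per_user, per_dept

def zscore(value, samples):
    """Standard deviations from the sample mean; 0 when the sample has no spread."""
    sd = pstdev(samples)
    return 0.0 if sd == 0 else (value - mean(samples)) / sd

def score_event(event, per_user, per_dept):
    """Return (risk_score, reasons) for a new event; each deviation adds to the score."""
    user, dept, hour, country, mb = event
    me, peers = per_user[user], per_dept[dept]
    score, reasons = 0.0, []
    z_self, z_peer = zscore(mb, me["mb"]), zscore(mb, peers)
    if z_self > 3:   # own baseline: far more data than this user normally moves
        score += z_self; reasons.append(f"volume {z_self:.1f} sd above own baseline")
    if z_peer > 3:   # peer baseline: far more than colleagues in the same department
        score += z_peer; reasons.append(f"volume {z_peer:.1f} sd above peer baseline")
    if country not in me["countries"]:   # never seen this user log in from here
        score += 5; reasons.append(f"first login from {country}")
    if abs(hour - mean(me["hours"])) > 6:   # well outside the user's usual hours
        score += 2; reasons.append("login far outside usual hours")
    return round(score, 1), reasons
```

A score of 0 with no reasons means the event fits both the individual and the peer-group profile; an analyst would triage the highest scores first, as the products below do with their risk scores.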
Like much of the security space, UEBA is a volatile area with plenty of changes being introduced year upon year. Anyone attempting to closely define UEBA, then, is dealing with a moving target.
There are a great many factors, drivers, and technologies influencing the direction and evolution of UEBA. According to Fortinet, some of the key trends impacting UEBA include:
- UEBA is rapidly transitioning to become one facet of a larger system and will probably not be sold as a stand-alone product for much longer.
- Products such as endpoint detection and response (EDR) and SIEM must be able to profile and detect anomalous activity for the endpoint and the user, generally with an agent, but also include the capability to mitigate (such as isolate) and even repair. Thus, they are incorporating UEBA tools.
- Similarly, insider risk management solutions will require UEBA at their core and will require many similar technologies to SIEM and SOAR (security orchestration, automation, and response), but there’s always a concern around whether it is appropriate for a security operations center (SOC) analyst to interface with sensitive HR and legal issues. This seems like the real evolution of UEBA in a pure sense.
UEBA is also being regarded as an important component of the zero trust framework. According to Gurucul, behavioral analytics can check if a trusted user or entity is behaving inappropriately or if zero trust policies are being broken. In addition, UEBA complements zero trust by detecting attacks that abuse legitimate user credentials, which zero trust policies are not built to address.
Top UEBA Solutions
eSecurity Planet evaluated many of the UEBA products on the market to arrive at this list. Here are the top UEBA solutions based on our analysis of everything from features to user opinions.
FortiSIEM with the Advanced Agent for UEBA Telemetry add-on is a full-featured SIEM that also includes UEBA and more. This lightweight, kernel-level agent collects only what is required to profile normal behavior of the endpoint it’s installed on and the users who log in. It securely caches and then streams back the telemetry it collects whenever the user is connected, including to cloud-based collectors if desired, and provides a method of monitoring users working remotely.
- The solution detects anomalous endpoint behavior that may reflect a compromised system or account or user behavior that may reflect a negligent or even malicious insider.
- FortiSIEM uses active and passive means to detect and classify assets, assign risk scoring, and track configurations for unauthorized change.
- Real-time correlation engines can run hundreds of active correlation rules on the fly as events are collected and historically for investigations and threat hunting.
- The solution provides MITRE ATT&CK Framework, visual relationship graphing, and dashboards.
- The FortiInsight agent and the AI module are integrated and embedded in FortiSIEM.
Gurucul UEBA detects and responds to threats based on an understanding of normal activity that continuously learns and adjusts to characterize suspicious and anomalous activity. Combined with threat content and other analytical capabilities, Gurucul UEBA can help security teams quickly distinguish malicious activity from false positives.
- The solution can detect threats immediately upon deployment with 1,500+ behavior-based ML models for the most popular use cases and industries that adapt to each organization.
- The risk engine combines telemetry, analytics, and behavioral modeling into a unified risk core that helps security teams prioritize investigation and response actions.
- A case management capability allows users to track incidents.
- Masks any data attribute using roles or individual users to support data privacy requirements.
- Gurucul UEBA uses multiple threat hunting methodologies, including hypothesis-driven investigation, known indicators of compromise, and advanced analytics/ML investigations.
Splunk provides the data platform and security analytics capabilities needed for organizations to monitor, alert, analyze, investigate, respond, share, and detect known and unknown threats regardless of organizational size or skill set.
- Splunk offers security features such as detection of malware, advanced persistent threats, and hidden attacks.
- Numerous anomaly and threat models are focused toward external threat detection.
- Fully automated and continuous threat monitoring means there are no rules, no signatures, and no human analysis needed.
- Threats detected include account takeover (ATO), lateral movement, command and control activity, data exfiltration, browser exploits, and malware activity.
Cynet XDR is a complete breach protection service. It offers organizations a single, multi-tenant platform that can converge endpoint, user, and network security functionalities within one suite. As part of the services, the company provides the services of CyOps, Cynet’s 24/7 SOC team of threat researchers and security analysts.
- Cynet XDR prevents and detects threats on endpoints, networks, and users.
- Cynet Sensor Fusion provides integrated next-generation antivirus, endpoint detection and response, network analytics, deception, and user behavioral analytics.
- Cynet Response Orchestration includes a set of remediation actions to address infected hosts, malicious files, attacker-controlled network traffic, and compromised user accounts.
- CyOps assists with in-depth investigation, proactive threat hunting, malware analysis, and attack reports, ensuring every security event is handled and resolved.
LogRhythm UEBA is a cloud-native add-on to the LogRhythm SIEM Platform. It uses machine learning to detect anomalies related to potential user attacks, such as insider threats, compromised accounts, administrator abuse, and misuse.
- LogRhythm UEBA uses threat models of the LogRhythm SIEM AI Engine to deliver analysis and visibility into user activity and outliers.
- The solution detects changes in user behavior that signal potential threats.
- Analysts can use the individual anomaly scores and a summary user score to prioritize anomalies for investigation and response.
- LogRhythm UEBA integrates easily with LogRhythm SIEM to function as an advanced UEBA log source in the SIEM.
- SmartResponse automated actions can take care of routine remediation measures.
- Models analyze when an identity is anomalous in relation to its own baseline as well as in relation to its peers or anomalous in relation to all monitored identities.
InsightIDR by Rapid7 continuously baselines normal user activity beyond defined indicators of compromise to detect hard-to-spot threats, such as attackers that are posing as company employees. This UEBA tool connects activity across the network to specific users. If a user behaves in a way that’s unusual, response and investigation are fast.
- InsightIDR automatically correlates activity on the network to the specific users and entities behind it.
- The solution continuously baselines user activity, adapting to the users and entities on the network to define normal.
- Every alert in InsightIDR automatically surfaces notable user and asset behavior on a visual timeline to help IT decide how to invest its time.
- The dashboard has three boxes to show risky users, a watchlist to monitor users that can pose a potential higher risk, and ingress locations to see where in the world users are authenticating to your systems.
- The solution spots misconfigurations via visual log search and prebuilt compliance cards to detect anomalies.
Exabeam Advanced Analytics are now packaged within its Fusion SIEM offering. Fusion SIEM breaks down silos by combining weak signals from many products into high-fidelity threat indicators using behavior analytics. This approach detects complex, unknown, and insider threats to find attacks missed by purpose-built tools or other analytics tools that have been deployed.
- The solution unifies SIEM, UEBA, and XDR in one package.
- Fusion SIEM includes centralized data storage and compliance reporting as well as rapid search.
- Users can leverage existing tools in conjunction with Fusion SIEM.
- Prebuilt integrations are available with hundreds of third-party security tools.
- Behavior analytics combine weak signals from multiple products to find complex threats.
Microsoft Sentinel helps stop threats before they cause harm via a bird’s-eye security view across the enterprise. Its cloud operation means it eliminates security infrastructure setup and maintenance and can elastically scale to meet security needs.
- Microsoft Sentinel claims to reduce costs as much as 48% compared to traditional SIEM.
- The solution collects data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
- Microsoft Sentinel detects previously undetected threats and minimizes false positives using analytics and threat intelligence.
- AI is used to investigate threats and hunt suspicious activities at scale.
- Users are enabled to respond to incidents rapidly with built-in orchestration and automation of common tasks.
- The solution avoids the storage limits or query limits that sometimes prevent on-premises systems from protecting the enterprise.
- Microsoft Sentinel automatically scales to meet organizational needs.
- The payment structure allows users to only pay for the resources needed.