
UEBA - User and Entity Behavior Analytics

Developments in UBA technology led Gartner to evolve the category into user and entity behavior analytics (UEBA). In September 2015, Gartner published the Market Guide for User and Entity Analytics by Vice President and Distinguished Analyst Avivah Litan, which provided a thorough definition and explanation. UEBA had been referred to in earlier Gartner reports, but not in much depth. The expanded definition goes beyond UBA to include devices, applications, servers, data, or anything with an IP address. It moves beyond the fraud-oriented focus of UBA to a broader one encompassing "malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP." The addition of "entity" reflects that devices may play a role in a network attack and may also be valuable in uncovering attack activity. "When end users have been compromised, malware can lay dormant and go undetected for months. Rather than trying to find where the outsider entered, UEBAs allow for quicker detection by using algorithms to detect insider threats."

Particularly in the computer security market, there are many vendors for UEBA applications. They can be "differentiated by whether they are designed to monitor on-premises or cloud-based software as a service (SaaS) applications; the methods in which they obtain the source data; the type of analytics they use (i.e., packaged analytics, user-driven or vendor-written), and the service delivery method (i.e., on-premises or a cloud-based)." According to the 2015 market guide released by Gartner, "the UEBA market grew substantially in 2015; UEBA vendors grew their customer base, market consolidation began, and Gartner client interest in UEBA and security analytics increased." The report further projected, "Over the next three years, leading UEBA platforms will become preferred systems for security operations and investigations at some of the organizations they serve. It will be—and in some cases already is—much easier to discover some security events and analyze individual offenders in UEBA than it is in many legacy security monitoring systems."

The most popular products in the category UEBA - User and Entity Behavior Analytics:
  • Rapid7 insightIDR
  • IBM QRadar UBA
  • Palo Alto Networks LightCyber
  • Microsoft Advanced Threat Analytics
  • Forcepoint User and Entity Behavior Analytics (UEBA)
  • Forcepoint SureView Analytics
  • Amazon Pinpoint
  • Rhebo Industrial Protector
  • Dragos Industrial Cybersecurity Platform
  • Securonix Enterprise
  • Fortscale UEBA
  • DNIF User Behavior Analytics

Comparison of products in the category UEBA - User and Entity Behavior Analytics

Characteristics compared:
  • Hadoop
  • Clouds
  • On-premises software
  • Advanced Analytics
  • Incident Response
  • Machine Learning
  • Deep Learning
  • Visibility into users via reports and dashboards
  • Near real-time alerts
  • Forensic Tools
  • Customizable notification
  • Role based reports
  • Threat Intelligence reports
  • Licensing model all based on identity
  • Technologies integration (SIEM, IAM, DLP)
  • Log collection from SaaS apps
  • Logs and user context data from Active Directory
  • Logs from endpoint security solutions
  • Network flow/packet data
  • Unstructured contextual data
  • Log collection from OS, apps, services
  • Metadata from electronic communications
  • Statistical models
  • Modelling based on rules and signatures
  • Catching users with anomalous behavior at start via a baselining model
  • System adaptation to users' dynamic role changes

Suppliers UEBA - User and Entity Behavior Analytics

  • Amazon Web Services: ARE, AUS, BHR, BRA, CAN, CHE, CHN, DEU, ESP, FRA, GBR, IDN, IRL, ISR, IND, ITA, JPN, KOR, NZL, SWE, SGP, THA, USA
  • Rapid7: ARM, AZE, GEO, KGZ, KAZ, MDA, TJK, TKM, UKR, UZB
  • Softprom (supplier): ARM, AUT, GEO, KAZ, MDA, UKR
  • ANYSOFT: UKR, USA
  • Claroty: AUS, DEU, GBR, ISR, KOR, SGP, USA
  • Nozomi Networks: ARE, AUS, BRA, CAN, CHE, DEU, DNK, ESP, GBR, ITA, NLD, PRT, SGP, USA
  • CUJO: AUS, BRA, CHN, FIN, GBR, HUN, LTU, MYS, PHL, USA
  • Eurotech: FRA, GBR, ITA, JPN, USA
  • Netskope: AUS, GBR, IND, NLD, SGP, USA
  • Cofense: ARE, AUS, GBR, IRL, ISR, IND, PHL, USA
  • BioCatch: AUS, BRA, GBR, ISR, IND, MEX, SGP, USA
  • Cleafy: BRA, DEU, ESP, ITA, NLD, SVN, USA
  • Kiteworks: AUT, AUS, BRA, CHE, DEU, FRA, GBR, IRL, ISR, MEX, NZL, SAU, SGP, USA
  • Cloudera: ARE, AUS, BRA, CAN, CHE, CHL, CHN, CRI, DEU, FRA, GBR, HUN, IDN, IRL, IND, JPN, KOR, NLD, SGP, USA

Vendors UEBA - User and Entity Behavior Analytics

  • Amazon Web Services: ARE, AUS, BHR, BRA, CAN, CHE, CHN, DEU, ESP, FRA, GBR, IDN, IRL, ISR, IND, ITA, JPN, KOR, NZL, SWE, SGP, THA, USA
  • Barracuda Networks: AUT, AUS, BEL, CAN, CHE, CHN, DEU, FRA, GBR, IRL, ISR, IND, ITA, JPN, LIE, LKA, LUX, MYS, NPL, NZL, PRT, SGP, USA
  • Rapid7: ARM, AZE, GEO, KGZ, KAZ, MDA, TJK, TKM, UKR, UZB
  • Acronis: AUS, BGR, CHE, DEU, FRA, ITA, JPN, KOR, ROU, SGP, TUR, USA, SRB
  • SAS: All countries
  • Aruba, a Hewlett Packard Enterprise Company: ARE, AUT, AUS, BEL, CAN, CHE, CHN, DEU, DNK, ESP, FIN, FRA, GBR, IDN, IRL, IND, JPN, KOR, MYS, NLD, NOR, NZL, PRT, SWE, SGP, THA, TWN, USA, ZAF
  • Claroty: AUS, DEU, GBR, ISR, KOR, SGP, USA
  • Nozomi Networks: ARE, AUS, BRA, CAN, CHE, DEU, DNK, ESP, GBR, ITA, NLD, PRT, SGP, USA
  • CUJO: AUS, BRA, CHN, FIN, GBR, HUN, LTU, MYS, PHL, USA
  • Eurotech: FRA, GBR, ITA, JPN, USA
  • Netskope: AUS, GBR, IND, NLD, SGP, USA
  • Cofense: ARE, AUS, GBR, IRL, ISR, IND, PHL, USA
  • empow: All countries
  • BioCatch: AUS, BRA, GBR, ISR, IND, MEX, SGP, USA
  • Cleafy: BRA, DEU, ESP, ITA, NLD, SVN, USA
  • ARCON: AUS, IND, USA

F.A.Q. about UEBA - User and Entity Behavior Analytics

What is UEBA?

Hackers can break into firewalls, send you e-mails with malicious and infected attachments, or even bribe an employee to gain access past your firewalls. Old tools and systems are quickly becoming obsolete, and there are several ways to get past them.

User and entity behavior analytics (UEBA) gives you a more comprehensive way of making sure that your organization has top-notch IT security, while also helping you detect users and entities that might compromise your entire system.

UEBA is a type of cybersecurity process that takes note of the normal conduct of users. It then detects anomalous behavior, that is, instances where activity deviates from these "normal" patterns. For example, if a particular user regularly downloads 10 MB of files every day but suddenly downloads gigabytes of files, the system would detect this anomaly and raise an alert immediately.

UEBA uses machine learning, algorithms, and statistical analysis to recognize when there is a deviation from established patterns, and it indicates which of these anomalies could represent a real threat. UEBA can also aggregate the data you have in your reports and logs, and analyze file, flow, and packet information.

In UEBA, you do not track security events or monitor devices; instead, you track all the users and entities in your system. As such, UEBA focuses on insider threats: employees who have gone rogue, employees whose accounts have been compromised, people who already have access to your system and then carry out targeted attacks and fraud attempts, as well as servers, applications, and devices that are working within your system.

What are the benefits of UEBA?

It is the unfortunate truth that today's cybersecurity tools are fast becoming obsolete, and more skilled hackers and cyber attackers are now able to bypass the perimeter defenses used by most companies. In the old days, you were secure if you had web gateways, firewalls, and intrusion prevention tools in place. This is no longer the case in today's complex threat landscape, and it is especially true for bigger corporations, which have proven to have very porous IT perimeters that are also very difficult to manage and oversee.

The bottom line? Preventive measures are no longer enough. Your firewalls are not going to be 100% foolproof, and hackers and attackers will get into your system at one point or another. This is why detection is equally important: when attackers do successfully get into your system, you should be able to detect their presence quickly in order to minimize the damage.

How Does UEBA Work?

The premise of UEBA is actually very simple. An attacker can steal an employee's user name and password fairly easily, but it is much harder to mimic that person's normal behavior once inside the network.

For example, suppose an attacker steals Jane Doe's password and user name. The attacker would still not be able to act precisely like Jane Doe once in the system without extensive research and preparation. Therefore, when Jane Doe's user name is logged in to the system and the behavior differs from Jane Doe's established pattern, that is when UEBA alerts start to sound.

Another relatable analogy is a stolen credit card. A thief can pickpocket your wallet, go to a high-end shop, and start spending thousands of dollars using your credit card. If your spending pattern on that card differs from the thief's, the company's fraud detection department will often recognize the abnormal spending and block suspicious purchases, issuing an alert to you or asking you to verify the authenticity of a transaction.

As such, UEBA is a very important component of IT security, allowing you to:

1. Detect insider threats. It is not too far-fetched to imagine that an employee, or perhaps a group of employees, could go rogue, stealing data and information by using their own access. UEBA can help you detect data breaches, sabotage, privilege abuse, and policy violations committed by your own staff.

2. Detect compromised accounts. Sometimes user accounts are compromised. It could be that the user unwittingly installed malware on his or her machine, or that a legitimate account has been spoofed. UEBA can help you weed out spoofed and compromised users before they can do real harm.

3. Detect brute-force attacks. Attackers sometimes target your cloud-based entities as well as third-party authentication systems. With UEBA, you are able to detect brute-force attempts and block access to these entities.

4. Detect changes in permissions and the creation of super users. Some attacks involve the use of super users. UEBA allows you to detect when super users are created, or when accounts are granted unnecessary permissions.

5. Detect breaches of protected data. If you have protected data, it is not enough to just keep it secure. You should know when a user accesses this data without a legitimate business reason to do so.
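To make the baselining idea in "What is UEBA?" and "How Does UEBA Work?" concrete, here is an added example; it is not code from this page or from any vendor listed above. The event format (daily bytes downloaded per entity), the z-score rule and the sigma floor are assumptions chosen for illustration, and the sample data is constructed.

```python
"""Minimal UEBA-style baseline: per-entity mean/sigma over a history window,
alert when a new observation's z-score exceeds a threshold (assumed rule)."""
from statistics import mean, pstdev

# Constructed sample: bytes downloaded per user per day, 7 days of history.
HISTORY = {
    "jane.doe": [10_000_000, 9_500_000, 11_000_000, 10_200_000,
                 9_800_000, 10_500_000, 10_100_000],
    "svc-backup": [2_000_000_000] * 7,  # backup account that always moves ~2 GB
}

def build_baselines(history, min_sigma_ratio=0.10):
    """Per-entity (mean, sigma). Sigma is floored to a fraction of the mean so a
    near-constant entity (sigma ~ 0) does not alert on trivial variation."""
    baselines = {}
    for entity, values in history.items():
        mu = mean(values)
        sigma = max(pstdev(values), mu * min_sigma_ratio)
        baselines[entity] = (mu, sigma)
    return baselines

def score(baselines, entity, value):
    """z-score of a new observation against the entity's baseline; None if
    the entity has no baseline yet."""
    if entity not in baselines:
        return None
    mu, sigma = baselines[entity]
    return (value - mu) / sigma

def detect(baselines, observations, threshold=3.0):
    """Return (entity, value, z) for observations beyond the threshold.
    Entities without a baseline are reported with z=None: no history means no
    decision, and a new account appearing is itself worth a look."""
    alerts = []
    for entity, value in observations:
        z = score(baselines, entity, value)
        if z is None or z > threshold:
            alerts.append((entity, value, z))
    return alerts

# Constructed "today": Jane suddenly pulls 3 GB (the page's 10 MB vs gigabytes
# case), the backup job is within its norm, and an unknown account appears.
TODAY = [("jane.doe", 3_000_000_000), ("svc-backup", 2_050_000_000),
         ("new.contractor", 50_000_000)]

if __name__ == "__main__":
    for entity, value, z in detect(build_baselines(HISTORY), TODAY):
        print(f"ALERT {entity}: {value} bytes, z={z}")
```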
