Tony Mason

Vulnerability Management & SIEM

User and Entity Behaviour Analytics (UEBA)

What is UEBA?

What is the difference between UBA vs UEBA and how does it fit in with SIEM?

User and Entity Behaviour Analytics (UEBA) focuses on analysing activity, specifically user behaviour, device usage, and security events within your network environment. It helps companies detect potential insider threats and compromised accounts. The concept has been around for some time. It was first defined in detail by Gartner in 2015 in its Market Guide for User and Entity Analytics.

How Does UEBA Work?

In essence, UEBA solutions create a baseline of standard behaviour for users and entities within a corporate network. They then look for deviations from that baseline and alert network admins or security teams to anything that could indicate a potential security threat.

To do this, UEBA solutions collect live data that includes:

  • User actions, such as applications used, interactions with data, keystrokes, mouse movement, and screenshots.
  • Activity on devices attached to the network, such as servers, routers, and data repositories.
  • Security events from supported devices and platforms.

Advanced analytical methods are then applied to this data to model the baseline of activity. Once this baseline of behaviour has been established, the UEBA solution continuously monitors behaviour on the network and compares it to the established baseline. When behaviour extends beyond an established activity threshold, it alerts the appropriate teams to the detected anomaly.
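The baseline-then-compare loop described above, as an added example that is not from the original article or from any vendor's product: it learns a per-entity profile (daily transfer volume and destination ports seen) and flags days that exceed a threshold. The event fields, the median/MAD modified z-score, the entity names, and the MIN_DAYS and THRESHOLD values are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

MIN_DAYS = 5      # assumed: history required before an entity is scored
THRESHOLD = 3.5   # assumed: alert cut-off on the modified z-score

def build_baseline(events):
    """events: (entity, day, mb_transferred, dest_port) from the learning window."""
    daily, ports = defaultdict(lambda: defaultdict(float)), defaultdict(set)
    for entity, day, mb, port in events:
        daily[entity][day] += mb
        ports[entity].add(port)
    profiles = {}
    for entity, per_day in daily.items():
        vols = list(per_day.values())
        med = median(vols)
        mad = median([abs(v - med) for v in vols])  # robust spread, resists outliers
        profiles[entity] = {"days": len(vols), "median": med, "mad": mad,
                            "ports": ports[entity]}
    return profiles

def score_day(profiles, entity, mb_total, ports_used):
    """Return deviations for one entity-day; an empty list means within baseline."""
    prof = profiles.get(entity)
    if prof is None or prof["days"] < MIN_DAYS:
        return ["no-baseline"]  # cold start: too little history to judge
    # Floor the spread so a flat history (MAD == 0) cannot divide by zero
    spread = max(prof["mad"], 0.05 * prof["median"], 1.0)
    z = 0.6745 * (mb_total - prof["median"]) / spread
    findings = ["volume-spike"] if z > THRESHOLD else []
    findings += [f"new-port:{p}" for p in sorted(set(ports_used) - prof["ports"])]
    return findings

# Constructed learning window: one user, one server entity, one new account
HISTORY = (
    [("alice", d, mb, 443) for d, mb in enumerate([100, 110, 95, 105, 100, 90])]
    + [("srv-db01", d, mb, 5432) for d, mb in enumerate([20, 22, 21, 19, 20, 20])]
    + [("bob", d, 50, 443) for d in range(2)]
)
PROFILES = build_baseline(HISTORY)

if __name__ == "__main__":
    print(score_day(PROFILES, "alice", 108, {443}))         # ordinary day
    print(score_day(PROFILES, "alice", 2400, {443, 8081}))  # large transfer, new port
    print(score_day(PROFILES, "srv-db01", 21, {5432, 22}))  # server on an unseen port
    print(score_day(PROFILES, "bob", 900, {443}))           # not enough history
```

The cold-start branch matters in practice: an account with only a couple of days of history is reported as unscored instead of being compared against a baseline that does not yet mean anything.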


Initially this technology was referred to simply as User Behaviour Analytics (UBA). As the name implies, this concept focused exclusively on activity at the user level to indicate potential threats. However, Gartner later added the “entity” to reflect the fact that “other entities besides users are often profiled in order to more accurately pinpoint threats”. Gartner defined these other entities as including managed and unmanaged endpoints, servers, and applications, whether cloud-based, mobile-based, or on-premises.

This expanded scope then includes looking for any “suspicious” or anomalous activity that may be based on network traffic, or on requests sent from a specific endpoint to unusual ports or external IP addresses. It also looks at operating system process behaviour, privileged account activity on specific devices, the volume of information being accessed or altered, or the type of systems being accessed.

By broadening the scope of its focus to cover non-human processes and machine entities, Gartner’s UEBA definition means UEBA can analyse both sources of data. This helps to gain greater context and insight around activity.  As a result it can produce a more accurate profile of the baseline of activity within an IT network.

Therefore, the solution is able to more accurately pinpoint anomalies and potential threats.  This even includes things that would often have gone unnoticed by “traditional” security monitoring processes such as SIEM or DLP.

Do SIEM And UEBA Offer The Same Protection? 

With many corporate security teams having already implemented security information and event management (SIEM) solutions, a common question is whether UEBA and SIEM offer the same protection. After all, they both collect security-related information that can indicate a potential or active threat.

UEBA solutions typically include the following benefits:

  • The ability to use behavioural baselining to accurately detect compromised user accounts.
  • Automation to create improved security efficiency.
  • The use of advanced behavioural analytics helps to reduce the attack surface by frequently updating IT security staff and network admins about any potential weak points within the network.

The key difference is that SIEM solutions are traditionally more focused on log and event data. These wouldn’t allow you to create a standard baseline of overall user and network environment behaviour in the same way that a UEBA-focused solution would. However, it’s important to note that, as with UEBA solutions, the information gathered by SIEM solutions comes from a wide range of different IT network endpoints. It is then collated and analysed within a central system.

Sound familiar? It should; the line between UEBA and SIEM can be rather thin, depending on the collection and analysis capabilities of a given SIEM solution.

With the right input data, the SIEM solution can process the collected data and combine it with real-time event analysis. It can then present it in a format that helps provide security analysts and system administrators with actionable insights into anomalies that may indicate a threat.

Successful SIEM

The use of SIEM solutions is becoming increasingly widespread within the corporate landscape. This is because they offer organisations a number of important benefits, including:

  • Improved cybersecurity incident handling and response.
  • Improved security defences.
  • The ability to automate compliance reporting to help organisations achieve compliance with the relevant regulations for their industry, such as GDPR, HIPAA, and PCI DSS.

To be able to more accurately predict potential threats through user and entity activity, SIEM solutions need to both:

a) Be able to collect the needed and relevant activity and behavioural data.

b) Have the ability to accurately analyse that data in the context of finding anomalous threat-related activity, to produce more targeted and actionable alerting.

As you can see, there are some differences between the two solutions. However, SIEM solutions become a viable option in an organisation’s journey to implement UEBA as long as SIEM solutions can:

  • Be set up to comprehensively collect enough similar data to provide the same value as a traditional UEBA solution.
  • Provide the conclusive analysis needed to identify leading and active indicators of threat activity.

By Nick Cavalancia, Microsoft Cloud and Datacenter MVP, for AT&T.

AlienVault USM – UBA vs UEBA and SIEM

Traditional SIEM software solutions promise to provide what you need, but the path to get there is one that most of us can’t afford. Traditional SIEM solutions collect and analyse the data produced by other security tools and log sources, which can be expensive and complex to deploy and integrate. Plus, they require constant fine-tuning and rule writing.

AlienVault USM provides a different path. In addition to all the functionality of a world-class SIEM, AlienVault USM unifies the essential security capabilities needed for complete and effective threat detection, incident response, and compliance management—all in a single platform with no additional feature charges. Their focus on ease of use and rapid time to benefit makes the USM platform the perfect fit for organisations of all shapes and sizes.  See here for more information.