User behavior analytics (UBA) is the tracking, collecting and assessing of user data and activities using monitoring systems.
UBA technologies analyze historical data logs -- including network and authentication logs collected and stored in log management and SIEM systems -- to identify patterns of traffic caused by user behaviors, both normal and malicious. While UBA systems don't take action based on their findings, they are intended to provide security teams with actionable insights.
Behavior analysis systems first appeared in the early 2000s as a tool to help marketing teams analyze and predict customer buying patterns.
Today, user behavior analytics tools have more advanced profiling and exception monitoring capabilities than SIEM systems and are used for two main functions. First, UBA tools determine a baseline of normal activities specific to the organization and its individual users. Second, they identify deviations from that baseline. UBA uses big data and machine learning algorithms to assess these deviations in near-real time.
UBA collects various types of data, such as user roles and titles -- including access, accounts and permissions -- user activity, geographical location and security alerts. This data can be drawn from past and current activity, and the analysis takes into account factors such as resources used, session duration, connectivity and peer group activity, against which anomalous behavior is compared. The baseline also updates automatically when the underlying data changes, such as a promotion or added permissions.
UBA systems don't report all anomalous behavior as risky. Instead, they evaluate the behavior's potential impact. If the behavior involves less sensitive resources, it receives a low impact score; if it involves something more sensitive, such as PII, it receives a higher impact score. This lets security teams prioritize what to follow up on, while the UBA system automatically restricts access or increases the difficulty of authentication for the user showing anomalous behavior.
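To make the baseline-then-deviation-then-impact flow concrete, here is an added illustration (not code from any UBA product or from the original article) that builds a per-user baseline from constructed access events, scores how far a new event departs from it, and weights that anomaly by an assumed resource sensitivity table so that a PII-bearing system outranks a wiki page. The event fields, the sensitivity weights and the scoring constants are assumptions chosen for the demonstration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample of historical access events (user, hour, country, resource);
# not real log data. In practice these come from auth/network logs held in the SIEM.
HISTORY = [
    ("alice", 9, "US", "wiki"), ("alice", 10, "US", "wiki"), ("alice", 11, "US", "crm"),
    ("alice", 9, "US", "crm"), ("alice", 14, "US", "wiki"), ("alice", 16, "US", "crm"),
    ("bob", 8, "US", "build"), ("bob", 9, "US", "build"), ("bob", 13, "US", "build"),
    ("bob", 17, "US", "wiki"), ("bob", 10, "US", "build"), ("bob", 15, "US", "build"),
]
# Impact weight per resource; PII-bearing systems weigh more (assumed values).
SENSITIVITY = {"wiki": 1, "build": 2, "crm": 3, "hr_pii": 5}

def build_baselines(events):
    """Per-user baseline: typical hours, countries seen, resources used."""
    by_user = defaultdict(list)
    for user, hour, country, resource in events:
        by_user[user].append((hour, country, resource))
    baselines = {}
    for user, rows in by_user.items():
        hours = [h for h, _, _ in rows]
        baselines[user] = {
            "hour_mean": mean(hours),
            "hour_sd": pstdev(hours) or 1.0,  # constant hours: avoid divide by zero
            "countries": {c for _, c, _ in rows},
            "resources": Counter(r for _, _, r in rows),
        }
    return baselines

def score_event(baselines, event):
    """Return anomaly score, impact and their product, used as triage priority."""
    user, hour, country, resource = event
    base = baselines.get(user)
    impact = SENSITIVITY.get(resource, 1)
    if base is None:  # no history at all: treat as fully anomalous
        return {"anomaly": 7.0, "impact": impact, "risk": 7.0 * impact}
    z = abs(hour - base["hour_mean"]) / base["hour_sd"]
    anomaly = min(z, 3.0)                 # cap so one outlier hour cannot dominate
    anomaly += 2.0 if country not in base["countries"] else 0.0
    anomaly += 2.0 if resource not in base["resources"] else 0.0
    return {"anomaly": round(anomaly, 2), "impact": impact,
            "risk": round(anomaly * impact, 2)}

def prioritize(baselines, events):
    """Sort new events by risk, highest first, for analyst follow-up."""
    scored = [(e, score_event(baselines, e)) for e in events]
    return sorted(scored, key=lambda pair: pair[1]["risk"], reverse=True)
```

Note that the same behavioral oddity (an unusual hour from a new country) lands near the top of the queue when it touches the PII system and near the bottom when it touches the wiki, which is the prioritization the article describes.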
Machine learning algorithms allow UBA systems to eliminate false positives and provide clearer, more accurate and actionable risk intelligence.
While running user behavior analytics on just one user may not be useful for finding malicious activity, running it at large scale gives an organization the ability to detect malware or other potential threats. UBA is therefore most useful to larger financial or manufacturing companies.