User behavior analytics (UBA) is the tracking, collecting and assessing of user data and activities using monitoring systems.
UBA technologies analyze historical data logs -- including network and authentication logs collected and stored in log management and SIEM systems -- to identify patterns of traffic caused by user behaviors, both normal and malicious. UBA systems are primarily intended to provide cybersecurity teams with actionable insights. While UBA systems don't take action based on their findings, they can be configured to automatically adjust the difficulty of authenticating users who show anomalous behavior.
Uses of user behavior analytics
Behavior analysis systems first appeared in the early 2000s as tools to help marketing teams analyze and predict customer buying patterns.
Today, user behavior analytics tools have more advanced profiling and exception monitoring capabilities than SIEM systems and are used for two main functions. First, UBA tools can be used to determine a baseline of normal activities specific to the organization and its individual users. Second, they can also be used to identify deviations from normal. UBA uses big data and machine learning algorithms to assess these deviations in near-real time.
While applying user behavior analytics to just one user may not be useful for finding malicious activity, running it on a large scale can give an organization the ability to detect malware or other potential cybersecurity threats, such as data exfiltration, insider threats and compromised endpoints.
How user behavior analytics works
UBA collects various types of data, such as user roles and titles, including access, accounts and permissions; user activity and geographical location; and security alerts. This data can be collected from past and current activity, and the analysis takes into consideration factors such as resources used, duration of sessions, connectivity and peer group activity to compare anomalous behavior to. It also automatically updates when changes are made to the data, such as promotions or added permissions.
UBA systems don't report all anomalies as risky. Instead, they evaluate the behavior's potential impact. If the behavior involves less-sensitive resources, it receives a low impact score. If it involves something more sensitive, like personally identifiable information, it will receive a higher impact score. This way security teams can prioritize what to follow up on while the UBA system automatically restricts or increases difficulty of authentication for the user showing anomalous behavior.
Machine learning algorithms enable UBA systems to reduce false positives and provide clearer and more accurate actionable risk intelligence to cybersecurity teams.
User and entity behavior analytics
In 2015, analyst firm Gartner published a market guide for what it coined as user and entity behavior analytics (UEBA). User and entity behavior analytics technologies have the same capabilities as traditional UBA, with the addition of being able to track not just user activity, but also the activity of devices, applications, servers and data. Instead of analyzing user behavior data, this technology combines user behavior data with behavior data from entities. While UBA is designed to track insider threats, UEBA is designed to use machine learning to look for all types of anomalies that could represent threats. Enterprises often use UEBA in conjunction with SIEM technologies to better analyze the information gathered.
User behavior analytics tools
The market for user behavior analytics tools has grown since the technology was first introduced. Major vendors for UBA technology include Splunk, Rapid7, Gurucul, Fortscale, Exabeam, Hewlett Packard Enterprise, Niara (acquired by HPE in 2017) and many others.