UEBA in Enterprise SecOps

User and Entity Behavior Analytics (UEBA) is the analysis of user and entity behavior data to detect suspicious behaviors associated with security threats. UEBA tools establish baselines that define what ‘normal’ behavior looks like, so that deviations from that baseline can be quantified and tracked.

[Image: film still. Source: 20th Century Fox Film Corporation. Caption: Imagine the black box as ‘normal’ behavior.]

Okay — can you give me an example?

Let’s provide some very basic hypothetical context to show why User and Entity Behavior Analytics tools can help security operations. Typically in a SIEM, account logins are tracked but not logically correlated with one another. For instance, when account user Erika Baker logs into her workstation, this event is recorded in a log, which is collected, ingested, and stored by the SIEM. A security analyst could search for this login, or any stored login event, by searching for user='erika.baker' or similar, depending on the search language used.
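The contrast the paragraph draws is between a plain search (find every login for one user) and a baseline (know what that user's logins normally look like, so an unusual one stands out). The following is an added example, not code from the article or any UEBA product: it parses a handful of constructed key=value log lines (the format, host names and user names are assumptions for illustration), reproduces the SIEM-style `user='erika.baker'` search, then builds a per-user baseline of hosts and login hours and scores a new login against it.

```python
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample login events in a simple key=value form. The format,
# users and hosts are assumptions for this example, not a vendor's export.
BASELINE_LOGS = [
    "ts=2024-03-04T08:05:00 user=erika.baker host=WS-EB01 result=success",
    "ts=2024-03-05T08:12:00 user=erika.baker host=WS-EB01 result=success",
    "ts=2024-03-06T07:58:00 user=erika.baker host=WS-EB01 result=success",
    "ts=2024-03-07T08:20:00 user=erika.baker host=WS-EB01 result=success",
    "ts=2024-03-08T09:01:00 user=erika.baker host=WS-EB01 result=success",
    "ts=2024-03-04T09:30:00 user=j.doe host=WS-JD01 result=success",
    "ts=2024-03-05T09:45:00 user=j.doe host=WS-JD01 result=success",
    "ts=2024-03-06T09:40:00 user=j.doe host=WS-JD01 result=success",
    "ts=2024-03-07T10:02:00 user=j.doe host=SRV-FILE01 result=success",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; the timestamp stays an ISO string."""
    return dict(field.split("=", 1) for field in line.split())


def search(lines: List[str], **filters: str) -> List[Dict[str, str]]:
    """Plain SIEM-style search: events whose fields equal every filter value.

    search(logs, user="erika.baker") is the equivalent of the article's
    user='erika.baker' query: it finds the events but says nothing about
    whether they are normal for that user.
    """
    events = (parse_line(line) for line in lines)
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]


def build_baseline(lines: List[str]):
    """Per-user profile of which hosts and which hours of day have been seen.

    This is the 'black box' of normal behavior: counts of observed hosts and
    login hours, built only from historical successful logins.
    """
    baseline = defaultdict(lambda: {"hosts": Counter(), "hours": Counter()})
    for event in (parse_line(line) for line in lines):
        if event.get("result") != "success":
            continue
        hour = datetime.fromisoformat(event["ts"]).hour
        baseline[event["user"]]["hosts"][event["host"]] += 1
        baseline[event["user"]]["hours"][hour] += 1
    return baseline


def score_login(baseline, line: str, hour_slack: int = 1) -> List[str]:
    """Return the reasons a login deviates from its user's baseline.

    An empty list means the login looks like the user's established pattern.
    hour_slack widens the accepted window around previously seen hours;
    the hour distance wraps at midnight so 23:00 and 00:00 are neighbours.
    """
    event = parse_line(line)
    profile = baseline.get(event["user"])  # .get() does not create an entry
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if event["host"] not in profile["hosts"]:
        reasons.append(f"new host {event['host']}")
    hour = datetime.fromisoformat(event["ts"]).hour
    def distance(h: int) -> int:
        delta = abs(hour - h)
        return min(delta, 24 - delta)
    if not any(distance(h) <= hour_slack for h in profile["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons


if __name__ == "__main__":
    # The search answers "when did erika.baker log in?"; the baseline score
    # answers "is this login like her others?". Constructed new events below.
    print(len(search(BASELINE_LOGS, user="erika.baker")), "logins found")
    profile = build_baseline(BASELINE_LOGS)
    for new_login in [
        "ts=2024-03-11T08:30:00 user=erika.baker host=WS-EB01 result=success",
        "ts=2024-03-11T02:14:00 user=erika.baker host=SRV-FILE01 result=success",
    ]:
        print(new_login.split()[1], score_login(profile, new_login) or "normal")
```

In a real deployment the baseline would be built over weeks of events and would include far more dimensions (source IP, geolocation, volume of data accessed, peer-group comparison), and the score would feed an alert with the reasons attached so the analyst sees why the login was flagged rather than only that it was.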

Who Uses UEBA tools?

If you haven’t yet heard of the 20 CIS Controls, they are frequently used in enterprise to guide the growth of internal security programs. These controls serve as “a short list of high-priority, highly effective defensive actions that provide a ‘must-do, do-first’ starting point for every enterprise seeking to improve their cyber defense.” (CIS, 2019)

UEBA Use Cases

UEBA tools typically look for the same or similar patterns in the data: anomalies or trends in behavior that indicate a security event or compromise. The following is a list of 10 common UEBA use cases (Gartner, Mar 2017):
