What is user behavior analytics (UEBA)?

User behavior analytics (also known as UEBA or entity behavior analytics) is cybersecurity technology that uses monitoring tools to gather and assess data from user activity, with the goal of proactively finding and flagging suspicious behavior before it leads to a data breach. By relying on machine learning to learn how users normally interact with corporate resources, user behavior analytics can immediately recognize anomalous behavior to stop bad actors from accessing sensitive information. This threat intelligence enables continuous risk assessment without complicating the end-user experience.

Much like SIEM (Security Information and Event Management), UEBA is an approach to information security that relies on the automated analysis of data to detect and stop potential cyberattacks in real time. While traditional security tools like SIEM analyze events that occur behind firewalls, UEBA focuses on data generated by user behavior. Examples of data analyzed by UEBA include network traffic, login times, geographic locations, session duration, file downloads, and authentication logs. This information enables the UEBA solution to identify typical patterns of activity, and then take action if users deviate from these patterns in ways that indicate malicious behavior.

Why are user behavior analytics important?

The average data breach can cost a company millions and often involves internal threats. This makes it important to recognize suspicious activity before bad actors can steal sensitive data like health records or intellectual property. However, perimeter-facing enterprise security technology like firewalls or encryption does nothing to stop malicious actors who have already gained access to an organization’s data through phishing, malware, or credential theft.

What’s more, the widespread adoption of SaaS, cloud, and mobile apps has made risk management more difficult. It’s especially challenging for IT teams to identify and address potential threats across hybrid cloud architectures. Many of these apps and services may not even be officially sanctioned by IT, making it tougher to detect bad actors using them. This creates a need for continuous visibility across apps, users, networks, cloud services, and devices to eliminate security blind spots and help security teams identify, analyze, and respond to data exfiltration attempts proactively.

User behavior analytics address this challenge by continuously monitoring the activity of every user, using threat detection to find and flag anomalous behavior before it leads to a breach. This enables organizations to protect sensitive data inside their systems instead of only protecting the perimeter. 

How do user behavior analytics work?

At a high level, user behavior analytics work by establishing benchmarks or rules for normal user behavior and alerting IT when a user deviates from these benchmarks. For example, if normal working hours are defined as 7 am to 8 pm, the UEBA solution would flag an attempt to sign on and access sensitive files at 3 am as unusual—and either halt access immediately or alert IT admins. If the user’s credentials had been stolen and used by a hacker, this would prevent a serious breach.

More sophisticated UEBA solutions contain dynamic rule-making features that create specific risk profiles for each user. These profiles are created by monitoring how each user in an organization works: what apps they use, their preferred devices and networks, and how they access and share files for projects. If a user exhibits anomalous behavior, such as unusual usage of an application or excessive file sharing activity, the UEBA solution can autonomously take action to block the user’s device or access before data is compromised. This advanced rule-making capability in user behavior analytics is possible through machine learning.

How does machine learning work with UEBA?

Machine learning (ML) is similar to artificial intelligence (AI) in that it enables software to self-improve by analyzing and learning from relevant data. AI and machine learning are transforming many business processes, and user behavior analytics are no exception. ML-capable user behavior analytics solutions can create user-specific rules and risk scores. Here’s a high-level view of how machine learning works in user behavior analytics:

  1. The organization provides the machine learning engine access to a lake of user data drawn from IT events, application usage, logons, network activity, and more. By integrating security analytics with the enterprise IT environment, organizations can fill their big data lake to improve the machine learning process.
  2. After an organization’s behavioral analytics platform has filled its data lake, it then correlates this data to distinct users inside the organization. This is the foundation for risk profiles and associated behavioral patterns that the machine learning engine will develop.
  3. Once data is correlated to individuals inside the organization, the machine learning engine begins to understand how those users work and behave at their jobs. This enables the machine learning engine to acquire actionable insights into each user’s everyday behavior and work styles—ones the organization would otherwise not be able to get.

After developing these actionable insights, the machine learning engine creates dynamic risk profiles for each user inside the organization. This allows the platform to assign a risk score to each individual user session. If a user starts to behave in an odd or suspicious way that does not match their normal work activity, the security analytics platform immediately recognizes this abnormal behavior. Once the engine recognizes abnormal behavior, it will either notify IT to take action, or log out the user and make them re-authenticate, depending on IT configuration.
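The following is an added worked example, not Citrix code or any product's implementation, that ties together the two mechanisms described above: the static benchmark rule (a sign-on outside normal hours is flagged) and the dynamic per-user risk profile that is learned from history and used to score each session, with the response (allow, alert IT, or force re-authentication) driven by a configurable policy. The session records, user names, country and device codes, feature weights and thresholds are all constructed for illustration; a production engine would learn distributions rather than the min/max and mean baselines used here.

```python
"""Toy UEBA baseline-and-score engine (added example, not Citrix code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample history: one record per completed session (not real logs).
HISTORY = [
    {"user": "alice", "ts": "2024-03-04T08:15:00", "country": "US", "device": "lt-01", "files_shared": 2},
    {"user": "alice", "ts": "2024-03-05T09:02:00", "country": "US", "device": "lt-01", "files_shared": 1},
    {"user": "alice", "ts": "2024-03-06T17:40:00", "country": "US", "device": "lt-01", "files_shared": 3},
    {"user": "alice", "ts": "2024-03-07T13:10:00", "country": "US", "device": "phone-7", "files_shared": 0},
    {"user": "bob", "ts": "2024-03-04T22:30:00", "country": "DE", "device": "lt-09", "files_shared": 5},
    {"user": "bob", "ts": "2024-03-05T23:15:00", "country": "DE", "device": "lt-09", "files_shared": 6},
    {"user": "bob", "ts": "2024-03-06T21:50:00", "country": "DE", "device": "lt-09", "files_shared": 4},
]

# Hypothetical policy; stands in for the "IT configuration" the text mentions.
POLICY = {
    "hour_slack": 1,          # hours outside the observed window that are tolerated
    "share_multiplier": 3.0,  # files_shared above baseline * multiplier counts as excessive
    "alert_at": 4,            # score >= alert_at  -> notify IT
    "reauth_at": 8,           # score >= reauth_at -> log the user out and force re-auth
}

# Constructed weights: how much each anomaly contributes to the session risk score.
WEIGHTS = {"off_hours": 3, "new_country": 4, "new_device": 2, "excessive_sharing": 3}


def build_profiles(history):
    """Correlate events to users and learn each user's normal pattern (steps 2 and 3 above)."""
    per_user = defaultdict(list)
    for ev in history:
        per_user[ev["user"]].append(ev)
    profiles = {}
    for user, events in per_user.items():
        hours = [datetime.fromisoformat(e["ts"]).hour for e in events]
        profiles[user] = {
            "hour_min": min(hours),
            "hour_max": max(hours),
            "countries": {e["country"] for e in events},
            "devices": {e["device"] for e in events},
            "typical_shares": mean(e["files_shared"] for e in events),
        }
    return profiles


def score_session(profile, session, policy=POLICY):
    """Return (risk_score, reasons) for one session measured against the user's profile."""
    reasons = []
    hour = datetime.fromisoformat(session["ts"]).hour
    slack = policy["hour_slack"]
    if not (profile["hour_min"] - slack <= hour <= profile["hour_max"] + slack):
        reasons.append("off_hours")          # the 3 am sign-on case from the text
    if session["country"] not in profile["countries"]:
        reasons.append("new_country")
    if session["device"] not in profile["devices"]:
        reasons.append("new_device")
    # Floor the baseline at 1 so a user who never shares files is still measured.
    baseline = max(profile["typical_shares"], 1.0)
    if session["files_shared"] > baseline * policy["share_multiplier"]:
        reasons.append("excessive_sharing")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score, policy=POLICY):
    """Map a score to the response the text describes: allow, alert IT, or force re-auth."""
    if score >= policy["reauth_at"]:
        return "reauthenticate"
    if score >= policy["alert_at"]:
        return "alert"
    return "allow"


def evaluate(profiles, session, policy=POLICY):
    """Score one session; a user with no learned baseline is routed to IT for review."""
    profile = profiles.get(session["user"])
    if profile is None:
        return {"score": policy["alert_at"], "reasons": ["no_baseline"], "action": "alert"}
    score, reasons = score_session(profile, session, policy)
    return {"score": score, "reasons": reasons, "action": decide(score, policy)}


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # Alice's credentials used at 3 am from an unseen country ("ZZ", constructed) on an unknown device.
    suspicious = {"user": "alice", "ts": "2024-03-08T03:05:00", "country": "ZZ", "device": "unknown", "files_shared": 40}
    # Bob routinely works late from DE, so the same late hour is normal for him and is not flagged.
    normal = {"user": "bob", "ts": "2024-03-08T22:10:00", "country": "DE", "device": "lt-09", "files_shared": 5}
    for s in (suspicious, normal):
        print(s["user"], evaluate(profiles, s))
```

The point the two sessions make is the one the text makes: the same clock time is anomalous for one user and routine for another, so a per-user profile, not a single organization-wide rule, decides the score. Two simplifications to be aware of when adapting this: the hour window does not wrap around midnight, and new users have no baseline, so the engine deliberately alerts on them rather than silently allowing or blocking.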

Citrix solutions for UEBA

To protect sensitive company data, you need to keep users secure in real time. Citrix Analytics for Security uses machine learning to assess, detect, and prevent risks at the individual user level. This cloud-delivered UEBA tool helps organizations identify suspicious behaviors and stop internal threats long before they lead to breaches.