User behavior analytics

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

User behavior analytics (UBA) as defined by Gartner is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns—anomalies that indicate potential threats.[1] Instead of tracking devices or security events, UBA tracks a system's users.[2] Big data platforms like Apache Hadoop are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.[3][4]


The problem UBA responds to, as described by Nemertes Research CEO Johna Till Johnson, is that "Security systems provide so much information that it's tough to uncover information that truly indicates a potential for real attack. Analytics tools help make sense of the vast amount of data that SIEM, IDS/IPS, system logs, and other tools gather. UBA tools use a specialized type of security analytics that focuses on the behavior of systems and the people using them. UBA technology first evolved in the field of marketing, to help companies understand and predict consumer-buying patterns. But as it turns out, UBA can be extraordinarily useful in the security context too." [5]

Market developments[edit]

Developments in UBA technology led Gartner to evolve the category to user and entity behavior analytics ("UEBA"). In September 2015, Gartner published the Market Guide for User and Entity Analytics by Vice President and Distinguished Analyst, Avivah Litan, that provided a thorough definition and explanation. UEBA was referred to in earlier Gartner reports but not in much depth. Expanding the definition from UBA includes devices, applications, servers, data, or anything with an IP address. It moves beyond the fraud-oriented UBA focus to a broader one encompassing "malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP."[6] The addition of "entity" reflects that devices may play a role in a network attack and may also be valuable in uncovering attack activity. "When end users have been compromised, malware can lay dormant and go undetected for months. Rather than trying to find where the outsider entered, UEBAs allow for quicker detection by using algorithms to detect insider threats."[7]

Particularly in the computer security market, there are many vendors for UEBA applications. They can be "differentiated by whether they are designed to monitor on-premises or cloud-based software as a service (SaaS) applications; the methods in which they obtain the source data; the type of analytics they use (i.e., packaged analytics, user-driven or vendor-written), and the service delivery method (i.e., on-premises or a cloud-based)."[8] According to the 2015 market guide released by Gartner, "the UEBA market grew substantially in 2015; UEBA vendors grew their customer base, market consolidation began, and Gartner client interest in UEBA and security analytics increased."[9] The report further projected, "Over the next three years, leading UEBA platforms will become preferred systems for security operations and investigations at some of the organizations they serve. It will be—and in some cases already is—much easier to discover some security events and analyze individual offenders in UEBA than it is in many legacy security monitoring systems."[9]

See also[edit]


  1. ^ Market Guide for User Behavior Analytics
  2. ^ The hunt for data analytics: Is your SIEM on the endangered list?
  3. ^ Ahlm, Eric; Litan, Avivah (26 April 2016). "Market Trends: User and Entity Behavior Analytics Expand Their Market Reach". Gartner. Retrieved 15 July 2016.
  4. ^ "Cybersecurity at petabyte scale". Retrieved 15 July 2016.
  5. ^ User behavioral analytics tools can thwart security attacks
  6. ^ "Market Guide for User and Entity Behavior Analytics". Retrieved 2016-11-10.
  7. ^ Zurkus, Kacy (27 October 2015). "User entity behavior analytics, next step in security visibilty". CSO Online. Retrieved 2016-06-06.
  8. ^ "Detect Security Breaches Early by Analyzing Behavior - Smarter With Gartner". Smarter With Gartner. 2015-06-04. Retrieved 2016-06-06.
  9. ^ a b "Market Guide for User and Entity Behavior Analytics". Gartner, Inc. September 22, 2015. Retrieved June 6, 2016.

External links[edit]