User and entity behavior analytics, or UEBA, is a cybersecurity process that records the normal behaviour of users and entities and then flags activity that deviates from those established "natural" patterns as anomalous.
UEBA uses machine learning, algorithms, and statistical analysis to decide when behaviour deviates from existing trends and which of those deviations may indicate a real threat. UEBA also aggregates the data in your reports and records, and analyzes information about files, flows and packets.
In UEBA, you are not monitoring security events or devices; rather, you are tracking all the users and entities inside your network. As such, UEBA focuses on insider risks: workers who have gone rogue, workers whose accounts have already been compromised, and individuals who already have access to the network and use it to conduct targeted attacks or suspected fraud, as well as the servers, applications, and devices operating within your system.
UEBA is a very important component of IT security, allowing you to:
1. Detect insider threats. It is not too far-fetched to imagine that an employee, or perhaps a group of employees, could go rogue, stealing data and information by using their own access. UEBA can help you detect data breaches, sabotage, privilege abuse, and policy violations made by your own staff.
2. Detect compromised accounts. Sometimes, user accounts are compromised. It could be that the user unwittingly installed malware on his or her machine, or sometimes a legitimate account is spoofed. UEBA can help you weed out spoofed and compromised users before they can do real harm.
3. Detect brute-force attacks. Hackers sometimes target your cloud-based entities as well as third-party authentication systems. With UEBA, you are able to detect brute-force attempts, allowing you to block access to these entities.
4. Detect changes in permissions and creation of super users. Some attacks involve the use of super users. UEBA allows you to detect when super users are created, or when accounts are granted unnecessary permissions.
5. Detect breach of protected data. If you have protected data, it is not enough to just keep it secure. You should also know when a user accesses this data without any legitimate business reason to do so.
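To make the baseline-and-deviation idea above concrete, here is an added example (not code from the article or from any UEBA product) of a minimal UEBA-style scorer in Python. It builds a per-user profile from a quiet training window of constructed authentication and audit log lines, then scores a later day against that profile: logon-volume deviation as a z-score (the statistical-analysis part), first-time access to a host the user never used before (compromised or rogue account), a burst of failed logons within a short window (brute force), and any privilege change (super-user creation). The log line format, the user and host names, and all thresholds are assumptions chosen for the example; the floor of 1.0 on the standard deviation is a design choice so that a perfectly flat baseline does not produce an infinite score.

```python
"""Minimal UEBA-style anomaly scorer (added example, not a product's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed log format: "<ISO timestamp> key=value key=value ..."
LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line):
    """Parse one log line into a dict of fields plus a 'ts' datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(kv.split("=", 1) for kv in m.group(2).split())
    event["ts"] = datetime.fromisoformat(m.group(1))
    return event


def constructed_baseline():
    """Constructed training data: five quiet days, alice logs on twice a day to web01, bob three times to db01."""
    lines = []
    for day in range(1, 6):
        for hour in (9, 13):
            lines.append(f"2024-05-{day:02d}T{hour:02d}:00:00 user=alice host=web01 event=logon result=success")
        for hour in (8, 12, 16):
            lines.append(f"2024-05-{day:02d}T{hour:02d}:00:00 user=bob host=db01 event=logon result=success")
    return lines


# Constructed evaluation day containing the anomalies we want to catch.
EVAL_LINES = [
    # alice: many more logons than usual, then a host she never used before
    *[f"2024-05-06T{h:02d}:00:00 user=alice host=web01 event=logon result=success" for h in range(8, 20)],
    "2024-05-06T20:05:00 user=alice host=db01 event=logon result=success",
    # bob: six failed logons within one minute from a VPN host, then a privilege change
    *[f"2024-05-06T03:00:{s:02d} user=bob host=vpn01 event=logon result=failure" for s in range(0, 60, 10)],
    "2024-05-06T03:02:00 user=bob host=db01 event=privilege_change group=admins",
]


def build_baseline(lines):
    """Per-user profile: mean/std of successful logons per day and the set of hosts used."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> date -> successful logons
    hosts = defaultdict(set)                        # user -> hosts seen in training
    for e in filter(None, map(parse_line, lines)):
        if e.get("event") == "logon" and e.get("result") == "success":
            daily[e["user"]][e["ts"].date()] += 1
            hosts[e["user"]].add(e["host"])
    return {user: {"mean": mean(per_day.values()), "std": pstdev(per_day.values()), "hosts": hosts[user]}
            for user, per_day in daily.items()}


def score_events(lines, profile, z_threshold=3.0, fail_threshold=5, window=timedelta(minutes=10)):
    """Return a list of alerts for events that deviate from the baseline profile."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    failures = defaultdict(list)                    # user -> timestamps of recent failed logons
    for e in events:
        user, base = e.get("user"), profile.get(e.get("user"))
        if e.get("event") == "logon" and e.get("result") == "success":
            daily[user][e["ts"].date()] += 1
            if base and e["host"] not in base["hosts"]:
                alerts.append({"rule": "new_host", "user": user, "detail": e["host"]})
        elif e.get("event") == "logon" and e.get("result") == "failure":
            # keep only failures inside the sliding window; alert once when the threshold is reached
            failures[user] = [t for t in failures[user] if e["ts"] - t <= window] + [e["ts"]]
            if len(failures[user]) == fail_threshold:
                alerts.append({"rule": "brute_force", "user": user,
                               "detail": f"{fail_threshold} failures from {e['host']} within {window}"})
        elif e.get("event") == "privilege_change":
            alerts.append({"rule": "privilege_change", "user": user, "detail": e.get("group", "?")})
    for user, per_day in daily.items():
        base = profile.get(user)
        if not base:
            alerts.append({"rule": "unknown_user", "user": user, "detail": "no baseline for this account"})
            continue
        for day, count in per_day.items():
            z = (count - base["mean"]) / max(base["std"], 1.0)   # floor avoids division by zero on flat baselines
            if z >= z_threshold:
                alerts.append({"rule": "volume", "user": user, "detail": f"{count} logons on {day}, z={z:.1f}"})
    return alerts


if __name__ == "__main__":
    for alert in score_events(EVAL_LINES, build_baseline(constructed_baseline())):
        print(alert)
```

Running the block yields four alerts: the brute-force burst and the privilege change for bob, and the new host plus the logon-volume spike for alice. A real deployment would learn baselines over weeks rather than days and add peer-group comparison, but the structure is the same: profile normal behaviour per user and entity, then score each new event against that profile.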