5 Levels of User Behavior Monitoring and Analytics

Monitoring user behavior is an effective practice for early detection and prevention of insider threats. Identifying suspicious user behavior can help eliminate potential threats, data breaches, and policy violations. Thus, your organization will better meet the requirements of many industry standards such as NIST, HIPAA, PCI DSS, and more. But to get the most out of user behavior monitoring, you need to better understand its principles.

In this article, we explain what user behavior analytics (UBA) and user and entity behavior analytics (UEBA) are and what roles they play in cybersecurity. We also reveal the benefits user behavior monitoring and analytics can bring to your organization at different levels.

What is user behavior monitoring and analytics? 

UEBA in cybersecurity is a process of tracking, analyzing, and interpreting user interactions within a network. User behavior monitoring and analytics can help you gain insights into how your employees engage with your systems and data.

“User behavior analytics helps enterprises detect insider threats, targeted attacks, and financial fraud.”

 Gartner Market Guide for User Behavior Analytics (subscription required)

UBA and UEBA are two main approaches to user behavior monitoring and analytics. Solutions based on either of these approaches help you monitor and analyze user behavior within an organization’s network. Thus, you can detect potential insider threats like compromised accounts, malicious activity, lateral movement, and more.

However, UBA and UEBA have some differences. Let’s explore them in detail.

UBA vs. UEBA: What’s the difference?

UBA solutions monitor the patterns of human behavior and apply algorithms to detect anomalies in those patterns. They analyze event logs to detect unusual activity and identify human actors that may pose threats to your organization’s security. User behavior analytics is most effective when used as part of a comprehensive cybersecurity strategy that includes other security measures.

UEBA is the technology for profiling both user and entity behavior and detecting anomalies. While UBA solutions only analyze user behavior, UEBA extends the scope of user monitoring to activities performed by non-user entities: applications, servers, and devices. 

UEBA is based on machine learning, algorithms, statistics, and analysis to observe and interpret how individuals and devices interact with your assets and critical data. UEBA software goes a step further and provides more complex reporting options than UBA systems, allowing for more comprehensive threat detection.

Further down in this article, we explore the levels of user behavior monitoring and analytics offered by most UEBA solutions.

How UEBA enables effective threat detection 

UEBA can spot insider security threats (whether intentional or accidental) that traditional, rule-based security tools can miss. UEBA adapts to the dynamic nature of insider threats by analyzing user and entity behavior over time, understanding context, and employing advanced analytics. 

UEBA solutions use a high-fidelity risk scoring system and don’t necessarily report all anomalies as risky. If there is a deviation from the normal baseline, UEBA increases the risk score of the suspicious user or device — the more unusual the behavior, the higher the risk score. As suspicious activities accumulate, the risk score rises until it reaches a set threshold. Then, user behavior monitoring software alerts security officers about suspicious activity, allowing them to take further actions.

Since UEBA reduces false positives and provides more accurate actionable risk intelligence to security teams, it helps to:

• Reduce workload and boost the productivity of your security team
• Reduce the mean time of incident response
• Enhance protection against insider threats

Instead of spending time configuring rules for every possible scenario and constantly monitoring suspicious user behavior, your security team can focus on incident mitigation and response. In addition, UEBA can help you during post-incident investigations by providing detailed insights into the behavior patterns that led to a security incident. Your security team can further use these insights to revise and improve your insider threat program.

5 levels of user and entity behavior analytics

User behavior monitoring and analytics consists of five levels. These levels represent a progression from basic user behavior analysis to sophisticated methods of abnormal behavior detection. 

Level 1: Gathering helpful context

The first stage of user behavior tracking involves collecting data from the system, entities, and events the UEBA solution needs to analyze. 

Each UEBA solution records a unique dataset according to the use cases it covers. For example, UEBA software might collect the following information:

• Log in and log off times
• Requests to access sensitive assets
• Visited websites
• Started applications
• Connected USB devices
• Keystroke dynamics and more

The effectiveness of all other levels of behavior monitoring depends on the collected data at this stage.Some UEBA solutions can collect the necessary information by themselves. However, it’s best to use a comprehensive user activity monitoring platform with a built-in UEBA module.

Level 2: Detecting threats

Once a user behavior analytics solution has gathered information on normal user and entity behavior, it becomes capable of insider threat detection. By analyzing the previously gathered data, UEBA can establish patterns for various categories of users (ordinary employees, privileged users, third-party contractors, and security officers). 

At this level, UEBA software can help you:

• Detect threats based on real-time user actions. For example, the Ekran System UEBA module analyzes the working hours of each employee and defines normal times for logging in and out. If a user tries to log in at an unusual time (e.g. in the middle of the night), Ekran System can notify your security officer or automatically block the login attempt.
• Prioritize security alerts. Based on analyses of user behavior, UEBA solutions can create a list of suspicious user actions. When integrated into an SIEM or threat detection system, UEBA can prioritize rule-based alerts and sort them from least to most dangerous. This functionality is especially useful for enterprises where a threat detection solution could produce hundreds of alerts per day.
• Improve investigation efficiency. Comparing normal user behavior with malicious actions leading to an insider threat saves a lot of time for security officers. Such a comparison allows you to determine which exact action turned a threat into an attack.

At the second level, a UEBA solution already makes your insider threat security tools more effective, but it still requires accurate descriptions of the violations it must detect, alert mechanisms, and tools for further investigation. 

Level 3: Creating an employee behavioral profile

In psychology, a behavioral profile describes the characteristics and behavioral patterns of individuals or groups. In insider threat detection, behavioral profiles are used to create a baseline of user behavior. This baseline helps the system detect abnormal user actions. Your security officer can also use this baseline to construct a portrait of a malicious insider.

A user profile contains a set of actions typical for a certain employee based on the collected data during the baseline period. If there’s a change in the behavior of a particular user, the solution compares it to the typical behavior of other users in the peer group and known patterns of insider threats. If UEBA detects any anomalies, it alerts a security officer.

Such functionality is useful for incident anticipation.

Portraits of insiders are based on investigations of previous security violations. By analyzing them, a UEBA figures out patterns that indicate malicious intent. These can be a useful addition to alert-based incident response.

How does behavioral profiling work?

A UEBA system analyzes collected data to determine normal user and entity behavior and establish patterns that indicate malicious activity.

Depending on the amount of data collected and the complexity of the analysis, establishing baseline user behavior may take from one week to several months. At this level, it’s best to combine automatic behavior analysis with input from your security officers, as manual investigation will help avoid false-positive alarms in the future.

Security officers need to consider legal and ethical issues. Since it may take years for a loyal employee to turn into a malicious insider, some companies monitor user activity on the network and even track social media activity. If you also do this, make sure it’s reflected in your cybersecurity policies and your employees are aware of it.

Level 4: Getting an early warning

Levels 4 and 5 of user behavior monitoring help predict serious cybersecurity violations based on collected data, using machine learning and statistical analysis. 

At Level 4, a UEBA solution detects anomalies in employee behavior that indicate malicious intent. An early warning means an incident is detected before data loss occurs — usually at the stage when an attacker is only planning malicious actions but hasn’t yet decided on the time, tools, scale, etc.

A UEBA solution can spot early signs of malicious intent by analyzing the following factors:

• Logging into corporate systems during non-working hours 
• Accessing sensitive data beyond the employee’s scope of responsibility
• Connecting suspicious USB devices, etc. 

Nonetheless, user and entity profiling and machine learning analysis can still produce false positives at this level. That’s why your security officers need to review behavior profiles manually to interpret the alerts correctly.

If a user consistently breaks cybersecurity rules (e.g. logs into a server outside work hours to work from home), the UEBA solution will mark such behavior as normal. However, such actions expose the network and may lead to a data leak. Therefore, it’s best to conduct an additional analysis before taking any action based on a UEBA alert. You should defer to your organization’s policies instead of purely relying on statistical analysis and profiling.

Level 5: Foreseeing insider threats

At the final level, a UEBA solution can create an insider risk score for users long before they commit an attack. An insider threat prediction is usually based on:

• A user’s behavior profile
• Patterns of insider attacks
• Predictive models for various types of attacks
• Performance assessment
• Data provided by HR, accounting, and legal departments

Though UEBA collects and analyzes this data without any input from security officers, your security team should closely check any alerts triggered by UEBA. False-positive results are highly likely at this level, and you can decrease them by:

• Constantly providing a UEBA solution with relevant monitoring data. The more corporate systems are integrated into this process, the better the results you’ll get.
• Allowing for gradual model growth. As you hire new employees and create new job positions, you need to make sure that UEBA creates new employee profiles and associates them with existing ones.
• Providing the software with automatic and manual feedback. The algorithm should always compare its predictions with real user actions, and your security team should correct this comparison as needed.
• Conducting long-term and short-term baselining. This practice teaches the algorithm to predict violations using both recent and past results.

Conclusion

User behavior monitoring is extremely effective for detecting and preventing insider threats. In combination with other cybersecurity solutions, you can construct a clear picture of your network.

Ekran System is a comprehensive insider risk management platform with a built-in UEBA module that can help you kill two birds with one stone. In addition to its user and entity behavior analytics functionality, Ekran System is equipped with a vast toolset for insider threat detection:

• Comprehensive user activity monitoring and user session recording
• Identity and access management
• Alerting and responding to suspicious activity
• Auditing and reporting functionality.

By leveraging Ekran System, you can fortify your cybersecurity posture and minimize potential threats coming from within.