September 11, 2022 HAWKEYE

Augmenting Traditional UEBA with ML and Deep Learning

User and entity behavior analytics (UEBA) is a threat detection technology that is based on analytics. UEBA employs machine learning and data science to gain an understanding of how users (humans) in an environment typically behave and then detect risky and anomalous activity that deviates from their normal behavior and may indicate a threat.


The detection of cyberattacks is becoming more and more difficult. Previously, organizations would scan “normal” communications for anomalies, like looking for a needle in a haystack. Attackers now generate more traffic to hide their actions. Such complex and advanced conduct cannot be detected by conventional rule-based and signature-based protection systems, which look for patterns or imprints associated with known attacks. Organizations are subject to a range of attacks, from drive-by malware downloads to targeted attacks using more sophisticated and advanced methods. Most of the technologies currently in use address known and known-unknown threats. Identifying unknown-unknown risks, however, requires sophisticated analytical tooling.


Writing correlation rules for thousands of possible scenarios is no longer feasible given the ever-increasing volume of threats. Modern cyber defense necessitates specialized tools, such as UEBA, that use machine learning to detect anomalies. To combat advanced threats, organizations are increasingly deploying UEBA tools across the threat detection landscape. ML and AI are based on ‘big data,’ and their efficiency and accuracy improve as more data is fed into them. What matters is that you collect the correct information.


UEBA examines the behavior of the components that communicate with the network, such as:

  • Users: The “insiders” or authorized people who use the software on a regular basis.
  • Entities: Third-party companies that you integrate with, or any outsider you connect to your networks, such as consultants, freelancers, and visitors who need to use the company Wi-Fi for a short period of time.
  • Endpoints: Devices that connect to the front end of your networks, such as privately-owned smartphones, tablets, laptops, and internet of things (IoT) devices.

Users can be monitored more accurately on an endpoint-by-endpoint basis by combining accurate and relevant user behavioral data with machine learning, giving a comprehensive view of their regular activity. UEBA has a lot to offer in terms of identifying new threats. It establishes baselines for user and entity behavior (including that of devices, applications, servers, data, storage, file systems, or anything else with an IP address) and uses these in conjunction with peer group analysis to look for aberrant behavior in order to find unknown threats.

Principles of implementing UEBA solutions:

To realize the full potential of UEBA solutions, organizations need to follow these principles:

  • Complementing the existing security operations center (SOC).
  • Leveraging data sources including, but not limited to, end-user computing and network data as well as system and application logs.
  • Enriching the insights with contextual data, covering both objective and personal information. For instance, correlating user access, activities, and privileges with recent employee satisfaction survey responses.
  • Enterprise-wide implementation for monitoring and correlation of data, activity, and events.
  • Adopting risk score-based investigation, with immediate ‘blocking’ actions for high-risk and classified cases and analysis for other flagged cases. For instance, immediately blocking a high-risk user’s access to a crown jewel application and reinstating it only after the risk has been investigated.
  • Using security orchestration and automation along with UEBA to reduce dwell time.

Working of UEBA:

UEBA systems provide visibility into the user end of the network. When the UEBA system detects abnormal behavior, the information can be used to detect threats. For instance, if a user regularly downloads 3 MB of data but then starts downloading terabytes, there may be a problem. The UEBA system reports the findings and highlights such aberrant activity. UEBA systems analyze patterns of typical behavior using algorithms, machine learning, and statistical techniques. When the UEBA system notices a deviation from a recognized pattern, it performs an analysis to assess whether the anomaly constitutes a genuine threat. A thorough report can be generated as soon as an anomaly is labeled as a threat.

Machine learning algorithms can be designed to target the five behavior areas below, which are not feasible to cover with traditional signatures:

  • Behavior Analysis: Baseline and monitor behavior and raise an anomaly alert. E.g. access to sensitive data.
  • Peer Group Analysis: Exceptional behavior within a role group. E.g. accessing records not allotted to the group.
  • Event Rarity Analysis: Alert on an unprecedented, unusual event. E.g. user login outside office hours.
  • Robotic Behavior: Detect repetitive, machine-like behavior. E.g. pinging a server at a fixed interval with the same number of bytes.
  • Sequence Analysis: Analysis of the sequence of actions. E.g. USB data transfer after accessing confidential data.
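The following is an added example, not code from the original post or from HAWKEYE’s product, showing how three of the behavior areas above (behavior baseline, peer group and sequence analysis) and the risk score-based triage from the principles section can be implemented over a constructed set of audit events. The 3 MB baseline followed by a terabyte-scale download from the “Working of UEBA” section is the spike it catches; the event format, weights and thresholds are assumptions chosen for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed sample audit events: (user, role, timestamp, action, bytes)
    ("alice", "finance", "2022-09-05T09:15:00", "download", 3_000_000),
    ("alice", "finance", "2022-09-06T09:20:00", "download", 2_800_000),
    ("alice", "finance", "2022-09-07T09:05:00", "download", 3_200_000),
    ("bob",   "finance", "2022-09-07T10:30:00", "download", 2_500_000),
    ("carol", "finance", "2022-09-08T23:45:00", "confidential_access", 0),
    ("carol", "finance", "2022-09-08T23:50:00", "usb_transfer", 0),
    ("alice", "finance", "2022-09-09T09:12:00", "download", 2_000_000_000_000),  # ~2 TB spike
]

def volume_anomalies(events, factor=10, min_history=3):
    # Behavior analysis: a download far above the median of the user's own earlier downloads.
    history, flagged = defaultdict(list), set()
    for user, _, _, action, nbytes in sorted(events, key=lambda e: e[2]):
        if action == "download":
            if len(history[user]) >= min_history and nbytes > factor * statistics.median(history[user]):
                flagged.add(user)
            history[user].append(nbytes)  # median baseline is not dragged upward by the spike itself
    return flagged

def peer_group_anomalies(events, factor=10):
    # Peer group analysis: a user's total download volume vs. the median of same-role peers.
    totals, roles = defaultdict(int), {}
    for user, role, _, action, nbytes in events:
        roles[user] = role
        totals[user] += nbytes if action == "download" else 0
    return {u for u, r in roles.items()
            if (peers := [totals[p] for p, pr in roles.items() if pr == r and p != u])
            and totals[u] > factor * statistics.median(peers)}

def risky_sequences(events, window=timedelta(minutes=30)):
    # Sequence analysis: a USB transfer within `window` of a confidential-data access.
    last_access, flagged = {}, set()
    for user, _, t, action, _ in sorted(events, key=lambda e: e[2]):
        when = datetime.fromisoformat(t)
        if action == "confidential_access":
            last_access[user] = when
        elif action == "usb_transfer" and when - last_access.get(user, datetime.min) <= window:
            flagged.add(user)
    return flagged

def risk_scores(events):
    # Weighted risk score per flagged user, driving a risk score-based triage decision.
    weights = [(volume_anomalies, 40), (peer_group_anomalies, 20), (risky_sequences, 30)]
    scores = {u: sum(w for d, w in weights if u in d(events)) for u in {e[0] for e in events}}
    return {u: (s, "block_and_investigate" if s >= 50 else "review") for u, s in scores.items() if s}
```

Running `risk_scores(EVENTS)` puts alice over the blocking threshold (baseline and peer-group deviation together) and leaves carol’s access-then-USB sequence for analyst review.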

Benefits of UEBA:

Although the capabilities of UEBA systems differ, most of them offer user visibility through the following detection features:

  • Insider threats: For spotting unusual user behavior among your staff. This function can be used to stop malicious insiders or former employees from stealing confidential information or causing outages. In the case of well-intentioned but inexperienced people, you can choose which parts of cybersecurity should be reinforced through training and education modules.
  • Spoofing: For spotting irregularities in the way your business accounts are used. This function allows you to identify fake accounts that pose as genuine corporate users with ulterior motives. UEBA systems can help you identify compromised accounts before the attackers have a chance to take advantage of them.
  • Data exfiltration: For detecting unauthorized or malicious data exfiltration carried out by authorized users.
  • Brute force attacks: For detecting anomalies in usage behavior within third-party cloud environments. When automated bots generate a large number of credential guesses in an attempt to find a valid user’s password, the UEBA system identifies the deviation from the pattern, flags it as unusual behavior, and locks the account in time to prevent the breach.

Rapid threat detection is possible with UEBA systems. These specialized systems are designed for user behavior analysis, with real-time and continuous monitoring of user activities to ensure that you always know what’s going on in your network. When you implement UEBA in your environment, you expand your cybersecurity perimeter to include monitoring activity for closed systems, users, cloud providers, and smart and connected endpoint devices.

