Benefits of a UEBA approach

Dealing with cybersecurity within an organization is no longer what it was a few years ago. Today an organization's network is largely decentralized, with many access points spread over different applications, terminals and locations, reached by its employees and by every player in its supply chain. This decentralization de facto widens the attack surface, giving attackers ample opportunity to break into the information system with an ever-growing variety of methods.

To adapt to these threats and limit their cost, companies are looking for new, more effective detection techniques that attackers cannot see and therefore cannot plan around [1]. Firewalls, two-factor authentication and antivirus are now routinely bypassed. Increasing weight is therefore being given to automated and orchestrated detection and response tooling such as SOAR platforms, vulnerability scanners and SIEM log management and correlation systems [2].

UEBA (User and Entity Behavior Analytics) tools analyze the behavior of users and entities[3] in order to single out malicious ones, which makes them a real asset. Monitoring the traffic generated by users and devices is already common practice, but few tools examine behavior patterns in depth. Yet some of those patterns are unusual and can signal the very beginning of an intrusion, and catching them is what allows a compromise of the information system to be anticipated as early as possible.

That is why many solution providers are turning to UEBA for its ability to analyze and flag such unusual behavior. Back in 2017, Gartner reported that “60% of the leading CASB vendors and 25% of the leading SIEM vendors were (already) integrating UEBA functions”.

But what are the real strengths of this technology? How does it differ from existing monitoring systems?


How does UEBA work?

To get a clearer idea of the advantages of this technology, let’s take a brief look at how it works, which can be summed up in a few stages.

Once the data has been collected, the UEBA processes and organizes the records relating to entities and users to establish a baseline [4]. Against this baseline it decides whether or not an observed behavior is within the norm. To do so it relies on statistical models and machine learning; because normal behavior has to be learned from historical activity for which no labels exist, the baseline is typically built with unsupervised methods (clustering, density estimation, per-feature statistics), with supervised models reserved for cases where labeled incidents are available. This allows precise detection of deviations from normal activity.

Detecting a deviation from the baseline is decisive, and timing is what matters. Attackers generally act stealthily to avoid detection, but they do not know the usual behavior of the user or device they compromised to gain initial access, so their actions deviate from it in small ways. The challenge is therefore to be alerted to these slight anomalies in usage. For example, a single file copied by an attacker may be the prelude to more serious actions: modifying permissions, creating new users, accessing protected data and so on. Installing a payload on the machine is typically among the first things an attacker does on the way to compromising it completely.

The UEBA draws on a wide range of sources, correlating data from existing systems (authentication logs, directory information, endpoint and network telemetry) so that the analysis becomes ever more precise.

Once this information has been ingested and analyzed, the UEBA alerts security analysts when unusual activity is detected, presenting a list of findings with supporting evidence and a risk score that qualifies the threat level. It is then up to the security team to investigate the irregular behavior, keep watch on the main suspected actors and take appropriate action.
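The stages above (baseline, deviation detection, evidence and risk score handed to analysts) can be made concrete with a small worked example. The Python below is an added illustration, not Gatewatcher code or any vendor's algorithm: it builds a per-user baseline from a constructed, assumed-clean set of sessions, then scores new sessions against that baseline and against the user's peer group. The feature set (hour of activity, hosts accessed, outbound volume), the peer groups, the weights and the thresholds are all assumptions chosen for illustration. It also shows the peer-group comparison and the employee-versus-administrator distinction discussed in the next section: a host that is new to one finance user but routine for her colleagues scores low, and an administrator who already roams many hosts is not flagged for touching one more.

```python
"""UEBA-style baselining and risk scoring over a constructed event set.

Added example, not Gatewatcher code. Features, weights and thresholds are
assumptions chosen for illustration; a real product learns far more features.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    group: str      # peer group, e.g. department taken from the directory
    hour: int       # hour of day (0-23) at which the session happened
    host: str       # host the user accessed
    bytes_out: int  # bytes sent out of the network during the session


def _sessions(user, group, rows):
    return [Event(user, group, h, host, b) for h, host, b in rows]


# Constructed, assumed-clean baseline period: two finance users and one admin.
BASELINE_EVENTS = (
    _sessions("alice", "finance", [
        (9, "fs-fin-01", 2_000), (10, "fs-fin-01", 3_500), (11, "fs-fin-02", 1_200),
        (14, "fs-fin-01", 2_800), (15, "fs-fin-02", 4_100), (16, "fs-fin-01", 3_000),
        (9, "fs-fin-02", 2_200), (13, "fs-fin-01", 3_300)])
    + _sessions("bob", "finance", [
        (8, "fs-fin-01", 1_900), (10, "fs-hr-01", 2_400), (12, "fs-fin-02", 2_600),
        (14, "fs-fin-01", 3_100), (16, "fs-hr-01", 1_800), (17, "fs-fin-01", 2_900),
        (11, "fs-fin-02", 2_100), (15, "fs-fin-01", 3_400)])
    + _sessions("carol", "it_admin", [  # night shifts, many hosts, large transfers
        (22, "dc-01", 50_000), (23, "fs-fin-01", 80_000), (1, "fs-hr-01", 60_000),
        (21, "dc-02", 40_000), (2, "fs-eng-03", 90_000), (23, "backup-01", 120_000),
        (0, "dc-01", 70_000), (22, "fs-fin-02", 55_000)])
)

WEIGHTS = {                          # assumed contributions to the 0-100 risk score
    "unusual_hour": 25,
    "peer_host": 10,                 # host new to the user but normal for the peer group
    "new_host": 40,                  # host nobody in the peer group has used
    "new_host_wide_footprint": 15,   # same, for users who already roam many hosts
    "volume": 35,                    # outbound volume far above the user's own baseline
    "no_baseline": 30,               # account never seen during the baseline period
}


def hour_distance(a, b):
    """Distance in hours on the 24-hour circle, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def circular_hour_mean(hours):
    """Mean hour of day computed on the circle, so a night shift does not average to noon."""
    x = sum(math.cos(2 * math.pi * h / 24) for h in hours)
    y = sum(math.sin(2 * math.pi * h / 24) for h in hours)
    return (math.atan2(y, x) % (2 * math.pi)) * 24 / (2 * math.pi)


def build_baseline(events):
    """Per-user profile, plus the set of hosts anyone in each peer group has used."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    profiles, group_hosts = {}, defaultdict(set)
    for user, evs in per_user.items():
        hours = [e.hour for e in evs]
        h_mean = circular_hour_mean(hours)
        out = [e.bytes_out for e in evs]
        profiles[user] = {
            "group": evs[0].group,
            "hosts": {e.host for e in evs},
            "hour_mean": h_mean,
            "hour_spread": mean(hour_distance(h, h_mean) for h in hours),
            "bytes_mean": mean(out),
            "bytes_sd": pstdev(out) or 1.0,  # avoid division by zero on constant data
        }
        group_hosts[evs[0].group] |= profiles[user]["hosts"]
    return profiles, group_hosts


def score_event(e, profiles, group_hosts):
    """Return (risk_score, evidence) for one observed session against the baseline."""
    p = profiles.get(e.user)
    if p is None:   # unknown account: nothing to compare against, flag for review
        return WEIGHTS["no_baseline"], ["no baseline for this user (new or dormant account)"]
    score, evidence = 0, []
    dist = hour_distance(e.hour, p["hour_mean"])
    if dist > 2 * p["hour_spread"] + 1:
        score += WEIGHTS["unusual_hour"]
        evidence.append(f"activity at {e.hour:02d}h, {dist:.1f}h from usual {p['hour_mean']:.1f}h")
    if e.host not in p["hosts"]:
        if e.host in group_hosts[p["group"]]:
            score += WEIGHTS["peer_host"]
            evidence.append(f"first access to {e.host}, but peers in {p['group']} use it")
        elif len(p["hosts"]) >= 5:   # admin-like footprint: new hosts are routine
            score += WEIGHTS["new_host_wide_footprint"]
            evidence.append(f"first access to {e.host} by a user already on {len(p['hosts'])} hosts")
        else:
            score += WEIGHTS["new_host"]
            evidence.append(f"first access to {e.host}; nobody in {p['group']} has used it")
    z = (e.bytes_out - p["bytes_mean"]) / p["bytes_sd"]
    if z > 3:
        score += WEIGHTS["volume"]
        evidence.append(f"{e.bytes_out} bytes out, {z:.1f} standard deviations above baseline")
    return min(score, 100), evidence


def level(score):
    return "high" if score >= 50 else "medium" if score >= 20 else "low"


def triage(observed, profiles, group_hosts):
    """Alert list for analysts, highest risk first, each finding with its evidence."""
    rows = [dict(user=e.user, host=e.host, score=s, level=level(s), evidence=ev)
            for e in observed for s, ev in [score_event(e, profiles, group_hosts)]]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed observations for the period under analysis.
OBSERVED = [
    Event("alice", "finance", 3, "fs-eng-03", 250_000),    # night-time pull from an engineering share
    Event("alice", "finance", 10, "fs-hr-01", 3_000),      # new to alice, routine for her peers
    Event("alice", "finance", 3, "fs-fin-01", 2_500),      # only the hour is off
    Event("carol", "it_admin", 23, "fs-eng-07", 100_000),  # an admin touching yet another host
    Event("dave", "finance", 11, "fs-fin-01", 2_000),      # no history at all
]

if __name__ == "__main__":
    profiles, group_hosts = build_baseline(BASELINE_EVENTS)
    for r in triage(OBSERVED, profiles, group_hosts):
        print(f"{r['level']:6} {r['score']:3d} {r['user']:6} {r['host']:10} "
              f"{'; '.join(r['evidence']) or 'within baseline'}")
```

Two design points matter more than the particular weights. Hours are compared on a circle, otherwise an administrator whose sessions sit either side of midnight would get a baseline centered on midday and every real session would look anomalous. And a new host is weighed against what the peer group does and how wide the user's own footprint already is, which is what keeps the finance user's first visit to the HR share, and the administrator's next server, out of the high-priority list while the 3 a.m. bulk copy from an unfamiliar share goes straight to the top with its three pieces of evidence attached.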


The value of UEBA

The behavioral analysis offered by the UEBA approach therefore brings high added value to security teams, for several reasons:

  • As mentioned in the introduction, accurate detection tools are essential today against increasingly sophisticated and hard-to-detect attacks, especially when they originate inside the company[5]. An employee behaving suspiciously could, for example, access files to which he or she does not normally have access, copy files that are rarely touched in order to exploit them for financial gain (blackmail, industrial espionage), alter them by adding a clause, or leak them so as to hit the company’s operations or image directly. The range of possible actions is wide.
    Within a UEBA approach, the high degree of automation and the use of Machine Learning make it possible to extract complex behavioral patterns through contextual analysis of a large volume of raw data that a human analyst would not necessarily have taken into account. A larger number of behaviors can then be modeled, each compared with its peer group, and consequently a broader and more sophisticated range of attacks can be countered. UEBA can, for example, be used to detect abuse of privileged accounts, privilege escalation and data exfiltration.


  • This more nuanced and precise analysis also makes it possible to make better use of the IT resources available within an organization. Automated detection goes some way to addressing the shortage of experienced cybersecurity analysts, by keeping skilled staff on the more urgent analytical tasks; teams can concentrate on threat detection and response because they have more time for it. Through its precise analysis of individual behavior, UEBA also contributes to a considerable reduction in false positives, which weigh ever more heavily on security teams as attack volumes soar. For example, UEBA distinguishes the behavior of an ordinary employee from that of an administrator, so that an administrator’s routine activity does not trigger alarms. By cutting these daily false alarms, UEBA gives SOC/CERT/MSSP analyst teams back operational capacity for more complex, critical and higher value-added tasks [6].


  • Another advantage of UEBA is its speed of analysis and alerting, in a context where every minute of an attack counts: the longer an attacker has access to a network, the more data, for example, can be exfiltrated. It is therefore essential to cut both the mean time to detect (MTTD) and the mean time to respond (MTTR) substantially.


  • From a technical point of view, UEBA also has the advantage of being passive: it works on logs and on copies of traffic, so it does not interfere with legitimate network traffic or with normal user behavior, and it does not disrupt business operations.


UEBA therefore offers numerous benefits. In particular, it provides continuous supervision and knowledge of the threat, and ultimately reduces the cost of cyber-attacks.

However, it is only truly effective under certain conditions.


Conditions for optimal use

Before implementing a UEBA solution, a CISO must first keep in mind the size and structure of the network, and the data the organization actually holds.

Even before the tool produces any analysis, it needs a pre-existing picture of normal behavior to learn from. For this, every organization needs to identify all the elements present on its network, and that network must be healthy during the learning period. If it is already compromised, the tool is of little use: the Machine Learning will establish a baseline that treats the malicious actor’s behavior as legitimate traffic, and subsequent actions by that actor will fall within the norm.

Identification is a decisive step in the process, and is covered by a number of security standards, such as the NIST Cybersecurity Framework (whose first function is Identify) and the ISO/IEC 27000 series, a veritable bedside book for CISOs, who can also rely on NDR to help them build this inventory. Once the inventory has been made, a typology of behavior can be established in relation to the network’s usual operation.

A corollary condition for this is the availability of quality data for this behavioral analysis.

For optimal implementation, it is also essential to define the use cases clearly, decide which have priority, and describe the expected result for each; the analysis will then be all the more refined and appropriate. Whether the goal is detecting abuse of privileged accounts, compromised credentials or insider threats, the tool’s range of intervention is wide and equally precise, provided the data sources and the behaviors to be derived from the collected data are defined. The more types of data a UEBA system can ingest, the more precise the baseline will be.

With this data regularly updated, and the behaviors defined over a set reference period, understanding and limiting false positives will be easier.


In a context where cyber-attacks are multiplying and becoming more sophisticated, UEBA is a high value-added tool, thanks to the data it collects, the behavioral and contextual analysis it performs, and the alerts it raises on unusual activity detected on the network. Although certain conditions need to be met to take full advantage of it, CISOs should give its use closer consideration.


Pierre Guiho – Product Manager


[1] More than 8 out of 10 companies plan to acquire new protection solutions

[2] 8th barometer edition CESIN

[3] Non-human – devices, applications, servers

[4] Behavior reference framework for each profile

[5] Barnabé Watin-Augouard. « La prévention, un impératif pour lutter efficacement contre les cybermenaces » [Prevention, an imperative for fighting cyber threats effectively]. Revue de la Gendarmerie Nationale, June 2022, pp. 17-23.

[6] Gatewatcher study x Vanson Bourne