*** Welcome to piglix ***

User behavior analytics


User behaviour analytics ("UBA") as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns—anomalies that indicate potential threats.' Instead of tracking devices or security events, UBA tracks a system's users.Big data platforms like Apache Hadoop are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.

The problem UBA responds to, as described by Nemertes Research CEO Johna Till Johnson, is that "Security systems provide so much information that it's tough to uncover information that truly indicates a potential for real attack. Analytics tools help make sense of the vast amount of data that SIEM, IDS/IPS, system logs, and other tools gather. UBA tools use a specialized type of security analytics that focuses on the behavior of systems and the people using them. UBA technology first evolved in the field of marketing, to help companies understand and predict consumer-buying patterns. But as it turns out, UBA can be extraordinarily useful in the security context too."

Developments in UBA technology led Gartner to evolve the category to user and entity behavior analytics ("UEBA"). In September 2015, Gartner published the Market Guide for User and Entity Analytics by Vice President and Distinguished Analyst, Avivah Litan, that provided a thorough definition and explanation. UEBA was referred to in earlier Gartner reports but not in much depth. Expanding the definition from UBA includes devices, applications, servers, data, or anything with an IP address. It moves beyond the fraud-oriented UBA focus to a broader one encompassing "malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP." The addition of "entity" reflects that devices may play a role in a network attack and may also be valuable in uncovering attack activity. "When end users have been compromised, malware can lay dormant and go undetected for months. Rather than trying to find where the outsider entered, UEBAs allow for quicker detection by using algorithms to detect insider threats."


...
Wikipedia

...