<p>User and entity behavior analytics technology uncovers hidden risks to the enterprise. It does this by sifting through streams of data from various sources and looking for patterns and anomalies. That is, UEBA learns what is expected or normal and sniffs out variations that signal threat actor activity, such as attacks in progress, successful compromises, internal reconnaissance and data exfiltration.</p>
<p>UEBA specifically analyzes the online behavior of both people — e.g., user accounts — and software or hardware systems — e.g., entities. It aims to identify anomalous behaviors, such as a user account suddenly downloading a huge amount of data or a network appliance attempting to connect to a server with which it doesn’t usually communicate. It reports or alerts on anything it deems out of the ordinary, as well as activities administrators flag in advance as potentially suspicious.</p>
<p>In enterprise cybersecurity, UEBA tools and features play a pivotal role in detecting <a href=”https://www.techtarget.com/searchsecurity/tip/How-to-prevent-and-detect-lateral-movement-attacks”>lateral attacks</a>, compromised accounts, <a href=”https://www.techtarget.com/searchsecurity/tip/Insider-threat-hunting-best-practices-and-tools”>insider threats</a>, Trojan accounts and account sharing. It is also key to securing enterprise deployments of <a href=”https://www.techtarget.com/searchenterpriseai/definition/agentic-AI”>agentic AI</a>.</p>
<section class=”section main-article-chapter” data-menu-title=”Cybersecurity UEBA use cases”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>Cybersecurity UEBA use cases</h2>
<p>UEBA looks for evidence of a variety of types of threats or compromise by sifting through logs, configuration files and other data sources.</p>
<p>It can be used prospectively or retrospectively. Prospectively, organizations use UEBA in cybersecurity to detect attacks as they occur, with the goal of triggering a response, <a href=”https://www.techtarget.com/searchsecurity/tip/Incident-response-automation-What-it-is-and-how-it-works”>preferably automated</a>. It can also assign risk scores to specific behaviors to help staff prioritize alerts in real time.</p>
<p>Retrospectively, cybersecurity teams use UEBA to review logs and other data as part of their forensic investigations into attacks that have already happened. UEBA can spot precursors to an attack, for example, and tease out the various threads of activity that constituted the attack. Cybersecurity and operations teams can use this information to fully remediate the effects of the attack and to improve defenses.</p>
<p>Key cybersecurity UEBA use cases include the following:</p>
<h3>Detecting lateral attacks</h3>
<p>UEBA can flag network log data that suggests a system is trying to contact other systems it doesn’t usually talk to — a possible indication attackers have compromised it and are using it as a launching pad for lateral attacks.</p>
<h3>Identifying compromised accounts</h3>
<p>If system and network logs show that an account is trying to do things it doesn’t usually and shouldn’t do, UEBA can alert administrators or take automated action to block the suspicious activity. The anomalous behavior might indicate that the account’s credentials have been compromised and a third party is using the account to map out capabilities and vulnerabilities or to exfiltrate sensitive data.</p>
<h3>Finding insider threats</h3>
<p>Behavioral analysis can spot an account using <a href=”https://www.techtarget.com/searchsecurity/tip/6-ways-to-prevent-privilege-escalation-attacks”>higher levels of privilege</a> than usual or trying to reach systems it doesn’t usually interact with. These activities could be evidence of an insider abusing access.</p>
<h3>Detecting Trojan account creation</h3>
<p>UEBA can spot unusual account administration activity, such as a slew of system admin accounts being created or existing ones losing specific access privileges. This behavior may indicate a bad actor is setting up local accounts from which to carry out further malicious operations.</p>
<h3>Monitoring for account sharing policy breaches</h3>
<p>UEBA systems can spot evidence that users have shared credentials instead of operating only within their own accounts, making compromise by bad actors more likely.</p>
<h3>Agentic AI security</h3>
<p>As more enterprises introduce AI-enabled tools — especially AI agents — into their environments, UEBA tools will become even more important. Behavioral analytics provide visibility into AI agents’ actions and ensure they occur within prescribed guardrails.</p>
<p>Insiders an
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: