Three Considerations When Selecting a UEBA Solution

What's the first step in choosing a user and entity behavior analytics (UEBA) solution that's right for you? You could try the incredibly cumbersome feature-by-feature comparison across vendors, but most vendors use similar words to describe vastly different capabilities. A far simpler and more meaningful selection mechanism is to consider these questions:

  1. Is the UEBA solution multidimensional?
  2. Is the UEBA solution scalable?
  3. Does the UEBA solution integrate human and machine learning?


A UEBA solution should be multidimensional, i.e., it should apply a set of multivariate models to multiple data sources. Why? Because this is the most effective way to bridge the gap between "anomalous" behavior and "malicious" intent. As the Russian Foreign Minister succinctly stated when asked by CNN to define a terrorist: "If it looks like a terrorist, if it acts like a terrorist, if it walks like a terrorist, if it fights like a terrorist, it's a terrorist."

In the same way, a multidimensional UEBA solution can provide various lines of evidence that together paint a more compelling picture of malicious intent than any single indicator could. For example, if behavioral analytics modules are applied against:

  • Badge logs that reveal that user "Bob" is entering the office 1) at abnormal times, and 2) more frequently than usual;
  • Network packets that show that Bob is 1) accessing a large number of internal servers that he has never accessed before, and 2) downloading more data than is normal for him; and
  • Endpoint logs that reveal that Bob is 1) downloading files containing sensitive confidential information that are not permitted to be downloaded to local endpoints, and 2) transferring an unusual volume of data to removable USB storage.

An analyst can then posit that all these anomalies tied to Bob are likely leading indicators of malicious intent. If an analyst had to make a decision based on only one of the above anomalies, he couldn't have that same level of confidence. Only UEBA solutions that are multidimensional can provide analysts with confidence that they aren't chasing ghosts.
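A minimal sketch of the corroboration idea above, added here as an illustration and not taken from the article or from any vendor's product: each feature is scored against the user's own baseline with a z-score, and an alert is raised only when anomalies appear in at least two independent data sources. The feature names, thresholds and sample values are constructed assumptions.

```python
from statistics import mean, stdev

# Constructed daily history per user: source -> feature -> past values.
# Feature names, thresholds and numbers are illustrative assumptions.
BASELINE = {"bob": {
    "badge":    {"entries": [2, 2, 3, 2, 2, 3],
                 "after_hours_entries": [0, 0, 0, 1, 0, 0]},
    "network":  {"new_servers": [0, 1, 0, 0, 1, 0],
                 "mb_downloaded": [120, 150, 110, 140, 130, 125]},
    "endpoint": {"restricted_files": [0, 0, 0, 0, 0, 0],
                 "usb_mb": [0, 5, 0, 0, 10, 0]},
}}
Z_THRESHOLD = 3.0   # assumed per-feature cutoff
MIN_SOURCES = 2     # assumed: alert only when >= 2 data sources agree

def zscore(history, value):
    """How far today's value sits above the user's own baseline."""
    # Floor sigma at 1.0 so a flat history (stdev 0) cannot divide by zero.
    return (value - mean(history)) / max(stdev(history), 1.0)

def score_user(user, today):
    """Return ({source: {feature: z}}, alert) for one day of observations."""
    anomalies = {}
    for source, features in today.items():
        for feature, value in features.items():
            z = zscore(BASELINE[user][source][feature], value)
            if z >= Z_THRESHOLD:   # one-sided: only increases are flagged
                anomalies.setdefault(source, {})[feature] = round(z, 1)
    return anomalies, len(anomalies) >= MIN_SOURCES

# Constructed day 1: one big download, everything else normal.
ONE_SOURCE = {"badge": {"entries": 2, "after_hours_entries": 0},
              "network": {"new_servers": 0, "mb_downloaded": 400},
              "endpoint": {"restricted_files": 0, "usb_mb": 0}}
# Constructed day 2: the article's "Bob" scenario across all three sources.
ALL_SOURCES = {"badge": {"entries": 6, "after_hours_entries": 4},
               "network": {"new_servers": 12, "mb_downloaded": 900},
               "endpoint": {"restricted_files": 5, "usb_mb": 800}}

if __name__ == "__main__":
    for label, day in (("one source", ONE_SOURCE), ("all sources", ALL_SOURCES)):
        found, alert = score_user("bob", day)
        print(label, "alert:", alert, "evidence:", found)
```

The single large download is recorded as evidence but does not alert on its own; the same download alongside badge and endpoint anomalies does.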


A UEBA solution must be scalable. Today, most large enterprises collect and store terabytes of data every day, with data coming in from tens of different data sources. Buried within the data are many interesting behavior patterns (i.e., feature vectors) that machine learning models will use to detect the abnormal behaviors that traditional rule-based and signature-based systems can't find.

Modeling many behavior patterns simultaneously enhances both detection accuracy and the visibility into different data sets that all security analysts need for an incident investigation. So an effective UEBA solution needs to monitor hundreds or even thousands of behavior patterns from this giant data pool in order to automatically detect and correlate anomalies to find real threats.

Obviously, this requires a lot of computing power. Only a UEBA solution that is architected for scalability – i.e., built on a modern big data platform and carefully designed with performance and elasticity in mind – can satisfy the need for increased compute and storage that comes as an organization grows.

Human-Driven, Machine-Assisted

A UEBA solution also must integrate human and machine intelligence. Although more and more machine learning-based smarts are being utilized to solve challenging security problems (e.g., detecting multi-stage APT attacks), human intelligence – including knowledge of both enterprise local context and security heuristics – is still a very crucial component that determines the overall effectiveness of a UEBA solution.

Enterprise security is a hunting game between security analysts and attackers or malicious insiders. The role of machine learning is like the weapon in the hunter's hands: It can shoot down anything, but what the hunter gets at the end – a hippo or a squirrel – totally depends on where the hunter points the weapon.

It's the same case for UEBA-based detection. UEBA can detect any anomalous behavior, but whether the anomaly caught by UEBA is valid depends heavily on what behavior it monitors. Take the case of using UEBA to detect abnormal internal server access behavior (time, volume, etc.). It can be used across all internal servers together, which may add random noise into the feature space, or on a more focused, limited set of high-value servers, which normally yields more valuable findings. Defining meaningful behavior use cases requires a good knowledge of enterprise local context.

In addition, most UEBA solutions use unsupervised or semi-supervised machine learning models due to lack of labeled training data. Both techniques are naturally prone to generating more noise in detection than supervised techniques, so it's important to use all three. Mating them with human knowledge of genuine malicious behavior patterns will not only accelerate the convergence of these models but also improve their accuracy in detecting the anomalous behaviors that warrant analyst investigation.

It's as simple as that: Multidimensionality, scalability and the ability to integrate human and machine intelligence. If your UEBA solution can do that, you are well positioned to thwart risky behaviors and advanced attacks.


Jisheng Wang is the senior director of data science in the office of the CTO for Aruba, a Hewlett Packard Enterprise company.