CyberArk Glossary >

What is User Behavior Analytics?

User behavior analytics (UBA) solutions use artificial intelligence (AI) and machine learning (ML) to analyze large datasets with the goal of identifying patterns that indicate:

  • Security breaches;
  • Data exfiltration;
  • Or other malicious activity that might otherwise go unnoticed by security, IT and network operations personnel

UBA solutions help organizations assess risks and mitigate threats before bad actors can traverse networks and do serious harm. They also help organizations demonstrate compliance with industry or government regulations.

  • UBA solutions transform raw data collected from network probes, security devices, sensors, threat intelligence databases and other sources into meaningful and actionable insights for professionals in the security, network and IT operations fields.

A variety of networking and security products support UBA functionality including Identity Security solutions, intrusion detection and prevention systems, security information and event management (SIEM) solutions, and network monitoring and traffic analysis tools. In addition, some vendors offer stand-alone UBA solutions.

Some UBA solutions can provide graphical user interfaces and dashboards for:

  • Visualizing data and identifying trends
  • Reporting tools for investigating security incidents and supporting audits
  • Alerting capabilities to notify administrators of suspicious events in real-time
  • Providing webhooks to interface with external trouble ticket and help-desk tools

UBA-Enabled Multi-Factor Authentication Solutions

Leading multi-factor authentication (MFA) solutions use user behavior analytics to strengthen access security, reduce risks and improve end-user experiences. UBA-powered, adaptive multi-factor authentication solutions track user activity over time to:

  • Identify routine patterns of behavior
  • Establish baseline user profiles
  • Uncover unusual activity symptomatic of a cyberattack or data breach (e.g., access attempts from a foreign country, access attempts in the middle of the night, access attempts from an unknown device.)

UBA-enabled, adaptive MFA solutions, automatically adjust access controls and authentication factors, based on administratively defined risk scores. Administrators can assign unique risk scores to individual users based on a wide range of variables (including source IP address, device type, geo-location data, geo-velocity data, time of day, day of week, and third-party threat intelligence service data) and apply access control policies in real-time based on live circumstances.

For example, if the circumstances are deemed low risk (e.g., a remote user is attempting to log on from a trusted device during the business day as usual), a user might be permitted to access an enterprise network with a password and second authentication factor such as an SMS code. If the circumstances are deemed high risk (e.g., a user is attempting to log on from an unknown device from a foreign country at an unusual time), the user might be denied access altogether.

UBA versus UEBA

User behavior analytics is sometimes referred to as user and entity behavior analytics or UEBA. Gartner coined the UEBA term, adding the word entity to distinguish between human users and non-human elements such as applications, IoT devices and bots. Today the two terms are often used interchangeably.

Learn More About User Behavior Analytics