How UEBA Helps Endpoint Security Monitoring

How UEBA Helps Endpoint Security Monitoring

How does user and entity behavioral analysis (UEBA) help with endpoint security monitoring? How does it represent a critical bridge between SIEM and endpoint protection platform? 

ALERT: Our Buyer’s Guide for SIEM helps you evaluate the best solutions for your business use case and features profiles of the leading profiles, as well as a category overview of the marketplace and Bottom Line Analysis.

UEBA is a critical component of modern SIEM solutions and enterprise-level cybersecurity. Samir Jain, Senior Product Manager of Security Analytics at SIEM vendor LogRhythm, shared a relevant definition of UEBA in an interview with Solutions Review: “[It] provides visibility into user behavior to prevent theft or corruption of company information by both trusted insiders and entities and by malicious outsiders masquerading as insiders.” 

Behaviors indicative of suspicious activity can vary, and often includes: 

  • Abnormal Logon/Logoff Time
  • Files Accessed By Unauthorized Employees
  • Unusual Email Usage
  • Poor Job Performance
  • Expressions of Discontentment

As a result, UEBA can monitor insider threats as well as external actors controlling users’ accounts. So the connection between UEBA and identity management is obvious; both provide a component of continuous monitoring beyond the login portal.  

However, that doesn’t answer the connection between UEBA and endpoint security monitoring. The answer lies in one of the letters that comprise UEBA: entity. 

UEBA, Endpoint Security Monitoring, and Device Identity

UEBA doesn’t just monitor users, but the device they operate and use to navigate and interact with the network. This matters in a few ways: 

  • Hackers can and often do plant malware and other cyber-attacks beneath the notice of users. These can include cryptojacking software and ransomware payloads waiting for access to more central databases. 
  • Devices may have become bots without users’ knowledge, allowing threat actors to communicate with devices at any time and take control of them. 
  • Hackers may steal or subvert devices and use them to log in. Given that so many authentication protocols take the device used into account, this could prove a critical means to avoid detection. 

Looking for signs of these kinds of subversive attacks involves looking for suspicious behaviors on each device as it connects and interacts with the network. With UEBA partnered with endpoint security monitoring, you can find these behaviors faster and thus mitigate more attacks. 

For more, check out the SIEM Buyer’s Guide and the Endpoint Security Buyer’s Guide.   

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner