User and entity behavior analytics (UEBA) tools are a relatively recent offering that help businesses better understand cybersecurity threats.
Similar terms for the technology include user behavior analytics (UBA), threat analytics, and security analytics. Many others have simply packaged UEBA into broader security tools, such as security information and event management (SIEM) and extended detection and response (XDR).
Although it’s being gradually subsumed, UEBA remains a necessary technology; it goes beyond signature- or event-driven security technology by identifying changes in behavior that could indicate a threat.
Best UEBA Tools
Best for Existing Fortinet Customers
FortiSIEM is a full-featured SIEM with an Advanced Agent for UEBA Telemetry add-on. This lightweight, kernel-level agent collects only what is required to profile normal behavior of the endpoint it’s installed on and the users who log in. It securely caches and then streams back the telemetry it collects whenever the user is connected, including to cloud-based collectors if desired, and provides a method of monitoring users working remotely.
- Detects anomalous endpoint behavior that may reflect a compromised system or account or user behavior that may signal a negligent or malicious insider
- Active and passive ways to detect and classify assets, assign risk scoring, and track configurations for unauthorized change
- Real-time correlation engines that can run hundreds of active correlation rules on the fly
- MITRE ATT&CK Framework support
- FortiInsight agent and AI module embedded in FortiSIEM
- Good choice for businesses that already use other Fortinet products
- Strong cybersecurity solution for large enterprises with a tighter budget
- Some users report trouble integrating FortiSIEM with third-party software. FortiSIEM may not be the best choice for organizations with a lot of non-Fortinet solutions in their security infrastructure.
- Although some customer reviews cited the helpful technical support team, others have reported trouble with limited customer support, slow responses, or limited vendor documentation.
FortiSIEM has a free product demo. Buyers must contact sales for an exact quote.
Best for Big Data
Gurucul UEBA detects and responds to threats based on an understanding of normal activity that continuously learns and adjusts to characterize suspicious and anomalous activity. Combined with threat content and other analytical capabilities, Gurucul UEBA can help security teams quickly distinguish malicious activity from false positives. Gurucul is a good choice for organizations with big data applications because of its support for data lakes.
- The solution can detect threats immediately upon deployment with 1,500+ behavior-based ML models for the most popular use cases and industries that adapt to each organization.
- The risk engine combines telemetry, analytics, and behavioral modeling to help security teams prioritize investigation and response actions.
- Case management allows users to track incidents.
- Gurucul masks any data attribute using roles or individual users to support data privacy requirements.
- Gurucul UEBA uses multiple threat hunting methodologies, including hypothesis-driven investigation and known indicators of compromise.
- Provides Hadoop data lake and supports other data lakes
- No charge for event ingestion in big data operations
- Large number of machine learning behavior models
Gurucul doesn’t offer a free trial.
Gurucul provides demos for potential customers. Contact Gurucul’s sales team for further information about pricing.
Best Standalone UBA
Splunk provides the data platform and security analytics capabilities needed for organizations to monitor, analyze, share, and detect known and unknown threats. Regardless of organization size or skill set, teams can improve their security posture with Splunk’s threat workflow. This technology narrows business-wide raw events down to a few possible threats. For large businesses, Splunk makes traffic and event data more manageable. For small businesses, the information revealed about their endpoints and applications makes security a more doable task.
Customers can choose a Splunk plan based on either workloads, ingest data, hosts, or activities. The UBA solution falls under entity, or host-based, pricing. Pricing is based on the number of assets in your environment.
- Malware and advanced persistent threat detection
- Multiple anomaly and threat models focused on external threat detection
- Fully automated and continuous threat monitoring
- Detects account takeover (ATO), command and control activity, and browser exploits
- Advanced tracking for malicious behavior like lateral movement
- Ability to handle large volumes of raw events and to analyze botnet activity
- Narrows down billions of raw events
- Splunk has an integration with Splunk ES, but it doesn’t appear to offer many third-party integrations for the UBA solution specifically.
- Splunk doesn’t offer a free trial for UBA.
Best for Large Businesses
Cynet’s UBA solution falls under its broader XDR platform. Cynet XDR is a complete breach protection service. It offers organizations a single, multi-tenant platform that can converge endpoint, user, and network security functionalities within one suite. As part of the offering, the company provides the services of CyOps, Cynet’s 24/7 SOC team of threat researchers and security analysts.
Because Cynet’s XDR platform offers a wide range of UBA features as well as other security tools, it’s a good choice for large organizations. Smaller businesses may want to ensure that they have an experienced enough IT or security team to manage Cynet.
- Threat detection and prevention for endpoints, networks, and users
- Next-generation antivirus
- Deception technology to trap attackers
- Cynet Response Orchestration, which includes a set of remediation actions to address infected hosts, malicious files, network traffic, and compromised user accounts
- CyOps, an MDR service that assists with in-depth investigation, proactive threat hunting, and attack reports
- Deception technology
- Wide range of endpoint and detection features
- Technical support team praised by users
Cynet doesn’t support Android or iOS, so businesses with phones that need protection should consider another UEBA or XDR solution.
Cynet offers a 14-day free trial for its 360 AutoXDR platform. For further information about pricing, potential customers should contact Cynet’s sales team.
Best for Experienced Teams
LogRhythm UEBA uses machine learning to detect anomalies related to potential user attacks, such as insider threats, brute force attacks, administrator abuse, and misuse. LogRhythm’s analytics monitor systems for compromised business accounts. Its file integrity monitoring capability looks for inappropriate file access; consider LogRhythm if your business stores large numbers of files with sensitive company data. Also note that LogRhythm can take months to fully customize; this is a good solution for businesses with experienced IT and security teams.
- LogRhythm UEBA uses threat models of the LogRhythm SIEM AI Engine to deliver analysis and visibility into user activity and outliers.
- Analysts can use the individual anomaly scores and a summary user score to prioritize anomalies for investigation and response.
- SmartResponse automated actions can take care of routine remediation measures.
- Models analyze when an identity is anomalous in relation to its own baseline, in relation to its peers, or in relation to all monitored identities.
- Custom demo available
- Integration with LogRhythm SIEM to function as an advanced UEBA log source in the SIEM
- Business file monitoring for teams storing sensitive data
- LogRhythm doesn’t offer a free trial for UEBA.
- Some users report long deployment and integration processes.
LogRhythm offers different pricing structures: a software solution, an unlimited data plan, or an appliance. Contact LogRhythm to learn more about which deployment type works best for your business needs.
Best for SMBs Wanting XDR Functionality
InsightIDR by Rapid7 is a SIEM and XDR platform. It continuously baselines normal user activity beyond defined indicators of compromise to detect hard-to-spot threats, such as attackers that are posing as company employees. This product connects activity across the network to specific users. If a user behaves in a way that’s unusual, InsightIDR investigates.
InsightIDR is a good choice for businesses ready to implement XDR. Teams can use prebuilt workflows to contain threats and temporarily disable user accounts. If you want response features alongside UEBA, consider Rapid7.
- InsightIDR automatically correlates activity on the network to the specific users and entities behind it.
- It continuously baselines user activity, adapting to the users and entities on the network to define normal.
- The dashboard has a watchlist to monitor users that can pose a potential higher risk.
- InsightIDR spots misconfigurations via visual log search and prebuilt compliance cards to detect anomalies.
- Month-long free trial
- SaaS deployment
- Doubles as XDR solution
Multiple users had trouble manually searching through InsightIDR’s logs.
InsightIDR starts at $5.89/month for one asset. Note that this pricing applies to a minimum of 500 assets. InsightIDR also offers a 30-day free trial for teams that want time to see if it works for their business.
Best for Integrations with Other Software
Exabeam Advanced Analytics is now packaged within its Fusion SIEM offering. Fusion SIEM breaks down silos by combining weak signals from many products into high-fidelity threat indicators using behavior analytics. This approach detects complex, unknown, and insider threats to find attacks missed by purpose-built tools or other analytics tools that have been deployed.
- Fusion SIEM unifies SIEM, UEBA, and XDR in one package.
- Fusion SIEM includes centralized data storage and compliance reporting as well as rapid search.
- Prebuilt integrations are available with hundreds of third-party security tools.
- Behavior analytics combine weak signals from multiple products to find complex threats.
- User-friendly, easy-to-read UI
- Supports MITRE ATT&CK framework
- Plenty of third-party integrations with other network security software, including SOAR solutions
Exabeam’s customer support team receives mixed reviews from users. Some found the support team highly experienced and responsive; others reported significant trouble getting quick or knowledgeable assistance.
Contact Exabeam’s sales team for pricing. Exabeam also offers a demo for potential buyers.
Best for All-Microsoft Organizations
Microsoft Sentinel helps stop threats before they cause harm via a bird’s-eye security view across the enterprise. Its cloud operation means it reduces security infrastructure setup and maintenance and can elastically scale to meet security needs.
Sentinel integrates with 365 Defender, Microsoft’s XDR product. It has other integrations with Microsoft products and is a good solution for businesses using Azure cloud.
- Sentinel collects data from all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
- Sentinel detects previously undetected threats and minimizes false positives using analytics and threat intelligence.
- AI helps investigate threats and hunt suspicious activities at scale.
- Sentinel avoids the storage limits or query limits that sometimes prevent on-premises systems from protecting the enterprise.
- SOAR capabilities
- Integrations with other Microsoft products
Microsoft Sentinel may be too expensive for very small businesses.
Sentinel has pay-as-you-go pricing: it costs $2.46 per GB ingested. Log analytics is priced as an add-on. For a full quote, potential customers can contact Microsoft to request pricing information.
Key Features of UEBA Tools
Note that multiple UEBA solutions, including some listed above, belong to a larger platform like XDR or SIEM and may also have prevention features. This list focuses only on features of standard UEBA.
In a security infrastructure, networks, devices, and applications all need to be monitored. UEBA tools constantly observe IT systems and notify admins when network traffic, device behavior, or application behavior isn’t consistent with preconfigured standards.
In UEBA solutions, behavioral analytics are based on machine learning technology. ML identifies user behaviors to determine whether they fit predetermined criteria for typical actions. If the UEBA tool decides a user’s erratic behavior is a danger, it will highlight this pattern on the dashboard for security admins to view.
Alerts and prioritization
UEBA tools trigger alerts when a significant enough anomaly occurs. Because these tools study typical user and application patterns over time, they notice when something out of the ordinary happens. Often, UEBA tools also prioritize alerts — ranking the risk level so IT and security staff can decide which to tackle first.
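The baseline-and-rank idea described above, sketched as an added example that is not any vendor's implementation: today's activity for each identity is scored against its own history, its peer group, and all monitored identities, then ranked so the highest risk comes first. The sample data, the names, the threshold, and the use of a plain z-score in place of a vendor's ML models are all assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed sample: files accessed per day for each identity; the last
# value is "today", the earlier values form the learned baseline.
ACTIVITY = {
    "alice": ("finance",  [20, 22, 19, 21, 23, 20, 95]),
    "bob":   ("finance",  [18, 25, 21, 19, 22, 24, 23]),
    "carol": ("finance",  [22, 20, 24, 21, 23, 22, 24]),
    "dave":  ("it-admin", [200, 210, 190, 205, 195, 215, 212]),
    "erin":  ("it-admin", [195, 205, 210, 198, 202, 208, 204]),
}
ALERT_THRESHOLD = 3.0  # assumed cut-off, in standard deviations


def zscore(value, baseline):
    """Distance of value above the baseline mean, in standard deviations."""
    if not baseline:  # identity with no history or no peers: nothing to compare
        return 0.0
    sigma = max(pstdev(baseline), 1.0)  # floor avoids dividing by ~0 on flat baselines
    return (value - mean(baseline)) / sigma


def score_identity(user, activity=ACTIVITY):
    """Score today's count against the user's own history, peers, and everyone."""
    group, counts = activity[user]
    others = {u: (g, c[:-1]) for u, (g, c) in activity.items() if u != user}
    peers = [n for g, c in others.values() if g == group for n in c]
    everyone = [n for _, c in others.values() for n in c]
    today = counts[-1]
    return {
        "self": zscore(today, counts[:-1]),
        "peers": zscore(today, peers),
        "all": zscore(today, everyone),
    }


def rank_identities(activity=ACTIVITY):
    """Return (user, risk, scores) tuples, highest risk first."""
    rows = []
    for user in activity:
        scores = score_identity(user, activity)
        rows.append((user, max(scores.values()), scores))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def alerts(activity=ACTIVITY, threshold=ALERT_THRESHOLD):
    """Identities whose risk crosses the alert threshold, in priority order."""
    return [user for user, risk, _ in rank_identities(activity) if risk >= threshold]


if __name__ == "__main__":
    for user, risk, scores in rank_identities():
        flag = "ALERT" if risk >= ALERT_THRESHOLD else "ok"
        print(f"{user:6} risk={risk:6.2f} {flag:5} {scores}")
```

Scored only against all identities, alice's spike comes out negative because the it-admin accounts dominate the global mean; the per-user and peer baselines are what raise the alert.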
UEBA solutions monitor user permissions and determine whether a particular user’s behavior contradicts their assigned permissions. This is helpful for decreasing privileged access exploitation and may also reveal malicious insider activity.
How to Buy UEBA Tools
To select a suitable UEBA tool for your business, follow these guidelines.
Find a solution suitable for your team
Choose a UEBA tool that suits your engineering team’s needs. For example, if you have a smaller or inexperienced team of engineers or security analysts, pick a solution that’s known for its easy-to-use UI. But if you have an experienced security team with senior employees, a highly customizable solution might give them more advanced configuration options. And of course, the tool has to work with your environment, so check for compatibility.
Communicate with the provider
Speak with the vendor before buying. Some businesses prefer an ongoing partnership with their SIEM or UEBA provider. If that’s the case for your IT and security teams, how involved will the vendor be throughout your customer lifecycle? Some vendors give the option to have regular meetings with a client success manager or other designated representative.
Know your customer support needs
Does the UEBA vendor have stellar technical support? This may not be a dealbreaker if your teams have highly experienced engineers or have used the UEBA solution in a past job. But for inexperienced IT teams, it’s best to choose a UEBA tool with responsive and knowledgeable tech support. User reviews are one way to gauge this.
Make sure you have response, not just detection
Choose a UEBA solution that either doubles as a threat response solution or that integrates well with EDR or XDR of your organization’s choice. A basic UEBA tool doesn’t provide much in the way of prevention and mitigation. To protect your infrastructure, you’ll need a UEBA tool that works seamlessly with your prevention solution or a solution like Rapid7 InsightIDR that also provides response technology.
Frequently Asked Questions (FAQs)
People frequently ask the following questions about UEBA solutions and their role in security infrastructures, as well as their differences from other platforms.
What is the difference between SIEM and UEBA?
Both SIEM and UEBA solutions collect data within an organization’s security infrastructure. However, UEBA tools focus more on rapid alerts based on user actions, while SIEM is more focused on logging and identifying anomalies in those logs. Although SIEM data can be used for rapid response to incidents, it’s not as focused on user behavior. However, SIEM vendors are increasingly adding behavioral capabilities to their systems, a convergence of SIEM and UEBA that benefits users. XDR is another centralized security management tool that has been incorporating behavioral analytics.
What is the difference between UEBA and EDR?
EDR covers all business endpoints, such as laptops, mobile devices, and servers, and often provides user behavior analytics. UEBA and EDR are very similar, but EDR solutions focus more on incident response technology, while UEBA is more centered around advanced behavioral study.
Your business would want to deploy EDR if the security teams are focused on strong endpoint coverage; if you’re looking at user behavior across employees, contractors, and service users, you’d choose UEBA. Both can work well together in a business’s security infrastructure if they’re well-integrated, too.
Why do I need a UEBA tool?
If your organization has multiple users accessing company resources, like applications and cloud file-sharing solutions, you should consider a UEBA solution. Users present some of the biggest dangers to enterprise security, and a behavioral analytics platform like UEBA will help your security and IT teams manage the deluge of user activity data to identify anomalous patterns that could indicate a threat.
UEBA tools can also be used to reveal patterns over time. If a particular user behavior becomes consistent, maybe that’s a vulnerability for your security team to address. Without a dedicated security solution, it’s hard to standardize finding and understanding that data.
Bottom Line: UEBA Tools
UEBA solutions provide valuable insights for businesses as they work to understand user and application behavior across their tech infrastructures. The more data is generated by network traffic and company software, the more information IT and security professionals have to analyze and distill. UEBA does some of that work for them, redirecting their workload from manual efforts to more strategic ones.
Of course, UEBA tools don’t entirely eliminate manual IT work, nor are they set-and-forget solutions. But it’s rewarding to closely configure UEBA to fit your own infrastructure: alerts make more sense, and you’ll begin to better understand behavioral patterns in databases, networks, and applications. UEBA is a long-term investment for businesses that want to improve their security posture by knowing exactly what their users are doing.
Drew Robb contributed to this buyer’s guide.