Posted On: 6 October 2021

What is User Behaviour Analytics (UBA)?

What is the benefit of User Behaviour Analytics (UBA)?

User Behaviour Analytics (UBA) refers to the tracking, collection and analysis of user data and activities using monitoring systems.

UBA solutions first appeared after the turn of the millennium as tools that marketing teams could use to analyse and predict customer buying behaviour.

Today, user behaviour analytics tools have advanced profiling and exception monitoring capabilities and are used for two main functions.

UBA tools are used, firstly, to establish a baseline of normal activities that are specific to the business and its individual users.

Secondly, they are used to identify deviations from normal. UBA uses Big Data and machine learning algorithms to assess these deviations in near real-time.

How does UBA work?

UBA solutions analyse historical data logs – including network and authentication logs collected and stored in log management and SIEM systems – to identify patterns of traffic caused by normal and malicious user behaviour.

UBA systems are primarily designed to provide cybersecurity teams with actionable insights.

UBA does this by collecting various types of data, such as user roles and titles (including access, accounts and privileges), user activity, geographic location and security alerts.

This data can be collected from past and current activity. The analysis takes into account factors such as resources used, session duration, connectivity and peer group activity, which serve as the reference against which anomalous behaviour is compared.

UBA systems do not report all anomalies as risky. Instead, they assess the potential impact of the behaviour. If the behaviour involves less sensitive resources, it receives a low impact rating.

If it involves something more sensitive, such as personal data, it receives a higher rating. In this way, security teams can prioritise what to follow up on, while the UBA system automatically restricts or complicates authentication for the user exhibiting anomalous behaviour.

Phases of UBA

First, the systems collect data on user behaviour from various sources. UBA uses this data to learn about normal user behaviour. For example, it examines which servers and files users normally access, from where and at what times this happens, which typical applications are run or which end devices, operating systems and networks the user uses.

After this baselining, the UBA system is able to identify deviations from normal user behaviour in real time and initiate further measures such as alerting those responsible or blocking certain users.

Typical deviations that User Behaviour Analytics detects are, for example:

  • unusual file accesses in terms of type and scope
  • user accesses from unusual terminals, locations or networks
  • user activity deviating from standard times
  • unusual changes in system configurations
  • an unusually high number of login attempts
  • login attempts to systems not normally used by a user
  • use of unusual user accounts
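
The baselining, deviation checks and impact rating described above can be illustrated with the following Python code, an added example that is not part of the original post and not how any UBA product is implemented. The event fields, the `SENSITIVITY` weights, the `MAX_FAILED` threshold and the two-hour time window are assumptions, and plain per-user sets stand in for the machine learning models a real system would use.

```python
from collections import defaultdict

# Constructed sample events: (user, host, hour_of_day, source_network, login_ok)
HISTORY = [
    ("alice", "files01", 9, "office", True), ("alice", "files01", 14, "office", True),
    ("alice", "wiki", 11, "vpn", True), ("bob", "hr-db", 10, "office", True),
    ("bob", "wiki", 16, "office", True),
]
NEW_EVENTS = [
    ("alice", "wiki", 10, "office", True),    # matches alice's baseline
    ("alice", "hr-db", 3, "unknown", True),   # new system, network and time
    ("bob", "wiki", 2, "office", True),       # odd time, low-impact resource
] + [("bob", "hr-db", 11, "office", False)] * 5  # burst of failed logins
# Assumed impact weights per resource (hr-db holds personal data) and threshold.
SENSITIVITY = {"wiki": 1, "files01": 2, "hr-db": 5}
MAX_FAILED = 3

def build_baseline(events):
    """Learn each user's normal systems, source networks and active hours."""
    base = defaultdict(lambda: {"hosts": set(), "nets": set(), "hours": set()})
    for user, host, hour, net, _ok in events:
        base[user]["hosts"].add(host)
        base[user]["nets"].add(net)
        base[user]["hours"].add(hour)
    return base

def score(events, base):
    """Return (user, host, deviations, risk) per deviating event, riskiest first."""
    findings, failed = [], defaultdict(int)
    for user, host, hour, net, ok in events:
        b, dev = base[user], []
        if host not in b["hosts"]:
            dev.append("unusual system")
        if net not in b["nets"]:
            dev.append("unusual network")
        # Normal time = within 2 hours of earlier activity, wrapping at midnight.
        if not any(min(abs(hour - h), 24 - abs(hour - h)) <= 2 for h in b["hours"]):
            dev.append("unusual time")
        if not ok:
            failed[user, host] += 1
            if failed[user, host] == MAX_FAILED + 1:  # report the burst once
                dev.append("many failed logins")
        if dev:  # risk = number of deviations weighted by resource impact
            findings.append((user, host, dev, len(dev) * SENSITIVITY.get(host, 1)))
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    print(*score(NEW_EVENTS, build_baseline(HISTORY)), sep="\n")
```

The same single deviation ranks higher on `hr-db` than on `wiki`, which is how the impact rating lets a security team prioritise follow-up.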

Uses of the analysis of user behaviour

While applying User Behaviour Analytics to just one user may not be useful for finding malicious activity, applying it on a large scale can enable an organisation to detect malware or other potential cybersecurity threats such as data exfiltration, insider threats and compromised endpoints.

User Behaviour Analytics evaluates the behaviour of IT users. The goal is to detect patterns that deviate from normal behaviour in real time and to identify and prevent attacks or dangerous transactions. UBA reduces the risk of insider threats. Big data technologies and machine learning (ML) methods are used.

Advantages through User Behaviour Analytics

User Behaviour Analytics can be used to reduce the risk of insider threats or attacks by people with unauthorised access. UBA detects dangerous or critical behaviour of employees, service providers or external attackers who have unauthorised access.

As the analyses are carried out in real time, threats are uncovered directly. Countermeasures can be initiated immediately. Thanks to the use of machine learning, the UBA systems optimise their detection patterns independently. Security teams are relieved of standard tasks and manual analysis activities.

Conclusion

User behaviour analytics are an important part of a multi-layered, integrated IT and information security strategy to prevent attacks and investigate threats. They can be an incredibly powerful tool to identify a compromise early, mitigate risk and prevent an attacker from exfiltrating an organisation’s data.

UBA has grown exponentially in recent years as the Internet of Things (IoT) expands and there are more and more devices that could potentially exploit vulnerabilities in the network. Whether you are trying to identify suspicious insider threats or monitor authorised accounts, UBA provides your IT infrastructure with additional protection against attacks.

We would be glad to present our IBM QRadar UBA or Rapid7 UBA solutions to you in a personal meeting. We look forward to hearing from you.