User Behavior Analytics: Definition and Applications

Companies have put user behavior analytics (UBA) into play for many years, but machine learning and more advanced software algorithms have expanded their use in recent years. Organizations now can create security systems that are far more robust in protecting consumer data than they were in the past.

The use of such systems is only expected to grow. Research firm Gartner projects that user and entity behavior analytics will no longer remain a standalone market by 2021. Instead, they expect core techniques and technologies will be “80% of threat detection and incident prioritization solutions.”

Part of this is driven by advances in technology. Another factor is simply more organizations understanding how to use UBA.

What Are User Behavior Analytics?

Developed originally for use in cybersecurity, user behavior analytics is a term that encompasses the tracking, collecting and assessing of user data. Analytics are then used to research the data, looking for patterns amid millions of data points.

By understanding the typical patterns created through normal behavior, these systems can quickly identify anomalous, even potentially malicious, behavior. That can include actions such as repeated attempts to sign into a system from one IP address or trying to download a large number of files.

How Does it Work?

User behavior analytics is used for two main reasons, according to TechTarget. The first is to determine the parameters of normal activities between an organization and its website users. The second is to determine what constitutes deviation from normal behavior. These assessments can now be made in real-time, using advanced algorithms and machine learning.

Tracking the patterns of just one or even a few dozen users does not generate enough data to reach actionable conclusions on user behavior. Developing reliable UBA requires enormous amounts of data over a span of time showing how users interact with a website.

This does not involve tracking certain types of devices or looking at an analysis of one event. This consists of monitoring every user in your system and interactions involving servers, applications and devices. UBA also includes tracking data from inside users, evaluating what employees may have “gone rogue” or perhaps been hacked.


UBA and Security Information and Event Management (SIEM) have similar features, but perform different functions, according to the Security Intelligence blog from IBM.

SIEM acts as a log management tool that helps security operators “make sense of a deluge of information,” according to IBM. That’s useful in doing targeted analysis.

UBA systems are typically built on top of a SIEM tool. However, UBA does not replace SIEM. Because there are no set standard features for a SIEM, according to IBM, it’s possible that you may already have UBA capabilities in your SIEM.

Uses of UBA

The first clear advantage of UBA is that it looks at all activity, regardless of how many firewalls or other protections you might have in place. Hackers often find a way around these security measures. UBA, by monitoring all activity in real-time, spots threats as they happen.

These systems can:

  • Detect attacks from outsiders
  • Detect attacks from insiders
  • Quickly identify any user accounts that have been compromised
  • Detect “brute-force attacks” on outside systems
  • Detect changes in permissions
  • Detect when anyone accesses protected data and ensure they have the proper authority

Weaknesses of UBA

UBA is an evolving technology. While it’s more robust than in the past, there still are potential weaknesses. According to CSO, Gartner, Forrester Research and Enterprise Security Group have found areas of weakness. They include the following.

  • Black swan events. These are difficult to detect because they don’t resemble past events.
  • False positives. Even with advances in software sophistication, UBA systems still can flag behavior as potentially threatening when it is not.
  • Lack of experts. Some organizations do not invest in enough data scientists and other experts needed to run a UBA system.
  • Inside attacks. Although, as noted above, systems can now spot activity that indicates an employee has “gone rogue,” they lack relevant data from non-IT sources such as employment history, personnel records and travel records.

Best Practices

One of the most important best practices associated with UBA is that they should not be used to replace the detection programs in place. UBA is meant to complement current security systems, not replace them.

Users also should put machine learning and Big Data statistical analytics into play. Otherwise, it’s easy to become overwhelmed by the task of analyzing that much data. Further, machine learning and artificial intelligence can handle faster and more in-depth analysis of vast datasets.

These are some issues to keep in mind regarding UBA. It’s certainly a part of the future for data security, although it is not a cure-all. Used properly, however, it can significantly enhance the security of organizational operations.

Get program guide
YES! Please send me a FREE brochure with course info, pricing and more!

Unfortunately, at this time, we are not accepting inquiries from EU citizens.

If you would like more information relating to how we may use your data, please review our privacy policy.

Unfortunately, at this time, we are not accepting inquiries from EU citizens.

If you would like more information relating to how we may use your data, please review our privacy policy.