UEBA Piergiorgio Venuti

UEBA: Behavior Analysis Explained

Classic cyber threat defense tools and systems are rapidly becoming obsolete, and there are ways to overcome them. What remains confidently common among cyber criminals attempting an attack is the intent of the attack itself. Indeed, knowing that there are systems capable of detecting indicators of compromise (IOC), it is natural that competent hackers will try not to leave traces traceable to standards. User and Entity Behavior Analysis (UEBA) offers a more comprehensive way to make sure your business has world-class IT security. At the same time, it helps detect users and entities that could compromise the entire system.

A definition of User Entity Behavior Analytics

User and Entity Behavior Analysis or UEBA, is a type of cybersecurity process that takes note of standard user behavior. In turn, the system detects any abnormal behavior or cases where there are deviations from the “normal” patterns mentioned above. For example, if a particular user regularly downloads 10MB of files every day, and suddenly downloads 1GB, the system would be able to detect this anomaly and immediately alert operators. The behavior may be legitimate, but it’s worth checking out.

The UEBA system uses machine learning, algorithms and statistical analysis to know when there is a deviation from established patterns. Next, it shows which of these anomalies could result in a potential and real threat. Additionally, UEBA can aggregate report and log data, as well as analyze file, stream and packet information.

With a UEBA all users and entities of the system are tracked. In this way the system focuses on insider threats, such as dishonest employees, compromised ones and people who have access to the system and then carry out targeted attacks and fraud attempts, as well as the servers, applications and devices that work inside. of the system.

Advantages

It is the unfortunate truth that today’s cybersecurity tools are rapidly becoming obsolete. Now the most skilled hackers and cyber criminals are able to bypass the perimeter defenses used by most companies. A few years ago you were sure if you had web gateways, firewalls, and intrusion prevention tools. This is no longer the case in the complex threat landscape, and is especially true for large companies that have proven to have very porous IT perimeters that are also very difficult to manage and supervise.

The key point? Preventive measures are no longer sufficient. Firewalls will not be 100% infallible and attackers will enter the system at one point or another. That’s why detection is just as important: when hackers successfully enter your system, then you need to be able to quickly detect their presence to minimize damage.

How does it work?

The premise of the system is actually very simple. You can easily steal an employee’s username and password, but it is much more difficult to mimic the person’s normal behavior once inside the network.
For example, let’s say you manage to steal John Smith’s password and username. However, it is almost impossible to act exactly like Mario Rossi once inside the system, unless extensive research and preparation is also done in this direction. Therefore, when Mario’s username is logged into the system and his behavior is different than typical, that’s when the UEBA alarms start ringing.

Another related analogy would be the theft of a credit card. A thief can steal your wallet and go to a luxury store and start spending thousands of dollars. But, if the spending pattern on that card is different from that of the thief, the fraud detection department will recognize the anomalous expenses and block suspicious purchases, either by sending you an alert or asking you to verify the authenticity of a transaction. .

What can UEBA do?

UEBA is a very important component of modern IT security and allows you to:

1. Detect insider threats: It is not too far fetched to imagine that an employee, or perhaps a group of employees, could disobey, steal data and information using their login. UEBA can help you detect data breaches, sabotage, abuse of privileges and policy violations by staff.

2. Detect Compromised Accounts: Sometimes, user accounts are compromised. It could be that the user has unintentionally installed malware on his machine, or that sometimes a legitimate account has been forged. UEBA can help eliminate compromised users before they can do any damage.

3. Detect Brute Force Attacks: Hackers sometimes target cloud-based entities as well as third-party authentication systems. With UEBA, you are able to detect brute force attack attempts, allowing you to block access to these entities.

4. Detect permission changes and super user creation: Some attacks involve the use of super users. UEBA allows you to detect when super users are created, or if there are accounts that have been granted unnecessary permissions.

5. Detect Secure Data Breach: If you have secured data, it’s not enough to keep it safe. Know when a user accesses this data if they have no legitimate business reason for doing so.

UEBA and SIEM

Security Information and Event Management, or SIEM, is the use of a complex set of tools and technologies that provides a complete view of the security of your IT system. It leverages event data and information, allowing you to see normal patterns and trends, and to warn of anomalies. UEBA works the same way, only it uses information on user (and entity) behavior to verify what is normal and what is not.

SIEM, however, is based on rules, and competent hackers can easily circumvent or evade these rules. Furthermore, the SIEM rules are designed to immediately detect threats that occur in real time, while the most advanced attacks are usually carried out over months or years. The UEBA, on the other hand, is not based on rules. Instead, it uses risk scoring techniques and advanced algorithms that allow it to detect anomalies over time.

One of the best practices for cybersecurity is to use both SIEM and UEBA to have better security and detection capabilities.

How a UEBA should be used

UEBA was born out of the need to identify the harmful behavior of users and other entities. UEBA tools and processes are not intended to replace legacy monitoring systems, but should instead be used to complement them and improve a company’s overall security. Another great practice is to take advantage of the storage and calculation capabilities of big data, using machine learning and statistical analysis to avoid receiving an avalanche of unnecessary alarms and being overwhelmed by the large volume of data. generated.

And this is exactly what happens in the SOCaaS offered by SOD, where the SOAR is also guaranteed by the collaboration of these systems.

UEBA uses machine learning and algorithms to strengthen security by monitoring users and other entities, detecting anomalies in behavior patterns that could be indicative of a threat. By taking a proactive approach to security and gaining greater visibility into user and entity behavior, today’s businesses are able to build stronger security systems and more effectively mitigate threats and prevent breaches.

Useful links:

SOC as a Service

 

Next Generation SIEM: where are we?

 
Contact us

Share


RSS

RSS feed

More Articles…

Categories …

Tags

Acronis Cloud Backup BaaS Backup cloud cloud computing Cloud Conference cloud provider reggio emilia cloud server cloud services CTI cyber security cyber security cyber threat Cyber Threat Hunter Data Exfiltration GDPR Machine Learning Monitoraggio infrastruttura ICT Next Generation SIEM nextgen siem online hosting owncloud owncloud pentest Phishing Plesk Ransomware Ransomware security server virtuale sicurezza siem Smart Working SOAR SOCaaS Threat intelligence UEBA VDS Virtual Machine vps vulnerability assessment web hosting webinar Zabbix Zabbix as a Service

RSS Unknown Feed

RSS Full Disclosure

  • ESP-RFID-Tool v2 PRO — Full Public Disclosure April 29, 2026
    Posted by Milan Berger via Fulldisclosure on Apr 29# Security Advisory: ESP-RFID-Tool v2 PRO **Product:** ESP-RFID-Tool v2 PRO **Vendor:** Raik Schneider (Einstein2150), foto-video-it.de **Repository:** https://github.com/Einstein2150/ESP-RFID-Tool-v2 **Affected Version:** v2.2.1 (latest as of 2026-04-28) **Severity:** CRITICAL **Disclosure Type:** Full Public Disclosure **Disclosure Date:** 2026-04-28 **Researcher:** Milan 't4c' Berger --- ## Disclosure Timeline | Date | Event |...
  • Re: SEC Consult SA-20260427-0 :: Missing TLS Certificate Validation leading to RCE in DeskTime Time Tracking App April 29, 2026
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29*Update 2026-04-28:* The vendor contacted us and now provides a patched version v1.3.674 which can be obtained at the following URL: https://desktime.com/download
  • SEC Consult SA-20260427-0 :: Missing TLS Certificate Validation leading to RCE in DeskTime Time Tracking App April 29, 2026
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29SEC Consult Vulnerability Lab Security Advisory < 20260427-0 > ======================================================================= title: Missing TLS Certificate Validation leading to RCE product: DeskTime Time Tracking App vulnerable version: 1.3.671 fixed version: - CVE number: CVE-2025-10539              impact: medium homepage:https://desktime.com...
  • SEC Consult SA-20260423-0 :: DLL Hijacking in EfficientLab Controlio (cloud-based employee monitoring service) April 29, 2026
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29SEC Consult Vulnerability Lab Security Advisory < 20260423-0 > ======================================================================= title: DLL Hijacking product: EfficientLab Controlio (cloud-based employee monitoring service) vulnerable version:
  • SEC Consult SA-20260421-0 :: Broken Access Control in Config Endpoint in LiteLLM April 29, 2026
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29SEC Consult Vulnerability Lab Security Advisory < 20260421-0 > ======================================================================= title: Broken Access Control in Config Endpoint product: LiteLLM vulnerable version:
  • SEC Consult SA-20260415-0 :: Exposed Private Key of X.509 Certificate in SAP HANA Cockpit & SAP HANA Database Explorer April 29, 2026
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 29SEC Consult Vulnerability Lab Security Advisory < 20260415-0 > ======================================================================= title: Exposed Private Key of X.509 Certificate             product: SAP HANA Cockpit & SAP HANA Database Explorer vulnerable version: HANA Cockpit
  • APPLE-SA-04-22-2026-2 iOS 18.7.8 and iPadOS 18.7.8 April 29, 2026
    Posted by Apple Product Security via Fulldisclosure on Apr 29APPLE-SA-04-22-2026-2 iOS 18.7.8 and iPadOS 18.7.8 iOS 18.7.8 and iPadOS 18.7.8 addresses the following issues. Information about the security content is also available at https://support.apple.com/en-us/127003. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Notification Services Available for: iPhone […]
  • APPLE-SA-04-22-2026-1 iOS 26.4.2 and iPadOS 26.4.2 April 29, 2026
    Posted by Apple Product Security via Fulldisclosure on Apr 29APPLE-SA-04-22-2026-1 iOS 26.4.2 and iPadOS 26.4.2 iOS 26.4.2 and iPadOS 26.4.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/en-us/127002. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Notification Services Available for: iPhone […]
  • Research: When Trusted Tools Become Attack Primitives April 29, 2026
    Posted by Nir Yehoshua on Apr 29Hi Full Disclosure list, I published a technical research article titled: When Trusted Tools Become Attack Primitives The article examines how trusted local utilities can become security-relevant primitives when used inside automated processing pipelines. It covers two case studies: 1. macOS textutil resolving remote resources during HTML-to-text conversion. 2. […]
  • [KIS-2026-08] SocialEngine <= 7.8.0 (get-memberall) SQL Injection Vulnerability April 29, 2026
    Posted by Egidio Romano on Apr 29----------------------------------------------------------------- SocialEngine

Customers

Newsletter

{subscription_form_1}
Products and Solutions
Partners
Cloud Models
News
Google Reviews
Secure Online Desktop s.r.l. place picture
Secure Online Desktop s.r.l.
4.9
Based on 37 reviews
powered by Google
review us on
Riccardo Crocilli profile picture
Riccardo Crocilli
14:02 22 Mar 19
Ho collaborato con Secure Online Desktop per importanti progetti IT. Si sono dimostrati negli anni partner seri, competenti e professionali , l' Azienda dimostra una grande esperienza maturata in tanti anni di consulenza e lavoro su contesti IT innovativi.
Davvero consigliata !!!!!
In particolare vorrei sottolineare la figura che piu’ racchiude e sintetizza le qualità della Secure Online Desktop , il suo AD Ing. Piergiorgio Venuti, professionista impagabile , sia dal punto di vista tecnico/organizzativo che soprattutto (e non dimeno) come persona , capace di gestire , risolvere e approcciare qualsivoglia attività/problematica, davvero un grande !!!!
Filippo Scavone profile picture
Filippo Scavone
13:39 22 Mar 19
Dopo anni di collaborazione confermo la professionalità, competenza ed affidabilità
clickday at2016 profile picture
clickday at2016
13:36 22 Mar 19
Con lo studio di consulenza di cui sono socio, ATS – CONSULENTI ASSOCIATI S.r.l., collaboriamo già da alcuni anni, in materia di Sicurezza informatica in ambito GDPR, con la Secure Online Desktop. Si sono dimostrati partner seri, competenti e professionali sia su clienti PMI sia su Grandi imprese.
Paolo Ferrari profile picture
Paolo Ferrari
13:34 22 Mar 19
Professionali e competenti
Paolo Raimondi profile picture
Paolo Raimondi
11:08 21 Apr 18
La Polimatica Progetti Srl, azienda di cui sono titolare, collabora con soddisfazione da alcuni anni con Secure Online Desktop. L'Azienda è costituita da professionisti seri e competenti. Insieme a loro abbiamo costruito un sistema organizzato di soluzioni ICT, servizi e attività di consulenza per la compliance alla normativa in materia di protezione dei dati personali (GDPR)
Claudia Cavatorta profile picture
Claudia Cavatorta
21:45 20 Apr 18
Ormai da anni lavoriamo con Secure Online Desktop e ci siamo trovati sempre molto bene. L'Azienda ha dimostrato disponibilità costante nel risolvere problemi ed esigenze che nel nostro tipo di lavoro si presentano molto frequentemente. Sempre puntuali nell'implementare le modifiche richieste e propositivi riguardo a soluzioni che possano apportare migliorie ad un sistema già ottimale. Per quanto riguarda il prodotto: la piattaforma che abbiamo a disposizione funziona molto bene, la connessione è veloce e siamo sicuri di conservare i nostri dati in assoluta sicurezza.
Omid Fazeli profile picture
Omid Fazeli
06:59 20 Apr 18
They have a lot of solutions for any kind of business. Lower prices than many others. The support service is always active and efficient.
Miki A. profile picture
Miki A.
13:47 16 Apr 18
Prodotti eccellenti, a partire dai classici hosting, sino a VPS e cloud strutturati.
Tempi veloci e staff preparato!
More reviews
Facebook
Secure Online Desktop s.r.l.
Secure Online Desktop s.r.l.
5.0
Based on 11 reviews
powered by Facebook
review us on
Paolo Raimondi
Paolo Raimondi
11:06 21 Apr 18
recommendsLa Polimatica Progetti Srl, azienda di... cui sono titolare, collabora con soddisfazione da alcuni anni con Secure Online Desktop. L'Azienda è costituita da professionisti seri e competenti. Insieme a loro abbiamo costruito un sistema organizzato di soluzioni ICT, servizi e attività di consulenza per la compliance alla normativa in materia di protezione dei dati personali (GDPR).read more
Ilaria Miglietta
Ilaria Miglietta
04:16 21 Apr 18
recommendsServizi affidabili e di semplice... utilizzo. I loro tecnici molto attenti alle esigenze del cliente, continuate cosìread more
Francesca Marastoni
Francesca Marastoni
11:41 20 Apr 18
recommendsExcellent service company with... wonderful stuff. Highly recommended.

Ottima azienda, servizi molto utili, staff qualificato e competente. Raccomandata!read more
Alessio Liga
Alessio Liga
08:25 20 Apr 18
recommendsServizi di alto livello, competenti e... disponibili a accettare nuove sfide per sviluppare business
Ottimo supportoread more
Matteo Revelli
Matteo Revelli
22:39 19 Apr 18
recommendsOttima azienda, offre servizi di alta... qualità con personale competente e disponibile.read more
Lorenzo Munari
Lorenzo Munari
16:25 19 Apr 18
recommendsAzienda molto seria e... affidabile.

E' un piacere poter collaborare con realtà di questo tiporead more
Francisco Amadi
Francisco Amadi
10:41 19 Apr 18
recommendsHo avuto il piacere di collaborare con... loro e spero vivamente che succeda di nuovo. Competenti, professionali, precisi e cordiali!read more
Davide Michelotto
Davide Michelotto
07:42 19 Apr 18
recommendsOttimo servizio, seri professionisti al... timone della società e celerità nei tempi di risposta, oltre ogni aspettativa.read more
Luca Prati
Luca Prati
10:12 18 Apr 18
recommendsAzienda eccellente, consulenza... customizzata e puntuale.
Un ottimo fornitore.
Io personalmente ho parlato con l' Ing. Venuti, valore aggiunto indubbiamente.read more
Valerio Lezza
Valerio Lezza
21:35 17 Apr 18
recommends
Daniela Cospito Di Leo
Daniela Cospito Di Leo
21:20 17 Apr 18
recommends
More Reviews
js_loader
payments gateway
About