Best Practices for Building a Baseline of User Behavior in Enterprise


According to the 2017 Data Breach Investigations Report published by Verizon, 95% of all data breaches involve stolen credentials and malicious insiders. In order to withstand these insidious threats, enterprises need efficient new solutions.


User and entity* behavior analytics (UEBA) offers a new approach by focusing on user activities and prioritized alerts.


This approach can detect potentially malicious activities within millions of daily user actions. Gartner predicts that in 2018, nearly 25 percent of disclosed data breaches at enterprises will be found using behavior analytics. Thus, Ekran System is now entering the world of UEBA to protect our clients against user-specific attacks more effectively.


In this article, we provide a summary of what UEBA is and offer some best practices for security officers on how they can build a baseline of expected user behavior, which is the core of effective UEBA deployment.


* The term “entity” usually refers to non-human system users: service robots, daemons, routine automation tools, etc.

UEBA: What does it mean for enterprises?


What is UEBA?


According to Gartner’s definition, user and entity behavior analytics (UEBA) is a detection and investigation technology that profiles and detects anomalies in user and entity behavior using a combination of basic and advanced analytical methods like machine learning.


While performing their work duties, employees leave digital footprints all around the corporate system. During the baselining period, a UEBA system observes user behavior to set a baseline for normal behavior. During further monitoring of user and entity activities, the UEBA system detects deviations from baseline behavior and sends alerts of possible insider threats.


What are the main components of UEBA?


The functioning of UEBA systems is based on two main components: a system for user monitoring and data collection and a machine learning system.


A user monitoring and data collection system monitors user and entity activities. The data it collects is then analyzed for behavioral patterns. There are many behavioral factors that such systems can collect data on, from visited websites to typically used applications to typing rhythms.


A machine learning system automatically analyzes the huge amount of data produced by user monitoring systems, builds baselines, and detects anomalies.


With such intelligent systems, there’s no need for security officers to establish rules and pre-configure alerts anymore. However, best practices stress that the ability to add your own rules is still important. You can double-check critical events with both behavior analysis and obligatory manual review.


You should also take into account that machine learning can’t always discern whether alerts actually signify a malicious insider, an unwitting insider, or a configuration error. Thus, human interaction is also necessary to tune alerts when starting to use a system.


How does UEBA work?


To understand user behavior analytics, let’s look closer at how UEBA tools work. While vendors can add different features and keep secret their methods for anomaly detection, the main steps that each UEBA system takes are basically the same.


The first stage of a UEBA system’s work is monitoring user and entity activities and collecting data about them from system logs. After that, it applies advanced analytical methods to analyze the collected data.


The system then creates a baseline of user behavior by finding behavioral patterns and activity intervals and establishing thresholds and deviations within which behavior is considered acceptable or normal. After the system has built the baseline of users’ behavioral patterns, these patterns are compared to the behavior of employees with similar duties (peer groups) to fine-tune for possible deviations. Baselining is the most important stage of a UEBA system’s work, as it defines the accuracy of further detection of potential threats.


At the next stages, the UEBA system compares current user behavior with the established baseline and decides whether deviations are acceptable or anomalous. In case an anomaly is detected, the system estimates the degree of deviation and its risk level and sends alerts to security officers in real time.
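
The baselining and comparison steps described above, as an added example that is not Ekran System's code or any vendor's method: it builds a per-user and peer-group profile of access hours and scores new events by how far they deviate. The user names, sample hours, z-score model and threshold of 3.0 are assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data: hour-of-day of client-database accesses seen
# during the baselining period, keyed by user. Not real telemetry.
BASELINE_EVENTS = {
    "alice": [9, 10, 10, 11, 13, 14, 15, 16, 17, 10, 11, 14],
    "bob":   [9, 9, 10, 12, 13, 15, 16, 17, 11, 14, 15, 10],
    "carol": [10, 11, 11, 12, 14, 15, 16, 9, 13, 17, 12, 14],
}
PEER_GROUPS = {"sales": ["alice", "bob", "carol"]}  # hypothetical peer group


def profile(hours):
    """Behavioral pattern: centre and spread of the observed hours.
    Simplification: hours are treated as linear, not wrapped at midnight."""
    return mean(hours), max(pstdev(hours), 0.5)  # floor avoids zero spread


def build_baseline(events, peer_groups):
    """Per-user profile plus the pooled profile of the user's peer group."""
    baseline = {}
    for members in peer_groups.values():
        pooled = [h for m in members for h in events[m]]
        for m in members:
            baseline[m] = {"user": profile(events[m]), "peers": profile(pooled)}
    return baseline


def deviation(hour, prof):
    """Distance from the profile centre in standard deviations (z-score)."""
    centre, spread = prof
    return abs(hour - centre) / spread


def score_event(baseline, user, hour, threshold=3.0):
    """Assumed policy: an event is anomalous only if it deviates from BOTH
    the user's own pattern and the peer group's; the smaller deviation is
    reported as the risk score."""
    b = baseline[user]
    risk = min(deviation(hour, b["user"]), deviation(hour, b["peers"]))
    return {"user": user, "hour": hour, "risk": round(risk, 2),
            "alert": risk > threshold}
```

With this data, a 3:00 am access by alice exceeds the threshold against both her own profile and the sales peer group, while an access at 6:00 pm stays inside it.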


How can enterprises benefit from UEBA?


UEBA systems can analyze millions of user actions in a matter of seconds, which is simply impossible for security officers. This significantly increases the chances of detecting dangerous activities and minimizes the scope of data that security officers need to process.


Due to their working principles, UEBA systems can help security officers better detect the main user-centric threats:


Compromised accounts. When a hacker penetrates a corporate system using stolen credentials, they will definitely behave differently than your account officer. There’s little likelihood that the intruder will open the annual report on which your accountant has been working for the last two weeks, for instance. The UEBA approach is especially effective for these cases, as it can quickly detect completely abnormal behavior.


Malicious insiders. This type of attack is very difficult to detect, as malicious insiders (employees and other authorized users) spend most of their work time performing their routines and might act maliciously only during some short period of time. Fortunately, properly designed machine learning algorithms used by a UEBA system can detect these deviations in user behavior. However, the efficiency of detection will depend on the number of behavioral factors that the system monitors, correlates, and analyzes, as well as how well the machine learning algorithms were tuned during baselining.

User behavior factors that a UEBA collects for baselining


The effectiveness of UEBA tools highly depends on the data provided for analysis. UEBA systems gather data during user activity monitoring, sometimes even biometric data, and then apply machine learning algorithms to define behavioral factors for establishing the baseline of normal user behavior.


Though traditional security systems also collect information on different types of user activity, it’s still quite difficult to understand what’s going on when it comes to user-centric attacks. In contrast, UEBA tools use only data that can characterize user behavior precisely. Effective UEBA systems can gather and analyze information from unrelated factors, such as working hours, applications used, and typing rhythms.


When you know what types of behavioral factors a UEBA system collects, you can better define the effective period for baselining and understand the reasons for possible false positives. Here’s a list of some behavioral factors that a UEBA system can gather for baselining.


Factors in users’ work


Work rhythm

Employees usually behave similarly for up to 90 percent of their working hours. For instance, a typical day for a sales manager starts at 9:00 am and ends at 6:00 pm. They begin their day with monitoring industry news, then access the client database, make calls to existing and potential clients, and receive and reply to emails. Thus, accessing the client database in the middle of the night would be anomalous for sales managers.


Work environment

Nowadays, there are many places from which employees can work. While most people access corporate servers from the office, there are also cases when an employee works from home or visits a conference in another country. However, it’s very unusual when someone tries to authenticate from two different places at the same time or from a host that they’ve never used before.
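
The two work-environment anomalies named above (a host the user has never used before, and sessions from two different places at the same time), as an added detection example that is not taken from any UEBA product. The session records, host names, locations and the tuple layout are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sessions: (user, host, location, login, logout).
BASELINE_SESSIONS = [
    ("dave", "WS-0142", "office-HQ", "2018-03-05T09:02", "2018-03-05T18:01"),
    ("dave", "LT-0077", "home-vpn", "2018-03-06T09:15", "2018-03-06T17:40"),
]
NEW_SESSIONS = [
    ("dave", "WS-0142", "office-HQ", "2018-03-12T09:05", "2018-03-12T17:55"),
    ("dave", "LT-0077", "home-vpn", "2018-03-12T11:30", "2018-03-12T12:10"),
    ("dave", "SRV-DB03", "office-HQ", "2018-03-13T10:00", "2018-03-13T10:20"),
]


def known_hosts(sessions):
    """Hosts each user authenticated from during the baselining period."""
    hosts = defaultdict(set)
    for user, host, *_ in sessions:
        hosts[user].add(host)
    return hosts


def find_anomalies(baseline, new):
    """Return (user, kind, detail) findings for new sessions."""
    hosts = known_hosts(baseline)
    seen = defaultdict(list)  # user -> [(login, logout, location)]
    findings = []
    # ISO timestamps sort chronologically as strings.
    for user, host, loc, start, end in sorted(new, key=lambda s: s[3]):
        start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
        if host not in hosts[user]:
            findings.append((user, "new_host", host))
        for s, e, other in seen[user]:
            # Two intervals overlap when each starts before the other ends.
            if loc != other and start < e and s < end:
                findings.append((user, "concurrent_locations",
                                 f"{other}+{loc}"))
        seen[user].append((start, end, loc))
    return findings
```

A legitimate trip or a newly issued laptop produces the same findings, so in practice these feed a risk score reviewed by an analyst rather than blocking access outright.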


Factors in users’ activities


Applications used and websites visited

Most employees use the same range of applications during the same time periods each day. For example, almost all office workers deal with Microsoft Word and Excel, Google Chrome, and an email client, while the development department also needs Visual Studio and other applications for programming. In addition, there are many cloud services like Google Drive that can be used for work purposes. Clearly, it’s necessary to find out whether UEBA tools monitor user behavior in browsers.


Accessed corporate data

Access to corporate data is a potential source of risk for every enterprise, so a best practice is to limit access to data according to people’s work duties. But there are many real-life scenarios when the minimal privilege rule doesn’t work, and thus internal users can have access permissions to a wide scope of data that they usually don’t use. UEBA can detect anomalies here – for instance, it might look suspicious if a marketing specialist opens a database with clients’ financial information.


Contextual factors


Psycho-linguistic indicators

A UEBA system can also use data on changes in email activity and language used by employees. Several studies confirm that the language people use can indicate possible data leaks. For instance, there may be a shift in pronoun use: employees involved in insider threats use more “I” words and fewer “we” words. There can also be other deviations in behavior patterns when compared to the language used by peer groups.


Non-IT data

In addition to technical data, UEBA tools can collect data from human resources and other business applications. This data provides the system with information about employees’ vacation periods, ranges of duties, and business projects on which they work.


Biometric factors


Biometrics is commonly used for user authentication. However, in case of stolen credentials, we also need to know whether a user logged in to a privileged manager account is really the manager we know. Behavior biometrics analyzes the way users interact with input devices and allows security officers to react immediately when an account is compromised by hackers. There are several methods of behavior biometrics that can be used by UEBA.


Keystroke dynamics builds user behavior profiles from the way people type. Each of us has our own typing speed as well as the tendency to make typical mistakes in certain words.


Mouse dynamics takes into account a user’s interactions with the mouse. Mouse dynamics for user authentication is based on the time duration between clicks as well as the unique speed, rhythm, and style of cursor movement.


Eye-movement biometrics is based on distinctive eye movement patterns and can be used for preventing insider attacks. People move their eyes in unique ways, and these patterns may be used to distinguish them from each other. Eye and gaze tracking tools can record videos of eye movements. This type of behavior biometrics can detect cases when an authorized user is out of the workplace and a co-worker tries to compromise their workstation.

Establishing a baseline of user behavior


Before you can benefit from a UEBA system, you need to spend some time on user activity monitoring and establishing a baseline. Here are some recommendations to help you better set up your baselining of user and entity behavior for your enterprise.


Recommendations for the baselining period


UEBA vendors usually recommend a duration for the baselining period, but you should also take into account specifics of your business and the time of year when you monitor employees (for instance, whether it’s a peak period of employee activity). The time for baselining can vary from one week to 30 or 90 days depending on the specifics of user activity. Spending less than a week on user monitoring may result in a high rate of false positives. However, if the baselining period is too long, the system may mark some malicious events as normal.


Recommendations on organizational issues


Security officers should inform employees about the deployment of UEBA tools from the very beginning, telling how the technology will be used and conducting awareness training.


When an enterprise deploys behavior analysis, it should take into account that UEBA technology can’t replace investments in security awareness training and management. During the adoption period, a high rate of false positives may negatively affect employee morale.


To avoid this, security officers should comply with pre-determined escalation procedures that include the participation of HR, legal staff, and team leads when they investigate potential attacks. Analyze alerts with extraordinary care so that dedicated employees don’t begin to think that they’re no longer trusted.


You should also take into account that the baselining of normal behavior can be successful only if you ensure that employees don’t perform any malicious activity during this period. But how can you be sure of this? Use other security solutions in order to double-check for any incidents or security violations.


Recommendations on baseline testing


After the baseline has been established, you need to conduct acceptance testing of UEBA tools. First, define use cases that you want to test. Then, run the system for testing purposes and analyze the response. Review the findings and analyze the rate of false positives. If the rate of false positives is too high, then you may need to enrich information about user activity with additional monitoring data by continuing the period of baselining.


You should also review alerts and risk scoring and analyze the time spent triggering alerts. Think about assessing the amount of tuning done by the vendor during baseline testing and review whether you have the skills needed for working with the UEBA system.
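
The acceptance test described above, together with the earlier point that a baselining period shorter than a week raises false positives, as an added example that is not a vendor procedure. The daily file counts, the use cases, the simple mean-and-spread detector and its threshold are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed data: files opened per working day by one user. Fridays carry
# a weekly reporting peak. Five working days per week, Monday first.
WEEK = [40, 42, 38, 45, 60]
HISTORY = WEEK * 6                      # six benign weeks of activity

# Acceptance-test use cases: (files opened, is it really malicious?)
USE_CASES = [(n, False) for n in WEEK * 2] + [(400, True), (150, True)]


def fit(days):
    """Baseline = mean and spread of the daily counts in the window."""
    return mean(days), max(pstdev(days), 1.0)  # floor avoids zero spread


def is_alert(count, baseline, threshold=3.0):
    """Alert when the count is more than `threshold` spreads from the mean."""
    centre, spread = baseline
    return abs(count - centre) / spread > threshold


def acceptance_test(window_days):
    """Baseline on the first `window_days` of HISTORY, replay USE_CASES and
    return (false-positive rate on benign cases, detection rate)."""
    baseline = fit(HISTORY[:window_days])
    benign = [c for c, bad in USE_CASES if not bad]
    malicious = [c for c, bad in USE_CASES if bad]
    fp = sum(is_alert(c, baseline) for c in benign)
    tp = sum(is_alert(c, baseline) for c in malicious)
    return fp / len(benign), tp / len(malicious)


if __name__ == "__main__":
    for days in (3, 20):
        fp_rate, detection = acceptance_test(days)
        print(f"{days:>2}-day baseline: FP rate {fp_rate:.0%}, "
              f"detection {detection:.0%}")
```

A three-day window never sees the Friday peak, so ordinary Thursdays and Fridays are flagged; a four-week window absorbs the weekly rhythm and still detects both malicious use cases.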


When do you need to rebuild the baseline?


User and entity activities are constantly changing. Employees can change their tasks and projects, for instance, so their behavior will obviously vary from time to time. Most UEBA systems automatically collect data and adjust the baseline periodically thanks to their machine learning algorithms. However, when your enterprise faces major structural or personnel changes, you may need to establish a new baseline for continued effective operation of the UEBA system.



UEBA is a promising approach for detecting user-specific threats and preventing data breaches. Thus, Ekran System is entering the world of UEBA opportunities to provide more threat detection capabilities for our clients. We’re sure that UEBA technology will complement our product well, since it will allow us to generate more precise alerts while minimizing the need to manually customize rules for alerting. Ekran System collects a wide range of information regarding user activity, including keystrokes and opened applications and web pages, allowing us to create detailed and accurate baseline profiles that then can be used to quickly detect user-specific attacks.