Effective CISSP Questions

Which of the following statements about user and entity behavior analytics (UEBA) is not true?
A. UEBA collects live data from various sources, as SIEM does.
B. UEBA analyzes user behavior only, while SIEM monitors network device activities.
C. UEBA detects potential insider threats and compromised accounts.
D. UEBA sends alerts and reduces false positives.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. UEBA analyzes user behavior only, while SIEM monitors network device activities.

User and Entity Behavior

User and entity behavior analytics (UEBA) extends the idea of user behavior analytics (UBA). The added term "Entity" refers to devices, applications, and networks. UEBA, as its name suggests, analyzes both user and entity behavior. It correlates events from comprehensive data sources and takes a user-centric view.

Analysis and Analytics

  • Some treat data analysis as a process that is part of data analytics, and data analytics as a discipline.
  • Data analysis answers, "What happened?" while data analytics answers, "Why did it happen, and what will happen next?"
  • Data analysis relies on descriptive statistics, while data analytics relies on inferential statistics.

Use Cases

UEBA correlates user activity from multiple sources to detect insider threats, targeted attacks, and financial fraud. It collects data from various sources (including SIEM), creates a baseline (or a model built using machine learning) for each user and entity, detects and scores deviations from that baseline, and sends alerts.

False Positives

  • UEBA relies on historical data to build a baseline or model and analyzes live data against that model to detect anomalies.
  • Anomaly-based detection systems inevitably generate false positives. However, some may argue that UEBA will cause fewer false positives because its baseline or model is built based on more comprehensive data sources.
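The baseline-and-deviation loop described above, as an added example that is not part of the original post and does not reflect any particular UEBA product: historical events build a per-user baseline, live events are scored as a deviation (z-score) from that baseline, and a score above a threshold raises an alert. The event records, peer groups, users, feature choice (hour of day and megabytes sent out) and the fallback to a peer-group baseline for users with little history are all constructed assumptions of this example; the fallback illustrates the "more comprehensive data sources" argument, since a brand-new user would otherwise be flagged for everything.

```python
"""Toy UEBA-style baseline and anomaly scoring (example code, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, peer_group, hour_of_day, megabytes_out). Invented values.
# Hours are kept away from the midnight wraparound; a real system treats time of day
# as circular rather than as a plain number.
HISTORY = [
    ("alice", "finance", 9, 12), ("alice", "finance", 10, 15), ("alice", "finance", 9, 11),
    ("alice", "finance", 11, 14), ("alice", "finance", 10, 13),
    ("bob", "finance", 8, 20), ("bob", "finance", 9, 22), ("bob", "finance", 9, 18),
    ("bob", "finance", 10, 21), ("bob", "finance", 8, 19),
    ("carol", "ops", 21, 300), ("carol", "ops", 22, 320), ("carol", "ops", 23, 290),
    ("carol", "ops", 22, 310), ("carol", "ops", 21, 305),
]

MIN_HISTORY = 5       # below this many records, use the peer-group baseline instead
ALERT_THRESHOLD = 3.0 # z-score at which an event becomes an alert (assumed value)


def _stats(values):
    """Mean and population std-dev; std-dev is floored at 1.0 to avoid division by zero."""
    sd = pstdev(values)
    return mean(values), (sd if sd > 0 else 1.0)


def _summarize(records):
    hours = [h for h, _ in records]
    mbs = [m for _, m in records]
    return {"n": len(records), "hour": _stats(hours), "mb": _stats(mbs)}


def build_baselines(history):
    """Build one profile per user and one per peer group from historical events."""
    per_user, per_group, group_of = defaultdict(list), defaultdict(list), {}
    for user, group, hour, mb in history:
        per_user[user].append((hour, mb))
        per_group[group].append((hour, mb))
        group_of[user] = group
    return {
        "users": {u: _summarize(r) for u, r in per_user.items()},
        "groups": {g: _summarize(r) for g, r in per_group.items()},
    }


def score_event(baselines, user, group, hour, mb):
    """Score a live event against the user's own baseline, or the peer group's if thin."""
    profile, source = baselines["users"].get(user), "user"
    if profile is None or profile["n"] < MIN_HISTORY:
        profile, source = baselines["groups"].get(group), "peer_group"
    if profile is None:
        raise ValueError(f"no baseline for user {user!r} or group {group!r}")
    z_hour = abs(hour - profile["hour"][0]) / profile["hour"][1]
    z_mb = abs(mb - profile["mb"][0]) / profile["mb"][1]
    score = max(z_hour, z_mb)  # the single most deviant feature drives the score
    return {"user": user, "score": round(score, 2), "baseline": source,
            "alert": score >= ALERT_THRESHOLD}


def triage(baselines, live_events):
    """Score a batch of live events and return only those that crossed the threshold."""
    results = [score_event(baselines, *ev) for ev in live_events]
    return [r for r in results if r["alert"]]


if __name__ == "__main__":
    b = build_baselines(HISTORY)
    live = [
        ("alice", "finance", 10, 14),    # routine for alice
        ("alice", "finance", 3, 2000),   # off-hours bulk transfer
        ("carol", "ops", 22, 310),       # large but normal for an ops night shift
        ("dave", "finance", 9, 20),      # new user, no history: judged against finance peers
        ("dave", "finance", 9, 300),     # new user sending far more than finance peers
    ]
    for alert in triage(b, live):
        print(alert)
```

Carol's 310 MB at 22:00 would be a textbook false positive against a global or finance baseline; scoring her against her own history keeps it quiet, while dave's first-day 300 MB is still caught because the finance peer group stands in for the baseline he does not yet have.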

UEBA Solutions

Most UEBA solutions can be deployed in standalone mode or integrated with other systems, e.g., SIEM. Nowadays, it’s not uncommon to deploy a UEBA solution alongside SIEM with bi-directional integration to preserve early investment and produce additional value.

User and entity behavior analytics (UEBA) solutions use analytics to build the standard profiles and behaviors of users and entities (hosts, applications, network traffic and data repositories) across time and peer group horizons.

Activity that is anomalous to these standard baselines is presented as suspicious, and packaged analytics applied on these anomalies can help discover threats and potential incidents.

The most common use cases sought by enterprises are detecting malicious insiders and external attackers infiltrating their organizations (compromised insiders).

Source: Gartner

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model.

A. UEBA collects live data from various sources, as SIEM does.
B. UEBA analyzes user behavior only, while SIEM monitors network device activities.
C. UEBA detects potential insider threats and compromised accounts.
D. UEBA sends alerts and reduces false positives.