User and entity behavioral analytics (UEBA) creates an integrated view of cybersecurity risk generated by an entity—a risky insider, an infected host, or a compromised account—by mathematically measuring “unique normal” with contextual intelligence.

What Kinds of Threats Does Our Behavioral Analytics Platform Detect?

Behavioral analytics utilizing advanced mathematical models and unsupervised machine learning can detect the following threats:

  • At-Risk employee
  • High-Risk Employees
  • Account Misuse
  • Data exfiltration
  • Email file transfer
  • Unusual print jobs
  • Compromised Account
  • C2 Activity Detection
  • Impossible Journeys
  • Lateral movement
  • Snooping
  • Dormant file access

What is Behavioral Analytics and why do I need it?

Behavioral analytics mathematically discovers patterns that create unique digital fingerprints of all entities in an enterprise. Each entity—a person, machine, printer, website, IP address, etc.—exhibits certain characteristics of usage and operation. Understanding the normal characteristics of each is necessary to detect abnormalities. In security, behavioral analytics is associated with security analytics and UEBA.

No two cyber attack vectors are the same. At the same time, existing tools generate a flood of alerts that are overwhelming security operations center (SOC) resources. Behavioral analytics powered by unsupervised machine learning provide defenders with the tools to augment existing data and a prioritized list of threats that matter.

What is “Unique Normal”?

“Unique normal” is the individual digital fingerprint of each entity. Each individual server, user, printer, or website has unique patterns of access and operation. This baseline of “unique normal” can then be continuously compared to itself over time to see aberrations.

Interset continuously measures “unique normal” for the following entities types, as well as for its relationship to every other entity: users, machines, files, IP address, projects, resources, services, shares, websites, volumes and printers.

Why "Unique Normal" Matters and How It's Measured.

Just as every human is unique, so is each entity—user, machine, printer, IP address, etc. Anomaly detection algorithms that expects the same patterns from all entities results in a flood of ineffective false positives. The accuracy of a UEBA solution requires precise measurement of how a unique entity behaves and requires the scalability of machine learning.

The only practical, scalable, and accurate method for measurement of “unique normal” across an enterprise requires unsupervised machine learning technology, a type of artificial intelligence (AI) that automatically discovers patterns from limited data sets. Unlike supervised machine learning, unsupervised machine learning does not require labels (i.e. a “dictionary” for the machine to learn from). Since there is no textbook definition of normal that applies to all entities, only unsupervised machine learning can accurately measure “unique normal.”

Why Does The Math Matter? Everyone Has AI

Everyone says they have AI, but the truth of the matter is that not everyone actually employs true AI technology. Even within AI there are many different options, and not all are effective for the problem at hand. The AI techniques utilized to detect modern cybersecurity threats must be able to adapt to the continuously changing cyberattacks, and unsupervised machine learning is a key component of this capability.

Advanced mathematical models measure an entity’s behavior against both unique individual and peer group baselines for more accurate threat detection. The analytical models leverage a native big data storage and compute architecture for scalable incorporation of broader contextual information for increased accuracy and a more complete view of risk.

Interset’s principled math provides a library of more than 350 proven machine-learning and advanced-analytics models. These models enable self-learning, consider both events and entities, and thus create an incredibly accurate way to detect, connect, and quantify high-risk behaviors.

After extensive testing, the U.S. intelligence community determined that Interset’s visionary behavioral analytics architecture can achieve threat detection that’s faster and more accurate than any other analytics-based threat detection product.

Learn more about the math behind behavioral analytics.

How Does Interset Help My Security Posture?

Behavioral Analytics or UEBA provide the following benefits:

Increased enterprise risk visibility

More insights from existing security tools

Faster threat detection

SOC team productivity and efficiency

Alleviate alert fatigue

Accelerated threat hunting

Jumpstart insider threat programs

Find signs of data breaches sooner

How Do I Evaluate a UEBA product or vendor?

There are multiple factors to consider when selecting a UEBA product or vendor, such as:

  • Advanced, proven mathematical approaches with meaningful results. Anomaly models should identify normal behaviors for every entity, allowing the models to detect deviations from historical behavior or statistical peer groups accurately. Behaviors can then be weighed to create aggregated risk scores and identify high-risk combinations that indicate real threats. Learn more about mathematical analysis.


  • Online, unsupervised machine learning. Unsupervised machine learning discovers new patterns without relying on humans to “teach” the machine what to look for. Interset’s models also learn “online,” which means that they can analyze your live data set in realtime. As your organization changes, these models also change into order to detect threats effectively. Learn more about unsupervised machine learning.


  • Open inbound and outbound integration. Open inbound integrations enable the broadest amount of data for the contextual data analysis necessary for accurate threat detection. Open outbound integrations enable actional intelligence and automated workflows. Learn more about Interset’s integration options.


  • Big data storage and compute capability. A solution built on a big data storage and compute foundation is the only scalable option for measuring “unique normal” across millions of entities and distilling billions of events into a handful of prioritized threat leads. Learn more about big data storage and compute in cybersecurity.