Behavioural Analytics and Battling the Unknown: the Renaissance of UEBA in Cybersecurity

By Cyrille Badeau, VP EMEA, Securonix.

There’s a familiar saying: “You don’t know what you don’t know”. It’s often delivered in a resigned manner, as if to accept the status quo that imperfect knowledge is inevitable. Yet designing cybersecurity to protect against the unknown is precisely the challenge facing CISOs today. As adversaries adopt AI-enabled tooling, automate reconnaissance, and devise previously unseen attack paths, it’s increasingly clear that relying solely on historical knowledge or learned patterns is no longer sufficient. Defending against attacks you’ve never seen before requires looking for behaviours that fall outside what’s considered normal.  

The discipline of User and Entity Behaviour Analytics (UEBA) is not new in cybersecurity, but it is experiencing a renaissance as adversaries’ capacity to innovate zero-day attacks increases exponentially. And while today’s UEBA solutions may work faster and at greater scale, thanks to the introduction of AI for orchestration and analysis, the principles on which they are based date back to centuries-old battlefield doctrine. 


Understanding UEBA: A discipline rooted in military strategy  

Long before the emergence of digital networks, military strategists relied on behavioural analysis to anticipate enemy action in theatre. Pattern-of-life studies identified unusual troop movements; signals intelligence specialists learned to identify radio traffic anomalies indicating imminent action; and counter-intelligence teams profiled individual behaviour for signs of infiltration or reconnaissance activity. Combined with intelligence on known threats and capabilities, behavioural analysis provides the capacity to anticipate and neutralise threats before attacks fully materialise. 

The same principles hold true when applied to the digital domain; in fact, this is one of the reasons so many former military intelligence personnel find fulfilling careers in cybersecurity.

In the digital theatre, every user, device, service account, application, and workload has a behavioural signature, which constitutes an observable pattern of authentication, access, movement, and interaction. These patterns can be baselined and monitored for deviations that indicate infiltration or misuse. 

UEBA tools operationalise this doctrine, drawing on computing power to model normal behaviour across millions of events and detect even subtle anomalies, surfacing the tiny signals that often precede attacks, such as a dormant account suddenly accessing sensitive data, a user accessing the network at an unusual location or time, or a workload initiating lateral movement inconsistent with previous activity. 
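As an added illustration (not code from the article or from any Securonix product), the following Python sketch baselines per-entity behaviour from constructed authentication events and scores deviations of the kinds named above: an unusual hour, a new location, a dormant account touching sensitive data. It also shows the entity-centric risk accumulation and per-reason explanation discussed later in the article. The score weights, the 30-day dormancy threshold and the sensitive-resource list are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed training telemetry (not real data): user, UTC timestamp, country, resource.
HISTORY = [
    ("alice", "2024-03-04T09:12:00", "GB", "crm"),
    ("alice", "2024-03-05T10:40:00", "GB", "crm"),
    ("alice", "2024-03-06T08:55:00", "GB", "wiki"),
    ("svc-backup", "2024-01-10T02:00:00", "GB", "backup-share"),
]
SENSITIVE = {"hr-payroll", "finance-db"}  # assumed data classification

def build_baselines(events):
    """Per-entity 'normal': hours seen, countries seen, resources touched, last activity."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "resources": set(), "last": None})
    for user, ts, country, resource in events:
        t = datetime.fromisoformat(ts)
        b = base[user]
        b["hours"].add(t.hour); b["countries"].add(country); b["resources"].add(resource)
        b["last"] = max(b["last"], t) if b["last"] else t
    return base

def score_event(event, baseline, dormant_days=30):
    """Return (score, reasons): every point of risk carries the reason it was added."""
    user, ts, country, resource = event
    t = datetime.fromisoformat(ts)
    b = baseline.get(user)
    if b is None:  # entity with no history at all: cannot be compared, treat as notable
        return 40, ["entity never seen in baseline window"]
    score, reasons = 0, []
    if t.hour not in b["hours"]:
        score += 20; reasons.append(f"hour {t.hour:02d} outside baseline {sorted(b['hours'])}")
    if country not in b["countries"]:
        score += 30; reasons.append(f"new country {country}")
    if resource not in b["resources"]:
        score += 15; reasons.append(f"first access to {resource}")
        if resource in SENSITIVE:
            score += 15; reasons.append("resource is classified sensitive")
    if (t - b["last"]).days >= dormant_days:  # dormant account springing back to life
        score += 25; reasons.append(f"dormant {(t - b['last']).days} days before this activity")
    return score, reasons

def entity_risk(new_events, baseline):
    """Entity-centric aggregation: weak signals add up per user/account, not per alert."""
    risk = defaultdict(lambda: {"score": 0, "reasons": []})
    for ev in new_events:
        s, why = score_event(ev, baseline)
        risk[ev[0]]["score"] += s
        risk[ev[0]]["reasons"].extend(why)
    return dict(risk)
```

A real deployment would learn hours and locations as distributions rather than sets and tune the weights per organisation, which is exactly the fine-tuning the article argues generic models lack.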

While AI accelerates the process, the principle of UEBA is the same on both physical and digital battlefields: understand the environment to a depth where the abnormal signals a warning. 


Zero-day detection: the critical use case for UEBA   

By definition, zero-day attacks evade traditional defences; systems struggle to defend against what they haven’t encountered. And in modern, complex digital systems, threat actors don’t even need to design new malware and attack vectors. Increasingly, they leverage misconfigurations in existing security tools or exploit those that have drifted out of compliance. In these instances, there is no immediately detectable attack footprint – the organisation’s own weaknesses are being turned against it.

UEBA offers a different detection plane, one that focuses not on what the threat is, but on what it does, and that’s the crux of the issue. By identifying unusual access patterns, unwarranted privilege escalation, unsanctioned lateral movement and unexpected data exfiltration, UEBA directs threat hunting teams to the activities that signal concern.

Used effectively, good UEBA tools help organisations fine-tune their threat posture and adapt their capabilities to cope with the unknown.


Why many organisations struggle with UEBA 

The description of UEBA outlined above sounds straightforward: analyse behaviour data, identify anomalous activity, investigate the cause, and neutralise any threat discovered. However, reality is rarely this simple, and many organisations have struggled to realise the potential of UEBA. Reasons include: 

High noise levels from poor data quality and incomplete telemetry 

Organisations often attempt to “monitor everything,” only to drown in noise as UEBA becomes simply an alert generator, rather than an investigation accelerator. Conversely, when models are tuned too tightly, they miss the low‑and‑slow campaigns that matter most. Without high‑quality, complete telemetry, UEBA becomes unstable. 

Lack of transparency and control 

Unintuitive user interfaces mean security teams cannot see why alerts fire or how to tune them. This leads to a loss of trust and/or slow adoption, meaning teams don’t see a return on investment. 

Over-reliance on generic models 

Every organisation has unique workflows, architectures, and risk profiles. Generic behavioural models fail to capture these nuances, leading to false positives and missed detections. UEBA solutions should be deployed with expert guidance and fine-tuning, to ensure they work for the business that’s using them.   

Many of the more recently developed UEBA extensions fall into these traps, as vendors seek to capitalise on the growing market opportunity of addressing unknown threats. Unfortunately, this has given UEBA a reputation for complexity, resulting in underutilisation of what should be a fundamental pillar of defensive cyber strategy.

Balancing the UEBA equation for future-proofed detection and response 

UEBA is the most effective countermeasure against the unknown, but it must be deployed intelligently and specifically tuned to the operational environment it serves.  

Features to look for when evaluating UEBA solution providers include: 

  • Entity-centric risk scoring that correlates signals across users, devices, and workloads 
  • Noise reduction achieved through intelligent baselining and adaptive tuning 
  • Explainable analytics that demonstrate why the identified anomalies matter and how related risk is calculated 
  • Refined behavioural models built on a strong heritage of expertise developed over many years 

It’s also worth noting that – while the addition of AI accelerates the speed and scale at which UEBA works – if the solution is not founded on the strong basic principles outlined above, AI will simply increase noise and confusion exponentially. 

UEBA is undergoing a deserved renaissance, emerging as the most effective defence against threat volatility, variety, and volume. Like its military forebears, it helps organisations anticipate and defend against novel campaigns, creating a welcome shift in the balance of defensive power.  
