How Privileged User Behavior Analytics (PUBA) Can Protect Your Privileged Accounts

Nov 29, 2017
Author:
Derek A. Smith
Founder, National Cybersecurity Education Center

When we examine the cause of most data breaches today, almost all of them involve the perpetrator getting access to and using legitimate login credentials. According to Forrester, approximately 80% of breaches involve compromised privileged accounts.

When this happens, it essentially equates to an “insider attack” and guarding against this type of activity requires the ability to detect when hackers are using your stolen credentials. Unfortunately, traditional methods of using security tools to detect and thwart this threat are falling short. However, a new type of user behavior analytics has been engineered for this specific problem, and it is proving to be highly effective.

This new method I speak of is called Privileged User Behavior Analytics, or PUBA for short. PUBA uses machine learning technology to analyze the behavior of your privileged accounts to create baseline behaviors for your users and those privileged accounts. This baseline allows you to rapidly detect and alert your security team to anomalous behavior, an early indication of compromise or abuse.

How does privileged user behavior analytics differ from user behavior analytics?

Before we get into PUBA, let me explain a little about User Behavior Analytics (UBA).

UBA is when you use your monitoring system to track, collect, and assess your user data. UBA technologies analyze your historical data logs, including the network and authentication logs you have collected and stored in your SIEMs and log management systems. This data is then used to identify the normal and malicious behavior and traffic patterns of your users. With this analysis, you can develop actionable items for your security teams to implement to increase the safety of your network.

UBA collects many types of data on your network's activities, including information about your users’ roles and titles, access, accounts, and permissions. Additionally, it collects information on user activities and where those activities are conducted from, generating security alerts based on this activity if required. You are able to take historical data and compare it to current activity, and analyze the data based on factors such as the resources your users used, how long they used them, and where they are connecting from. You can schedule automatic updates when changes occur to the data, such as privilege promotions or added permissions.

UBA is a unique and exciting subfield within security. It examines your user account activity to determine if attackers are trying to penetrate your defenses by using a low-privilege user account and escalating its privileges. This approach is effective because UBA technologies notice when user accounts are operating outside of the normal activities of the account, based on its historical data.

The functions that privileged user behavior analytics performs

So back to PUBA. PUBA technology can help you perform three main functions:

  1. It helps you to determine a baseline of your users’ normal activities
  2. It helps you to quickly recognize any deviations from those users’ normal activities
  3. Based on this information, it alerts your security team to take action

The anomalous or negligent behavior might not be malicious, but at least you are aware of it and can investigate further. PUBA will enable your IT and Security administrators to rapidly discover breaches before they even occur, analyze how your privileged accounts are distributed and examine how they are accessed throughout your organization. This adds an additional layer of security to your defense-in-depth strategy. This way your time can be better spent focusing on finding, managing, and protecting your privileged accounts.

There are at least three uses that I can recommend for PUBA within your organization. They are as follows:

  • Identify compromised service accounts. Your service accounts are constantly under attack from cybercriminals looking to compromise your network. Many of these accounts are not sufficiently monitored, but may have high access rights for use by your operating systems and various applications to perform such activities as automated background tasks. The activity of these accounts must be monitored to confirm that they are not accessing systems they are not authorized to access, or worse, transmitting your critical data to unauthorized recipients.
  • Detect privileged account abuse. Your privileged accounts are the prime targets for Therefore, it is imperative that you monitor the use of these accounts for unusual behavior. Automated, remote, or simultaneous access can be a telltale indicator of insider threat. Logging in at unusual times, accessing unauthorized accounts and systems, and unsanctioned data transmissions should all raise red flags.
  • Discover shared credentials. Unfortunately, it is a fact that users share their passwords with others, even when it is in violation of your policy. Using PUBA to monitor for simultaneous, remote, or unusual usage of user accounts can help you to discover and deal with credential sharing violations.
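
As an added illustration (not BeyondTrust's or the author's code), the sketch below applies the three functions above to the three uses just listed: it builds a per-account baseline, flags sessions that deviate from it, and returns alerts. It swaps the machine learning the article describes for simple set-membership baselines, and the log format, account names and host names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sessions: "start minutes account source target"
HISTORY = ["2024-03-04T09:05:00 30 svc_backup app01 db01",
           "2024-03-05T09:10:00 30 svc_backup app01 db01",
           "2024-03-04T10:00:00 45 adm_jlee ws-17 dc01",
           "2024-03-05T14:20:00 20 adm_jlee ws-17 dc01"]
TODAY = ["2024-03-06T09:07:00 30 svc_backup app01 db01",
         "2024-03-06T02:15:00 30 svc_backup app01 hr-files",
         "2024-03-06T10:05:00 60 adm_jlee ws-17 dc01",
         "2024-03-06T10:30:00 15 adm_jlee vpn-gw dc01"]

def parse(line):
    """Split one session line into (begin, end, account, source, target)."""
    start, minutes, account, source, target = line.split()
    begin = datetime.fromisoformat(start)
    return begin, begin + timedelta(minutes=int(minutes)), account, source, target

def build_baseline(lines):
    """Function 1: per-account login hours, source hosts and target systems."""
    base = defaultdict(lambda: {"hour": set(), "source": set(), "target": set()})
    for begin, _end, account, source, target in map(parse, lines):
        for key, value in (("hour", begin.hour), ("source", source), ("target", target)):
            base[account][key].add(value)
    return dict(base)

def detect(base, lines):
    """Functions 2 and 3: list (account, start, reasons) for deviating sessions."""
    alerts, open_sessions = [], defaultdict(list)
    for begin, end, account, source, target in sorted(map(parse, lines)):
        profile = base.get(account)
        observed = (("hour", begin.hour), ("source", source), ("target", target))
        if profile is None:
            reasons = ["no-baseline"]  # never-seen account: alert rather than ignore
        else:
            reasons = ["new-" + k for k, v in observed if v not in profile[k]]
        # Overlapping sessions from different sources: shared or stolen credentials.
        if any(src != source and begin < stop for stop, src in open_sessions[account]):
            reasons.append("simultaneous-use")
        open_sessions[account].append((end, source))
        if reasons:
            alerts.append((account, begin.isoformat(), reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), TODAY):
        print(alert)
```

The service account reaching a system it has never touched at an hour it has never run, and the administrator account in use from two sources at once, are the only sessions reported; the routine sessions pass silently.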

How BeyondTrust Can Help

The Privileged Access Management platform offered by BeyondTrust combines behavioral analytics, vulnerability and malware intelligence, and security data from best-of-breed security solutions to allow you to out-maneuver attackers and stop data breaches. PowerBroker leverages BeyondTrust platform capabilities to:

  • Aggregate user and asset data to centrally baseline and track behavior
  • Correlate diverse asset, user, and threat activity to reveal critical risks
  • Identify potential malware threats buried in asset activity data
  • Measure the velocity of asset changes to flag in-progress threats
  • Isolate users and assets exhibiting deviant behavior
  • Generate reports to inform and align security decisions
  • Increase the ROI of deployed security solutions with deep risk analytics

Dependable insider threat detection is essential to safeguard your environment, and you must be diligent about using every mechanism at your disposal. PUBA can help with this, but keep in mind that it alone is not the “magic pill” for protecting your user accounts. It is also important to use baseline protections such as firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS), etc., to form a complete defense-in-depth strategy for your network. Layering on PUBA helps ensure your security is that much tighter and more resilient.

If you would like to learn more about BeyondTrust’s threat analytics capabilities, contact us today.
