Advanced Threat Detection with UEBA & Anomaly Detection in Warden

Attackers are becoming more sophisticated, and with the number of breaches on the rise it is clear that the old ways of doing things are not working. Traditional detection methods alone are not enough to catch every cyber attack. Read on to see how Warden Threat Detection uses UEBA to surface anomalous activity in your cloud infrastructure before it compromises your entire environment.

What is UEBA and why do you need it?

Getting breached is a nightmare scenario, and most organizations put smart people and technologies to work as a defensive barrier against attackers. But cloud security is an ongoing process, not a guarantee. Within an organization's security program, "threat detection" is multifaceted. Even the best security programs must plan for the worst case, when someone or something has slipped past the preventative controls and has become an active threat. UEBA makes that part of the job less painful.

UEBA stands for User and Entity Behavior Analytics. It analyzes behavior patterns across a large volume of data, collected over a long enough period, to learn what normal behavior looks like for each user and entity. With those baselines defined, it can identify suspicious behavior, potential threats, and attacks that traditional methods may miss. The key point of UEBA is that it identifies anomalous activity by looking at the context of a series of events and correlating them, rather than judging each event in isolation.

Warden Threat Detection analyzes logs from your infrastructure and applies UEBA to detect anomalies once it has learned the normal behavior of the users in the organization. It establishes a baseline for each organization and each user from their previous activity patterns, and it detects anomalous behavior when activity deviates from that "normal baseline". Such deviations can be the result of a credential compromise, cryptojacking, or an early sign of an insider threat.

Anomaly Detection with UEBA

Case 1: Detect unusual user access from new geolocation

Attackers do not always come from sources already known to be malicious, and in that case a conventional threat-intelligence-based detector will not flag the access at all. With UEBA, Warden observes every user in the organization, establishes a baseline for each identity accessing your infrastructure, and identifies user behavior that deviates from that baseline.

For example, an identity (credential) used by an engineer has connected only from Singapore for the last 30 days, and then suddenly accesses the environment from Russia. That is suspicious enough to be flagged and investigated. The alert explains why the activity was flagged as an anomaly and provides summarized context to help you take action. The dashboard also shows a graphical view of all activity from that specific identity for further investigation.

Anomaly detection (screenshot)

Pro Tip: A great thing about Warden UEBA is that it automatically adjusts each individual user's baseline to their latest patterns instead of applying a one-size-fits-all rule. So if a user relocates to a new country, Warden treats it as the new normal once it has gathered sufficient baseline data, and the false alarms stop automatically. As with any adaptive baseline, review the initial alert rather than waiting for the pattern to normalize: a persistent attacker's activity would eventually be learned as normal too.
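To make the baseline logic concrete, the following is an added Python example, not Warden's own code, of a per-identity geolocation baseline with a sliding 30-day window. It assumes login events that already carry a country resolved from the source IP; the identity name, the thresholds (five logins of history before any alert, three sightings before a country counts as normal), and the sample logins are constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    identity: str
    ts: datetime
    country: str  # assumption: already resolved from the source IP by a GeoIP lookup


class GeoBaseline:
    """Per-identity set of 'normal' countries, learned from a sliding window of logins."""

    def __init__(self, window_days=30, min_history=5, min_seen=3):
        self.window = timedelta(days=window_days)
        self.min_history = min_history   # logins needed before the baseline is trusted at all
        self.min_seen = min_seen         # sightings needed before a country counts as normal
        self.logins = defaultdict(list)  # identity -> [(ts, country)] inside the window

    def _baseline(self, identity, now):
        hist = self.logins[identity]
        cutoff = now - self.window
        hist[:] = [(t, c) for t, c in hist if t >= cutoff]  # age out old logins
        counts = Counter(c for _, c in hist)
        known = {c for c, n in counts.items() if n >= self.min_seen}
        return known, len(hist)

    def observe(self, ev):
        """Score one login against the identity's baseline, then learn from it."""
        known, n = self._baseline(ev.identity, ev.ts)
        alert = None
        if n >= self.min_history and ev.country not in known:
            alert = {
                "identity": ev.identity,
                "ts": ev.ts.isoformat(),
                "country": ev.country,
                "baseline": sorted(known),
                "reason": (f"login from {ev.country}, but the last {n} logins within "
                           f"{self.window.days} days came from {sorted(known)}"),
            }
        # The login is recorded either way, so a pattern that persists becomes the new normal.
        self.logins[ev.identity].append((ev.ts, ev.country))
        return alert


def run(events):
    """Feed logins in time order and return the alerts raised."""
    model = GeoBaseline()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = model.observe(ev)
        if alert:
            alerts.append(alert)
    return alerts


def sample_events():
    """Constructed sample: 30 daily logins from Singapore, one from Russia,
    then a relocation after which every login comes from Japan."""
    start = datetime(2022, 1, 1, 9, 0)
    user = "alice@example.com"
    events = [LoginEvent(user, start + timedelta(days=d), "SG") for d in range(30)]
    events.append(LoginEvent(user, start + timedelta(days=30, hours=3), "RU"))
    events += [LoginEvent(user, start + timedelta(days=31 + d), "JP") for d in range(40)]
    return events


if __name__ == "__main__":
    for a in run(sample_events()):
        print(a["ts"], a["country"], a["reason"])
```

Running it raises four alerts: the single Russian login, and the first three Japanese logins after the relocation. From the fourth Japanese login onward Japan is part of the baseline, and a month later Singapore has aged out of the window entirely, which is the adaptive behavior described in the Pro Tip. Note that the attacker's Russian login is also recorded; it never reaches three sightings here, but a patient attacker who keeps logging in would.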

Case 2: Detect anomalous resource provision

Compromised compute instances are among the most common attacks on cloud infrastructure. According to Google's latest Threat Horizons report, 86% of the compromised instances it observed were used for cryptocurrency mining. In cryptojacking attacks, miners steal compute resources to mine cryptocurrency, which can run up a very large bill if it is not caught early.

Combining threat intelligence sources with correlated context, Warden Threat Detection can identify malicious or accidental compute resource provisioning. You are alerted immediately when a user creates a compute instance in a region your organization rarely uses, and an abnormal number of instances created in a short period is flagged as an early sign of a likely cryptojacking event.

The image below shows an example of anomaly detection on compute instances.

anomaly detection on compute instance

When an attacker starts spinning up compute instances in a way that deviates from the baseline, the activity is flagged as an anomaly immediately, before the attacker can use the credentials to continue the unwanted activity.
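Below is an added Python example, not Warden's own code, of the two provisioning checks described in this case: a region that accounts for a negligible share of the organization's historical instance creation, and a burst of creations by one identity far above that identity's historical peak. It assumes one record per instance-creation audit event carrying the acting identity, timestamp and region; the actor name, the thresholds (15-minute window, 5% region share, three times the historical peak with a floor of five) and all sample events are constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CreateInstance:
    actor: str
    ts: datetime
    region: str


class ProvisioningBaseline:
    def __init__(self, window_minutes=15, rare_share=0.05, burst_factor=3, burst_floor=5):
        self.window = timedelta(minutes=window_minutes)
        self.rare_share = rare_share        # share of history below which a region is "rarely used"
        self.burst_factor = burst_factor    # multiple of the actor's historical peak that is a burst
        self.burst_floor = burst_floor      # never alert on bursts smaller than this
        self.region_counts = Counter()      # org-wide: how often each region has been used
        self.peak = defaultdict(int)        # actor -> most creations seen in one window
        self.recent = defaultdict(deque)    # actor -> timestamps inside the current window
        self.flagged = set()                # (actor, region) already alerted, to avoid repeats

    def _in_window(self, ev):
        q = self.recent[ev.actor]
        q.append(ev.ts)
        while q[0] < ev.ts - self.window:  # the event just appended is never dropped
            q.popleft()
        return len(q)

    def learn(self, ev):
        """Fold a historical event into the baseline."""
        self.region_counts[ev.region] += 1
        self.peak[ev.actor] = max(self.peak[ev.actor], self._in_window(ev))

    def detect(self, ev):
        """Score a live event against the baseline without teaching it; return alerts."""
        alerts = []
        total = sum(self.region_counts.values())
        share = self.region_counts[ev.region] / total if total else 0.0
        if share < self.rare_share and (ev.actor, ev.region) not in self.flagged:
            self.flagged.add((ev.actor, ev.region))
            alerts.append({"type": "new_region", "actor": ev.actor, "ts": ev.ts.isoformat(),
                           "region": ev.region,
                           "reason": f"{ev.region} is {share:.1%} of historical instance creation"})
        n = self._in_window(ev)
        threshold = max(self.burst_floor, self.burst_factor * self.peak[ev.actor])
        if n == threshold + 1:  # alert once, when the window first exceeds the threshold
            alerts.append({"type": "instance_burst", "actor": ev.actor, "ts": ev.ts.isoformat(),
                           "count": n,
                           "reason": (f"{n} instances within {self.window} against a "
                                      f"historical peak of {self.peak[ev.actor]}")})
        return alerts


def history():
    """Constructed: 60 days of one instance a day in ap-southeast-1, every tenth in ap-northeast-1."""
    start = datetime(2022, 3, 1, 10, 0)
    return [CreateInstance("bob@example.com", start + timedelta(days=d),
                           "ap-northeast-1" if d % 10 == 9 else "ap-southeast-1")
            for d in range(60)]


def live():
    """Constructed: one routine creation, then twelve instances in us-east-1 within six minutes."""
    t0 = datetime(2022, 5, 1, 9, 0)
    events = [CreateInstance("bob@example.com", t0, "ap-southeast-1")]
    events += [CreateInstance("bob@example.com", t0 + timedelta(minutes=2, seconds=30 * i), "us-east-1")
               for i in range(12)]
    return events


def run(history_events, live_events):
    model = ProvisioningBaseline()
    for ev in sorted(history_events, key=lambda e: e.ts):
        model.learn(ev)
    alerts = []
    for ev in sorted(live_events, key=lambda e: e.ts):
        alerts.extend(model.detect(ev))
    return alerts


if __name__ == "__main__":
    for a in run(history(), live()):
        print(a["ts"], a["type"], a["reason"])
```

The routine ap-southeast-1 creation is silent, and ap-northeast-1 (10% of history) would be too. The first us-east-1 creation raises a new_region alert, and the burst alert fires on the sixth instance inside the 15-minute window, before the remaining seven are created. Two design choices worth keeping in a real deployment: live events do not update the region baseline, so an attacker's own activity cannot normalize the region; and each alert type fires once per actor and region (or once per burst) so that an investigator sees two alerts, not thirteen.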

Conclusion

In today's complex threat landscape, an attack is no longer a single malicious action that one threat detector can flag to protect your infrastructure. Attackers use more advanced techniques and multi-step processes to get into your environment, and these can only be caught by examining contextual information with advanced capabilities like UEBA. Warden Threat Detection continuously adds more effective and valuable detection use cases to enhance your company's overall security posture. If you are curious to see this live in a 15-minute demo, drop us a line here.

Julia Li

Julia is a Product Manager at Horangi for Warden Threat Detection. She is passionate about securing cloud environments by implementing Real-Time Threat Detection and helping enterprises improve their cloud security game.
