Gartner Blog Network


UEBA Shines Where SIEM Whines?

by Anton Chuvakin  |  November 14, 2016  |  8 Comments

Remember my Popular SIEM Starter Use Cases post from 2014? Let’s take a look at that list of popular SIEM use cases and see how and where UEBA helps. This should make the SIEM/UEBA war discussion more concrete (check this discussion out as well, as an optional prerequisite)…

Let’s try it using the same table (with some details trimmed):

| # | Top SIEM Use Case | UEBA Utility for This |
|---|---|---|
| 1 | Authentication tracking and account compromise detection | Top UEBA use case; UEBA shines here; this is hard to do well with SIEM |
| 2 | Compromised- and infected-system tracking; malware detection by using outbound logs, etc. | A common UEBA use case; done either via entity profiling or by detecting systems where compromised accounts dwell |
| 3 | Validating intrusion detection system/intrusion prevention system (IDS/IPS) alerts | UEBA is used for alert validation and triage, but not exactly like SIEM; in fact, UEBA has been used for SIEM alert validation |
| 4 | Monitoring for suspicious outbound connectivity and data transfers by using logs, etc. | Exfiltration detection is a common UEBA use case; done via account activity profiling or via DLP alert analysis |
| 5 | Tracking system changes and other administrative actions across internal systems, etc. | An infrequent UEBA use case, maybe for finding that one worrisome change or access |
| 6 | Tracking of Web application attacks and their consequences by using Web logs, etc. | Not a match to common UEBA use cases |
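To make row 1 concrete, here is an added example (mine, not from the post or any vendor) that contrasts a SIEM-style correlation rule with a UEBA-style per-user baseline over constructed authentication events; the event format, thresholds and the "new source plus off-hours" scoring are assumptions.

```python
"""Toy contrast of a rule-driven (SIEM-style) and a baseline-driven (UEBA-style)
account-compromise check over constructed authentication events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, user, source_ip, outcome)
EVENTS = [
    ("2016-11-01 09:02", "alice", "10.0.0.5", "ok"),
    ("2016-11-02 08:55", "alice", "10.0.0.5", "ok"),
    ("2016-11-03 09:10", "alice", "10.0.0.7", "ok"),
    ("2016-11-04 09:01", "alice", "10.0.0.5", "ok"),
    ("2016-11-05 03:12", "alice", "198.51.100.9", "ok"),  # valid password, odd hour, new source
    ("2016-11-05 10:00", "bob", "10.0.0.20", "fail"),
    ("2016-11-05 10:01", "bob", "10.0.0.20", "fail"),
    ("2016-11-05 10:02", "bob", "10.0.0.20", "fail"),
    ("2016-11-05 10:03", "bob", "10.0.0.20", "ok"),
]

def parse(events):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), u, ip, r) for ts, u, ip, r in events]

def siem_rule(events, threshold=3, window=timedelta(minutes=5)):
    """SIEM-style rule with a fixed hypothesis: N failures for one account in a window.
    It is easy to script a response to, but it never sees alice's credentialed login."""
    alerts, fails = [], defaultdict(list)
    for ts, user, _ip, result in parse(events):
        if result != "fail":
            continue
        recent = fails[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.pop(0)
        if len(recent) >= threshold:
            alerts.append((user, ts))
            recent.clear()
    return alerts

def ueba_profile(events, min_history=3):
    """UEBA-style profiling: learn each user's usual source IPs and login hours from
    prior successful logins, then flag a success that deviates on both dimensions."""
    alerts, seen_ips, hours = [], defaultdict(set), defaultdict(list)
    for ts, user, ip, result in parse(events):
        if result != "ok":
            continue
        if len(hours[user]) >= min_history:  # only score once a baseline exists
            off_hours = min(abs(ts.hour - h) for h in set(hours[user])) > 2
            if ip not in seen_ips[user] and off_hours:
                alerts.append((user, ts, ip))
        seen_ips[user].add(ip)
        hours[user].append(ts.hour)
    return alerts
```

Run both over `EVENTS`: the rule fires only on bob's burst of failures, while the profile fires only on alice's successful but anomalous login, which is the kind of account compromise the table says is hard to catch with a SIEM alone.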

So… what do we learn here? Some top SIEM use cases (that date before UEBA) are closely related to top UEBA use cases. This means that a) SIEM and UEBA are on a collision course (duh!) and/or b) more people will be deploying UBA / UEBA tools soon.

Finally, some of you UBA / UEBA vendors [BTW, one last time – the terms ARE used synonymously; UBA is the old term and UEBA is the new one, that’s it – no hidden nuanced meaning] are thinking “but wait…. we have all those sexy ‘non-SIEM’ use cases for insider threat, etc.” Of course … but more about this later!

P.S. Some of you are still confused about how we define UBA/UEBA. There are documents where we do that, and a new Market Guide for UEBA is coming very soon. For now, I would say that UEBA analysis is “user-centric” (rather than, say, merely using user identity data as an optional input). So, in UEBA, the “U” is a must, while the “E” is optional, not the other way round. And of course the “A” – analytics – is a must too.

Category: monitoring  security  siem  ueba  

Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on UEBA Shines Where SIEM Whines?


  1. Atul Tiwary says:

    When is the next UEBA market guide being published?

  2. Dori Fisher says:

    Analytics and behavior alerts leave you with questions like what happened and why.
    When you build a specific rule with a hypothesis in mind, when it alerts, you can script or create a response process.
    Level 1 SOC operators need simple steps to follow. These are still better achieved with SIEM.
    Also, mapping human behavior and human interaction with machines yields a lot of false positives. In short, if UBA can do what SIEM does + additional capabilities, I'm sure we will all switch.

    • For sure — we are not talking about any kind of immediate SIEM->UEBA switch. NOT AT ALL!

      However, we do see some SIEM and some UEBA vendors very much interested in raiding each other’s lunch boxes :-)

  3. […] When it comes to deciphering the difference between tools, it’s hard to tell the difference when terminology is similar. For instance, what’s the difference between SIEM and UBA? […]

  4. […] UEBA Shines Where SIEM Whines? (UEBA / UBA / security analytics research) […]


