Gartner Blog Network


What Should Your UEBA Show: Indications or Conclusions?

by Anton Chuvakin  |  December 8, 2016  |  2 Comments

While starting to research UBA / UEBA and other analytics-related security tools, one interesting paradox has emerged. I’d call it “INSIGHT vs CERTAINTY paradox.”

Specifically:

  1. Some UEBA users and prospects say “give me CERTAINTY” (some grumpily add: “I can get ‘false positives’ from my SIEM, should I want them”)
  2. Other UEBA users say “give me INSIGHT about things I won’t know otherwise” (and some remind us: “if I want detection of basic threats, I can go to my SIEM”)

But aren’t those a tad contradictory? Can people be looking at UEBA to solve all their security monitoring problems, including some that seem to be subject to a “zero sum game”?

Furthermore, this led to an additional paradox: as some users from camp #1 above push UEBA vendors to deliver “certainty now”, the vendors are tempted to just fall back to rules (and away from analytics). After all, if a vendor engineer can quickly cook up a rule that “shows something”, the POC will go better… Rules are indeed an easier way to certainty, being very black and white (matches the rule vs does not match the rule).

However, the chance that the rules will catch “unknown unknowns” is of course ZERO. Frankly, the chance of catching those pesky “known unknowns” is probably very low too. At the same time, rules are often a clean way to produce a signal with high certainty, and work well for “known knowns” [that can still hurt you, of course – see ransomware].

In other cases, some people at the organization (e.g. SOC Level 1 analysts) may prefer a signal with high certainty, while others will vote for deeper insight at the cost of lower certainty (e.g. threat hunters, if you have any).

My conclusion? If you want real UEBA | UBA and real analytics, you will have to learn to live with [some] uncertainty. Look for vendors that use analytics to make their own analytics-produced alerts, scores and signals more useful (such as by giving better historical context or by using 2nd stage analytics), who apply data science to the problems they face with signal quality – and tread carefully around those that use hand-written rules as a crutch all the time…
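To make the rule-vs-analytics split above concrete (and the “2nd stage analytics” of the conclusion), here is a small added example in Python; it is my illustration, not code from this post or from any UEBA vendor. The per-user download history, today’s events and the KNOWN-BAD-TOOL placeholder are constructed, and the z-score, the 2.0 threshold and the volatility-based confidence label are assumptions chosen to make the three outcomes visible: a binary rule hit with high certainty, an analytic score that is only ever uncertain, and the historical context that makes the score usable by a Level 1 analyst.

```python
from statistics import mean, pstdev

# Constructed 10-day history of daily file downloads per user (hypothetical data).
HISTORY = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15],
    "bob":   [3, 2, 4, 3, 3, 2, 4, 3, 2, 3],
    "carol": [5, 20, 4, 22, 6, 21, 3, 19, 4, 20],   # legitimately spiky user
}
# Constructed events for today: (user, downloads today, tool used).
TODAY = [
    ("alice", 14, "browser"),
    ("bob",   40, "browser"),         # no rule covers this; only a baseline can
    ("carol", 30, "browser"),
    ("dave",   1, "KNOWN-BAD-TOOL"),  # placeholder for a "known known" indicator
]
KNOWN_BAD_TOOLS = {"KNOWN-BAD-TOOL"}  # the hand-written rule's entire reach

def anomaly_score(user, value):
    """Z-score against the user's own baseline; None if no history (unscorable)."""
    hist = HISTORY.get(user)
    if not hist:
        return None
    return (value - mean(hist)) / (pstdev(hist) or 1.0)  # flat history: avoid /0

def historical_context(user, value):
    """Second-stage analytics: attach what the analyst would look up next."""
    hist = HISTORY[user]
    cv = pstdev(hist) / mean(hist)  # how volatile the baseline itself is
    return {
        "baseline_mean": round(mean(hist), 1),
        "baseline_max": max(hist),
        "prior_days_near_this_level": sum(v >= 0.9 * value for v in hist),
        "confidence": "low (volatile baseline)" if cv > 0.5 else "medium",
    }

def triage(event, z_threshold=2.0):
    """What to show for one event: a certain rule hit, an uncertain score, or nothing."""
    user, value, tool = event
    if tool in KNOWN_BAD_TOOLS:       # rule: matches or it does not
        return {"user": user, "kind": "rule", "certainty": "high"}
    z = anomaly_score(user, value)
    if z is None or abs(z) < z_threshold:
        return None
    return {"user": user, "kind": "analytic", "certainty": "uncertain",
            "score": round(z, 1), **historical_context(user, value)}

def run(events=TODAY):
    """Alerts in event order; None results (nothing worth showing) are dropped."""
    return [r for r in map(triage, events) if r is not None]
```

Running it, bob surfaces only through the baseline (no rule exists for him), dave only through the rule, and carol’s score arrives tagged as low confidence because her own history is volatile, which is exactly the kind of uncertainty the post says you have to learn to live with.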

Related blog posts about security analytics:

Category: analytics  security  ueba  

Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on What Should Your UEBA Show: Indications or Conclusions?


  1. […] What Should Your UEBA Show: Indications or Conclusions? […]

  2. […] What Should Your UEBA Show: Indications or Conclusions? (UEBA / UBA research) […]


