Gartner Blog Network


Our Security Analytics and UEBA Papers Published

by Anton Chuvakin  |  March 31, 2017  |  6 Comments

After a long, somewhat painful process our security analytics papers are out!

  1. “Demystifying Security Analytics: Sources, Methods and Use Cases” (an update to our 2015 paper) examines security analytics initiatives based on a framework of data sources, methods and use cases – now with more machine learning coverage.
  2. “A Comparison of UEBA Technologies and Solutions” (new research) contrasts select UEBA technologies based on use cases and capabilities and highlights common usage scenarios and tool evaluation processes.

Since we are running our paper feedback experiment, please provide your comments from reading the papers here! Thanks a lot for helping us create better research for you!

Some fun quotes from each follow below:

“Demystifying Analytics…” paper:

  • “Data is [still] lacking on the comparative effectiveness of various analytic algorithms (implemented in vendor tools) versus current, real-world threats and problems. Most organizations instead choose to compare tools based on their own test effectiveness and other requirements.”
  • “Many vendors use ML as a buzzword to define the inner workings of their solutions. However, many products don’t go beyond a few slightly more advanced statistics.”
  • “Next, can future SIEM tools satisfy the emerging security analytics requirements? At this point, the answer is “maybe,” if some of its design constraints are harmonized.”

“UEBA Comparison” paper:

  • “UEBA technology is maturing, and UEBA use cases are becoming standardized. Most organizations are looking for better detection of account compromise, system compromise, data leak and insider threats, and they want to gain better insights about the environment.”
  • “Although the main characteristics of these solutions have been converging, and the main use cases are now easily identifiable, there are still vast differences in the approaches by the vendors and their views on what constitutes key capabilities for a UEBA solution.”
  • “The major trend in the UEBA market is the increasing proximity with SIEM. The major SIEM vendors are either building UEBA capabilities or getting them from UEBA vendors via partnerships and acquisitions. The pure UEBA vendors are also preparing for this new scenario by adding typical SIEM capabilities, such as log aggregation and reporting, to their solutions.”

Read the papers (this and this)? NOW go and provide feedback for us – so that the future updates are more useful for you! Thanks! :-)


Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Our Security Analytics and UEBA Papers Published


  1. […] our research about UEBA tools, we noticed that these tools are gaining ground on SIEM solutions, with some organizations opting […]

  2. […] to Deploy and Operationalize User and Entity Behavior Analytics (UEBA) Tools” – “UEBA can successfully detect malicious and suspicious activity that otherwise goes unnoticed, but these […]

  3. […] Our Security Analytics and UEBA Papers Published […]

  4. […] growth. To put this in context, a 2nd tier SIEM vendor likely makes more money than the entire UEBA / UBA market worldwide […]

  5. […] am I so adamant about it? During our UEBA research we encountered several organizations that are migrating from DIY/custom security analytics to COTS […]

  6. […] an amazing coincidence! After all the UEBA / UBA excitement (that is, sadly, still ongoing….) and after my short threat hunting paper (out already!), we are […]


