Gartner Blog Network

The Coming UBA / UEBA – SIEM War!

by Anton Chuvakin  |  November 7, 2016  |  7 Comments

A war is coming!! A war where not everybody will survive [which is, I guess, the whole point of having a war, eh? :-)] Indeed, I see a high chance of a dramatic SIEM vs UEBA / UBA confrontation in the next 1-2 years – and it will be fun to watch!

The essence of this war is obvious from this visual (sourced from this presentation):



  1. The better SIEM vendors have acquired (one example), partnered (two examples) or are building (three or more examples) UEBA capabilities. SIEM MQ notwithstanding, there are only 3-5 SIEM vendors today that truly matter and all of them are aggressively working on UBA / UEBA projects. So, SIEM is doing [some] UEBA!
  2. Some UEBA vendors (example, example – there are others) are building SIEM platform features (collection, normalization, storage, etc.) and report a growing number of SIEM-less deployments. So, UEBA is doing [some] SIEM!

But Anton, some of you may say, what war? Don’t SIEM vendors partner with UEBA providers? Suuuuure, they do, and some SIEMs treat their UEBA partners as “weird younger brothers” … Still, I hope neither side will be shocked when the other side’s marines land on their shores … and definitely not to “partner” 🙂

Who will win? Well….


Category: analytics  security  siem  ueba  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Thoughts on The Coming UBA / UEBA – SIEM War!

  1. Dori Fisher says:

    Actually I believe most understand that you need both and one may lead to another. It makes sense creating a rule after analytics has discovered an anomaly, I think it’s an expansion of the “detection by exploration” capability.

    • Dario, thanks for the comment. Indeed, you are 100% correct – for now many orgs do use both, but this situation appears unstable and some re-balancing will happen as per this post.

  2. Steve Tout says:

    Capitalism and 2nd law of thermodynamics.

    Adapt or die.

    Eventually everything is a commodity.

    Eventually IDaaS will eat CASB for dinner.

    SIEM is only interesting if it integrates with CASB and IDaaS to provide visibility of user activity from a single pane of glass.

  3. Mad Zombie says:

    Hasn’t the basic UBA/anomaly detection (not AI based) been present in popular SIEM products for years?

    • An excellent point indeed. Most SIEM vendors do have some statistics-based detection (some had it for 10+ years), but UEBA seeks to do more sophisticated math and data science (hopefully) and so we will try to understand how to separate it…
