Blog post

The Coming UBA / UEBA – SIEM War!

By Anton Chuvakin | November 07, 2016 | 6 Comments


A war is coming!! A war where not everybody will survive [which is, I guess, the whole point of having a war, eh? :-)] Indeed, I see a high chance of a dramatic SIEM vs UEBA / UBA confrontation in the next 1-2 years – and it will be fun to watch!

The essence of this war is obvious from this visual (sourced from this presentation):



  1. A better SIEM vendors have acquired (one example), partnerered (two examples) or are building (three or more examples) UEBA capabilities. SIEM MQ nonwithstanding, there are only 3-5 SIEM vendors today that truly matter and all of them are aggressively working on UBA / UEBA projects. So, SIEM is doing [some] UEBA!
  2. Some UEBA vendors (example, example – there are others) are building SIEM platform features (collection, normalization, storage, etc) and report a growing number of SIEM-less deployments. So, UEBA is doing [some] SIEM!

But Anton, some of you may say, what war? Don’t SIEM vendors partner with UEBA providers? Suuuuure, they do, and some SIEMs treat their UEBA partners as “weird younger brothers” … Still, I hope neither side will be shocked when the other side’s marines land on their shores … and definitely not to “partner” 🙂

Who will win? Well….

Related blog posts about security analytics:

Comments are closed


  • Dori Fisher says:

    Actually i believe most understand that you need both and one may lead to another. It makes sense creating a rule after analytics has discovered an anomali, i think it’s an expantion of the “detection by exploration” capability.

    • Dario, thanks for the comment. Indeed, you are 100% correct – for now many orgs do use both, but this situation appears unstable and some re-balancing will happen as per this post.

  • Steve Tout says:

    Capitalism and 2nd law of thermo dynamics.

    Adapt or die.

    Eventually everything is a commodity.

    Eventually IDaaS will eat CASB for dinner.

    SIEM is only interesting if it integrates with CASB and IDaaS to provide visibility of user activity from a single pane of glass.

  • Mad Zombie says:

    Hasn’t the basic UBA/anomaly detection (not AI based) been present in popular SIEM products for years?

    • An excellent point indeed. Most SIEM vendors do have some statistics-based detection (some had it for 10+ years), but UEBA seeks to do more sophisticated math and data science (hopefully) and so we will try to understand how to separate it…