UEBA Shines Where SIEM Whines?

By Anton Chuvakin | November 14, 2016 | 4 Comments


Remember my Popular SIEM Starter Use Cases post from 2014? Let’s take a look at that list of popular SIEM use cases and see how/where UEBA helps. This will make the SIEM/UEBA war discussion come to life more (check this discussion out as well, as an optional pre-requisite)…

Let’s try it using the same table (with some details trimmed):

| # | Top SIEM Use Case | UEBA Utility for This |
|---|---|---|
| 1 | Authentication tracking and account compromise detection | Top UEBA use case; UEBA shines here; this is hard to do well with SIEM |
| 2 | Compromised- and infected-system tracking; malware detection by using outbound logs, etc | A common UEBA use case; done either via entity profiling or by detecting systems where compromised accounts dwell |
| 3 | Validating intrusion detection system/intrusion prevention system (IDS/IPS) alerts | UEBA is used for alert validation and triage, but not exactly like SIEM; in fact, UEBA has been used for SIEM alert validation |
| 4 | Monitoring for suspicious outbound connectivity and data transfers by using logs, etc | Exfiltration detection is a common UEBA use case; done via account activity profiling or via DLP alert analysis |
| 5 | Tracking system changes and other administrative actions across internal systems, etc | An infrequent UEBA use case, maybe for finding that one worrisome change or access |
| 6 | Tracking of Web application attacks and their consequences by using Web logs, etc | Not a match to common UEBA use cases |

So… what do we learn here? Some top SIEM use cases (that date before UEBA) are closely related to top UEBA use cases. This means that a) SIEM and UEBA are on a collision course (duh!) and/or b) more people will be deploying UBA / UEBA tools soon.

Finally, some of you UBA / UEBA vendors [BTW, one last time – the terms ARE used synonymously, the UBA is an old term and the UEBA is a new one, that’s it – no hidden nuanced meaning] are thinking “but wait…. we have all those sexy ‘non-SIEM’ use cases for insider threat, etc.” Of course … but more about this later!

P.S. Some of you are still confused about how we define UBA/UEBA. There are documents where we do that and a new Market Guide for UEBA is coming very soon. For now, I would say that UEBA analysis is “user-centric” (rather than, say, relying on user identity data as an option). So, in UEBA, the “U” is a must, while the other “E” is optional, not the other way round. And of course the “A” – analytics – is a must too.



  • Atul Tiwary says:

    When is the next UEBA market guide being published?

  • Dori Fisher says:

    Analytics and behavior alerts leave you with questions like what happened and why.
    When you build a specific rule with a hypothesis in mind, when it alerts, you can script or create a response process.
    Level 1 SOC operators need simple steps to follow. These are still better achieved with SIEM.
    Also, mapping human behavior and human interaction with machines yields a lot of false short, if UBA can do what SIEM does + additional capabilities, I am sure we will all switch.

    • For sure — we are not talking about any kind of immediate SIEM->UEBA switch. NOT AT ALL!

      However, we do see some SIEM and some UEBA vendors very much interested in raiding each other’s lunch boxes 🙂