Remember my Popular SIEM Starter Use Cases post from 2014? Let’s take a look at that list of popular SIEM use cases and see how/where UEBA helps. This will make the SIEM/UEBA war discussion come to life more (check this discussion out as well, as an optional pre-requisite)…
Let’s try it using the same table (with some details trimmed):

| # | Top SIEM Use Case | UEBA Utility for This |
|---|---|---|
| 1 | Authentication tracking and account compromise detection | Top UEBA use case; UEBA shines here; this is hard to do well with SIEM |
| 2 | Compromised- and infected-system tracking; malware detection by using outbound logs, etc. | A common UEBA use case; done either via entity profiling or by detecting systems where compromised accounts dwell |
| 3 | Validating intrusion detection system/intrusion prevention system (IDS/IPS) alerts | UEBA is used for alert validation and triage, but not exactly like SIEM; in fact, UEBA has been used for SIEM alert validation |
| 4 | Monitoring for suspicious outbound connectivity and data transfers by using logs, etc. | Exfiltration detection is a common UEBA use case; done via account activity profiling or via DLP alert analysis |
| 5 | Tracking system changes and other administrative actions across internal systems, etc. | An infrequent UEBA use case, maybe for finding that one worrisome change or access |
| 6 | Tracking of Web application attacks and their consequences by using Web logs, etc. | Not a match to common UEBA use cases |
So… what do we learn here? Some top SIEM use cases (that date before UEBA) are closely related to top UEBA use cases. This means that a) SIEM and UEBA are on a collision course (duh!) and/or b) more people will be deploying UBA / UEBA tools soon.
Finally, some of you UBA / UEBA vendors [BTW, one last time – the terms ARE used synonymously, the UBA is an old term and the UEBA is a new one, that’s it – no hidden nuanced meaning] are thinking “but wait…. we have all those sexy ‘non-SIEM’ use cases for insider threat, etc.” Of course … but more about this later!
P.S. Some of you are still confused about how we define UBA/UEBA. There are documents where we do that, and a new Market Guide for UEBA is coming very soon. For now, I would say that UEBA analysis is “user-centric” (rather than, say, merely using user identity data as an optional input). So, in UEBA, the “U” is a must, while the other “E” (entity) is optional, not the other way round. And of course the “A” – analytics – is a must too.
Related blog posts about security analytics:
- The Coming UBA / UEBA – SIEM War!
- Next Research: Back to Security Analytics and UBA/UEBA
- Sad Hilarity of Predictive Analytics in Security?
- Security Analytics Webinar Questions – Answered
- On Unknown Operational Effectiveness of Security Analytics Tooling
- My “Demystifying Security Analytics: Sources, Methods and Use Cases” Paper Publishes
- Now That We Have All That Data What Do We Do, Revisited
- Killed by AI Much? A Rise of Non-deterministic Security!
- Those Pesky Users: How To Catch Bad Usage of Good Accounts
- Security Analytics Lessons Learned — and Ignored!
- Security Analytics: Projects vs Boxes (Build vs Buy)?
- Do You Want “Security Analytics” Or Do You Just Hate Your SIEM?
- Security Analytics – Finally Emerging For Real?
- Why No Security Analytics Market? <- important read for VCs and investors!
- More On Big Data Security Analytics Readiness
- 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
- “Big Analytics” for Security: A Harbinger or An Outlier?