Remember my Popular SIEM Starter Use Cases post from 2014? Let’s take a look at that list of popular SIEM use cases and see how and where UEBA helps. This will make the SIEM/UEBA war discussion come to life more (check that discussion out as well, as an optional prerequisite)…
Let’s try it using the same table (with some details trimmed):
| # | Top SIEM Use Case | UEBA Utility for This |
|---|---|---|
| 1 | Authentication tracking and account compromise detection | Top UEBA use case; UEBA shines here; this is hard to do well with SIEM |
| 2 | Compromised- and infected-system tracking; malware detection by using outbound logs, etc. | A common UEBA use case; done either via entity profiling or by detecting systems where compromised accounts dwell |
| 3 | Validating intrusion detection system/intrusion prevention system (IDS/IPS) alerts | UEBA is used for alert validation and triage, but not exactly like SIEM; in fact, UEBA has been used for SIEM alert validation |
| 4 | Monitoring for suspicious outbound connectivity and data transfers by using logs, etc. | Exfiltration detection is a common UEBA use case; done via account activity profiling or via DLP alert analysis |
| 5 | Tracking system changes and other administrative actions across internal systems, etc. | An infrequent UEBA use case, maybe for finding that one worrisome change or access |
| 6 | Tracking of Web application attacks and their consequences by using Web logs, etc. | Not a match to common UEBA use cases |
So… what do we learn here? Some top SIEM use cases (that date before UEBA) are closely related to top UEBA use cases. This means that a) SIEM and UEBA are on a collision course (duh!) and/or b) more people will be deploying UBA / UEBA tools soon.
Finally, some of you UBA / UEBA vendors [BTW, one last time – the terms ARE used synonymously, the UBA is an old term and the UEBA is a new one, that’s it – no hidden nuanced meaning] are thinking “but wait…. we have all those sexy ‘non-SIEM’ use cases for insider threat, etc.” Of course … but more about this later!
P.S. Some of you are still confused about how we define UBA/UEBA. There are documents where we do that, and a new Market Guide for UEBA is coming very soon. For now, I would say that UEBA analysis is “user-centric” (rather than, say, merely able to use user identity data as an option). So, in UEBA, the “U” is a must, while the other “E” (entity) is optional, not the other way round. And of course the “A” – analytics – is a must too.
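To make the contrast in use case 1 concrete, here is an added illustration (not code from the original post or from any SIEM/UEBA vendor): a static SIEM-style threshold rule beside a user-centric baseline, both run over a constructed set of authentication events. User names, hosts and timestamps are made up.

```python
from collections import defaultdict

# Constructed sample authentication events (not real logs):
# (user, source host, ISO-8601 timestamp, outcome)
AUTH_EVENTS = [
    ("alice", "wks-alice", "2016-03-01T09:02:00", "success"),
    ("alice", "wks-alice", "2016-03-02T09:10:00", "success"),
    ("bob",   "wks-bob",   "2016-03-01T10:05:00", "success"),
    ("bob",   "wks-bob",   "2016-03-02T10:30:00", "success"),
    # Detection day: a valid credential used from a new host at 03:15
    ("alice", "vpn-gw-7",  "2016-03-03T03:15:00", "success"),
    ("alice", "wks-alice", "2016-03-03T09:05:00", "success"),
    # Detection day: a burst of failures, then a normal login
    *[("bob", "wks-bob", f"2016-03-03T10:0{i}:00", "failure") for i in range(5)],
    ("bob",   "wks-bob",   "2016-03-03T10:06:00", "success"),
]
BASELINE_DAYS = {"2016-03-01", "2016-03-02"}   # days used to learn "normal"
DETECTION_DAYS = {"2016-03-03"}                # days being analyzed

def siem_rule_failed_logins(events, threshold=5):
    """SIEM-style static rule: any user with >= threshold failed logins."""
    failures = defaultdict(int)
    for user, _host, _ts, outcome in events:
        if outcome == "failure":
            failures[user] += 1
    return {u for u, n in failures.items() if n >= threshold}

def ueba_profile(events, baseline_days):
    """Per-user baseline: the source hosts and hours seen on successful logins."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, ts, outcome in events:
        if outcome == "success" and ts[:10] in baseline_days:
            profile[user]["hosts"].add(host)
            profile[user]["hours"].add(int(ts[11:13]))  # hour from "THH:"
    return profile

def ueba_anomalies(events, profile, detection_days):
    """Flag successful logins that deviate from the user's own baseline."""
    alerts = []
    for user, host, ts, outcome in events:
        if outcome != "success" or ts[:10] not in detection_days:
            continue
        reasons = []
        base = profile.get(user)
        if base is None:
            reasons.append("no baseline for user")
        else:
            if host not in base["hosts"]:
                reasons.append("new source host")
            if int(ts[11:13]) not in base["hours"]:
                reasons.append("unusual hour")
        if reasons:
            alerts.append((user, host, ts, reasons))
    return alerts
```

The threshold rule fires on bob's failure burst but says nothing about alice's successful 03:15 login from an unseen host, which only the per-user profile surfaces; the two are complementary rather than one replacing the other.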
Related blog posts about security analytics:
- The Coming UBA / UEBA – SIEM War!
- Next Research: Back to Security Analytics and UBA/UEBA
- Sad Hilarity of Predictive Analytics in Security?
- Security Analytics Webinar Questions – Answered
- On Unknown Operational Effectiveness of Security Analytics Tooling
- My “Demystifying Security Analytics: Sources, Methods and Use Cases” Paper Publishes
- Now That We Have All That Data What Do We Do, Revisited
- Killed by AI Much? A Rise of Non-deterministic Security!
- Those Pesky Users: How To Catch Bad Usage of Good Accounts
- Security Analytics Lessons Learned — and Ignored!
- Security Analytics: Projects vs Boxes (Build vs Buy)?
- Do You Want “Security Analytics” Or Do You Just Hate Your SIEM?
- Security Analytics – Finally Emerging For Real?
- Why No Security Analytics Market? <- important read for VCs and investors!
- More On Big Data Security Analytics Readiness
- 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
- “Big Analytics” for Security: A Harbinger or An Outlier?
When is the next UEBA market guide being published?
Should be in 2-3 weeks, I think [but I am not the author]
Analytics and behavior alerts leave you with questions like what happened and why.
When you build a specific rule with a hypothesis in mind, when it alerts, you can script or create a response process.
Level 1 SOC operators need simple steps to follow. These are still better achieved with SIEM.
Also, mapping human behavior and human interaction with machines yields a lot of false positives. In short, if UBA can do what SIEM does plus additional capabilities, I'm sure we will all switch.
For sure — we are not talking about any kind of immediate SIEM->UEBA switch. NOT AT ALL!
However, we do see some SIEM and some UEBA vendors very much interested in raiding each other’s lunch boxes 🙂