Gartner Blog Network

On UEBA / UBA Use Cases

by Anton Chuvakin  |  January 5, 2017  |  7 Comments

After much agonizing, we (Augusto and myself) have settled on the following list of UEBA / UBA use cases for our upcoming UEBA technology comparison. Here they are:

  1. Compromised account detection: this is a “classic UBA” usage – study account authentication and usage information to conclude that the account is being used by a malicious party [or, at least, by a different party]; this is often powered by some logic to relate multiple accounts to the same person and/or logic to build sessions of user activity.
  2. Compromised system/host/device detection: by detecting things like attacker lateral movement, C&C activity, access to bad domains [unknown ones, not just via TI!] and various telling host and network anomalies, reach a conclusion that a system is under malicious control; this use case covers many data sources and a lot of fairly dissimilar methods of “sense-making”.
  3. Data exfiltration detection: notably, DLP has not fully solved this one (ha!), but has since become a popular UEBA data source; detection of data theft (“exfil”, if you want to sound cool!) by trusted insiders and outsiders (as well as their malware) presents a common UEBA tool use case.
  4. Insider access abuse: this is the fuzziest one on the list; it focuses on detecting malicious and risky behavior by legitimate trusted insiders, and includes all forms of privileged access abuse and misuse, among other things; typically powered by user profiling, outlier detection and risk scoring of the results.
  5. Gaining additional insight about the environment: a broad use case where UEBA tools are used for gaining better situational awareness; this also includes improved alert prioritization and support for triage and investigation activities (yes, if you have to ask, hunting too).
  6. Custom use case: a good UEBA tool should be able to address a weird client-specific user behavior analytics scenario, ideally without coding and [much] data science knowledge on the part of the client.
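To make the mechanics behind use cases 1 and 4 concrete (linking several accounts to one person, building sessions of user activity, profiling a baseline, then outlier detection and risk scoring), here is a small added example in Python. It is not code from the post or from any UEBA vendor; the log lines, the account-to-person mapping, the session gap and the scoring weights are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth/access log (hypothetical; not from the post).
# Columns: timestamp, account, host, action. On the last day a privileged
# alias of the same person logs on to a production database at 02:14.
SAMPLE_LOG = """\
2017-01-02T09:02:11 jsmith ws-042 logon
2017-01-02T09:10:40 jsmith fileshare-1 read
2017-01-02T13:47:03 jsmith fileshare-1 read
2017-01-02T17:31:05 jsmith ws-042 logoff
2017-01-03T08:58:27 jsmith ws-042 logon
2017-01-03T09:15:00 jsmith fileshare-1 read
2017-01-03T13:20:12 jsmith fileshare-1 read
2017-01-03T17:02:44 jsmith ws-042 logoff
2017-01-04T02:14:09 adm-jsmith db-prod-7 logon
2017-01-04T02:16:30 adm-jsmith db-prod-7 read
2017-01-04T02:20:01 adm-jsmith db-prod-7 logoff
2017-01-04T09:01:12 jsmith ws-042 logon
2017-01-04T12:30:55 jsmith fileshare-1 read
2017-01-04T17:10:00 jsmith ws-042 logoff
"""

# Assumed account-to-person linkage (an IdM/HR feed would supply this).
ACCOUNT_OWNER = {"jsmith": "J. Smith", "adm-jsmith": "J. Smith"}
SESSION_GAP = timedelta(hours=6)   # assumed idle time that ends a session


def parse_log(text):
    """Parse lines into event dicts, resolving each account to its person."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, action = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "account": account, "host": host, "action": action,
            "person": ACCOUNT_OWNER.get(account, account),
        })
    return sorted(events, key=lambda e: e["ts"])


def build_sessions(events):
    """Group each person's events into sessions. A session starts on a
    logon, or when the idle gap since the previous event exceeds
    SESSION_GAP (covers logons that were never logged)."""
    sessions = defaultdict(list)
    for e in events:
        person_sessions = sessions[e["person"]]
        if (not person_sessions or e["action"] == "logon"
                or e["ts"] - person_sessions[-1][-1]["ts"] > SESSION_GAP):
            person_sessions.append([])
        person_sessions[-1].append(e)
    return sessions


def profile_person(baseline_sessions):
    """Baseline for one person: accounts, hosts and session start hours."""
    prof = {"accounts": set(), "hosts": set(), "hours": set()}
    for s in baseline_sessions:
        prof["hours"].add(s[0]["ts"].hour)
        for e in s:
            prof["accounts"].add(e["account"])
            prof["hosts"].add(e["host"])
    return prof


def score_session(session, prof):
    """Additive risk score: every deviation from the baseline adds points.
    The weights are illustrative, not calibrated."""
    score, reasons = 0, []
    hour = session[0]["ts"].hour
    if hour not in prof["hours"]:
        score += 1
        reasons.append(f"unusual start hour {hour:02d}")
    for acct in sorted({e["account"] for e in session} - prof["accounts"]):
        score += 3
        reasons.append(f"account {acct} not used in baseline")
    for host in sorted({e["host"] for e in session} - prof["hosts"]):
        score += 2
        reasons.append(f"host {host} not seen in baseline")
    return score, reasons


def detect(text, cutoff_day, threshold=3):
    """Build baselines from sessions before cutoff_day (YYYY-MM-DD), score
    the later sessions and return those at or above threshold."""
    cutoff = datetime.strptime(cutoff_day, "%Y-%m-%d")
    alerts = []
    for person, sess in build_sessions(parse_log(text)).items():
        baseline = [s for s in sess if s[0]["ts"] < cutoff]
        if not baseline:
            continue   # cold start: no history to compare against yet
        prof = profile_person(baseline)
        for s in sess:
            if s[0]["ts"] < cutoff:
                continue
            score, reasons = score_session(s, prof)
            if score >= threshold:
                alerts.append({"person": person, "start": s[0]["ts"],
                               "accounts": sorted({e["account"] for e in s}),
                               "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, "2017-01-04"):
        print(f'{a["start"]} {a["person"]} ({", ".join(a["accounts"])}) '
              f'score={a["score"]}: {"; ".join(a["reasons"])}')
```

Two design points worth noticing. Without the account linkage, `adm-jsmith` would be a person with no history and could not be scored at all (the cold-start branch), which is why identity resolution sits upstream of profiling in real tools. And the 02:14 database session is flagged purely by deviation from the baseline, with no rule about "production databases"; the comment thread's debate about profiling versus rule-based detection is exactly about which of these two approaches a vendor actually relies on.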

As a side note, to those of you who object to the above because “these are too high-level”…OK…sure, they are. So you can treat them as use case groups or use case types. Or, clusters, if you want to sound smart and “data-science-y”…

BTW, compare/contrast to top SIEM use cases (there are of course many more use cases for SIEM than the top ones mentioned).

Thoughts? Ideas? Additions? Complaints? Silly remarks about “but we have AI!!!”? 🙂


Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Thoughts on “On UEBA / UBA Use Cases”

  1. This is a solid summary at the high level. I think the biggest challenge for UBA buyers is that numbers 1-3 can only be simulated late in a POC when baselines have been established, while #4 (insider access abuse) is a little more likely if you know who deserves privilege, and #5 differs in its definition for every organization.
    This all makes it difficult to compare solutions prior to purchase.
    At least they all have AI to answer these questions for you :-)!

    • Sorry for delayed response. Indeed, I aimed at a solid “high-ish” level summary. IMHO, #1-#4 all require profiling but frankly to me it seems like insider use case requires MORE profiling, unless the vendor “cheats” and falls back to all-rule-based detection….

      And of course AI FTW 🙂

    • Sylvain Gil says:

      We’ve seen a number of POCs where clients asked that we run on a past incident and present findings. In several cases we identified that the compromise had extended beyond the assets that had been cleaned up – Lateral movement anyone?

      Running on historical data is not a problem if the UEBA solution can fetch historical data from a log management system.

  2. […] think, “but wait, UEBA has ML and magic AI stuff”, think again. Well, it does, but some of the use cases are very rule-based and do not extend beyond the “IF <this> AND <that> THEN […]

  3. […] think about password theft – a truly 1980s problem – rampant today and triggering spend on UEBA. Hence, before you predict the future, think about the HUGE IT inertia – frankly, after my 5+ […]
