Ok, So Who Really MUST Get a UEBA?

by Anton Chuvakin  |  January 24, 2017  |  18 Comments

As I mentioned in my 2014 post on security analytics and in a related GTP paper at the same time, “The noise about big data for security has grown deafening in the industry, but the reality lags far, far behind.”

Two years have passed since that time. What can I tell you? It still “lags far behind,” but many more UEBA boxes have been sold than in 2014, that is for sure. BTW, we stick to the original view that “there is no security analytics market.”

In this post, I wanted to explore the topic of “when is a user and entity behavior analytics (UEBA) tool a must for an organization?” or “what types of organizations buy UEBA tools today?”

First, if a UEBA vendor is reading this … sir, please step away from the keyboard! I know you wanted to type a comment saying “EVERY ORGANIZATION MUST BUY A UEBA / UBA TOOL NOW!”…but we both know this is not true today…

So, here are some situations we encountered:

  • An organization with a robust insider threat program should definitely get a UEBA. While those are as rare as pink elephants, they do exist – and use UEBA with good success, as we learned (note my point regarding insider threat vs threats that are inside).
  • As UEBA evolves closer to SIEM, more organizations that cannot afford to create and refine custom SIEM content, but need improved threat detection, will place their trust in UEBA detection algorithms and ML magic.
  • Similarly, organizations that have simply “maxed out” their SIEM – grown the deployment to its logical limit (where additional value is hard to extract), or let the installation grow so complex and unwieldy that it is hard to operate – often find additional value in UEBA.
  • Naturally, organizations that suffered a breach from exploitation of legitimate user credentials tend to love UEBA technology.
  • I am sure there are other cases, so feel free to hit the comments below…

Finally, as UEBA use cases further mix with SIEM use cases and cover more of security monitoring, we expect the UEBA customer base to broaden further as the technology converges with SIEM and other security technologies.

Comments? Any other situations where you think UEBA is a MUST or a strong SHOULD? Dear vendors, don’t be shy… but please don’t say “everybody must get one yesterday” 🙂

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Thoughts on Ok, So Who Really MUST Get a UEBA?

  1. Dori Fisher says:

    I think the question should be: who can benefit from UEBA rather than must have. I think only organizations that can afford the manpower and time to explore and investigate abnormalities in user behavior should go there.
    They need to have clear roles (for deciding what to do with a detected anomaly).
    They need to have relevant auditing (for getting the relevant data to the platform).
    They need to clearly define scope and use case, as user behavior in a 5000-application environment is unachievable imho.
    Also, organizations that cannot spare the manpower to define SIEM content, and decide to implement UEBA may discover that the time saved on content creation and detection is doubled on false positive reduction and investigation.

    • Well, not to be too subtle, but “who can benefit GIVEN ITS PRICE (often $$$$) and SOMETIMES ONEROUS DEPLOYMENT?”

    • Sorry, Dori, forgot to thank you for the comment. So, thanks a lot for the comment. I think your last point re: content and false alarms is “almost true” — some UEBA vendors do show success with out-of-the-box anomaly detection logic in place of system rules, at least in some cases. So fragile custom rules can in fact be tossed out, in some cases.

  2. Tom Clare says:

    Privilege Access Abuse situation where machine learning analytics risk score entitlements to find hidden privileged entitlements in standard accounts and applications (aka Sharepoint with unstructured privilege data) to then guide UEBA on where to look for privilege abuse. Having humans sort through millions of entitlements is futility to know where to look and then detect privilege abuse through anomalies. On average with customers, over 50% of privileged access is not in a list or a vault…if this is a concern, you should consider a UEBA-IdA solution.

  3. Tom Clare says:

    Also, step out of silos labeled with acronyms for solutions and look at the attack surface. The compromise and misuse of identity lies at the core of modern threats, even more so with increasing fragmentation driven by cloud and mobility. What are you doing to assess the risk of identity for access and activity? The answer is wider than the UEBA silo.

  4. Nitin Agale says:

    Here are some additional use cases/thoughts
    – Organizations with IP protection needs can use UEBA for Data Exfiltration Analytics and Privileged Account Monitoring. UEBA solutions with the entity context and machine learning approach are more likely to provide actionable results compared to traditional security monitoring tools

    – Organizations looking to extend Context and Behavior based monitoring to Cloud can leverage the UEBA solutions for Data Exfiltration analytics on cloud applications like O365, Google Apps, Box and Privilege Account Analytics on cloud platforms like AWS and Azure

    – Healthcare organizations with use cases such as patient data snooping are likely to see more success with a behavior based approach than the traditional compliance (rule) based approach

    – The ‘E’ in UEBA – Entity based analytics can help organizations with advanced cyber threat use cases like Lateral Movement, Ransomware, and Pass the Hash.

    • Thanks a lot for a helpful and otherwise comment! I think patient data snooping may well fit our list of “when is UEBA a must” since we have seen examples where other tech really didn’t help. Re: data loss and exfil, I’d say this is close to it, but probably more like a strong should rather than a must. Still, need to think more about it before we “set it in stone” via our paper…

  5. I find that U(E)BA contains a set of technologies like machine learning, that can be very useful if applied to specific segments of security, like privileged access management or fraud detection.

    Machine learning applied to the general security problem quickly spreads its value very thin, as it does not focus anywhere, really.

    With that said, organisations should use a risk based approach: if there’s an application, a set of users or some corner of the organization that is considered highly valuable, then proper auditing/monitoring and behaviour analytics can help mitigate a good chunk of the risk, and help detect breaches a lot quicker than traditional tools. My point is that we need to use a focused approach if and when it is worth it.

    • An excellent point, Balazs. Here most people believe that either general anomaly detection is not possible or not possible now (despite all the ML). Re: value — I think it is more about VALUE + FEASIBILITY 🙂

  6. Karl Galbraith says:

    Anton – I believe a key insider threat use case for UEBA is the ‘many users to many data’ scenario. As opposed to, say, the traditional sys admin with keys to the kingdom acting on Crown Jewels data, this case would apply to, say, health care records and hospital staff, where most of the users have access to the critical data vs a few trusted IT userids, and the simple reading of data (vs exfiltration) represents a compliance issue and impacting breach. Back in the day IBM and a few others tried to use a DAM solution to track this, but I believe that market wrote checks it couldn’t cash, similar to the DLP market circa the 2005-2008 timeframe. UEBA shows promise in setting a baseline and detecting anomalies across a large audience of privileged users in a health care scenario.

    Other possible scenarios include tax info, legal info.

  7. Tom Clare says:

    If the solution, granted larger than the scope of just the UEBA silo, can reduce excess access by ~60%, detect ~50% of unknown privileged access for monitoring and abuse, provide behavior analytics on must have, should have, and nice to have use cases (30+), provide self audits for user context beyond SOC knowledge, increase security awareness and deterrence, plus provide an API-based CASB into SaaS, IaaS, PaaS and IDaaS for behavior analytics covering hybrid environments, then paying $3 per user once and $0.50 per year annually may be reasonable to a large enterprise.

  8. Tom Clare says:

    Any business model for a platform solution below $0.50 per user per year is questionable for investment in ENG for innovation and new features, etc. It may make sense to collect new customers for a quick exit…which is unlikely to benefit customers. Also investing in a solution for one use case in one environment is a very narrow scope and uncommon…hybrid on-premise and cloud is more the reality with 5+ use cases.

  9. You need value then mirror UEBA with IdA to top the bad players and reduce the attack surface at the identity level

  10. Melvin Foong says:

    UEBA can benefit any size, any industry and any culture of organization, provided they have the right people and the budget for a good one.

    Being the partner for one of the UEBA vendors listed by Gartner, we have seen nothing but success. I am an end user myself for the past 5 years, and the ability to detect anomalies and harness a few hundred data points for threat predictions has helped me a lot.
