As I mentioned in my 2014 post on security analytics and in a related GTP paper at the same time, “The noise about big data for security has grown deafening in the industry, but the reality lags far, far behind.”
Two years have passed since that time. What can I tell you? It still “lags far behind,” but many more UEBA boxes have been sold than in 2014, that is for sure. BTW, we stick to the original view that “there is no security analytics market.”
In this post, I wanted to explore the topic of “when is a user and entity behavior analytics (UEBA) tool a must for an organization?” or “what types of organizations buy UEBA tools today?”
First, if a UEBA vendor is reading this … sir, please step away from the keyboard! I know you wanted to type a comment saying “EVERY ORGANIZATION MUST BUY A UEBA / UBA TOOL NOW!”…but we both know this is not true today…
So, here are some situations we encountered:
- An organization with a robust insider threat program should definitely get a UEBA. While those are rare as pink elephants, they do exist – and use UEBA with good success, as we learned (note my point regarding insider threat vs threats that are inside)
- As UEBA evolves closer to SIEM, more organizations that cannot afford creating and refining custom SIEM content, but need improved threat detection, will place their trust in UEBA detection algorithms and ML magic.
- Similarly, organizations that have simply “maxed out” on their SIEM, have grown their SIEM deployment to its logical limit (where additional value is hard to extract), or whose SIEM installation has grown so complex and unwieldy often find additional value in UEBA.
- Naturally, organizations that suffered a breach from exploitation of legitimate user credentials tend to love UEBA technology.
- I am sure there are other cases, so feel free to hit the comments below…
Finally, as UEBA use cases further blend with SIEM use cases and cover more of security monitoring, we expect the UEBA customer base to broaden as the technology converges with SIEM and other security technologies.
Comments? Any other situations where you think UEBA is a MUST or a strong SHOULD? Dear vendors, don’t be shy… but please don’t say “everybody must get one yesterday” 🙂
Related blog posts about security analytics:
- Why SIEMs F*cked Up Application Log Analysis?
- On UEBA / UBA Use Cases
- UEBA Clearly Defined, Again?
- Comparing UEBA Solutions (by Augusto)
- What Should Your UEBA Show: Indications or Conclusions?
- UEBA Shines Where SIEM Whines?
- The Coming UBA / UEBA – SIEM War!
- Next Research: Back to Security Analytics and UBA/UEBA
- Sad Hilarity of Predictive Analytics in Security?
- Security Analytics Webinar Questions – Answered
- On Unknown Operational Effectiveness of Security Analytics Tooling
- My “Demystifying Security Analytics: Sources, Methods and Use Cases” Paper Publishes (2015 version)
- Now That We Have All That Data What Do We Do, Revisited
- Killed by AI Much? A Rise of Non-deterministic Security!
- Those Pesky Users: How To Catch Bad Usage of Good Accounts
- Security Analytics Lessons Learned — and Ignored!
- Security Analytics: Projects vs Boxes (Build vs Buy)?
- Do You Want “Security Analytics” Or Do You Just Hate Your SIEM?
- Security Analytics – Finally Emerging For Real?
- Why No Security Analytics Market? <- important read for VCs and investors!
- More On Big Data Security Analytics Readiness
- 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
- “Big Analytics” for Security: A Harbinger or An Outlier?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.