Gartner Blog Network

The Missing ‘D’ in the UEBA market

by Avivah Litan  |  June 22, 2016  |  1 Comment

I just got back from a whirlwind client-packed week at the flagship Gartner Security Summit in the Washington D.C. area.

One thing that hit home was the discussions with DAM (Database Activity Monitoring) vendors who are implementing a data-centric view of UEBA. That is, they are starting with the data that their current products revolve around and building up profiles and analysis of access to, use of, and activity around specific data. In this analysis, data is the anchor element (as opposed to a user, endpoint or network).

I always struggled with how to fit the D into the UEBA market. Our diagrams of the UEBA market (see below) left this important dimension out when describing the entities that were anchors for UEBA security analytics, largely because there was nothing happening in this ‘D’ dimension when we authored our first UEBA market guide in 2015.


It’s good to see this dimension coming along. The data (and file) views are critical as anchors, since the bad guys are almost always going after data or information in organizational systems. It is easier to avoid ‘boiling the ocean’ of security analytics in search of security infractions if you analyze access to and use of your ‘crown jewels’, which are inevitably sitting in a database, data lake, or file system.

For the time being, as noted in the diagram, UEBA vendors in various categories complement each other.  Vendors with a ‘D’ focus will be instrumental in the future in finding the ‘needles in the needles’ that are sitting in a database.
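
The data-anchored view described above, as an added example (not from the post or from any vendor's product): profiles are keyed on the table rather than on the user, and new activity is scored against each table's own baseline. The table names, accounts, row counts and the `spike_factor` threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample audit records: (account, table, rows_returned).
BASELINE = [
    ("hr_app", "hr.employees", 12), ("hr_app", "hr.employees", 8),
    ("hr_app", "hr.employees", 15), ("payroll_svc", "hr.employees", 40),
    ("payroll_svc", "hr.employees", 35),
    ("crm_app", "sales.customers", 20), ("crm_app", "sales.customers", 25),
    ("crm_app", "sales.customers", 18),
]
NEW_EVENTS = [
    ("hr_app", "hr.employees", 10),        # matches the table's profile
    ("crm_app", "hr.employees", 5000),     # account never seen on this table, large read
    ("crm_app", "sales.customers", 22),    # matches the table's profile
    ("payroll_svc", "hr.employees", 900),  # known account, unusual volume
]

def build_profiles(events):
    """Profile each data object: which accounts read it and how many rows per read."""
    profiles = defaultdict(lambda: {"accounts": set(), "rows": []})
    for account, table, rows in events:
        profiles[table]["accounts"].add(account)
        profiles[table]["rows"].append(rows)
    return profiles

def score(events, profiles, spike_factor=5):
    """Return (table, account, reasons) for events that deviate from the table's profile."""
    findings = []
    for account, table, rows in events:
        prof = profiles.get(table)  # .get() does not create a default entry
        if prof is None:
            findings.append((table, account, ["unprofiled_table"]))
            continue
        reasons = []
        if account not in prof["accounts"]:
            reasons.append("new_account_for_table")
        # Assumed threshold: a read far above the table's median read size.
        if rows > spike_factor * median(prof["rows"]):
            reasons.append("volume_spike")
        if reasons:
            findings.append((table, account, reasons))
    return findings

if __name__ == "__main__":
    for finding in score(NEW_EVENTS, build_profiles(BASELINE)):
        print(finding)
```

Because the findings are grouped by table, an analyst can start triage from the most sensitive data objects instead of from every user or endpoint.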


Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection.

Thoughts on The Missing ‘D’ in the UEBA market

  1. Bill Munroe says:

    Maybe the challenge with the graphic is the “User” centric view it takes. As UEBA matures, the E for Entity seems to be taking over as the critical center. If the entities include users (accounts), data (files and data assets), machines and applications – all things that can be baselined and a risk score applied – then your challenge of where to put data is solved. A database, after all, is just another form of an asset that contains events and entities. Analyzing SQL logs would add visibility to see when specific database tables are under attack (e.g. the accumulation of behaviors such as customer database accounts being used to take unusual volumes of records from HR tables, which those accounts normally do not do). Connecting the events and entities from the database log to connected events and entities from other sources like AD or endpoints would enable an even more complete picture of an unfolding attack.
