Blog post

The Disappearing UEBA Market

By Avivah Litan | January 03, 2017 | 6 Comments

I’m working on a forecast for the UEBA market and it’s quickly bringing this fact into focus

By 2022 – there will be no more UEBA market. 

Yes the UEBA market has been doubling every year and we estimate it grew from $50M in 2015 to $100M in 2016 and will double again to $200M in 2017.  But then what?

Some UEBA vendors will survive as standalone platforms that in essence become ‘next generation SIEM’ platforms. How do we define ‘next gen SIEM’ platforms?  SIEM plus smarter advanced analytics, plus user and entity behavior analysis, plus cognitive computing based (i.e. smarter) orchestration and response.

UEBA vendors who don’t make it to standalone next gen SIEM vendors will get folded into other security markets such as Endpoint Security, IAM, DLP, CASB where advanced analytics and behavioral profiling will help these products cut through the noise, resulting in lower alert volume and more accurate and actionable high priority alerts.

The eventual disappearance of a standalone UEBA market has been apparent all along. We knew when we started our first 2014 Market Guide on UBA  and later graduated it to a 2015 Market Guide on User and Entity Behavior Analytics that this market represented a collection of technologies as noted in the UEBA definition.  See 2014 Market Guide on User Behavior Analytics and 2015 Market Guide for User and Entity Behavior Analytics.

From the start, this collection of technologies has addressed many use cases and solved many problems.  But it is quickly maturing and evolving – to the point where it will make UEBA as a standalone market obsolete.

Bottom line – Security is getting smarter with the integration of advanced analytics and user and entity behavioral profiling. That’s good for users and good for vendors who can keep up with this trend.

Happy 2017!

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Eyal Gruner says:

    I am happy to say that this is exactly what Cynet is already doing today. One platform that consolidates and simplifies the EDR, UEBA, Deceptions, Logs Collectors, Sandbox, Network Analysis and much more. It sounds crazy, it really does, but these are the facts.
    Try Cynet now for free:

  • Tom Clare says:

    The UEBA market is also uncovering the CIO and CISO divide for IAM as the compromise and misuse of identity is at the core of modern threats. Plus important silos of data without API access required for behavior analytics leave blind spots. The net-net is org charts need to be crossed to clean up access with identity analytics and any important data source without an API needs attention for behavior analytics to uncover anomalies.

  • craig kensek says:

    UEBA features often have limited visibility within unique solutions. The best approach is hybrid visibility built upon big data for on-premises and cloud. While a PoC may focus on specific use cases, the larger focus to reduce access risks and detect unknown threats is more holistic.”

  • Spot on, Avivah. I think you’re right, consolidation will happen. Point analytics products like UEBA are ‘some analysis’ on ‘some data’ to detect ‘something’. No need for a standalone platform to do this, better to have a ‘utility’ analysis platform to do this across security.

    Question for you – in the larger organisations, e.g. the big Financials, can you see extension of the use cases for a platform to stakeholders outside of security? Taking an example, Tech Risk needs different analysis (typically metrics, measurements and analytics) of the same data used by Sec Ops.

    Thanks! And Happy 2017 to you too.

  • James Naylor says:

    Great write up Avivah and not new scenario within the security industry. Before the market consolidates however we need to see the price of entry reduce – at the moment it’s too high and therefore only suitable for the select few organisations with a satisfactory user case – I think they call it “Milking the Cash Cow”! I’m a fan of UBEA but it needs to commoditise as the sale will remain complicated just as long as it requires funding at current price points.

    Nik – to answer your question – every UBEA deal I’ve been involved in has included HR and Legal and their continued use after the sale. It’s also found a place where specific governance models are in place and typically has been funded outside the IT Security Budget.

  • Avivah Litan says:

    Hi Nick, thanks for your comment and question. Re other use cases outside security – I definitely see the vendors with UEBA functionality being pulled into some use cases outside IT security, but generally they don’t have the deep domain expertise to satisfy those use cases very well so i don’t see them succeed there.
    You’re spot on – the data is often the same for different use cases, but because the users/buyers are different, and the analytics require different models, I don’t generally see re-purposing of analytic packages for different domains (e.g. Tech risk, IT security, fraud, compliance, etc.). The UEBA systems just aren’t that smart and flexible yet.