Last year, a cybersecurity manager at a bank near me brought in a user behavior analytics (UBA) solution based on a vendor’s pitch that UBA was the next generation of security analytics. The company had been using a security information and event management (SIEM) tool to monitor its systems and networks, but abandoned it in favor of UBA, which promised a simpler approach powered by artificial intelligence (AI).

One year later, that security manager was looking for a job. Sure, the UBA package did a good job of telling him what his users were doing on the network, but it didn’t do a very good job of telling him about threats that didn’t involve abnormal behavior. I can only speculate about what triggered his departure, but my guess is it wasn’t pretty.

UBA hit the peak of the Gartner hype cycle last year around the same time as AI. The timing isn’t surprising given that many UBA vendors tout their use of machine learning to detect anomalies in log data. UBA is a good application of SIEM, but it isn’t a replacement for it. In fact, UBA is more accurately described as a cybersecurity application that rides on top of SIEM — but you wouldn’t know that the way it’s sometimes marketed.

User Behavior Analytics Versus Security Information and Event Management

While SIEM and UBA do have some similar features, they perform very different functions. Most SIEM offerings are essentially log management tools that help security operators make sense of a deluge of information. They are a necessary foundation for targeted analysis.

UBA is a set of algorithms that analyze log activity to spot abnormal behavior, such as repeated login attempts from a single IP address or large file downloads. Buried in gigabytes of data, these patterns are easy for humans to miss. UBA can help security teams combat insider threats, brute-force attacks, account takeovers and data loss.

UBA applications require data from an SIEM tool and may include basic log management features, but they aren’t a replacement for a general-purpose SIEM solution. In fact, if your SIEM system has anomaly detection capabilities or can identify whether user access activity matches typical behavior based on the user’s role, you may already have UBA.

Part of the confusion comes from the fact that, although SIEM has been around for a long time, there is no one set of standard features. Many systems are only capable of rule-based alerting or limited to canned rules. If you don’t have a rule for a new threat, you won’t be alerted to it.

Analytical applications such as UBA are intended to address certain types of cybersecurity threat detection and remediation. Choosing point applications without a unified log manager creates silos of data and taxes your security operations center (SOC), which is probably short-staffed to begin with. Many UBA solutions also require the use of software agents, which is something every IT organization would like to avoid.

Start With a Well-Rounded SIEM Solution

A robust, well-rounded SIEM solution should cross-correlate log data, threat intelligence feeds, geolocation coordinates, vulnerability scan data, and both internal and external user activity. When combined with rule-based alerts, an SIEM tool alone is sufficient for many organizations. Applications such as UBA can be added on top for more robust reporting.

Gartner’s latest “Market Guide for User and Entity Behavior Analytics” forecast significant disruption in the market. Noting that the technology is headed downward into Gartner’s “Trough of Disillusionment,” researchers explained that some pure-play UBA vendors “are now focusing their route to market strategy on embedding their core technology in other vendors’ more traditional security solutions.”

In my view, that’s where it belongs. User behavior analytics is a great technology for identifying insider threats, but that’s a use case, not a security platform. A robust SIEM tool gives you a great foundation for protection and options to grow as your needs demand.

More from Intelligence & Analytics

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Overcoming Distrust in Information Sharing: What More is There to Do?

As cyber threats increase in frequency and intensity worldwide, it has never been more crucial for governments and private organizations to work together to identify, analyze and combat attacks. Yet while the federal government has strongly supported this model of private-public information sharing, the reality is less than impressive. Many companies feel that intel sharing is too one-sided, as businesses share as much threat intel as governments want but receive very little in return. The question is, have government entities…

Tackling Today’s Attacks and Preparing for Tomorrow’s Threats: A Leader in 2022 Gartner® Magic Quadrant™ for SIEM

Get the latest on IBM Security QRadar SIEM, recognized as a Leader in the 2022 Gartner Magic Quadrant. As I talk to security leaders across the globe, four main themes teams constantly struggle to keep up with are: The ever-evolving and increasing threat landscape Access to and retaining skilled security analysts Learning and managing increasingly complex IT environments and subsequent security tooling The ability to act on the insights from their security tools including security information and event management software…