Last year, a cybersecurity manager at a bank near me brought in a user behavior analytics (UBA) solution based on a vendor’s pitch that UBA was the next generation of security analytics. The company had been using a security information and event management (SIEM) tool to monitor its systems and networks, but abandoned it in favor of UBA, which promised a simpler approach powered by artificial intelligence (AI).
One year later, that security manager was looking for a job. Sure, the UBA package did a good job of telling him what his users were doing on the network, but it didn’t do a very good job of telling him about threats that didn’t involve abnormal behavior. I can only speculate about what triggered his departure, but my guess is it wasn’t pretty.
UBA hit the peak of the Gartner hype cycle last year around the same time as AI. The timing isn’t surprising given that many UBA vendors tout their use of machine learning to detect anomalies in log data. UBA is a good application of SIEM, but it isn’t a replacement for it. In fact, UBA is more accurately described as a cybersecurity application that rides on top of SIEM — but you wouldn’t know that the way it’s sometimes marketed.
User Behavior Analytics Versus Security Information and Event Management
While SIEM and UBA do have some similar features, they perform very different functions. Most SIEM offerings are essentially log management tools that help security operators make sense of a deluge of information. They are a necessary foundation for targeted analysis.
UBA is a set of algorithms that analyze log activity to spot abnormal behavior, such as repeated login attempts from a single IP address or large file downloads. Buried in gigabytes of data, these patterns are easy for humans to miss. UBA can help security teams combat insider threats, brute-force attacks, account takeovers and data loss.
UBA applications require data from an SIEM tool and may include basic log management features, but they aren’t a replacement for a general-purpose SIEM solution. In fact, if your SIEM system has anomaly detection capabilities or can identify whether user access activity matches typical behavior based on the user’s role, you may already have UBA.
Part of the confusion comes from the fact that, although SIEM has been around for a long time, there is no one set of standard features. Many systems are only capable of rule-based alerting or limited to canned rules. If you don’t have a rule for a new threat, you won’t be alerted to it.
Analytical applications such as UBA are intended to address certain types of cybersecurity threat detection and remediation. Choosing point applications without a unified log manager creates silos of data and taxes your security operations center (SOC), which is probably short-staffed to begin with. Many UBA solutions also require the use of software agents, which is something every IT organization would like to avoid.
Start With a Well-Rounded SIEM Solution
A robust, well-rounded SIEM solution should cross-correlate log data, threat intelligence feeds, geolocation coordinates, vulnerability scan data, and both internal and external user activity. When combined with rule-based alerts, an SIEM tool alone is sufficient for many organizations. Applications such as UBA can be added on top for more robust reporting.
Gartner’s latest “Market Guide for User and Entity Behavior Analytics” forecast significant disruption in the market. Noting that the technology is headed downward into Gartner’s “Trough of Disillusionment,” researchers explained that some pure-play UBA vendors “are now focusing their route to market strategy on embedding their core technology in other vendors’ more traditional security solutions.”
In my view, that’s where it belongs. User behavior analytics is a great technology for identifying insider threats, but that’s a use case, not a security platform. A robust SIEM tool gives you a great foundation for protection and options to grow as your needs demand.
QRadar Swat Team, IBM Security
Product Specialist on IBM Security Intelligence assisting clients and sellers address cyber security goals and a provide a proactive posture against APT's, M...