The verdict is in. User and Entity Behavior Analytics (UEBA) isn’t just another buzzword – it’s very real. Just like “cloud” was the sexier, next evolution of “hosting,” UEBA is the more advanced, more exciting evolution of a very familiar concept: statistics. In 2017, I think there are going to be two significant trends in the UEBA market and the use of the technology itself.
Advances in machine learning concepts (supervised, unsupervised, semi-supervised, reinforcement and deep learning) and big data technologies have actually made Artificial Intelligence (AI) a reality – at least in some way, shape or form. And it couldn’t come at a better time. A global shortage of human talent in the cybersecurity space has no doubt been a catalyst for the rapid advancement of UEBA technology, with organizations desperately needing something (anything!) to help them sift through the noise and focus on the events or activities most likely associated with credential or data compromise.
But is today’s UEBA technology really making a dent in this problem? Most would argue it’s not quite there yet, but it’s certainly promising. And therein lies the problem. UEBA is indeed a promising technology, but while it may be able to learn “things” about the data you throw at it today, it still doesn’t really understand the data itself. The true, standalone UEBA platforms out there have taken the same approach to the problem that Security Information and Event Management (SIEM) originally did. They’re trying to boil an ocean of data rather than tune the technology to understand the (very important) intricacies of the most critical data sets. So far, most organizations are finding it’s more noise, just like they did with their SIEM solutions.
The good news is that the users of technology are typically the ones driving the direction of it, even if it doesn’t always seem that way. Infatuation with a concept even as hot as UEBA will only last so long if the makers of the technology don’t ensure it lives up to its promise, and change is already in sight.
Prediction #1 – Market consolidation will continue but won’t yield better results
As previously mentioned, UEBA platform vendors have not only taken a similar approach to SIEM in trying to apply UEBA technology to a vast number of data sources simultaneously, but they actually rely on SIEM itself as the mechanism for getting the data. We’ve already seen Splunk acquire Caspida and HP align closely with Securonix. While IBM has chosen the opposite route by building its own UEBA capabilities into QRadar, IBM also opened up its X-Force Exchange to UEBA providers to easily plug into the IBM framework.
Given the reliance on SIEM among a large contingent of UEBA platform providers, and the competitiveness of the SIEM space itself, it only makes sense that we’ll see more acquisitions of UEBA providers by the bigger (and maybe even smaller) SIEM players.
On the surface, this makes perfect sense. However, buyers should be aware that good math doesn’t necessarily mean good results. What SIEM has suffered from over the years is not a problem of bad technology (it’s actually quite good), but bad data. Good math on bad data equals the same thing as bad math on bad data. Until SIEM solves its data-quality problem – which is largely outside any SIEM vendor’s control – the effectiveness of any UEBA technology on top of SIEM will be limited.
Prediction #2 – UEBA as a feature will prevail
The cybersecurity vendor landscape is incredibly rich with specialized solutions that do a far better job than their generic alternatives in terms of understanding, managing and securing specific technologies (e.g., Active Directory, file systems and critical applications). Many of these specialized solutions have access to data and other environmental context that event logs don’t, making it impossible for SIEM and its UEBA plug-ins to see or take advantage of data that doesn’t exist in their world – data that’s critical to their ability to produce quality output.
As the mindset among consumers has become more and more security-focused, so have the product road maps of these specialized solutions. The result is a new breed of specialized solution providers leveraging the same UEBA technologies and techniques as the big UEBA players, but with higher-quality data and deeper domain expertise.
No one has a crystal ball, but it’s not far-fetched at all to imagine a scenario where the broad, standalone UEBA platforms lose the battle to a much larger army of smaller providers that can do what they do better, albeit for much narrower data sets individually. SIEM still wins the war, though, as it is the most logical place to bring it all together.
Boiling the ocean
It’s cliché, I know, but this figure of speech exists for a reason. Trying to do it all rarely works, and there’s very solid, recent precedent (SIEM) to make the argument that UEBA layered on top of SIEM, as opposed to UEBA feeding into SIEM, is not going to work out as many hoped or planned.
I caution buyers to resist the temptation to think that UEBA is the ultimate solution to their problems, rather than a highly valuable tool in their arsenal that makes solving these problems much easier than before.
At the end of the day, UEBA represents exciting advancement and potential in the war against cyber threats, but it is also just one of many spokes in the wheel of a strong, layered security program.
Adam Laub is SVP Product Marketing at STEALTHbits. He is responsible for setting product strategy, defining future road map, driving strategic sales engagements, supporting demand-generation activities, enabling the sales organization and all aspects of product evangelism. Since joining STEALTHbits in 2005, Adam has held multiple positions within the organization including sales, marketing, and operational management roles. Follow him on Twitter and on LinkedIn.