Enterprises are increasingly turning to user behavior analytics (UBA) for an array of security missions, as they confront ever-more sophisticated external threats and the possibility that even their most trusted insiders could be compromised or turn malicious, say leading analysts at IT research and advisory firm Gartner.

A central theme of the recent Gartner Security & Risk Management Summit was that UBA has now matured to a sufficient extent that it is being adopted by organizations experiencing limitations with their older security information and event management (SIEM) tools, which provide real-time analysis of security alerts generated by network hardware and applications.

Gartner defines UBA as threat detection and investigation technology that focuses on user activities and that incorporates some form of advanced analytics such as machine learning, data science and/or AI-like capabilities. (The firm’s own preferred acronym, UEBA, also includes an entity component, given the importance of detecting compromised device and system activity at the same time as user activity.)

Anton Chuvakin, Research Vice President and Distinguished Analyst at Gartner, said that while SIEM “is still very relevant for a lot of companies,” it lacks the ability to analyze certain kinds of non-IT data that is vital in mitigating today’s more advanced threats, such as those posed by inside personnel.

One example is identity and access management (IAM) data, but he also cites the utility of information from human resources files, travel records and employment histories. This additional analytical context is important, Chuvakin said, “because people want to have that deeper level of insight that’s completely non-achievable in a tool like SIEM.”

“SIEM is broad, but UBA is smart,” he added.

There are three primary reasons enterprises seek out UBA solutions, Chuvakin said:

1. Lack of ability to detect user account takeovers, phishing and other user-centric threats.
2. Lack of threat detection coverage for issues and environments not monitored by older systems.
3. The high cost, in analyst time and energy, of triaging and investigating alerts generated by SIEM systems.

In particular, he said, UBA solutions have several strengths compared to conventional analytics. First, they detect threats better (and detect better threats); second, they analytically decide what matters, boost those signals and “squash the noise”; and third, they solve some security problems with less expert labor.

Haystax Technology’s UBA solution meets those criteria. It is based on our model-driven Haystax Analytics Platform™, which is optimized for a number of different use cases where user trustworthiness is a primary concern. These include insider threats, account and system compromise and cyber-fraud, plus a variety of customer-specific applications where the adaptability of our Carbon ‘whole-person’ model has proven to be a key distinguishing capability. Another strength of Haystax is its ability to connect with a broad array of data sources (providing greater context to the analytics) and its ability to take in and analyze SIEM logs and other third-party detection data.

Although Chuvakin said that the SIEM-UBA war “is here” and that each camp is building tools designed to take on the other, he also noted that customers do not necessarily have to choose one solution exclusively. Rather, SIEM and UBA can be deployed jointly, provided companies decide in advance what tasks will be handled by each tool. “UBA’s focus on analytics — real-time and batch — is quite different,” he said. “SIEM is focused on rules, while UBA has more interesting detection algorithms.”

Current trends point to an increasing level of UBA sophistication in the future. According to Chuvakin, new features and functions will include the increased spread of deeper analytics functions to endpoint detection and response (EDR) systems and cloud access security broker (CASB) software, and eventually to data loss prevention (DLP). “We will have a little baby UBA in many products,” he said.

For all its advanced capabilities, however, Chuvakin cautioned that UBA “is not a replacement for a human brain or analyst.” UBA systems certainly take on more of the thinking from humans, he noted, “but they don’t think for you and won’t for a very long time.”

Haystax Technology’s Haystax for Insider Threat product is designed to take the burden off SOC analysts and decision-makers by packaging all the critical information in one place and prioritizing it, giving them a more effective way to quickly investigate changes in an individual’s trustworthiness and understand if that person represents an insider threat.