
SIEM, UBA, UEBA... If you're suffering netsec acronym overload, then here's our handy guide

Is there a difference and does it matter?

Something missing?

In 2015, Gartner decided that UBA had evolved into something new it called user and entity behavior analytics (UEBA), sneaking in an extra letter. Broadly, this adds devices, servers and applications to the mix, something some UBA products had already done so that user events could be correlated with the services and data those users accessed. Arguably, Gartner’s reorientation of UBA into UEBA was just stating the obvious – while it’s useful to monitor user behavior, it’s just as important to watch the resources they interact with in the same overview.

The intriguing issue is whether SIEM is being replaced by UBA/UEBA or complemented by it. The market argument favored by established vendors keen not to lose their shirts is that there is nothing worth arguing about: if an organization has a SIEM, it can build UEBA in parallel and feed its output into the SIEM for a higher-level view.

The alternative view is that UEBA isn’t just a user-oriented extension of traditional SIEM analytics but a totally new way of understanding network security. Traditionally, network security has been about designing policies, which are implemented through rules. If a rule is broken somewhere, that creates an alert. The problem with this model has always been that it is labor-intensive, inherently slow, and struggles to cope with attackers who will go to any lengths to find a way in. It also fails to take account of the threat from insiders, whether employees acting maliciously or misconfiguring a resource they have legitimate rights to – no rule is broken when someone misuses access they were granted.

The machines and us

For UEBA, what matters is whether an event, or its context, departs from the network’s "normal" state as defined at that moment. A lot is made of UEBA’s use of machine-learning software, but this is more symptom than cause. It just so happens that machines are good at spotting patterns, which makes noticing deviations from a defined state possible.
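To make the contrast between the two models concrete, here is an added example (written for this guide, not code from any SIEM or UEBA vendor) that runs a static rule and a per-user baseline over the same constructed login events. The user names, host names, timestamps and the 07:00–19:59 working-hours policy are all invented for illustration. The rule fires on anything outside the policy, including a harmless evening login, and says nothing about a user hammering a server they are entitled to use; the baseline flags the never-before-seen host and the volume spike, and stays quiet about the evening login because that host is normal for that user.

```python
"""Rule-based alerting vs. per-entity baseline deviation over the same events.

Constructed example: every event below is invented; nothing here is real telemetry.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# --- constructed sample data ------------------------------------------------
# Five quiet days used to learn "normal": alice touches two web hosts three
# times a day, bob touches the database host twice a day.
BASELINE = []
for day in range(1, 6):
    for hour, host in ((9, "web01"), (11, "web02"), (15, "web01")):
        BASELINE.append((datetime(2023, 3, day, hour), "alice", host))
    for hour in (9, 16):
        BASELINE.append((datetime(2023, 3, day, hour), "bob", "db01"))

# Day six, the window being watched:
#   - alice hits the database host at 03:02 (new host for her, off hours)
#   - alice logs in to her usual web host at 21:15 (off hours, otherwise normal)
#   - bob logs in to db01 ten times in under an hour (his host, but 5x his volume)
DETECT = [
    (datetime(2023, 3, 6, 3, 2), "alice", "db01"),
    (datetime(2023, 3, 6, 21, 15), "alice", "web01"),
] + [(datetime(2023, 3, 6, 9, minute), "bob", "db01") for minute in range(0, 50, 5)]

# --- model 1: a policy expressed as a static rule ---------------------------
WORK_HOURS = range(7, 20)  # hypothetical policy: logins expected 07:00-19:59


def rule_alerts(events):
    """Alert whenever an event violates the written policy, regardless of who."""
    return [
        (ts, user, host, "login outside 07:00-19:59")
        for ts, user, host in events
        if ts.hour not in WORK_HOURS
    ]


# --- model 2: per-user baseline and deviation from it -----------------------
class Baseline:
    """What 'normal' looks like for each user: hosts they touch, logins per day."""

    def __init__(self, events):
        self.hosts = defaultdict(set)
        per_day = defaultdict(lambda: defaultdict(int))
        for ts, user, host in events:
            self.hosts[user].add(host)
            per_day[user][ts.date()] += 1
        # (mean, population stdev) of daily login counts per user
        self.volume = {
            user: (float(mean(days.values())), pstdev(days.values()))
            for user, days in per_day.items()
        }

    def score(self, events):
        """Flag hosts never seen for this user and days far above their usual volume."""
        alerts = []
        per_day = defaultdict(lambda: defaultdict(int))
        for ts, user, host in events:
            if host not in self.hosts.get(user, set()):
                alerts.append((ts, user, host, "host never seen for this user"))
            per_day[user][ts.date()] += 1
        for user, days in per_day.items():
            mu, sigma = self.volume.get(user, (0.0, 0.0))
            # Floor sigma at 1 so a perfectly flat baseline does not alert on +1 login.
            threshold = mu + 3 * max(sigma, 1.0)
            for day, count in days.items():
                if count > threshold:
                    when = datetime.combine(day, datetime.min.time())
                    alerts.append((when, user, None,
                                   f"{count} logins vs baseline {mu:.1f}\u00b1{sigma:.1f}"))
        return alerts


def compare(events, baseline):
    """Which (user, host) pairs each model raises, to show where they disagree."""
    by_rule = {(u, h) for _, u, h, _ in rule_alerts(events)}
    by_base = {(u, h) for _, u, h, _ in baseline.score(events)}
    return {"rule_only": by_rule - by_base,
            "baseline_only": by_base - by_rule,
            "both": by_rule & by_base}


if __name__ == "__main__":
    model = Baseline(BASELINE)
    for label, alerts in (("RULE", rule_alerts(DETECT)), ("BASELINE", model.score(DETECT))):
        for ts, user, host, reason in alerts:
            print(f"{label:8} {ts:%Y-%m-%d %H:%M} {user:6} {host or '-':6} {reason}")
    print(compare(DETECT, model))
```

The volume threshold of three standard deviations (with a floor of one login) is a deliberately simple stand-in for the statistical or machine-learning models a real product would use; the point is only that the baseline is learned from the entity's own history rather than written down in advance, which is why it can notice bob's behaviour without anyone having anticipated it.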

If the model of using machine intelligence as a security tool proves itself, this could see UEBA supplant SIEM. That said, it’s also possible that the two could merge. Should this happen, the market would face a shake-out: vendors would be consolidated into a somewhat more mature product class and would then be competing directly against one another.

Ultimately, customers will have to ask themselves not what technology they believe in, but what kind of network and governance they want to invest in. Perimeter security is still the simplest way of doing this even as it collapses under the weight of its own contradictions.

To have any chance, what replaces it will have to do the job in real time, without sending defenders on a wild goose chase, and without wasting too much time debating the meaning of acronyms. The future may well belong to whatever technology makes the most of the past, while embracing the future. ®
