Last updated at Wed, 18 Sep 2019 14:30:10 GMT

If you're investing beyond malware detection, you've probably come across User Behavior Analytics (aka UBA, UEBA, SUBA). Why are organizations deploying UBA, and are they finding value in it? In this primer, we'll cover what the industry analysts are seeing, and then a bit on how we're approaching the problem here at Rapid7.

What Are Organizations Looking For?

According to the 2016 Verizon DBIR, 63% of data breaches involved weak, default, or compromised credentials. Most companies have solid coverage for known malware and the network perimeter, but an attacker holding valid credentials looks like a legitimate user to both, so teams now need visibility into what normal user behavior looks like and when it deviates. Largely, the response has been to deploy SIEM technology to monitor for these threats. While SIEMs help with log aggregation and correlation, static correlation rules fire on patterns you already know to describe, and teams aren't consistently detecting the stealthy behavior real-world attackers are using to breach networks.
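To make the "normal versus anomalous" distinction concrete, here is an added example (not Rapid7 code, and not how InsightIDR implements its analytics) that builds a per-user baseline from a constructed week of authentication events, then flags a later successful login that deviates from that baseline, alongside the failed-login threshold rule a SIEM typically runs. The CSV log format, the field names, the one-week training window and the one-hour slack around usual login hours are all assumptions for illustration.

```python
"""UBA-style baseline/deviation detection over authentication events.

Added example; not Rapid7 or InsightIDR code. The log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: "timestamp,user,src_ip,country,host,result"
# Week 1 is ordinary activity; 2019-09-09 contains a 03:12 login for alice
# from an unfamiliar country to a domain controller, using valid credentials.
SAMPLE_LOG = """\
2019-09-02T08:55:12,alice,10.1.4.22,US,wks-alice,success
2019-09-02T09:01:40,alice,10.1.4.22,US,fileshare01,success
2019-09-03T08:47:03,alice,10.1.4.22,US,wks-alice,success
2019-09-04T09:10:55,alice,10.1.4.22,US,fileshare01,success
2019-09-05T08:59:21,alice,10.1.4.22,US,wks-alice,success
2019-09-02T07:30:00,bob,10.1.7.9,US,wks-bob,success
2019-09-03T07:32:10,bob,10.1.7.9,US,wks-bob,success
2019-09-04T07:29:48,bob,10.1.7.9,US,wks-bob,success
2019-09-05T07:35:02,bob,10.1.7.9,US,wks-bob,success
2019-09-09T03:12:44,alice,203.0.113.77,RO,dc01,success
2019-09-09T09:02:10,alice,10.1.4.22,US,wks-alice,success
2019-09-09T07:31:15,bob,10.1.7.9,US,wks-bob,success
2019-09-09T07:40:00,bob,10.1.7.9,US,wks-bob,failure
2019-09-09T07:40:03,bob,10.1.7.9,US,wks-bob,failure
"""


def parse_events(text):
    """Parse the assumed CSV format into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, country, host, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src_ip": src_ip, "country": country,
                       "host": host, "result": result})
    return events


def build_baselines(events):
    """Per-user 'normal': countries, hosts and hours seen in successful logins."""
    baselines = defaultdict(lambda: {"countries": set(), "hosts": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        b = baselines[e["user"]]
        b["countries"].add(e["country"])
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
    return dict(baselines)


def score_event(event, baselines):
    """Return the ways this event deviates from its user's baseline."""
    b = baselines.get(event["user"])
    if b is None:
        return ["no_baseline"]          # never-seen user: worth a look on its own
    reasons = []
    if event["country"] not in b["countries"]:
        reasons.append("new_country")
    if event["host"] not in b["hosts"]:
        reasons.append("new_host")
    lo, hi = min(b["hours"]) - 1, max(b["hours"]) + 1   # one hour of slack
    if not lo <= event["ts"].hour <= hi:
        reasons.append("off_hours")
    return reasons


def detect_anomalies(events, baselines, min_reasons=1):
    """Events whose deviation count reaches the threshold, with their reasons."""
    hits = []
    for e in events:
        reasons = score_event(e, baselines)
        if len(reasons) >= min_reasons:
            hits.append((e, reasons))
    return hits


def static_failed_login_rule(events, threshold=5, window_minutes=10):
    """A typical SIEM correlation rule: N failures for one user within a window."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] != "failure":
            continue
        window = recent[e["user"]]
        window.append(e["ts"])
        while (e["ts"] - window[0]).total_seconds() > window_minutes * 60:
            window.pop(0)               # expire failures older than the window
        if len(window) >= threshold:
            alerts.append((e["user"], e["ts"].isoformat()))
    return alerts


def run(log_text=SAMPLE_LOG, baseline_before=datetime(2019, 9, 8)):
    """Train on events before the cutoff, evaluate the rest with both approaches."""
    events = parse_events(log_text)
    training = [e for e in events if e["ts"] < baseline_before]
    evaluation = [e for e in events if e["ts"] >= baseline_before]
    baselines = build_baselines(training)
    return {"uba": [(e["user"], e["ts"].isoformat(), r)
                    for e, r in detect_anomalies(evaluation, baselines)],
            "static": static_failed_login_rule(evaluation)}


if __name__ == "__main__":
    for name, alerts in run().items():
        print(name, alerts)
```

On this data the threshold rule stays silent: the attacker never fails a login, and bob's two typos don't reach five. The baseline comparison flags exactly one event, alice's 03:12 login, for three independent reasons (new country, new host, off hours), which is the shape of alert a static rule cannot express without knowing in advance what each user's normal looks like.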

What Are the Analysts Saying About UBA?

Gartner: In their most recent Market Guide for User and Entity Behavior Analytics, they agree that UEBA vendors can improve threat detection across a variety of use cases. Selection isn't easy, though: the report lists 29 vendors, and perhaps the most striking prediction is that “by 2020, less than five stand-alone UEBA solutions will remain in the market, with other vendors focusing on specific use cases and outcomes.”

Forrester: In the July 2016 Forrester report, Vendor Landscape: Security User Behavior Analytics (SUBA), a key takeaway is to “require a SUBA demonstration with your own data.” One thing everyone agrees on is that user behavior analytics needs to be part of a larger analytics suite, aptly named Security Analytics, which extends beyond SIEM to include network analysis and visibility, endpoint visibility, behavioral analysis, and forensic investigative tools. For more on this shift, we hosted guest speaker Joseph Blankenship, a Forrester senior analyst, on the webcast “The Struggle of SIEM”.

451 Research: In addition to rallying behind the need to go beyond SIEM with Security Analytics, 451 expects a shakeout in the UBA space as early as 2017. That doesn't just mean life or death for startup vendors; it also means large SIEM vendors face the challenge of incorporating UBA into existing legacy platforms.

IDG: The suggested approach is a security operations and analytics platform architecture (SOAPA). While SIEM technology still sits at the core, SOAPA also includes endpoint detection and response, an incident response platform, network security analytics, UBA, vulnerability management, anti-malware sandboxes, and threat intelligence. That's certainly a mouthful, but the important takeaway is that UBA is only one of several technologies that should work together to detect threats across the entire attack chain.

Questions to Consider

  • If you're looking at User Behavior Analytics, you've likely already experienced pain with an existing SIEM. Will you have enough resources to maintain both the SIEM deployment and a separate UBA tool?
  • Can you put the technology to the test? Forrester's advice to demand a demo on your own data applies here: if you don't have an internal red team, a great time to POC a UBA vendor is during a penetration test, when you know real attacker behavior is present in your logs and can check whether the tool surfaces it.
  • For more, check out our evaluation brief: A Matchmakers Guide to UBA Solutions.

For added context on the go, we also just released a new Security Nation podcast episode all about UBA.

The Rapid7 Take

Our UBA technology first went GA in early 2014, and we're proud to be both a first mover and to have hundreds of customers using UBA to monitor their environments. However, we found that UBA technology alone still leaves gaps in detection coverage, forcing teams to jump between portals during every incident investigation. For that reason, InsightIDR, our solution for incident detection and response, combines SIEM, UBA, and Endpoint Detection capabilities, without the traditional burdens involved in deploying each of these technologies independently.

In addition to the UBA detecting stealthy behavior, InsightIDR also analyzes real-time endpoint data and uses Deception Technology (honeypots, honey users, and honey credentials) to reveal behavior that log analysis alone cannot see. Through a robust data search and visualization platform, security teams can bring together log search, user activity, and endpoint data for investigations without jumping between multiple tools. Of course, this is a bold claim. If you'd like to learn more, check out the 3-minute Solution Overview video or our webcast, User Behavior Analytics, as easy as ABC.