Today we will give a brief overview of the market for user and entity behavior analytics (UEBA) systems based on the latest Gartner study. The UEBA market sits at the bottom of the “Trough of Disillusionment” of the Gartner Hype Cycle for Threat-Facing Technologies, which indicates the maturity of this technology. The paradox of the situation is that overall investment in UEBA technologies keeps growing while the market for standalone UEBA solutions is disappearing. Gartner predicts that UEBA will become part of the functionality of adjacent information security solutions. The term “UEBA” is likely to fall out of use and be replaced by another acronym focused on a narrower scope (for example, “user behavior analytics”), on a similar scope (for example, “data usage”) or simply turn into some new buzzword (for example, the term “artificial intelligence” [AI] looks attractive, although it carries little real meaning when applied to today's UEBA vendors).
Key findings from the Gartner study can be summarized as follows:
- The maturity of the user and entity behavior analytics market is confirmed by the fact that these technologies are used by the medium and large enterprise segments to solve a number of business tasks;
- UEBA analytics functions are built into a wide range of adjacent information security technologies, such as cloud access security brokers (CASB), identity governance and administration (IGA) systems and SIEM systems;
- The hype around UEBA vendors and the misuse of the term “artificial intelligence” make it hard for customers to understand the real differences between vendors' technologies and the functionality of their solutions without running a pilot project;
- Buyers note that implementing and operating UEBA solutions day to day can take more effort and more time than the vendor promises, even when only the basic threat detection models are considered. Adding custom or edge-case use cases can be extremely difficult and requires expertise in data science and analytics.
Strategic forecast for market development:
- By 2021, the market for user and entity behavioral analytics systems (UEBA) will cease to exist as a separate area and will shift towards other solutions with UEBA functionality;
- By 2020, 95% of all UEBA deployments will be part of the functionality of a broader security platform.
Defining UEBA Solutions
UEBA solutions use built-in analytics to measure the activity of users and other entities (for example, hosts, applications, network traffic and data stores).
They detect threats and potential incidents, usually manifested as activity that deviates from the established profile and behavior of a user or entity, or of its peers in similar groups, over a certain period of time.
The most common use cases in the enterprise segment are threat detection and response, as well as detection of and response to insider threats (most often compromised insiders, sometimes malicious insiders).
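The definition above, that an event is anomalous relative to the entity's own history and relative to its peer group, can be shown with a small amount of code. The block below is an added example, not code from the article or from any vendor described in it: the usernames, departments, daily upload volumes, the three-sigma threshold and the MIN_SAMPLES cut-off are all constructed assumptions. It shows the reason peer groups matter: an account with too little history of its own can still be judged against its peers.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (day, user, department, MB uploaded to external sites).
# Ten days each for alice, bob (finance) and carol (engineering); dave (engineering)
# is a new account with a single day of history.
HISTORY = (
    [(d, "alice", "finance", v) for d, v in enumerate([4, 5, 6, 5, 4, 5, 6, 5, 4, 6], 1)]
    + [(d, "bob", "finance", v) for d, v in enumerate([10, 12, 11, 9, 10, 12, 11, 10, 9, 11], 1)]
    + [(d, "carol", "engineering", v) for d, v in enumerate([50, 60, 55, 45, 50, 65, 55, 50, 60, 55], 1)]
    + [(10, "dave", "engineering", 50)]
)

# Constructed events for day 11 that the profiles are asked to judge.
NEW_EVENTS = [
    (11, "alice", "finance", 40),      # far above her own and her peers' norm
    (11, "bob", "finance", 30),        # far above his own norm
    (11, "carol", "engineering", 68),  # high, but within engineering's normal spread
    (11, "dave", "engineering", 120),  # no personal baseline yet, but far outside the peer norm
]

MIN_SAMPLES = 5  # assumed cut-off: fewer observations than this is "no baseline yet"


def zscore(value, samples):
    """Standard score of value against samples; None if the baseline is too thin."""
    if len(samples) < MIN_SAMPLES:
        return None
    mu, sd = mean(samples), pstdev(samples)
    if sd == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def build_profiles(history):
    """Per-user and per-peer-group lists of observed daily values."""
    per_user, per_group = defaultdict(list), defaultdict(list)
    for _day, user, dept, value in history:
        per_user[user].append(value)
        per_group[dept].append(value)
    return per_user, per_group


def score_events(history, events, threshold=3.0):
    """Score each new event against the user's own profile and the peer group.

    An event is flagged when it lies more than `threshold` standard deviations
    from whichever baseline is available; the peer group covers users whose own
    history is still too short to judge.
    """
    per_user, per_group = build_profiles(history)
    results = []
    for _day, user, dept, value in events:
        user_z = zscore(value, per_user[user])
        peer_z = zscore(value, per_group[dept])
        available = [z for z in (user_z, peer_z) if z is not None]
        flagged = any(z >= threshold for z in available)
        results.append({"user": user, "value": value, "user_z": user_z,
                        "peer_z": peer_z, "flagged": flagged})
    return results


if __name__ == "__main__":
    for result in score_events(HISTORY, NEW_EVENTS):
        print(result)
```

The new events are deliberately kept out of the baselines so that the activity being judged does not influence the profile it is judged against; carol's 68 MB is not flagged because engineering's normal spread is wide, while dave's 120 MB is flagged purely on the peer comparison.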
UEBA exists both as a standalone solution and as a function built into a specific tool:
- Standalone: vendors of “pure” UEBA platforms, including vendors that also sell SIEM solutions separately. They focus on a wide range of business tasks in analyzing the behavior of both users and entities.
- Embedded: vendors or product groups that integrate UEBA functions and technologies into their own solutions. They usually focus on a more specific set of business tasks, and UEBA is used to analyze the behavior of users and/or entities.
Gartner examines UEBA along three axes: the tasks being solved, the analytics, and the data sources (see figure).
Clean UEBA Platforms vs. Embedded UEBA
Gartner considers “pure” UEBA platforms to be solutions that:
- solve several specific tasks, such as monitoring privileged users or detecting data exfiltration, rather than just the abstract “monitoring of abnormal user activity”;
- involve the use of sophisticated analytics which, where necessary, builds on basic analytical approaches;
- provide several options for data collection, including both built-in collection from data sources and ingestion from log management tools, data lakes and/or SIEM systems, without the need to deploy separate agents in the infrastructure;
- can be acquired and deployed as standalone solutions rather than as part of other products.
The table below compares the two approaches.
Table 1. “Clean” UEBA Solutions vs Embedded
Thus, for certain problems, embedded UEBA may use only basic UEBA analytics (for example, simple unsupervised machine learning), but thanks to its access to the right data it can be more effective overall than a “pure” UEBA solution. At the same time, “pure” UEBA platforms are expected to offer more sophisticated analytics as their main know-how compared with an embedded UEBA tool. These results are summarized in Table 2.
Table 2. The result of the differences between pure and embedded UEBA
UEBA as a function
UEBA is becoming a feature of end-to-end cybersecurity solutions that can benefit from additional analytics. UEBA underpins these solutions, providing a substantial layer of advanced analytics over user and/or entity behavior patterns.
Currently, embedded UEBA functionality on the market is implemented in the following solutions, grouped by technology area:
- Data-centric audit and protection (DCAP): vendors that focus on improving the security of structured and unstructured data stores. In this category Gartner notes, among others, the Varonis cybersecurity platform, which offers user behavior analysis to monitor changes in access rights to unstructured data, as well as access to and use of that data across various data stores.
- CASB systems, which protect against various threats in cloud SaaS applications by blocking access to cloud services from unwanted devices, users and application versions using adaptive access control. All market-leading CASB solutions include UEBA capabilities.
- DLP solutions, focused on detecting the exfiltration of critical data outside the organization or its misuse. DLP's strength is largely based on understanding content, with less emphasis on understanding context such as user, application, location, time, event rate and other external factors. To be effective, DLP products must recognize both content and context, which is why many vendors are starting to embed UEBA functionality in their solutions.
- Employee monitoring: the ability to record and replay employee actions, usually in a data format suitable for litigation (if necessary). Continuous monitoring of users often generates an exorbitant amount of data that requires manual filtering and analysis by a person, so UEBA is used inside monitoring systems to improve their performance and surface only high-risk incidents.
- Endpoint security: endpoint detection and response (EDR) and endpoint protection platforms (EPP) provide powerful tools and telemetry for the operating systems of endpoint devices. Such user-related telemetry can be analyzed to provide built-in UEBA functions.
- Online fraud: online fraud detection solutions detect abnormal activity that indicates compromise of a client's account through a stand-in, malware, or insecure connections / interception of browser traffic. Most fraud solutions use a combination of UEBA, transaction analysis and device fingerprinting, while more advanced systems complement these by matching relationships in an identity database.
- IAM and access control: Gartner notes an evolutionary trend among vendors of access control systems to integrate with pure-play UEBA vendors and to build some UEBA functions into their own products.
- IAM and identity governance and administration (IGA) systems use UEBA to cover behavioral and identity analytics scenarios, such as anomaly detection, dynamic grouping of similar entities, login analysis and access policy analysis.
- IAM and privileged access management (PAM): given their role in controlling the use of administrative accounts, PAM solutions have telemetry showing how, why, when and where administrative accounts were used. This data can be analyzed with embedded UEBA functionality for abnormal administrator behavior or malicious intent.
- Network traffic analysis (NTA) vendors use a combination of machine learning, advanced analytics and rule-based detection to identify suspicious activity in corporate networks. NTA tools continuously analyze raw traffic and/or flow records (e.g., NetFlow) to build models that reflect normal network behavior, focusing mainly on analyzing entity behavior.
- SIEM: many SIEM vendors now have advanced data analytics functionality built into the SIEM or available as a separate UEBA module. Throughout 2018 and still in 2019 there has been a continuous blurring of the boundary between SIEM and UEBA functionality, as discussed in the article “Technology Insight for the Modern SIEM”. SIEM systems have become better at working with analytics and offer more complex use cases.
UEBA Application Scenarios
UEBA solutions can solve a wide range of tasks. However, Gartner customers agree that the main use case is detecting various categories of threats, achieved by surfacing and analyzing correlated patterns in the behavior of users and other entities:
- unauthorized access to and movement of data;
- suspicious behavior of privileged users, malicious or unauthorized activity of employees;
- non-standard access to and use of cloud resources;
- and so on.
There are also a number of atypical, non-cybersecurity use cases, such as fraud or employee monitoring, for which UEBA may be warranted. However, they often require data sources unrelated to IT and information security, or specific analytical models with a deep understanding of the domain. The five main scenarios and applications that both UEBA vendors and their customers agree on are described below.
Malicious Insider
The UEBA solution providers covering this scenario monitor employees and trusted contractors only for non-standard, “bad” or malicious behavior. Vendors in this area do not monitor or analyze the behavior of service accounts or other non-human entities. Largely because of this, they are not focused on detecting advanced threats in which attackers hijack existing accounts. Instead, they aim to identify employees involved in malicious activity.
In essence, the concept of a “malicious insider” refers to trusted users who look for ways to harm their employer. Since malicious intent is hard to assess, the best vendors in this category analyze contextual behavioral data that is not readily available in audit logs.
Solution providers in this area also make good use of unstructured data, such as email content, productivity reports or social media information, to build context around behavior.
Compromised Insider and Advanced Persistent Threats
The task is to quickly detect and analyze “bad” behavior as soon as an attacker has gained access to the organization and begun moving within the IT infrastructure.
Advanced persistent threats (APTs), like unknown or not yet fully understood threats, are extremely difficult to detect and often hide behind the legitimate activity of users or business accounts. Such threats usually follow a well-developed operating model (see, for example, the article “Addressing the Cyber Kill Chain”) or their behavior has not yet been recognized as malicious. This makes them hard to detect with simple analytics (for example, pattern matching, thresholds or correlation rules).
However, many of these persistent threats produce behavior that differs from the norm, often associated with unsuspecting users or entities (so-called compromised insiders). UEBA methodologies offer several interesting opportunities to detect such threats, increase the signal-to-noise ratio, consolidate and reduce the volume of alerts, prioritize the remaining ones, and facilitate effective incident response and investigation.
UEBA vendors targeting this area often offer bi-directional integration with SIEM systems.
Data Exfiltration
The task here is to detect data being moved outside the organization.
Vendors focusing on this task usually enhance the capabilities of DLP or data access governance (DAG) systems with anomaly detection and advanced analytics, thereby increasing the signal-to-noise ratio, consolidating the volume of alerts and prioritizing the remaining ones. For additional context, vendors typically rely more on network traffic (such as web proxies) and endpoint data, as analyzing these data sources helps investigate data exfiltration.
Data exfiltration detection is used to catch both insiders and external attackers threatening the organization.
Authentication and privileged access control
Vendors of standalone UEBA solutions in this area observe and analyze user behavior against the backdrop of an already established set of access rights in order to identify excessive privileges or anomalous access. This applies to all types of users and accounts, including privileged and service accounts. Organizations also use UEBA to get rid of dormant accounts and of user privileges that exceed what is required.
Incident prioritization
The goal here is to prioritize the alerts generated by the solutions in the organization's technology stack in order to understand which incidents or potential incidents should be handled first. UEBA methodologies and tools are useful for identifying incidents that are particularly abnormal or particularly dangerous for a given organization. In this case the UEBA engine not only uses baseline activity levels and threat models, but also enriches the data with information about the company's organizational structure (for example, critical resources or employees' roles and access levels).
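The enrichment step described above can be made concrete with a small ranking routine. The block below is an added example, not code from the article or from any UEBA product: the role weights, resource criticality values, account names and anomaly scores are all constructed assumptions standing in for what a real deployment would pull from IAM and asset inventory. The point it makes is that a moderate anomaly by an administrator on a critical system outranks a strong anomaly by an ordinary user on a low-value one.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    entity: str     # user or service account that triggered the alert
    anomaly: float  # 0.0-1.0 anomaly score from the behavioral model
    resource: str   # asset the activity touched


# Constructed organizational context; sample names and weights only.
ROLE_WEIGHT = {"admin": 2.0, "finance": 1.5, "service": 1.2, "staff": 1.0}
ROLES = {"bob": "admin", "carol": "finance", "svc-backup": "service"}  # unknown -> "staff"
RESOURCE_CRITICALITY = {"domain-controller": 2.5, "hr-database": 2.0}  # unknown -> 0.5
DEFAULT_CRITICALITY = 0.5


def alert_risk(alert, roles=ROLES, criticality=RESOURCE_CRITICALITY):
    """Model anomaly score scaled by who acted and what they touched."""
    role = roles.get(alert.entity, "staff")
    return alert.anomaly * ROLE_WEIGHT[role] * criticality.get(alert.resource, DEFAULT_CRITICALITY)


def prioritize(alerts, roles=ROLES, criticality=RESOURCE_CRITICALITY):
    """Consolidate alerts per entity and rank them.

    Returns [(entity, total_risk, alert_count), ...] with the highest risk first,
    so an analyst sees one line per account rather than one line per alert.
    """
    totals, counts = defaultdict(float), defaultdict(int)
    for alert in alerts:
        totals[alert.entity] += alert_risk(alert, roles, criticality)
        counts[alert.entity] += 1
    ranked = [(entity, round(totals[entity], 3), counts[entity]) for entity in totals]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed alerts as a behavioral model might emit them.
SAMPLE_ALERTS = [
    Alert("alice", 0.95, "print-server"),        # strong anomaly, low-value asset
    Alert("bob", 0.50, "domain-controller"),     # moderate anomaly, admin on a critical asset
    Alert("carol", 0.60, "hr-database"),         # finance user on a critical data store
    Alert("carol", 0.40, "file-share"),          # second alert for the same user
    Alert("svc-backup", 0.70, "file-share"),     # service account, low-value asset
]

if __name__ == "__main__":
    for entity, risk, count in prioritize(SAMPLE_ALERTS):
        print(f"{entity:12} risk={risk:<6} alerts={count}")
```

Keeping the weights in plain dictionaries makes the design choice visible: the analytic model contributes only the anomaly score, and everything that makes an incident matter to this particular organization lives in context data that security staff, not the vendor, maintain.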
Problems implementing UEBA solutions
The pain point of the UEBA market lies in the high price, complex implementation, maintenance and use of these solutions. While companies are already struggling with the number of different internal portals, they get yet another console. The amount of time and resources invested in a new tool depends on the tasks at hand and the types of analytics needed to solve them, and most often a large investment is required.
Contrary to the claims of many vendors, UEBA is not a “set and forget” tool that can then run unattended indefinitely.
Gartner customers note, for example, that it takes 3 to 6 months to launch a UEBA initiative from scratch before the first results appear for the problems the solution was implemented to solve. For more complex tasks, such as identifying insider threats in an organization, the timeframe extends to 18 months.
Factors affecting the complexity of a UEBA implementation and the future effectiveness of the tool:
- Complexity of the organization's architecture, network topology and data management policies.
- Availability of the right data at the right level of detail.
- The sophistication of the vendor's analytics algorithms, for example the use of statistical models and machine learning versus simple patterns and rules.
- The amount of pre-configured analytics shipped out of the box, that is, the vendor's understanding of what data needs to be collected for each task and which variables and attributes matter most for the analysis.
- How easily the vendor can automatically integrate with the required data. For example:
  - If the UEBA solution uses the SIEM system as its main data source, does the SIEM collect information from the required data sources?
  - Is it possible to forward the necessary event logs and the organization's contextual data to the UEBA solution?
  - If the SIEM system does not yet collect and control the data sources required by the UEBA solution, how can they be delivered there?
- How important the use case is for the organization, how many data sources it requires, and how much the task overlaps with the vendor's area of expertise.
- What degree of organizational maturity and involvement is required, for example creating, developing and refining rules and models, assigning weights to variables for scoring, or adjusting the risk score threshold.
- How well the vendor's solution and architecture scale relative to the organization's current size and future requirements.
- The time needed to build baseline models, profiles and key groups. Vendors often need at least 30 days (and sometimes up to 90 days) of analysis before they can define what “normal” is. A one-time load of historical data can speed up model training. Some interesting cases can be identified faster with rules than with machine learning when there is very little raw data.
- The level of effort required to build dynamic grouping and profiling of accounts (service / human) can vary greatly between solutions.
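The last two factors in the list above, the 30-day warm-up before “normal” can be defined, the shortcut of bulk-loading historical data, and the observation that rules catch some cases before a model is ready, are easy to demonstrate with a toy profiling engine. The block below is an added example, not code from the article or from any vendor: the account names, the 45 days of routine activity, the business-hours window and the “critical resource outside business hours” rule are constructed assumptions. The profile-based checks are simple novelty tests (an hour of day or a resource never seen before for that account), which is deliberately different from the statistical baseline discussed earlier in the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MIN_BASELINE_DAYS = 30              # the article quotes 30 (sometimes up to 90) days
BUSINESS_HOURS = range(7, 20)       # 07:00-19:59, constructed policy value
CRITICAL_RESOURCES = {"payroll-db"}  # constructed


class EntityProfile:
    """What has been observed for one account: active days, hours of day, resources touched."""

    def __init__(self):
        self.days, self.hours, self.resources = set(), set(), set()

    def observe(self, ts, resource):
        self.days.add(ts.date())
        self.hours.add(ts.hour)
        self.resources.add(resource)

    def ready(self):
        return len(self.days) >= MIN_BASELINE_DAYS


class Engine:
    def __init__(self):
        self.profiles = defaultdict(EntityProfile)

    def load_history(self, events):
        """One-time bulk load of historical (user, timestamp, resource) events to shorten the warm-up."""
        for user, ts, resource in events:
            self.profiles[user].observe(ts, resource)

    def evaluate(self, user, ts, resource):
        """Findings for one event. Rules fire immediately; profile checks wait for a ready baseline."""
        profile = self.profiles[user]
        findings = []
        if resource in CRITICAL_RESOURCES and ts.hour not in BUSINESS_HOURS:
            findings.append("rule:critical-resource-off-hours")
        if not profile.ready():
            findings.append(f"model:warming-up({len(profile.days)}/{MIN_BASELINE_DAYS} days)")
        else:
            if ts.hour not in profile.hours:
                findings.append("model:unseen-hour")
            if resource not in profile.resources:
                findings.append("model:unseen-resource")
        # Learn from the event only when the model raised nothing, so that flagged
        # activity does not quietly become part of "normal".
        if not any(f.startswith("model:unseen") for f in findings):
            profile.observe(ts, resource)
        return findings


def constructed_history():
    """45 days of routine activity for 'erin' and 5 days for 'frank' (constructed sample)."""
    start = datetime(2024, 1, 1)
    events = []
    for day in range(45):
        d = start + timedelta(days=day)
        events += [("erin", d.replace(hour=9), "wiki"),
                   ("erin", d.replace(hour=10), "payroll-db"),
                   ("erin", d.replace(hour=14), "wiki")]
        if day < 5:
            events.append(("frank", d.replace(hour=10), "wiki"))
    return events


def demo():
    """Same events judged by a cold engine and by one primed with historical data."""
    probe = datetime(2024, 2, 20, 3, 0)  # 03:00, outside business hours
    cold = Engine()                        # nothing loaded: model cannot judge yet
    warm = Engine()
    warm.load_history(constructed_history())
    return {
        "cold_erin_offhours": cold.evaluate("erin", probe, "payroll-db"),
        "warm_erin_offhours": warm.evaluate("erin", probe, "payroll-db"),
        "warm_erin_routine": warm.evaluate("erin", probe.replace(hour=10), "payroll-db"),
        "warm_frank_routine": warm.evaluate("frank", probe.replace(hour=10), "wiki"),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

On the cold engine the off-hours access to the payroll database is still caught, but only by the rule; the warm engine reports the same event as an unseen hour for that account, while frank, with five days of history, remains in warm-up regardless of how much historical data exists for everyone else.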