
Market Guide for User and Entity Behavior Analytics

Published: 8 December 2016 ID: G00292503

Analyst(s): Toby Bussa, Avivah Litan, Tricia Phillips

Security and risk management leaders should leverage user and entity behavior analytics to improve their organization's threat detection capabilities across a variety of use cases.

Key Findings

■ User and entity behavior analytics (UEBA) capabilities are maturing in stand-alone UEBA products that support multiple use cases and in products incorporating behavior analysis as a feature, such as security information and event monitoring (SIEM) or data-centric audit and protection (DCAP).

■ Buyers are primarily focused on monitoring for external attackers that have breached an organization's defenses and have compromised users' accounts, and for insider threats that increase risk to an organization through unauthorized or illegal activities.

■ Stand-alone UEBA vendors still need to mature their offerings for enterprise use by implementing access controls, user interfaces for rule management, richer reporting and workflow.

Recommendations

Security and risk management leaders focused on security monitoring and operations should:

■ Choose UEBA vendors aligned to the threats you want to detect, such as malicious insiders and external hackers, and those with solutions that align with your use cases. Fill gaps in existing security tools (for example, security event monitoring).

■ Clearly define use cases and be prepared to confirm those use cases through extensive proofs of concept (POCs) before choosing a vendor.

■ Identify required data sources and know how that data can be provided to UEBA solutions, which is critical for successful implementation and use in production.

■ Favor UEBA vendors that profile multiple entities, including users and their peer groups and devices, and those who use machine learning to detect anomalies. These features enable more detection of malicious or abusive users who might otherwise go unnoticed.

■ Don't expect UEBA to replace the need for people with domain and organizational knowledge. Resources are still required to configure and tune the UEBA tools, and to validate potential incidents detected by the tools.

Strategic Planning Assumptions

By 2018, at least four UEBA technology companies will be acquired by SIEM, data loss prevention (DLP) or other large technology vendors supporting security operations use cases.

By 2018, prescriptive analytics will be deployed in at least 10% of UEBA products, up from zero today.

By 2020, at least 60% of major cloud access security broker (CASB) vendors and 25% of major SIEM and DLP vendors will incorporate advanced analytics and UEBA functionality into their products, either through acquisitions, partnerships or natively.

By 2020, fewer than five stand-alone UEBA solutions will remain in the market, with other vendors focusing on specific use cases and outcomes.

Market Definition

User and entity behavior analytics offers profiling and anomaly detection based on a range of analytics approaches, usually using a combination of basic analytics methods (e.g., rules that leverage signatures, pattern matching and simple statistics) and advanced analytics (e.g., supervised and unsupervised machine learning). Vendors use packaged analytics to evaluate the activity of users and other entities (hosts, applications, network traffic and data repositories) to discover potential incidents, commonly presented as activity that is anomalous to the standard profiles and behaviors of users and entities. Examples of these activities include unusual access to systems and data by trusted insiders or third parties, and breaches by external attackers evading preventative security controls.

UEBA vendors:

■ Profile, baseline and make visible the activity of users, peer groups and other entities.

■ Detect anomalies using a variety of analytics approaches — primarily statistical models, machine learning, rules and signatures, delivered as prepackaged analytics used to create and then compare user and entity activity against their profiles (see Note 1).

■ Correlate user and other entity activity and behaviors, and aggregate individual risky behaviors, to highlight anomalous activity.

Page 2 of 27 Gartner, Inc. | G00292503

■ Rely on information about users obtained from IT directories (e.g., Active Directory) as a primary data source to feed analytics as well as provide context on users.

■ Primarily address security-and-risk-management-oriented use cases, focusing on the activities of "trusted" users inside an organization, whether they are users demonstrating abusive, noncompliant or illegal activity, or internal users who have had their accounts and hosts compromised by external hackers.

■ Perform near-real-time monitoring and alerting.
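The profile, baseline, detect, correlate and aggregate cycle in the list above, as an added illustration written for this page (it is not code from Gartner or from any vendor named in the guide). The users, hosts and daily activity counts are constructed; the z-score threshold, the minimum standard deviation and the weight given to a first-seen host are assumed tuning values, not figures from the report.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: one record per user per day. Days 1-7 are the
# observation period used to build profiles; day 8 is the day being scored.
RECORDS = []

def _add(user, host, day, logins, mb_out, distinct_hosts):
    RECORDS.append({"user": user, "host": host, "day": day, "logins": logins,
                    "mb_out": mb_out, "distinct_hosts": distinct_hosts})

for _day in range(1, 8):
    _add("alice", "ws-01", _day, 3 + _day % 2, 40 + 5 * (_day % 3), 2)
    _add("bob", "ws-02", _day, 2 + _day % 2, 30 + 4 * (_day % 3), 1 + _day % 2)
    _add("carol", "ws-03", _day, 5, 80 + 10 * (_day % 2), 3)
# Day 8: alice and carol look like themselves; bob appears on a server he has
# never used, reaches many more hosts than usual and moves far more data out.
_add("alice", "ws-01", 8, 4, 45, 2)
_add("bob", "srv-db", 8, 9, 900, 14)
_add("carol", "ws-03", 8, 5, 85, 3)

FEATURES = ("logins", "mb_out", "distinct_hosts")

def build_profiles(records, baseline_days):
    """Profile each user: mean and standard deviation of every feature over the
    baseline days, plus the set of hosts the user was seen on."""
    by_user = defaultdict(list)
    for r in records:
        if r["day"] in baseline_days:
            by_user[r["user"]].append(r)
    profiles = {}
    for user, rows in by_user.items():
        stats = {}
        for f in FEATURES:
            vals = [r[f] for r in rows]
            stats[f] = (mean(vals), pstdev(vals))
        profiles[user] = {"stats": stats, "hosts": {r["host"] for r in rows}}
    return profiles

def score_record(record, profile, z_threshold=3.0, min_std=1.0):
    """Compare one day's activity with the user's own profile.
    Returns (risk points, reasons). Every feature more than z_threshold standard
    deviations above its mean contributes its z-score; a first-seen host adds a
    fixed amount (assumed weight). min_std keeps a perfectly flat baseline from
    turning a one-unit change into an enormous z-score."""
    points, reasons = 0.0, []
    for f in FEATURES:
        mu, sd = profile["stats"][f]
        z = (record[f] - mu) / max(sd, min_std)
        if z > z_threshold:
            points += z
            reasons.append(f"{f} z={z:.1f}")
    if record["host"] not in profile["hosts"]:
        points += 5.0
        reasons.append(f"new host {record['host']}")
    return points, reasons

def rank_entities(records, day, baseline_days):
    """Score every user active on `day` and roll the points up onto the hosts
    involved, so both the user and the machine surface as risky entities."""
    profiles = build_profiles(records, baseline_days)
    user_risk, host_risk, reasons = {}, defaultdict(float), {}
    for r in records:
        if r["day"] != day or r["user"] not in profiles:
            continue
        pts, why = score_record(r, profiles[r["user"]])
        user_risk[r["user"]] = pts
        reasons[r["user"]] = why
        host_risk[r["host"]] += pts
    ranked_users = sorted(user_risk.items(), key=lambda kv: kv[1], reverse=True)
    ranked_hosts = sorted(host_risk.items(), key=lambda kv: kv[1], reverse=True)
    return ranked_users, ranked_hosts, reasons

if __name__ == "__main__":
    users, hosts, why = rank_entities(RECORDS, day=8, baseline_days=range(1, 8))
    for user, pts in users:
        print(f"{user:6} risk={pts:7.1f}  {'; '.join(why[user]) or 'within baseline'}")
    print("hosts:", hosts)
```

Only bob accumulates points on day 8, and the server he used inherits them as an entity of its own; alice and carol, whose day looks like their baseline, score zero and never reach an analyst. Real products replace the per-feature z-score with richer statistical or learned models, but the shape (profile, compare, aggregate across entities) is the one the definition describes.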

User activities are evaluated beyond basic access activities (logon/logoff), and include user movements inside an organization, access to organizational assets and the context in which that access occurs.

Gartner views the UEBA market to be centered on (1) vendors that offer stand-alone solutions that (2) emphasize the use of advanced analytics (supported by basic analytic approaches as required) across multiple, distinct use cases (e.g., not just generically "monitoring for anomalous user activities"). The UEBA market is maturing around vendors that support multiple use cases in a stand-alone solution. There is also a growing number of vendors that have added user context, and user and entity behavior analysis features to their existing solutions focused on a specific capability, such as security event monitoring, data protection, identity and access management (IAM), cloud service usage, and employee activity monitoring (see Figure 1).


Figure 1. UEBA Product Versus Feature

Source: Gartner (December 2016)

For this update to the Market Guide, Gartner has segmented the representative vendors into stand-alone UEBA vendors and products with UEBA features. Based on the direction observed in the market from inquiries and briefings with clients and vendors, we anticipate only covering stand-alone UEBA vendors in next year's update. Additionally, data repositories holding structured and unstructured data (e.g., relational databases, file shares) as an "entity" have been added to recognize the increasing application of UEBA by vendors focused on data protection and governance use cases.

The UEBA market does not include vendors that:

■ Do not profile users and do not detect anomalies in user behavior

■ Only support security use cases through data mining, user-driven data exploration and visualization

■ Only support fraud detection use cases (see Note 2)


Market Direction

Market Growth

Gartner client interest in UEBA grew significantly over the past year, reflecting increasing awareness of the market, vendors and applicable use cases by buyers. Market consolidation was minimal over the last 12 months, with few mergers or acquisitions. Few vendors entered the UEBA market, but the number of vendors that added or claimed to already have UEBA functionality in their solutions increased. Gartner continues to see growth in the market as stand-alone UEBA vendors reported increased interest that resulted in revenue growth. Gartner expects revenue for stand-alone UEBA products to surpass $200 million by the end of 2017.

Gartner sees pressure on the stand-alone UEBA vendors to align to one or two specific security markets, like SIEM platforms, IAM tools, and security incident response platforms (SIRPs). Gartner estimates that, as these UEBA vendors focus on their strongest product features aligned to established markets, vendors with UEBA tools that address multiple use cases and buying centers will decrease from over a dozen currently to fewer than five in 2020. Those remaining vendors will compete where buyers have multiple use cases and want a single, best-of-breed analytics vendor that can support a variety of third-party solutions, such as SIEM tools, identity and access governance solutions, DLP tools, etc.

Buyer Use Cases Are Solidifying

UEBA solutions can be applied to a variety of use cases. In conversations with Gartner clients and UEBA vendors over the past year, visibility of user behavior remains the primary driver for investigating and purchasing UEBA tools. Having two different buying centers with different use cases is common (see Figure 2). Security operations are primarily interested in improving the internal visibility for threat-detection-oriented use cases (i.e., the external attacker who has breached perimeter defenses and compromised an internal host and a user's credentials, and is using those to move laterally through an organization). Buyers oriented toward risk management responsibilities are focused on monitoring users to detect prohibited or unauthorized activities by trusted insiders, such as employees, contractors and external third parties. In some situations, buyers are interested in both use cases (e.g., driven by a chief information security officer [CISO] with responsibilities for risk management and security operations), or have vague use cases around improving the security and risk team's visibility of the IT environment. The two buyers may use the same tool to perform their jobs, but monitoring of trusted insiders is generally performed by a team that is distinctly separate from security operations due to the data sources typically involved, which raises privacy and regulatory issues for organizations, especially those operating in jurisdictions under tight regulatory schemes (e.g., Europe).


Figure 2. UEBA Buyer and Primary Use Cases

Source: Gartner (December 2016)

Gartner continues to see secondary use cases such as monitoring for data access and movement, IAM, privileged access monitoring, employee activity monitoring, and cloud resource usage being asked for by buyers, but these use cases tend to be more highly focused concerns that an organization needs to address.

Stand-Alone UEBA Products Versus UEBA (and User Context) as a Feature

Buyers must decide whether they will invest in a stand-alone UEBA solution or point products (or wait to see if products they already own will add UEBA functionality). Examples of where UEBA is being applied to specific use cases are addressed below and in the Representative Vendors section.

SIEM Tools

SIEM tools are commonly deployed to instrument security operation functions focused on the monitoring, detection and response to security threats, primarily external attackers attempting to breach an organization (see "Magic Quadrant for Security Information and Event Management"). SIEM vendors have added UEBA capabilities to their tools through four approaches.

1. Acquisition of stand-alone solutions with tight integration (e.g., Splunk)

2. OEM agreements (e.g., Hewlett Packard Enterprise [HPE] and Securonix)


3. UEBA as native functionality (e.g., IBM QRadar UBA and LogRhythm AI Engine)

4. Loose integration with a UEBA vendor (e.g., Bay Dynamics, E8 Security, Exabeam, Gurucul, Interset, Niara and Securonix), commonly via an app marketplace or in-product capabilities¹

Network Traffic Analysis

The addition of network visibility in stand-alone UEBA products is occurring in the market, with examples like Niara implementing deep packet inspection to perform network behavior monitoring activity. Gartner expects UEBA customers will continue to push vendors that acquire data from system logs to also ingest network flow or packet data or other summarized network information, in order to give visibility into user and application activity not captured in logs. This will be especially important for vendors that do not have full visibility into a user's endpoint.

Agent-Based Employee Monitoring and Endpoint Detection and Response

Gartner sees agent-based vendors, which include employee monitoring tools (e.g., Dtex Systems, e-Safe Systems, ObserveIT and Veriato) and endpoint detection and response (EDR) products (e.g., Carbon Black), incorporating elements of behavior analysis. Some of these vendors, especially the employee monitoring vendors, report plans to ingest other data sources into their analytics, such as direct from a SIEM tool. This will give these vendors' products greater visibility into network and user activity. The technical integration of agent-based and agentless data collection methods will continue across stand-alone UEBA vendors, as users demand broader and deeper system, network and endpoint visibility. Organizations will demand that stand-alone UEBA vendors give them options as to which data collection mechanisms they can implement, especially for full endpoint visibility.

Data-Centric Audit and Protection

Vendors that focus on improving the visibility of structured and unstructured data repositories have also begun to add UEBA functionality to their products, which has been noted as another component of the "entity" in the definition of UEBA. For example, Varonis has its DatAlert product that provides user behavior analysis for monitoring of unstructured data access and use in various repositories. Other vendors, like Datiphy, are adding behavioral analytics to database activity monitoring via network monitoring and host agents. SecuPi applies user behavior analytics to structured data being accessed via applications, with the ability to apply DCAP-type protections to the data, such as masking, tokenization and encryption.

Cloud Access Security Brokers

Several CASB vendors claim varying degrees of UEBA capabilities (for example, Symantec [Elastica], Skyhigh, Netskope and Bitglass). Stand-alone UEBA vendors are adding capabilities to ingest data from CASBs too, such as Gurucul's Cloud Analytics Platform (CAP), Rapid7 InsightIDR and Exabeam. Gartner anticipates stand-alone UEBA platform vendors will expand their coverage to support CASB solutions as a data source.


Identity Access Governance and Privileged Access Management

Products that provide identity and privilege use analytics are also visible in the UEBA vendor space (see "2017 Planning Guide for Identity and Access Management"). Vendors such as Balabit and ObserveIT are using behavioral analytics on privileged account usage. Mobile System 7's Interlock product is focused on identity analytics. Gurucul has a dedicated module (Access Analytics Platform) leveraging its underlying analytics engine for identity analytics.

Analytics

The main goals for stand-alone UEBA vendors are to pinpoint threats and improve the signal-to-noise ratio across multiple monitoring systems or other information sources that feed into their platforms. These goals are only achievable and sustainable if advanced analytics are used, so that security teams can keep pace with the increasing volume and complexity of security events (see "Demystifying Security Analytics: Sources, Methods and Use Cases").

Advanced analytics and the type of machine learning used by vendors with UEBA functionality are key to their success and competitiveness. Many vendors, both stand-alone UEBA vendors and those with UEBA as a feature, rely on basic analytics to varying degrees. We expect those vendors relying heavily on basic analytical methods to add more advanced analytics over the next 24 months.

In the next few years, machine learning will start migrating into deep learning, where the models learn on their own from "training data," and select which attributes and variables to key their analytics off of. Deep learning will be incorporated by tools to improve UEBA capabilities and other sectors that rely on machine learning and advanced analytics (see "Advancing Business With Advanced Analytics" and "Machine Learning Drives Digital Business").

Over the next 36 months, we expect increasing adoption of machine learning and other advanced analytics approaches, but more importantly the adoption of deep learning by the vendors with already mature machine-learning-based capabilities. Gartner also expects buyers to become increasingly aware and educated on the different types of analytics and their nuances, and this will impact vendors that are not investing in more advanced analytics capabilities as buyers select vendors with advanced analytics over those with basic analytics.

Supported Data Sources Are Expanding to Provide Better Visibility

Stand-alone UEBA vendors continued to expand data sources in their products over the last year. Historically, UEBA vendors focused on user context data sources collected via various mechanisms such as direct ingestion of user directory logs (e.g., Active Directory), deep packet inspection of network traffic or getting user context logs from an upstream SIEM tool. However, UEBA vendors are incorporating many new data sources by adding native capabilities to directly collect and parse data straight from the sources generating events. The sources include many of the security controls commonly deployed in an IT environment, like secure web gateways. Increasingly, it also includes direct monitoring of network traffic, data collection via the use of agents on hosts (e.g., native vendor app or an EDR agent), ingesting events from a security-focused data warehouse or data lake, and other sources like HR master data, emails and instant messaging. Many of these approaches demonstrate how stand-alone UEBA vendors, especially those with multiuse case capabilities, are expanding their products' scope and removing their reliance on SIEM tools being their primary data sources.

Changes Since the Last Market Guide for UEBA Update

Balabit introduced its Contextual Security Intelligence (CSI) Suite in November 2015, which includes its UEBA tool. SpectorSoft rebranded itself as Veriato in February 2016. Preempt released its Behavioral Firewall product in June 2016. In November 2016, Mobile System 7 was acquired by CA Technologies, and Telstra acquired Cognevo from Wynyard Group.

Market Analysis

The dynamic external threat environment and increasing attention on the "trusted" insider are strong drivers of the UEBA market. Successful hackers have figured out how to beat prevention-based security controls, gaining access to corporate networks and being able to move laterally without being detected before they are able to complete their mission. Mandiant's M-Trends 2016 report indicates that the median time to detect a breach in 2015 was 146 days. UEBA tool buyers are looking for ways to reduce the dwell time of an attacker inside an organization.

Insider threats have received increased attention over the last 12 months. Gartner research into insider threats (see "Understanding Insider Threats" and "Best Practices for Managing Insider Security Threats, 2016 Update") indicates that organizations are not adequately considering the risk from their trusted users even though there are myriad examples where organizations have been impacted. On a positive note, Gartner fielded almost a 100% increase from clients looking to address the insider threat issue, of which UEBA is one of the primary technologies.

What Is UEBA Used For?

UEBA is primarily used for one or more of the following objectives:

■ Analyze: Apply analytics, both basic and advanced, across a variety of data sources in near real time and on a frequent basis (e.g., hourly, daily).

■ Detect: Provide rapid identification and alerting of attacks and other infractions, many of which would likely go undetected by traditional preventative security controls.

■ Prioritize: Prioritize the alerts that security operations and risk management teams need to act on, and/or improve alert management by correlating and consolidating alerts from existing systems.

■ Respond: Streamline alert and incident investigations by reducing the time and number of staff required to investigate those alerts, especially by providing contextual information from the various data sources to the responder or investigator (since the underlying data for the correlated alerts is typically readily available, and investigators can easily look across organizational assets and entities linked to suspect behavior).


Who Buys UEBA?

Stand-alone UEBA tools currently appeal mainly to very large global organizations. Even among this group, interest is not ubiquitous, as UEBA solutions are not inexpensive to acquire, implement, maintain and use. The tools' varying investments in time and resources depend on the use cases and types of analytics employed. Buyers typically have specific drivers for purchasing a tool, such as improving their external threat detection capabilities by augmenting their SIEM solutions, or needing technology to support the build-out and running of an insider threat detection program.

Gartner client interest in UEBA and related security analytics rose substantially in the past 12 months, ending in November 2016. Inquiries by end-user organizations on user behavior analytics rose over 300% compared to the same period in 2014 to 2015. The volume of inquiries into security analytics was half that for user and entity behavior analytics, reflecting the increasing user awareness of the UEBA term and market space. While North American organizations dominated client interest, clients from across the globe inquired about UEBA.

UEBA Technology

Stand-alone UEBA products have five main technology components — data sources and integration, data analytics, data presentation/visualization, source systems analyzed, and service delivery method. A typical UEBA tool implementation is shown in Figure 3.


Figure 3. Stand-Alone UEBA Implementations

Source: Gartner (December 2016)

Data Source and Integration

UEBA solutions should be able to understand any type of structured data and, optimally, also nonstructured information needed for its analysis (for example, RedOwl, which can use instant messages, emails and HR data). As already noted, a UEBA product that only ingests logs may miss important activity, especially if it does not have full visibility into the endpoint device used by the user. As such, the ingestion of network data is advantageous, as are agent-based or agentless systems that collect user endpoint activity.

It is inherently more difficult to automate ingestion of unstructured contextual information than it is to automate the ingestion of structured or semistructured (such as unpredictable log) data; hence, the inclusion of unstructured contextual information will elongate project timelines considerably. However, unstructured contextual information (such as performance appraisals, travel logs and social media activity) can be extremely useful in helping discover and score risky user behavior. Gartner has also seen the ingestion of results from systems that help organizations secure application code (for example, with code reviews) into UEBA tools. The correlation of this data with IT developer behavior and activity has been successfully used to facilitate secure product development (see Note 3 for samples of structured and unstructured data sources).


Data Analytics

Advanced Analytics: Rules Versus Machine Learning Versus Deep Learning

Stand-alone UEBA tools attempt to improve threat detection by improving the quality of the analysis, rather than relying on increasing the volume and variety of log and data sources. The quality of the predefined analytics is more critical to success than the variety of data sources fed to the UEBA tools.

The effectiveness of an analytics engine depends on:

■ Knowing which data and variables need to be analyzed

■ Making sure it's reading the "right" data sources that will give it the full picture

■ Knowing how much weight to give to key variables

Therefore, users should be highly selective about the entities and data they incorporate into analytics, in order to reduce unnecessary noise that the detection engine must filter out. Once the entities and variables are selected, which is done in the vendors' models, the more information extracted the better, in order to help pinpoint "bad behaviors" and increase detection rates. The analysis of other entities (such as endpoints and networks), and correlating that analysis with user behavior, informs the analytics engine so that malicious activities can be more easily detected.

As noted in the Market Definition section, UEBA brings machine learning and statistical analysis to security monitoring, generating risk scores for evaluated events and entities. These scores indicate the likelihood of data breach, compromise or other abusive behavior, and are in stark contrast to binary "yes" or "no" outputs generated by rules.

Rules are based on what a human knows about the data. When rules are not tuned properly, they generate too much noise and too many alerts that are not properly prioritized. This is a common scenario among many large Gartner clients that use rule-based security monitoring systems that end up generating hundreds of thousands of alerts or more per day.² Most importantly, humans cannot predict what future attacks will look like. And even if they could, keeping a SIEM tool's rules updated to be able to detect as an attacker or insider changes their tactics and techniques is very resource-intensive. Statistical analysis and machine learning can find anomalies in data that humans wouldn't otherwise be able to model and keep up-to-date in existing tools.

Still, in most cases and with most analytics systems, humans must tell the models which data to evaluate and how to weight the different variables. Future models based on deep learning will help to reduce human involvement in machine learning processes. Gartner expects to see the emergence of deep learning applied by stand-alone UEBA vendors in the next 12 months.

For the time being, machine learning for UEBA requires model tuning based on human feedback and confirmation of "bad" behavior identified by the machine learning models. Machine learning models are good at establishing baselines and detecting anomalies to those baselines, but they are not capable of knowing if those anomalies represent good or bad behavior unless humans tell them so. Similarly, machine learning models are incapable of knowing if the baselines they have established represent good or bad behavior.

Humans must also supplement machine learning models with rules that only the business knows about. Humans still know things machines don't (for example, a specific threat indicator affecting their organization). Therefore, tools applying UEBA need to give their customers the ability to add their own rules that fire in coordination with the tools' built-in rules and models. Customers should be able to keep these rules private and only accessible to designated users, as they may contain highly confidential and sensitive information.
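An added example, written for this page rather than taken from Gartner or any vendor, of the two points made in the preceding paragraphs: graded risk scores versus the binary output of rules, and customer-authored rules firing in coordination with the tool's built-in rules and model. The logon hours, file shares, project team membership and events are constructed; the score weights, the after-hours cutoff and the `visibility` flag on the customer rule are assumptions made for the illustration.

```python
import math

# Constructed baseline (not from the report): the hours at which each user was
# seen logging on during a prior observation period, and how often each file
# share was touched organization-wide in that period.
BASELINE_LOGON_HOURS = {
    "alice": [8, 9, 9, 11, 14, 17, 18],
    "bob": [6, 6, 7, 9, 12, 15],      # early shift
    "carol": [9, 10, 12, 16, 17],
    "dave": [9, 9, 11, 13, 17],
    "erin": [5, 5, 7, 10, 13, 14],    # night shift
}
BASELINE_SHARE_COUNTS = {"shared": 180, "hr": 15, "proj-falcon": 5}
FALCON_TEAM = {"carol", "frank"}  # assumed membership list that only the business knows

# Constructed events for the day being scored.
EVENTS = [
    {"id": 1, "user": "alice", "hour": 9, "share": "shared"},
    {"id": 2, "user": "alice", "hour": 21, "share": "shared"},
    {"id": 3, "user": "bob", "hour": 6, "share": "shared"},
    {"id": 4, "user": "bob", "hour": 7, "share": "shared"},
    {"id": 5, "user": "bob", "hour": 13, "share": "proj-falcon"},
    {"id": 6, "user": "carol", "hour": 10, "share": "proj-falcon"},
    {"id": 7, "user": "dave", "hour": 23, "share": "proj-falcon"},
    {"id": 8, "user": "dave", "hour": 10, "share": "shared"},
    {"id": 9, "user": "erin", "hour": 5, "share": "shared"},
    {"id": 10, "user": "erin", "hour": 8, "share": "hr"},
]

# Vendor-supplied rule: a fixed business-hours window, blind to shift patterns.
BUILTIN_RULES = [
    {"name": "after_hours_logon", "weight": 10, "visibility": "all",
     "test": lambda e: e["hour"] < 7 or e["hour"] > 19},
]
# Customer-authored rule: encodes knowledge the vendor cannot have and is
# flagged restricted so only designated users can see its definition.
CUSTOMER_RULES = [
    {"name": "falcon_share_outside_team", "weight": 40, "visibility": "restricted",
     "test": lambda e: e["share"] == "proj-falcon" and e["user"] not in FALCON_TEAM},
]

def learn_profiles(logon_hours, share_counts):
    """Per-user usual logon window and a 0..1 rarity score per share."""
    windows = {u: (min(h), max(h)) for u, h in logon_hours.items()}
    top = max(share_counts.values())
    rarity = {s: 1 - math.log1p(c) / math.log1p(top) for s, c in share_counts.items()}
    return windows, rarity

def model_score(event, windows, rarity):
    """Graded score: how far outside the user's own usual window the logon
    falls (0..50) plus how unusual the share is organization-wide (0..30)."""
    lo, hi = windows[event["user"]]
    outside = max(lo - event["hour"], event["hour"] - hi, 0)
    return 50 * min(outside / 12.0, 1.0) + 30 * rarity.get(event["share"], 1.0)

def rule_only_alerts(events):
    """What a purely rule-based system emits: one binary alert per matching event."""
    return [e for e in events if any(r["test"](e) for r in BUILTIN_RULES + CUSTOMER_RULES)]

def evaluate(events):
    """Combine the graded model score with the weights of any rules that fire
    and return the events ranked by risk, highest first."""
    windows, rarity = learn_profiles(BASELINE_LOGON_HOURS, BASELINE_SHARE_COUNTS)
    scored = []
    for e in events:
        fired = [r for r in BUILTIN_RULES + CUSTOMER_RULES if r["test"](e)]
        score = model_score(e, windows, rarity) + sum(r["weight"] for r in fired)
        scored.append({**e, "score": round(score, 1), "rules": [r["name"] for r in fired]})
    return sorted(scored, key=lambda s: s["score"], reverse=True)

if __name__ == "__main__":
    print(f"rule-only alerts: {len(rule_only_alerts(EVENTS))} of {len(EVENTS)} events")
    for s in evaluate(EVENTS):
        print(f"#{s['id']:2} {s['user']:6} {s['hour']:02}:00 {s['share']:12} "
              f"score={s['score']:5.1f} rules={s['rules']}")
```

The after-hours rule alone fires on half the events, two of them for shift workers whose own profile says the hour is normal; those land at the bottom of the ranked list with a score of 10, while the one event that is after hours for that user, on a rarely touched share, and outside the project team rises to the top because the model score and both rules reinforce each other. The customer rule contributes to the ranking like any built-in rule while its definition stays marked restricted.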

User Access to the Analytics

Vendors applying advanced analytics typically approach their development and refinement in the same way — select a model, train, validate and refine the model, and package the analytics for consumption in their solutions. However, differences exist in how users of the tools can interact with the analytics. Gartner defines this approach as:

■ Closed — The vendor's analytics cannot be viewed or modified by users. Buyers must accept the use cases and models provided by the vendors, and are tied to their strategic direction and release schedule for new models and updates to existing models.

■ Open — These products expose elements of the models to a user. Tools that use basic analytics tend to be open since the detection is primarily based on rules, signatures and pattern matching, which need humans to construct the rules to make the tools usable. UEBA tools that use more advanced analytics, like machine learning, may allow users to change the variables in models. This approach is not common in the marketplace, but increasingly Gartner sees vendors considering a move from closed or partially exposed models to exposing almost full access to the underlying analytics and engine.

Cautions About Profiling and Anomaly Detection

User and entity profiling, and machine learning, are still not sufficiently proven when it comes to detecting suspicious behavior among privileged users, developers and knowledgeable insiders. In these cases, organizations still have to rely partly on their own rules instead of solely on statistical analysis and machine learning. These rules can work well with vendor models, but users must take responsibility for writing and including them.

UEBA users should note that:

■ The behavior of privileged users, IT developers and others can be highly irregular depending on their job functions, making baselining user behavior through profiling and anomaly detection much more problematic.

■ A given user or peer group can be bad from the start of profiling, so that ongoing bad behavior will not be noted as anomalous to the baseline. This caution applies for both privileged and nonprivileged users.


■ Reprofiling and re-establishing of baselines may be necessary. Determining the frequency of those activities, and whether they are built into the product or have to be planned for, is important.
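The three cautions above, made concrete in an added example written for this page (not code from Gartner or any vendor): a user whose bad behavior predates profiling, a peer group that is contaminated by that user, and an administrator whose legitimate activity is so irregular that a large spike stays inside the noise. The peer groups and daily file-read counts are constructed; the z-score threshold and the `window` parameter that stands in for a reprofiling interval are assumed settings.

```python
from statistics import mean, pstdev

# Constructed daily counts of files read per user (not from the report).
# Days 1-10 are observed history; day 11 is the day being scored.
PEER_GROUPS = {
    "finance-analyst": ["alice", "bob", "carol", "dina", "mallory"],
    "domain-admin": ["root1", "root2"],
}
DAILY_FILES = {
    "alice":   [38, 41, 40, 39, 44, 37, 42, 40, 39, 43, 41],
    "bob":     [35, 36, 40, 38, 37, 39, 41, 36, 38, 40, 39],
    "carol":   [45, 42, 44, 47, 43, 46, 44, 45, 42, 46, 44],
    "dina":    [30, 33, 31, 34, 32, 35, 30, 33, 31, 34, 190],       # spikes on day 11
    "mallory": [400, 410, 395, 420, 405, 398, 415, 402, 408, 411, 420],  # bad since day 1
    "root1":   [5, 300, 20, 450, 80, 12, 390, 60, 210, 9, 600],      # irregular admin
    "root2":   [25, 480, 15, 60, 350, 10, 500, 40, 120, 275, 30],    # irregular admin
}

def zscore(value, history, min_std=1.0):
    """Standard deviations above the mean of `history`; min_std avoids a
    division by zero on a perfectly flat baseline."""
    return (value - mean(history)) / max(pstdev(history), min_std)

def history(user, day, window):
    """The user's counts for the `window` days before `day` (1-based). A
    shorter window is the simplest form of periodic reprofiling."""
    return DAILY_FILES[user][max(0, day - 1 - window):day - 1]

def evaluate(user, day, window=10, threshold=3.0):
    """Score `user` on `day` against (a) their own history and (b) the pooled
    history of their peers over the same window. Behavior that was already
    present when profiling started can only show up under (b), and only if
    the peers themselves are clean."""
    value = DAILY_FILES[user][day - 1]
    group = next(g for g, members in PEER_GROUPS.items() if user in members)
    peers = [p for p in PEER_GROUPS[group] if p != user]
    pooled = [v for p in peers for v in history(p, day, window)]
    self_z = zscore(value, history(user, day, window))
    peer_z = zscore(value, pooled)
    return {"user": user, "group": group, "value": value,
            "self_z": round(self_z, 1), "peer_z": round(peer_z, 1),
            "self_anomaly": self_z > threshold, "peer_anomaly": peer_z > threshold}

if __name__ == "__main__":
    for u in DAILY_FILES:
        r = evaluate(u, day=11)
        print(f"{u:8} {r['group']:16} value={r['value']:4} self_z={r['self_z']:6.1f} "
              f"peer_z={r['peer_z']:6.1f} self={r['self_anomaly']} peer={r['peer_anomaly']}")
```

Run on day 11: mallory's 420 is unremarkable against her own history because every day of that history was already abnormal, and only the peer comparison flags her. dina's jump to 190 is obvious against her own baseline, yet the peer comparison misses it because mallory's counts have inflated the pooled mean and variance of the whole group; a contaminated peer group hides other members' anomalies as well as its own. root1's 600 is the largest single value in the data, but with a history that swings between 5 and 450 the z-score stays below the threshold against both his own past and his fellow administrator's. None of the three outcomes is fixed by more data alone; they are the reasons the text gives for human-written rules, peer-group design and deliberate reprofiling.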

Data Presentation and Visualization

This technology component represents the ability of the vendor to display analytics and results in a manner useful to the organization's security operations team, risk managers, IT and business users, so that patterns and trends in infractions are readily apparent and can be acted upon. This includes providing functionality for link analysis, time series and trend analysis, cyber kill chain mapping, and queries and reports across users and other entities.

Source Systems and Applications Incorporated

This technology can be deployed on-premises or in the cloud. It is related to data integration capabilities, but the emphasis in this component is the vendor's in-depth knowledge of the source systems. As noted in the Market Direction section, stand-alone UEBA vendors may support a variety of use cases, but generally they focus on a few domains, such as threat detection or data loss, while other vendors focus on a single domain, and apply UEBA to improving their monitoring and detection capabilities within that context.

Service Delivery Methods

Stand-alone UEBA tools are generally deployed on-premises or offered as a cloud-based service (with some requiring both). Oftentimes, stand-alone UEBA vendors require organizations to install appliances or deploy software for the core components of the solution, in addition to appliances (virtual or physical) for monitoring network traffic and endpoint agents.

SIEM, SIRP and Service Desk Tools

Many organizations are experiencing "portal fatigue" within their security operations and monitoring teams, and prefer to have alerts from UEBA tools sent to a central security monitoring or employee monitoring platform, rather than interact with yet another portal offering a workflow and investigation UI. Organizations with SIEM tools can ingest alerts from their stand-alone UEBA tools, and even use those alerts within correlation rules to enhance the UEBA-generated alert. Some Gartner clients have mentioned utilizing tools like SIRPs (see "Innovation Tech Insight for Security Operations, Analytics and Reporting") to provide workflow capabilities for UEBA-tool-generated alerts. Smaller organizations with limited security tools may, however, use their UEBA tool as a primary security capability and will make good use of the provided user interface. Likewise, extremely large enterprises with dedicated security operations for the specific use cases supported by stand-alone UEBA vendors may utilize the provided interface, as it allows a focus on prioritized alerts without the distraction of the alerts within a broader security solution.

Automated response (such as shutting down a suspect user's access as a result of highly suspicious activity) is not yet integrated in most stand-alone UEBA vendors' feature sets. However, some vendors leveraging behavior analysis offer active response capabilities, like encrypting or tokenizing data.
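The hand-off described above, as an added example that is not from the guide or from any vendor listed in it: a UEBA alert is serialised to CEF (ArcSight's Common Event Format, which most SIEM tools accept over syslog), parsed back on the SIEM side, and then combined with a DLP alert by a correlation rule of the kind the paragraph mentions, so that the UEBA alert is enhanced rather than merely displayed in another portal. The product name "ExampleUEBA", the risk score and every event in the stream are constructed; the extension keys rt, suser, cn1, cn1Label and msg are standard CEF keys, and the escaping follows the CEF rules (backslash and pipe in the header, backslash and equals sign in extension values).

```python
import re
from datetime import datetime, timedelta, timezone


def to_cef(vendor, product, version, class_id, name, severity, ext):
    """Serialise one alert as a CEF:0 line. Header fields escape '|' and '\\';
    extension values escape '=' and '\\' (the CEF escaping rules)."""
    def hdr(v):
        return str(v).replace("\\", "\\\\").replace("|", "\\|")

    def val(v):
        return str(v).replace("\\", "\\\\").replace("=", "\\=")

    header = "|".join(hdr(v) for v in (vendor, product, version, class_id, name, severity))
    return "CEF:0|" + header + "|" + " ".join(f"{k}={val(v)}" for k, v in ext.items())


def parse_cef(line):
    """SIEM-side inverse of to_cef: returns (header_fields, extension_dict)."""
    if not line.startswith("CEF:0|"):
        raise ValueError("not a CEF:0 line")
    body, fields, cur, i = line[6:], [], [], 0
    while len(fields) < 6:                  # six escaped header fields
        ch = body[i]
        if ch == "\\":                      # escaped '|' or '\\'
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    ext_str, ext = body[i:], {}
    # A key is a run of word characters followed by '=' at the start or after
    # whitespace; an escaped '\=' inside a value never matches.
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext_str))
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext_str[m.end():nxt.start() if nxt else len(ext_str)]
        ext[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return fields, ext


def correlate(events, window=timedelta(hours=1)):
    """SIEM correlation rule: a UEBA alert and a DLP alert for the same user
    within `window` of each other become one high-severity incident."""
    incidents = []
    ueba = [e for e in events if e["product"] == "UEBA"]
    dlp = [e for e in events if e["product"] == "DLP"]
    for u in sorted(ueba, key=lambda e: e["ts"]):
        hits = sorted((d for d in dlp if d["suser"] == u["suser"]
                       and abs(d["ts"] - u["ts"]) <= window), key=lambda e: e["ts"])
        if hits:
            incidents.append({"suser": u["suser"], "severity": 9,
                              "sources": [u["name"]] + [d["name"] for d in hits]})
    return incidents


def demo():
    """UEBA alert -> CEF line (syslog payload) -> SIEM parse -> correlation."""
    t0 = datetime(2016, 12, 8, 3, 12, tzinfo=timezone.utc)
    line = to_cef("ExampleUEBA", "UEBA", "1.0", "100", "Anomalous host access", 6, {
        "rt": int(t0.timestamp() * 1000), "suser": "alice",
        "cn1": 87, "cn1Label": "riskScore",
        "msg": "6 hosts/day vs baseline 1.5; hour 03 never seen; src=XX"})
    fields, ext = parse_cef(line)           # what the SIEM receiver does
    siem_events = [
        {"product": fields[1], "name": fields[4], "suser": ext["suser"],
         "ts": datetime.fromtimestamp(int(ext["rt"]) / 1000, timezone.utc)},
        # Constructed events already held by the SIEM from other sources.
        {"product": "DLP", "name": "Bulk upload to personal cloud", "suser": "alice",
         "ts": t0 + timedelta(minutes=25)},
        {"product": "DLP", "name": "USB copy", "suser": "bob", "ts": t0 + timedelta(minutes=5)},
        {"product": "UEBA", "name": "Off-hours login", "suser": "carol", "ts": t0},
        {"product": "DLP", "name": "Bulk upload to personal cloud", "suser": "carol",
         "ts": t0 + timedelta(hours=5)},
    ]
    return line, correlate(siem_events)
```

`demo()` returns the CEF line and a single incident for alice, whose UEBA alert is followed 25 minutes later by a DLP alert; carol's DLP event is five hours after her UEBA alert and stays outside the window, and bob has a DLP alert with no UEBA context. The point is that the SIEM, not the UEBA portal, is where the alert gains the cross-source context that raises or lowers its priority.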

Page 14 of 27 Gartner, Inc. | G00292503

Vendor Differentiation

Time to Implement

The ease and time of a UEBA implementation, and its future effectiveness, largely depend on:

■ The sophistication of the vendor's analytics (that is, whether it incorporates statistical models and machine learning as opposed to just patterns and rules).

■ How much of the analytics comes prepackaged (that is, the vendor knows which data to collect for the various use cases, and which variables and attributes are important to the analytics).

■ How easy it is for the vendor to automatically integrate the required data and whether the customer can easily access that information. For example, if a UEBA solution uses a SIEM tool as its primary data source, is the SIEM tool already collecting the data sources needed by the UEBA solution, and can the applicable log events be forwarded to the UEBA solution?

■ How focused the organization's use case is, how many datasets the use case requires and how well the organization's use case aligns with the vendor's domain expertise.

■ How much organizational involvement is required (for example, to write rules, clean up data such as dormant accounts and account privileges, and assign weights to variables selected for evaluation, such as document classification).

■ How scalable the vendor's solution and architecture is relative to the organization's current and future requirements.

■ Time to build baselines and profiles, and to identify peer groups. Vendors often need 30 days of data (at a minimum; sometimes up to 90 days) for their analytics before they can establish a "norm."

Domain Expertise and Use Cases

Not all stand-alone UEBA vendors approach the security market in the same way. Gartner has seen six primary domains and use cases that the vendors and their users align with, and some vendors align with multiple domains:

■ Account compromise by external hackers: Most organizations have invested security controls primarily at the network perimeter and on endpoints. External attackers are easily able to bypass preventative perimeter security controls without detection. Most organizations are also poorly instrumented within their internal IT environments, whether on-premises or in cloud environments. Thus, the use case here is to rapidly detect and analyze bad activities once an attacker has infiltrated an organization and is moving laterally around the internal IT infrastructure; improve signal-to-noise ratio; consolidate and reduce alert volume; prioritize alerts that remain; and facilitate efficient response and investigation. UEBA vendors that target this use case typically have tight two-way integrations with organizational SIEM tools.


■ Insider threats: UEBA vendors targeting this use case monitor staff and trusted external parties only for unusual, bad or abusive behavior. Vendors in this domain do not monitor or analyze service accounts or other nonhuman entities in order to inform their analysis. Largely because of this, they are not oriented toward detecting advanced threats where hackers take over existing user accounts, but are oriented instead toward finding insiders engaged in malicious activities.

Essentially, insider threats emanate from trusted users with malicious intent who seek to impose damage on their employer. Since malicious intent is difficult to assess, best-in-class vendors in this category analyze contextual behavioral information not readily available in log files. Vendors in this domain also optimally ingest and analyze unstructured information, such as email content, performance reviews or social media information, for employee behavior context.

■ Data exfiltration: The use case in this domain is to detect the exfiltration of organizational data. Vendors focused on this use case typically enhance existing DLP systems with anomaly detection and advanced analytics, thereby improving the signal-to-noise ratio, consolidating DLP alert volume and prioritizing the alerts that remain. For additional context, they tend to integrate with, and rely more on, network traffic (for example, web proxy) and endpoint data, as the analysis of these data sources can help shed light on data exfiltration activities. Data exfiltration detection is used to catch both insiders and external hackers threatening an organization.

■ Employee monitoring: This use case is focused on deep monitoring of employee activity, typically done directly on an endpoint using an agent, providing telemetry to a central management tool where user activities and behaviors are profiled, tracked and alerted. Agent-based products have an advantage due to their visibility at the endpoint, but they predominantly employ basic analytics, like pattern matching and rules (for very specific detection use cases), along with basic integration into user directories primarily for additional user context. Some agents record all screen and other user activity on a host, and enable review and replay of sessions, raising privacy concerns in some regions.

■ Identity access management: Stand-alone UEBA vendors in this domain monitor and analyze user behavior against already-established access rights. This holds true for all types of users and accounts, including privileged users and service accounts. Organizations have also used UEBA to help clean up dormant accounts and user privileges that are set higher than they need to be.

■ Cloud security: Some vendors, especially in the CASB space, use UEBA functionality to ensure security and visibility into enterprise use of SaaS applications, as well as IaaS and PaaS.

Enterprise Readiness and Product Maturity

To be enterprise-ready, stand-alone UEBA vendors should provide these features, which are missing from many of the UEBA products in the market (note that these are additional to the core features noted in the UEBA Market Definition section, such as predefined analytics):

■ Access controls in the UEBA system so that administrators can properly grant and partition access across UEBA users. In addition, UEBA system users themselves should be audited and tracked by the system.


■ Reporting and query systems so that events can be viewed from various angles and across multiple entities, and so that users can pivot queries off of entities of special interest.

■ An easy-to-use rule engine so that users can write their own rules to work with vendor analytics, or incorporate their own analytics models, if they are so inclined.

■ Ability for users to manage alerts within the tool. Without these capabilities, at a minimum, the ability to export alerts, signals and other outputs to other tools for investigating and managing potential incidents is necessary.

■ Ability to scale architecturally as data volumes increase.

UEBA vendors still have not committed to investing in features necessary to make it a truly stand-alone product, such as workflow and reporting. Several vendors have made investments in improving data acquisition capabilities, such as connectors to other data sources, log and event parsing, and even adding log retention capabilities. The lack of investment in core platform capabilities adds to a buyer's confusion on where to make investments, especially those focused on security operations that may already have a SIEM tool and are experiencing an increasingly crowded threat detection market with new vendors offering tools with security analytics, incident response (orchestration and automation), and breach detection.

Representative Vendors

The vendors listed in this Market Guide are not an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Stand-Alone UEBA Platforms

Balabit's Blindspotter product applies machine learning to the challenge of identifying compromised, negligent and malicious insiders, with a special focus on analysis of privileged users (through integration with its Shell Control Box product), which includes dynamic analysis of keystroke and mouse movements. It has a flexible data integration architecture supporting log management tools (like its syslog-ng solution), SIEM and privileged access management (PAM) tools, LDAP sources, and custom data input. This data is utilized in the dynamic behavioral analytics that flags and prioritizes high-risk activity and can block the highest-risk actions if desired.

Domains: Insider threats, employee monitoring, identity and access management

Bay Dynamics' Risk Fabric focuses on risk-management-oriented use cases, insider threats being the most comparable to other UEBA solutions. It also supports other security operations and risk management use cases like security metrics automation and risk-prioritized vulnerability management. The solution profiles and analyzes users, endpoints, applications and other entities independently, and provides both executive and operational level views of risk across an organization. It presents users with a shortlist of their top risky users, endpoints, applications and IP addresses.


Domains: Insider threats, external threats, data exfiltration, identity and access management

E8 Security profiles the behavior of users and devices using automated machine learning algorithms to detect anomalies and discover advanced attacks in the enterprise. The solution integrates user, endpoint and network behaviors for on-premises and cloud applications into its Behavioral Intelligence Platform, providing visibility into multiple stages of attacker activity inside the enterprise perimeter. E8 Security's solution is built on top of big data technologies, such as Hadoop, Spark and HBase.

Domains: External threats, data exfiltration, insider threats

Exabeam focuses on the malicious insider threat and insiders compromised by external attacker use cases (complemented by its Threat Hunter product that enables proactive searching of session data for threats). The system profiles users, peer groups and other entities, and adds points to a user's risk score based on anomalies it detects with its statistical models, machine learning and rules. It builds timelines of sessions and attack sequences. The product is built on a big data platform leveraging Hadoop and other big data components like Spark, but does not require a separate or stand-alone Hadoop instance to operate. The vendor has integrated its solution with major SIEM tools, along with other security systems, such as VPN, DLP, EDR, firewalls and CASB products.

Domains: External threats, insider threats, data exfiltration

Fortscale provides user and other entity profiling and machine learning incorporating multiple data sources using unsupervised machine learning algorithms. The product ingests many different types of data, and includes detection and investigation capabilities in the application. It has a "smart alert score" that identifies clusters of user behavior across many users, events and time frames. This information can be streamed back into any third-party solution within the operational environment (e.g., via RESTful APIs and syslog). Canned analytics are designed to detect rogue insiders and hackers with compromised credentials. Fortscale is scalable and deployed on a customer's premises using a Cloudera Enterprise Hadoop environment.

Domains: External threats, data exfiltration, insider threats

Haystax Technology's Constellation Analytics Platform focuses primarily on insider threat use cases, providing real-time evaluation of user trustworthiness. Data sources that Constellation's analytics engine can consume include structured and unstructured data sources, ranging from SIEM tools, network security devices, physical access data, HR and public records, social media sources, and RSS feeds. Bayesian models are employed with a baseline of over 700 key risk indicators. Models are adaptable and can be extended to address specific customer requirements.

Domains: Insider threats, employee monitoring

Gurucul Risk Analytics (GRA) is a multiuse case UEBA solution that consists of several components focusing on access and identity (Access Analytics Platform), cloud services (e.g., Amazon Web Services [AWS], Azure, Office 365 and Box) monitoring (Cloud Analytics Platform), and threat detection (Threat Analytics Platform). Gurucul says it innovated dynamic peer group analytics based on users' activities and access patterns. The solution supports on-premises, cloud-based and hybrid implementations. Gurucul provides a Hadoop-based big data back end or can run on a customer's preferred implementation (e.g., Cloudera, Hortonworks). GRA has an open analytics architecture where customers can define their own rules and machine learning models (without the need to code them) on top of Gurucul's packaged analytics via its Studio application.

Domains: Identity and access management, external threats, insider threats, cloud security, data exfiltration

Interset provides a multiuse-case-oriented solution, focusing on insider and external threats. The solution can acquire data from multiple sources, including SIEM tools, authentication sources (e.g., Active Directory, IAM tools), network-related data sources (e.g., VPN, secure web gateways), data repositories and cloud services. Additionally, customers can deploy Interset's optional endpoint sensor. The Interset Analytics Engine applies data correlation and machine learning across multiple data sources to profile users and entities. The analytics engine does not require rules or thresholds to surface high-risk users and activity, which is achieved by correlating multiple suspect events. It can be deployed on-premises or as a cloud-based service.

Domains: Insider threats, data exfiltration, external threats, cloud security

Microsoft's Advanced Threat Analytics (ATA) focuses on the detection of advanced persistent threats and insider threats using a combination of behavioral analytics, machine learning and peer group analysis methods to profile users and detect anomalous activity. ATA uses deep network packet inspection of Active Directory and DNS traffic, and can also use data from SIEM tools and servers. Analytics are entirely automated and ATA does not use rules or require tuning by the user. The platform is composed of the ATA Center and a mix of one or more ATA Gateways (which monitor network traffic via TAP or span port), and an optional lightweight Gateway installed on domain controllers or DNS servers, all of which are deployed on the customer's premises.

Domains: External threats, insider threats, identity and access management

Niara offers behavioral profiling and anomaly detection using supervised and unsupervised machine learning models. Its models incorporate a variety of data sources including network packets and flows, as well as log data received from security infrastructure platforms, such as SIEM tools, web application firewalls (WAFs) and network traffic analysis (NTA) solutions. Niara supports on-premises and cloud deployment, and can sit atop a customer's Hadoop environment. Niara claims low-volume, high-fidelity alerts with a forensics user interface to enable investigation and dynamic feedback to the models.

Domains: Insider threats, data exfiltration, external threats

Preempt's Behavioral Firewall product was released in June 2016 with a focus on external and insider threats, and adds a response capability to automate action when specific risky events are detected. User activity data comes primarily from deploying a network appliance in front of domain controllers that performs inspection of Active Directory traffic. Other data sources, such as SIEM tools and cloud-based single sign-on (SSO) services, are also supported. Peer group analysis, and both supervised and unsupervised machine learning approaches, are employed to build user profiles and monitor for risky behaviors. Response policies include generating alerts, step-up authentication of a user, and isolating hosts via blocking Active Directory traffic (if the appliance is deployed in-line) or integration with network access control (NAC) tools. The platform is deployed on a customer's premises.

Domains: External threats, insider threats

Rapid7's InsightIDR product (previously UserInsight) is a cloud-based solution that can ingest, analyze and visualize logs from a variety of sources (SIEM tools, network devices, hosts and SaaS, like Office 365, Box and others) based on technology acquired with Logentries. Rapid7 now offers an EDR-like agent and deception technology that can be deployed on a customer's premises to collect and send data directly into the solution for analysis. InsightIDR profiles users, peer groups and other entities, and detects anomalous activity, using a combination of correlation rules, machine learning and threat information collected from other sources, like its incident response services.

Domains: External threats, insider threats, cloud security, identity and access management

RedOwl has a multiuse case solution that evolved out of a focus on insider threat and regulatory compliance use cases. The product can ingest data from a variety of structured sources (Active Directory, endpoint and network), unstructured sources (email content and metadata, instant messaging content and metadata, and voice) and business data (human resources data, social media and transaction-level data sources). RedOwl uses a combination of statistical pattern matching, machine learning and content analytics to profile user behavior, identify anomalous user activity, and provide precursor indicators of malicious or disgruntled employees. The tool is delivered via software or as a virtual appliance, which can be installed on AWS or on-premises.

Domains: Insider threats, external threats, employee monitoring, data exfiltration

Securonix supports behavioral analytics for multiple use cases. Securonix can ingest and parse data from multiple sources, like SIEM tools, IAM tools (including Active Directory), network devices, hosts and cloud services. Securonix now provides its own open security data management layer via the introduction of its SNYPR platform, built on Hadoop, which provides buyers a scalable data repository that can be used by Securonix's analytics or other applications as desired. SNYPR provides Securonix customers with capabilities like long-term data retention, data enrichment, and data search and visualizations. The vendor states it has dozens of analytics packages for various use cases, as well as a library of threat indicators that is frequently updated through the Securonix content portal.

Domains: External threats, insider threats, data exfiltration, cloud security, identity and access management

Splunk UBA profiles users, peer groups, endpoints, networks, data sources and other entities, and detects anomalies and threats (made up of multiple related anomalies) using a multipass, unsupervised machine learning approach and by correlating entity behavior. Splunk's UBA app has tight integration with Splunk Enterprise for data acquisition, and the Splunk Enterprise Security (ES) app when signature and pattern matching-based rules are required, as well as for workflow and response. Splunk UBA is deployed as a stand-alone solution running on a Hadoop platform. Content-packs are a recent addition to provide customers access to new models more frequently without requiring an application upgrade.

Domains: External threats, insider threats, data exfiltration

Products With UEBA as a Feature

Bottomline Technologies' User Behavior Monitoring solution parses network data of multiple protocols, and reconstructs user sessions providing visual replay for investigations of internal and external threats, data leakage, and anomalous events. It uses a rule-based analytics engine and statistical profiling of users and their peer groups. It correlates alerts and generates predictive risk scores for compliance (anti-money-laundering, privacy regulations, PCI), security and fraud use cases. The solution leverages network sniffing sensors to capture data that is fed into its Analytic Engine.

CA Technologies' Threat Analytics for PAM is based upon the recent acquisition of Mobile System 7's Interlock product. The CA solution provides continuous monitoring of privileged user activities, detection of high-risk and malicious behaviors, and automated response to mitigate detected risks and protect privileged accounts and access (e.g., activating session recording and forcing session reauthentication). The product collects event and activity information from various sources, analyzes this data in near real time using statistical and machine learning algorithms to detect anomalies, and assesses the risk of individual users, peer groups, devices and other entities. The product generates context-rich events and alerts that can be sent to SIEM and incident response tools.

Domains: Identity and access management, insider threats

Datiphy Enterprise focuses on monitoring structured and unstructured data in databases (both on-premises and in cloud services) using a combination of agents deployed on hosts, in the cloud or at the network layer. The solution is deployed on the customer's premises as the management server along with the agents. Datiphy Enterprise has preconfigured threat intelligence rules, as well as risk metrics included out of the box. Pattern matching and machine learning are used to profile users and entities, and to detect specific threats against databases.

Domains: Data exfiltration, external threats

Dtex Systems is focused on insider threats, and provides human analytics and a behavioral risk engine built on top of an endpoint agent. The agent can be pushed to endpoints by software distribution or logon scripts. Dtex says its agent is lightweight in terms of the amount of data it collects and the impact to the endpoint, and Dtex anonymizes the identities it profiles. The vendor claims 5,000 known behavior patterns out of the box and self-tunes through the use of machine learning. Dtex can integrate with DLP and SIEM solutions for additional user visibility.

Domains: Insider threats, employee monitoring, data exfiltration, external threats

e-Safe Systems' e-Safe Compliance solution focuses on monitoring users for compliance and insider threat use cases. Its agent-based solution is built on prediction first and detection second, with an emphasis on understanding the psychology and behavioral patterns of the malicious insider. Analytics are primarily based on signatures, patterns and rules, which need to be configured and tuned by the customer. Data protection via a rights management capability is integrated directly into the product and can be used to take action according to specific events.

Domains: Insider threats, data exfiltration, employee monitoring

Forcepoint's SureView Insider Threat (SVIT) product supports insider threat, employee monitoring and compliance-focused use cases as part of its larger security offering. Rule-based policies with customizable weightings combine with behavioral baselines to create user risk scores. Risk scores are used to identify potentially risky user behaviors and enable investigation of users demonstrating activities that indicate negligence, malicious activity, or compromised credentials or machines. Its solution focuses particularly on employee monitoring with features such as video replay of an employee's screen to better understand the context around suspicious activities. In addition to its own native analytics capability, SVIT also integrates with other analytics engines.

Domains: Insider threats, employee monitoring

IBM's QRadar User Behavior Analytics is an app available in the QRadar Security Intelligence Platform. QRadar is an integrated SIEM solution that can capture a variety of log and other data, such as security devices, hosts, network activity (including full content capture) and user data, and can perform real-time analysis for detecting threat-oriented activities. In July 2016, IBM introduced the QRadar UBA module, which is fully integrated into QRadar, leveraging the solution's existing analytics to focus on user activity, assigning risk scores and correlating multiple anomalous events into an incident.

Domains: External threats, insider threats

Leidos (formerly Lockheed Martin) Wisdom Insider Threat Identification (ITI) integrates structured and unstructured contextual information, such as performance reviews or employee information access, as well as logs, network, and endpoint and authentication data. The product is deployed alongside Interset, and includes rule-based and analytics capabilities to increase speed of detection of new threats. Leidos offers a consultative implementation process including foundational organizational training, in addition to technology integration.

Domains: Insider threats

LightCyber is an NTA vendor that profiles users and all network-connected Internet Protocol (IP)-based devices using network, endpoint and log data (e.g., VPN devices and NetFlow). The product uses machine learning to detect anomalous activities related to these entities, like external attackers inside an organization or risky actions by employees. The product enables user context and correlation of user behavior with other entities, such as hosts and network activity. LightCyber gathers its information from a network-based appliance. The product can also deploy a lightweight endpoint ("dissolving") agent on suspect devices upon detection of suspicious activity in the network, which then proceeds to interrogate the host to automatically gather data for both detection and investigative purposes.

Domains: External threats, data exfiltration, insider threats


LogRhythm's Security Intelligence Platform is a SIEM tool that includes its AI Engine, which provides analytics across all the log and data sources collected by the platform, whether via its proprietary network and host agent solutions, or other sources. The AI Engine detects suspicious user, network and host behavior via anomaly detection capabilities that include correlation, statistical analysis and a variety of behavioral profiling methods. AI Engine generates alarms using risk-based scores. Dashboards provide real-time visibility into anomalous and highest-risk users and endpoints to facilitate targeted hunting activities.

Domains: External threats, insider threats, identity and access management

ObserveIT uses lightweight, user-mode agents that can be deployed across a variety of PCs and servers (Linux, Unix, Windows, Mac) to monitor endpoint and user activity, and includes full session recording. The solution supports employee monitoring (including privileged users) and education, audit and compliance, insider threat identification and elimination, and vendor risk management. ObserveIT profiles user activity and behavior through its prepackaged library of close to 200 rules using metadata from the host agent, which is indexed and easily searchable, to detect anomalies and eliminate insider threats.

Domains: Insider threats, identity and access management

SecuPi incorporates UEBA features for sensitive data usage, analysis and protection. The solution employs an innovative approach that relies on sensitive data access in high-risk applications as a key factor in its UEBA model, along with other user activities. SecuPi uses an agent installed on the application server to collect data for its models, discover sensitive data and perform real-time data protection using encryption, masking or tokenization of data being accessed by a user.

Domains: Data exfiltration, external threats, insider threats

Varonis' DatAlert product analyzes user behavior focusing on unstructured data access, which it gathers to baseline how users behave. Activity is correlated with other key metadata indicators, such as user's role and the contents of data being accessed. The product uses rules, statistical analysis and unsupervised machine learning to detect anomalous activities. Varonis identifies three basic functions required to reduce insider threats: detection of abnormal activity, protection and prevention through management of access rights and ongoing monitoring to enable efficient access management, and identification of risky behavior and mitigation of emerging threats.

Domains: Insider threats, data exfiltration

Veriato's (formerly SpectorSoft) Recon solution is focused on threat detection use cases using behavioral analytics and psycholinguistic risk indicators. With an emphasis on proactive identification of at-risk employees, it provides alerts and enables review of up to 90 days of high-risk activities, including screen recordings to determine context for flagged activity. The solution uses an agent-based approach for monitoring and recording capabilities. It can send data to a SIEM for alerting and workflow, and is integrated with the Veriato 360 user activity monitoring solution for investigations.

Domains: Insider threats, employee monitoring, data exfiltration


Market Recommendations

■ Evaluate UEBA vendors with domain expertise that aligns with your primary use case (for example, improving security operations via anomaly detection, prioritization and enabling more efficient response and investigations; monitoring use of privileges established in IAM systems; and pinpointing data exfiltration and leakage).

■ When implementing a UEBA tool, start "small," with a narrow, well-defined use case and a limited set of data, but select a vendor with a tool that can support future use cases and the necessary data sources.

■ Operationalize UEBA tools by integrating them with a SIEM, SIRP or service desk tool that provides ticketing and workflow capabilities.

■ Incorporate network and endpoint data to gain additional visibility into user and application activity beyond what is present in log files.

■ Do not discount the need to investigate individuals who have low risk scores in UEBA tools. Baselines can be built on existing bad user behaviors, and users may know how to operate with enough stealth to avoid being flagged as "risky."

■ Write your own rules and policies for monitoring developer and privileged user behavior that work in conjunction with UEBA models, since UEBA anomaly detection is less reliable for these unpredictable users.

■ Consider the inclusion of nonstructured behavioral information, such as email, HR data and records, or social media activity, to provide fuller context for user behavior analysis. But be prepared for longer project timetables and the inability to fully automate their inclusion.

■ Operationalize UEBA results by sending alerts to security orchestration, service desk tools and investigation systems, which over time may be native functionality in the UEBA system.

■ Favor UEBA vendors that profile multiple entities, including users and their peer groups, and devices, and that use machine learning to detect anomalies. These features enable more accurate detection of malicious or abusive users.

■ Look for UEBA products that give your organization integrated visibility into on-premises, cloud-based and bring your own device (BYOD) platforms and endpoints.

■ Augment UEBA tools with other layered security solutions, such as network, endpoint, data and application protection, as well as deception platforms, because UEBA is not a be-all and end-all security system.

■ Promote cultural change and executive-level interest in security and risk at your organization by using UEBA dashboards to present security and risk postures and indicators in a meaningful way to senior risk and security managers. This type of information presentation can be and has been used to promote secure IT product development.


Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"The Fast-Evolving State of Security Analytics, 2016"

"Best Practices and Success Stories for User Behavior Analytics"

"Market Guide for Employee-Monitoring Products and Services"

"Market Guide for Endpoint Detection and Response Solutions"

"Market Guide for Data-Centric Audit and Protection"

"Market Guide for Privileged Access Management"

"Magic Quadrant for Security Information and Event Management"

Evidence

1 HPE Arcsight Marketplace, IBM Security App Exchange, Intel Security Alliance Partnership

2 Some large Gartner clients receive from 500,000 to one million alerts a day across multiple security monitoring systems, such as SIEM and DLP.

Note 1 UEBA Market Definition: Machine Learning, Statistical Models and Rules

UEBA vendors must profile users and look for anomalous user behavior relative to their profiles using machine learning, statistical models and/or rules. UEBA vendors that are considered advanced use machine learning and statistical models to detect anomalous behavior. UEBA vendors that only use rules are still, however, included in this market as long as they profile user behavior.

Optimally, vendors should use all types of tools that aid in anomaly detection. Also, they should combine a rule engine with machine learning and statistical models built into the platform, so that users can write their own policies and rules based on information they know that the machine learning models have not yet (or cannot) learn on their own. For example, this could include a policy that restricts all communications with a certain geographical area based on political considerations that originate from state doctrines unknown to machine models.
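As an added illustration of this note (and of the earlier recommendation that low risk scores can rest on baselines built from already-bad behavior), the following Python sketch profiles each user's data transfer volume against their own history and against their department peers, then layers a geographic policy rule that no model could learn from history. It is not Gartner's or any vendor's code; the users, departments, transfer volumes and the restricted region code "XX" are constructed sample data.

```python
from statistics import mean, pstdev

# Constructed sample history, not data from the report: (user, dept, bytes_out, country).
HISTORY = [("alice", "finance", b, "US") for b in (900, 1100, 1000, 1200, 950, 1050)]
HISTORY += [("bob", "finance", b, "US") for b in (1000, 1150, 900, 1050, 1100, 980)]
# carol's history is already abnormal, so a purely self-referential baseline
# would rate her large transfers as "normal" (the low-risk-score caveat).
HISTORY += [("carol", "finance", b, "US") for b in (40000, 42000, 39000, 41000, 43000, 40500)]

# Rule engine input: a policy the models cannot infer from history.
# "XX" is a constructed placeholder for a restricted region code.
RESTRICTED_COUNTRIES = {"XX"}


def profile(values):
    """Behaviour baseline as (mean, stddev); stddev floored at 1 to avoid division by zero."""
    return mean(values), (pstdev(values) or 1.0)


def zscore(value, baseline):
    mu, sigma = baseline
    return (value - mu) / sigma


def score_event(event, history, threshold=3.0):
    """Combine statistical anomaly detection with rule hits into (risk_score, reasons)."""
    user, dept, bytes_out, country = event
    own = [h[2] for h in history if h[0] == user]
    peers = [h[2] for h in history if h[1] == dept and h[0] != user]
    score, reasons = 0, []
    # Statistical model 1: deviation from the user's own profile.
    if own and abs(zscore(bytes_out, profile(own))) > threshold:
        score += 50
        reasons.append("deviates from own baseline")
    # Statistical model 2: deviation from the peer group, which catches users
    # whose own baseline was built on already-bad behaviour.
    if peers and abs(zscore(bytes_out, profile(peers))) > threshold:
        score += 30
        reasons.append("deviates from peer group")
    # Rule: policy knowledge that no amount of training data provides.
    if country in RESTRICTED_COUNTRIES:
        score += 100
        reasons.append("rule: restricted region")
    return score, reasons


if __name__ == "__main__":
    for ev in [("alice", "finance", 50000, "US"), ("carol", "finance", 41000, "US"),
               ("bob", "finance", 1100, "XX")]:
        print(ev, score_event(ev, HISTORY))
```

The peer comparison is what surfaces carol, whose own baseline is "bad", while the rule flags bob's otherwise statistically ordinary transfer.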

Note 2 UEBA Market and Fraud

Security technology is focused on stopping the theft of information or data, whereas fraud detection technology is focused on stopping the use of stolen information or fraud. Fraud detection is covered in "Market Guide for Online Fraud Detection."


Note 3 Semistructured and Unstructured Contextual Information

Sample semistructured data sources include:

1. Logs from existing agentless or agent-based logging applications

2. Native log collection from event sources or operating systems

3. Connectors into various applications, such as SaaS applications

4. Network flow or packet data

5. Data exports into standard formats like CSV

6. Structured threat intelligence using standards such as STIX and TAXII

7. Metadata from electronic communications such as email

Unstructured contextual data sources include:

1. Social media network connections and postings

2. The content of electronic communications such as email and chat

3. Images

4. News feeds

5. Unstructured threat intelligence

6. Other documents that help inform user behavior analysis, such as performance appraisals where vendors parse for key words like "disgruntled" or travel records that can be used to reconcile remote access activities


GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations, visit http://www.gartner.com/technology/about.jsp

© 2016 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."
