This is a prediction made by Gartner analyst Avivah Litan in her latest blog entry, The Disappearing UEBA Market. Of course it caught our attention here at Vectra. We are not a standalone user entity behavior analytics (UEBA) company, nor do we want to be. First and foremost, we are an AI company that empowers threat hunters. But we often find ourselves in this discussion with people who believe UEBA alone will solve the world's problems (and possibly make coffee in the morning, too).

In all seriousness, it gets confusing trying to understand the nuances around technology when the end goal is always the same. The goal of Vectra is to hunt for threats. The same applies to UEBA, but with a twist. Simply put, it identifies users who act differently.

Therein lies the problem. UEBA assumes that all anomalous behavior is bad, which everyone knows isn’t true. Instead of simply detecting odd behavior, it is far more important to detect the severity of real threats to key assets with the highest degree of certainty.

Odd behavior inside your network isn't necessarily bad

At the core, this is the difference between simple anomaly models versus the more vital attacker behavior models that Vectra focuses on. The specific anomalies you search for and how they are combined with heuristics and other techniques are critical.

The right mix of both lets you zero-in on the tell-tale threat behaviors that expose real cyberattackers rather than forcing you to manually figure out whether simple oddities might lead to something more serious.

Gartner’s Litan goes on to say the UEBA vendors will be absorbed into the security information and event management (SIEM) market. Based on my own observations, this shift makes perfect sense: UEBA leverages logs for analysis, which already occurs in SIEMs.

Using artificial intelligence that provides real-time automated threat hunting, Vectra detects attack behaviors inside networks and prioritizes them with threat and certainty scores.
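To make the distinction between a plain anomaly model and an attacker-behavior model concrete, here is an added illustration (not Vectra's code or scoring, and all events, heuristics and weights are constructed assumptions). Both functions consume the same logon events; the anomaly-only model raises one undifferentiated alert for every never-seen host, while the behavior model only scores high when the oddity is corroborated by attacker-like activity.

```python
from collections import defaultdict

# Constructed sample authentication events: (user, event type, host, outcome).
EVENTS = [
    ("alice", "logon", "wks-12", "ok"), ("alice", "logon", "wks-12", "ok"),
    ("alice", "logon", "fs-01", "ok"),         # first logon to a file server: odd, not bad
    ("bob", "logon", "wks-07", "ok"),
    ("bob", "logon", "srv-02", "fail"), ("bob", "logon", "srv-03", "fail"),
    ("bob", "logon", "srv-04", "fail"), ("bob", "logon", "srv-05", "ok"),
    ("bob", "admin_share", "srv-05", "ok"),    # admin share on the newly reached host
]

def anomaly_only(events):
    """Pure anomaly model: every logon to a host the user has not used before is an alert."""
    seen, alerts = defaultdict(set), []
    for user, etype, host, _ in events:
        if etype == "logon":
            if seen[user] and host not in seen[user]:
                alerts.append((user, host))
            seen[user].add(host)
    return alerts

def behavior_model(events):
    """Anomaly combined with attacker-behavior heuristics. Returns
    {user: (threat, certainty)} on a 0-100 scale; weights are illustrative assumptions."""
    seen, fails, scores = defaultdict(set), defaultdict(set), {}
    for user, etype, host, outcome in events:
        threat, certainty = scores.get(user, (0, 0))
        new_host = bool(seen[user]) and host not in seen[user]
        if etype == "logon" and outcome == "fail":
            fails[user].add(host)               # remember failed targets per user
        elif etype == "logon" and new_host:
            threat, certainty = max(threat, 20), max(certainty, 20)   # oddity alone: low
            if len(fails[user]) >= 3:           # failures on 3+ hosts, then a success
                threat, certainty = max(threat, 70), max(certainty, 60)
        elif etype == "admin_share" and len(fails[user]) >= 3:
            threat, certainty = 90, 85          # privileged action corroborates the pattern
        if outcome == "ok":
            seen[user].add(host)
        scores[user] = (threat, certainty)
    return scores

if __name__ == "__main__":
    print("anomaly-only alerts:", anomaly_only(EVENTS))
    print("threat/certainty:", behavior_model(EVENTS))
```

The anomaly model returns five equal-weight alerts, three of them Alice's harmless new host and Bob's failed attempts; the behavior model leaves Alice at a low score and ranks Bob first for review.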

This critical information from Vectra is easily fed to UEBA, endpoint detection and response, NAC, and firewall solutions, which automates detection and response capabilities in real time.

Vectra advocates an architectural approach to achieve this ecosystem integration. This blog explains how we fit within the Gartner adaptive security architecture and provides guidance about mapping out your ecosystem and integrating disparate security tools and systems, including SIEMs.
