This is a prediction made by Gartner analyst Avivah Litan in her latest blog entry, The Disappearing UEBA Market. Of course it caught our attention here at Vectra. We are not a standalone UEBA company, nor do we want to be. First and foremost, we are an AI company that empowers threat hunters. But we often find ourselves in this discussion with people who believe UEBA alone will solve the world's problems (and possibly make coffee in the morning, too).
In all seriousness, it gets confusing trying to understand the nuances around technology when the end goal is always the same. The goal of Vectra is to hunt for threats. The same applies to UEBA, but with a twist: simply put, it identifies users who act differently.
Therein lies the problem. UEBA assumes that all anomalous behavior is bad, which everyone knows isn’t true. Instead of simply detecting odd behavior, it is far more important to detect the severity of real threats to key assets with the highest degree of certainty.
At the core, this is the difference between simple anomaly models versus the more vital attacker behavior models that Vectra focuses on. The specific anomalies you search for and how they are combined with heuristics and other techniques are critical.
The right mix of both lets you zero-in on the tell-tale threat behaviors that expose real cyber attackers rather than forcing you to manually figure out whether simple oddities might lead to something more serious.
Gartner’s Litan goes on to say the UEBA vendors will be absorbed into the SIEM market. Based on my own observations, this shift makes perfect sense – UEBA leverages logs for analysis, which already occurs in SIEMs.
Using artificial intelligence that provides real-time automated threat hunting, Vectra detects attack behaviors inside networks and prioritizes them with threat and certainty scores.
This critical information from Vectra is easily fed to UEBA, endpoint detection and response, NAC, and firewall solutions, automating detection and response capabilities in real time.
Vectra advocates an architectural approach to achieve this ecosystem integration. The Vectra Adaptive Security Architecture compliance brief explains how we fit within the Gartner adaptive security architecture and provides guidance about mapping out your ecosystem and integrating disparate security tools and systems, including SIEMs.
Christopher Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs with nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles.