• LinkedIn

UBA? – U Decide!

By: Darin Barton CISSP, CISA

This was an interesting blog to write. I wanted to discuss the merits of UBA and subtly compare it to the value SIEM provides, but somehow it quickly became a UBA vs SIEM situation which is not what I was intending. So, I brought it back into scope.

But, why did it get out of control so quickly? The landscape is evolving for both of these solutions and lines are getting blurred. Some UBA’s are suggesting that SIEM is no longer required because they do everything a SIEM can do but better. SIEM has responded by adding machine learning and they even suggest that it can do what a UBA does. At the end of the day, you need to decide for yourself which is better.

What Does a UBA Offer

UBA (User Behaviour Analytics) has been around for a few years but it’s only now that manufacturer solutions have become truly relevant and gained traction.

Essentially, a UBA take logs from many networked sources and correlates them to a specific user.  It is important to have tightly managed integration with a AAA source to ensure the logs are properly assessed to the correct individual.  The UBA solution will carefully monitor and track a user’s actions over a period of time, usually 7-14 days, to form baseline patterns.  Then, using AI algorithms, it performs frequent checks to determine if there are any pattern shifts in behaviour.  These shifts are then attributed a risk score for administrators to evaluate and take action.


In 2017, UBA stirred up a lot of questions within IT departments looking to enhance their understanding of what users are actually doing in their environments, such as:

Will UBA replace my endpoint security software?

NO, UBA will not replace your endpoint security solutions.  Slowly, more and more endpoint solutions are providing tighter API integration into UBA solutions which is highly beneficial as it avoids the need to deploy endpoint agents to get the same information another platform could provide.

Does UBA replace my SIEM?

NO, UBA does not replace your SIEM.  Some UBA manufacturers will suggest that their product is the “SIEM You’ve Always Wanted” or it’s a “SIEM on Steroids” (whatever that means).  UBA is focused on user specific actions,  behaviours and patterns and being able to decipher when those actions become a risk to an organization.  This is very important and a SIEM does not offer this type of in-depth user behaviour analytics.

Does UBA present privacy issues?

NO, UBA does not present any additional privacy concerns.  While a UBA does provide deeper insights into user activity, this activity is within a business environment and your organization should already have a basic privacy policy to guide your actions.  For example, if you have the ability to inspect SSL traffic you would typically leave “verified” on-line banking and healthcare sites off the decryption list for privacy reasons.

In my opinion, UBA solutions that provide as close to “real-time” monitoring and alerting as possible are what you should be looking for. This is important because its value greatly diminishes if you are being notified of anomalous behavior well after the fact. Through the use of UBA collectors and endpoint agents you can greatly reduce the processing and alerting time through a UBA, so look to solutions that can take advantage of these options.

UBA Solutions of Interest

If you are interested in a UBA solution then check out these manufactures:

  • Exabeem:  A very intuitive UBA for companies with limited resources.  It’s built-in expert analysis makes it easier for administrators to make decisions based on platform recommendations and risk score values.  A very nice product.
  • Niara:  Recently purchased by Aruba/HPE.  This solution is very in-depth and chalk full of detail.  Excellent for larger Enterprises with dedicated endpoint security staff.

Are UBA and SIEM the Same?

No, they are not the same but conceptually they lean into the same spaces.  SIEM was born out of the customer need to make log collection, auditing and correlation easier (correlation meaning the ability to tie several log events together to show a pattern of attack or odd behaviors).  No administrator could effectively monitor a decentralized (or even centralized) logging environment on their own and make heads or tails out of them.  Many breaches have occurred under the watchful eye of  security analysts at the helm of a log collector.  So, centralizing this effort by bringing all logs, events and alerts into one location to identify attack patterns, trends and anomalous behaviors should be considered essential.

SIEM manufacturers saw the writing on the wall when UBA began making fast tracks into their patch which could result in SIEM potentially becoming obsolete.  The manufacturers response was to introduce “machine learning” – making significant changes to their platforms by taking better advantage of the information and data they were already collecting.  Using similar AI algorithms, a SIEM can now provide detailed insights into the behavior patterns of machines.  If you already have a SIEM, this should be available to you in future major version upgrades.

It’s my belief that within 3 years, all SIEM will have true user behaviour analytics integrated into their platforms.  Likewise, UBA solutions will move deeper into the SIEM space with enhanced machine learning, resulting in a highly competitive market.


A UBA solution makes a lot of sense.  Users are the number one source of infection in a network due to their nasty link-clicking and web exploration habits.  Knowing if their normalized working patterns change significantly can be a strong indicator of an infected device or a device that has become a newly minted attack vector.

I highly recommend that you explore the viability of this solution for your enterprise.

:Darin Barton CISSP, CISA is a senior security professional in Toronto Canada, with 20+ years experience in cybersecurity and currently employed with Access 2 Networks Inc. (A2N).