3 Questions to Ask Your UEBA Provider

  • How much has your threat hunting model matured over time?
  • How are you leveraging new detection strategies in your threat hunting process?

Dedicated or integrated UEBA: which is better?

  • Separate data provisioning for the new UEBA tool
  • Dedicated analysts for monitoring

Challenges with existing UEBA solutions

  • Optimized data sets: UEBA solutions are not designed to work with raw or unstructured data. They require high-quality data preparation, normalization, enrichment and grouping.
  • Dynamic baselines: It’s important to keep tabs on the dynamic baselines that are created, in order to make sure they remain aligned with the rapidly evolving threat landscape in your organization. A “set and forget” strategy doesn’t work here.
  • The emerging need for ML: Use of machine learning (ML) is a necessity, as analyzing large volumes of data is like searching for a needle in a haystack — without ML, it’s nearly impossible. Combined with automation, ML models can go a long way in making a security team’s job easier.

Questions for your UEBA vendor

  1. Is there a built-in data preparation process? Simply ingesting raw log data and expecting a UEBA solution to magically come up with outliers or behavioral anomalies is unrealistic. UEBA solutions work best with “rich datasets” that have been enriched with contextual information related to the organization, the threats or risks encountered over time and so on. It is crucial to understand this, and to ask your vendor if there are provisions for this kind of enrichment. For example, you may be able to import a CSV or Excel file with relevant data into a UEBA solution. Using that data, the software can append relevant information to detected events. Many solutions also feature integration with external apps via APIs.
  2. How often do detection rules or models need to be updated? The key phrase to keep in mind here is dynamic thresholds. How these are created and how often they need to be updated are factors which affect your security teams’ overall accuracy and response times. How? Suppose the software creates dynamic thresholds, but there is no provision to monitor them, such as in a report or dashboard This leaves your SOC without any insight into the detection frequencies and approximate threshold values. This would have a negative impact on your teams’ accuracy and lead to a rise in false positives. These false positives, in turn, waste your analysts’ time investigating threats that don’t exist.
  3. If machine learning is being used, what is the model updating process like? Most UEBA vendors are already using ML due to the immense benefits it offers, in terms of statistical analysis and the ability to learn from the data set itself. For these solutions, it’s crucial to understand what kind of risks the ML model is designed to detect. Some ML models may even stop at flagging outliers. Complete dependence on ML or artificial intelligence is not yet practical in the field of cybersecurity, so remember to ask vendors about how to fine-tune these models, and to what extent this can be automated. Don’t fall for slogans like “Sit back and relax — ML and AI will do everything.” While this may sound attractive, no platform can live up to these kinds of promises.




The “Open” Big Data Analytics platform that offers solutions to the world’s most challenging cyber security problems with real-time data analytics.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Flag Network Airdrop

Flag Network Airdrop

How I was able to takeover s3 bucket of a trading site

SCAM alert and legal notice from Crypviser

Technicals on 4th October Facebook Outage? (BGP)

AMA with EPID Community about YetuSwap

So what makes Yield Optimizer a step ahead of PrivacySwap’s traditional farming?

{UPDATE} ユニメモ Hack Free Resources Generator

Do Online Games Pose Greater Cyber Risks?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


The “Open” Big Data Analytics platform that offers solutions to the world’s most challenging cyber security problems with real-time data analytics.

More from Medium

My Experience in General Assembly So Far

Houston, We Have a Testing Data Problem

Credit Card fraud and Imbalanced classes

A Medic’s Machine Learning Diary: Day 1