3 Questions to Ask Your UEBA Provider

  • How much has your threat hunting model matured over time?
  • How are you leveraging new detection strategies in your threat hunting process?

Dedicated or integrated UEBA: which is better?

Cyberthreats are growing in both complexity and volume, and security operations center (SOC) teams are already struggling to stay ahead. Meanwhile, enterprises continue to generate mountains of data at astonishing rates. An analytics-driven SIEM is clearly essential for centralizing that data and analyzing the collected data sets for threats, but is a separate tool for user behavior analysis a good option? Consider the extra burdens an already stretched SOC team would take on:

  • Separate data provisioning for the new UEBA tool
  • Dedicated analysts for monitoring

Challenges with existing UEBA solutions

With a dedicated UEBA tool ruled out, here are some challenges that many integrated UEBA solutions still struggle with:

  • Optimized data sets: UEBA solutions are not designed to work with raw or unstructured data. They require high-quality data preparation: normalization, enrichment with context, and grouping of events by the user or entity they belong to.
  • Dynamic baselines: It’s important to keep tabs on the baselines that are created and the thresholds derived from them, to make sure they still reflect what is normal in your organization as roles, systems and the threat landscape change. A “set and forget” strategy doesn’t work here.
  • The emerging need for ML: Analyzing these volumes of data by hand is a needle-in-a-haystack exercise, so machine learning (ML) has become a necessity rather than a luxury. Combined with automation, ML models go a long way toward making a security team’s job easier.

Questions for your UEBA vendor

If you already have a SIEM that includes UEBA features, the answers to the following questions will help you streamline and plan your threat hunting process. If you don’t have one, they can help you evaluate a UEBA solution from a technical perspective:

  1. Is there a built-in data preparation process? Simply ingesting raw log data and expecting a UEBA solution to magically come up with outliers or behavioral anomalies is unrealistic. UEBA solutions work best with “rich datasets” that have been enriched with contextual information about the organization, the threats or risks encountered over time, and so on. It is crucial to understand this, and to ask your vendor what provisions exist for this kind of enrichment. For example, you may be able to import a CSV or Excel file with relevant data (departments, privilege levels, asset criticality) into the UEBA solution, which then appends that information to detected events. Many solutions also integrate with external applications via APIs.
  2. How often do detection rules or models need to be updated? The key phrase to keep in mind here is dynamic thresholds. How these are created, and how often they need to be updated, directly affect your security team’s accuracy and response times. Suppose the software creates dynamic thresholds but offers no way to monitor them, such as a report or dashboard. Your SOC is then left without any insight into detection frequencies or the approximate threshold values in force, which hurts accuracy and drives up false positives. Those false positives, in turn, waste your analysts’ time investigating threats that don’t exist.
  3. If machine learning is being used, what is the model updating process like? Most UEBA vendors already use ML for the statistical analysis it enables and for its ability to learn from the data set itself. For these solutions, it’s crucial to understand what kinds of risk the ML model is designed to detect; some models stop at flagging statistical outliers and leave the interpretation to the analyst. Complete dependence on ML or artificial intelligence is not yet practical in cybersecurity, so ask vendors how these models are fine-tuned and to what extent that can be automated. Don’t fall for slogans like “Sit back and relax, ML and AI will do everything.” It sounds attractive, but no platform can live up to that promise.
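To make questions 1 and 2 concrete, here is an added example (not code from the article or from any vendor’s product) of the preparation-and-baseline pipeline those questions describe: raw log lines are normalized and grouped per user and day, enriched from an imported CSV of user context, scored against a per-user dynamic threshold, and summarized in the kind of threshold report question 2 asks for. The VPN-gateway log format, the CSV columns, the ten days of traffic figures and the window and multiplier parameters are all constructed for the illustration.

```python
import csv
import io
import re
import statistics
from collections import defaultdict

# --- Constructed sample data (not from the article) -------------------------
# Per-user, per-day outbound volume in MB over ten days. alice has one
# exfiltration-sized day at the end; bob (a privileged admin) spikes mid-run.
DAILY_MB = {
    "alice": [100, 110, 90, 105, 95, 100, 110, 90, 105, 1000],
    "bob":   [500, 520, 480, 510, 490, 500, 1200, 500, 510, 520],
}

# Raw log lines in a made-up VPN-gateway format. Volumes are in bytes so the
# parser has to normalize units; day N maps to 2024-03-0N.
RAW_LOGS = [
    f"2024-03-{day:02d}T18:05:00Z vpngw session_end user={user} bytes_out={mb * 1024 * 1024}"
    for user, series in DAILY_MB.items()
    for day, mb in enumerate(series, start=1)
]

# Context an analyst might import as a CSV (question 1): department and privilege.
CONTEXT_CSV = """user,department,privileged
alice,finance,no
bob,it,yes
"""

LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ \S+ session_end user=(?P<user>\S+) bytes_out=(?P<bytes>\d+)$"
)


def load_context(csv_text):
    """Parse the imported CSV into a user -> {department, privileged} map."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["user"]: {"department": r["department"],
                        "privileged": r["privileged"].strip().lower() == "yes"} for r in rows}


def normalize(raw_lines):
    """Raw lines -> per-user daily MB totals (the normalization and grouping step).
    Lines that do not match the expected format are counted, not silently dropped."""
    totals = defaultdict(lambda: defaultdict(float))
    unparsed = 0
    for line in raw_lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        totals[m["user"]][m["day"]] += int(m["bytes"]) / (1024 * 1024)
    return totals, unparsed


def score_user(daily, privileged, window=5, min_history=3, rel_floor=0.10):
    """Walk one user's days in order and derive a dynamic threshold from the most
    recent `window` days that were themselves not flagged. The returned rows are
    the dashboard data question 2 asks for: baseline threshold and verdict per day."""
    k = 2.0 if privileged else 3.0   # context tightens the band for privileged accounts
    history = []                      # unflagged observations, oldest first
    rows = []
    for day in sorted(daily):
        value = daily[day]
        if len(history) < min_history:   # cold start: learn before judging
            rows.append({"day": day, "value": value, "threshold": None, "status": "learning"})
            history.append(value)
            continue
        recent = history[-window:]
        mean = statistics.fmean(recent)
        # Floor the spread so a perfectly regular user does not get a zero-width band.
        spread = max(statistics.pstdev(recent), rel_floor * mean)
        threshold = mean + k * spread
        flagged = value > threshold
        rows.append({"day": day, "value": value, "threshold": round(threshold, 2),
                     "status": "alert" if flagged else "normal"})
        if not flagged:
            history.append(value)     # an anomaly must not pollute its own baseline
    return rows


def run_pipeline(raw_lines=RAW_LOGS, csv_text=CONTEXT_CSV):
    """Normalize -> enrich -> baseline -> report. Returns enriched alerts plus a
    per-user summary of the threshold currently in force and detection frequency."""
    context = load_context(csv_text)
    totals, unparsed = normalize(raw_lines)
    alerts, summary = [], {"unparsed_lines": unparsed, "users": {}}
    for user, daily in totals.items():
        ctx = context.get(user, {"department": "unknown", "privileged": False})
        rows = score_user(daily, ctx["privileged"])
        for r in rows:
            if r["status"] == "alert":
                alerts.append({**r, "user": user, **ctx})   # enrichment appended to the event
        scored = [r for r in rows if r["threshold"] is not None]
        summary["users"][user] = {
            "current_threshold_mb": scored[-1]["threshold"] if scored else None,
            "alerts": sum(r["status"] == "alert" for r in rows),
            "days_scored": len(scored),
        }
    return alerts, summary


if __name__ == "__main__":
    alerts, summary = run_pipeline()
    for a in alerts:
        print(f"{a['day']} {a['user']:<6} {a['department']:<8} priv={a['privileged']!s:<5} "
              f"{a['value']:.0f} MB > {a['threshold']} MB")
    for user, s in summary["users"].items():
        print(f"{user}: threshold now {s['current_threshold_mb']} MB, "
              f"{s['alerts']} alert(s) in {s['days_scored']} scored days")
```

Two design choices illustrate the questions. First, the imported context changes the scoring itself, not just the alert text: bob’s privileged flag gives him a tighter multiplier, so the same relative deviation is caught sooner. Second, flagged observations are kept out of the history used for later baselines; if bob’s 1,200 MB day were allowed into the window, the next day’s threshold would jump from 600 MB to roughly 1,135 MB and a repeat of that volume would pass as normal. A threshold report of the kind question 2 asks for is what makes that sort of drift visible before it turns into missed detections or a flood of false positives.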






The “Open” Big Data Analytics platform that offers solutions to the world’s most challenging cyber security problems with real-time data analytics.