Don’t get stuck with dead-end User Behavior Analytics

As the frequency of sophisticated cyberattacks continues to increase, User Behavior Analytics (UBA) has taken center stage. It now seems like every vendor in security, no matter its product, wants to be in the UBA space.

Even after weeding out the pretenders, the number of UBA players is daunting. But savvy customers now talk about the dangers of getting locked into “first-generation UBA” and are looking for a more mature, stable next-gen solution.

Why are most UBA products dead ended? The reason is that many of the current UBA solutions were formulated as what in the startup world is known as MVP, or Minimum Viable Product. The idea is that if a fledgling startup has limited skilled engineers and nothing more than a vague sense of what a customer really needs to solve a specific problem, they quickly (and cheaply) pull a solution together to test the market. Once the solution requirements become apparent, they follow that up with the “real” product based on customer feedback and a lot of serious engineering.

Great in theory if you are building a mobile app, but the enterprise customer is left holding the bag with a stiff bill and an obsolete product as rev 2.0 shows up—after they discover 1.0 is mostly “minimum”.

Here are some signs that you are talking to a UBA vendor with a lot of “M” and very little “V”, and that the road ahead leads to nothing but a cliff:

All UBA vendors claim they are a big data platform. Under the covers, that typically means some type of SQL database or MongoDB. Analyst reports highlight concerns about MongoDB in the areas of read/write management and performance, yet that type of technology is typical in the UBA space because it is fast and easy to build on. Enterprises recognize that without the storage and compute scale of the Hadoop ecosystem, UBA will never support the breadth of machine learning, threat hunting and investigation support that security teams require, and getting there is a complete rewrite, not a product upgrade.

Walking through the show we saw a plethora of single-dimensional UBA products that use (pick one) authentication logs, files, network, endpoint or external threat feeds as their primary source of data. Again, easy to implement, but completely incapable of delivering the precision and full fidelity of automated attack detection, proactive attack discovery and triage/response that effective UBA requires. You may not need all of these sources at once, but adding to your baseline data captured over time will enhance analytics results and speed of response.

Entities, not just users

Gartner called this one last fall by renaming the category UEBA (user and entity behavior analytics). If a behavioral analytics solution cannot profile and track users, data, apps, servers and really any device with an IP address (i.e. “entities”), it’s a 1.0 MVP.

We’ll finish it on site

This is straight out of the MVP playbook. What this really means is: let’s not ship a complete product, but instead spend several months and thousands of dollars in professional services fees to make it work. Many UBA players sell against SIEM (security information and event management), highlighting how difficult it is to implement, but then repeat the same mistake. There is no question that the UBA market is exploding, and with good reason. The promise of using the full range of IT security information to drive innovative machine learning that finds attacks which have evaded real-time defenses is very real. Couple that with highly accelerated incident investigation and response and you attack the security skill-set challenge from both directions.

The market is now signaling it’s ready for next-gen UBA—don’t settle for MVP.