A Security Information and Event Management (SIEM) solution is not the same as User & Entity Behavior Analytics (UEBA). The two complement each other, but one is not a replacement for the other. Sure, you can try to write custom SIEM rules to accomplish several of the things UEBA can do, but the problem is that UEBA has far more functionality than a SIEM. So what is the real difference between a SIEM and UEBA?

What is SIEM?

SIEM combines all security events from device logs and centralizes that data into one source for security analysis, reports, and alerting. It also stores, analyzes, and correlates a multitude of security information, authentication events, anti-virus events, audit events, intrusion events, etc. Any anomalous event captured in a rule alerts a Security Operations Center (SOC) to take action. Also, SIEM tools can help compliance managers meet strict regulatory requirements.

SIEM systems aggregate logs by receiving standard feeds such as SNMP traps or Syslog, sometimes with the help of agents or a collector. These feeds come from user devices, network switches, servers, firewalls, anti-virus software, intrusion detection/prevention systems, etc. Once all of the data is centralized, the SIEM runs reports, “listens” for anomalous events, and sends alerts.

The SIEM has rules and alert tuning to limit false-positive notifications. After events are sent to the system, the SIEM processes them through the rules and creates an alert. Once the alert is created, a security analyst reviews it to determine if there is an issue. Most SIEM alerting is well optimized, but some alerts will always require human intervention. SIEM tools are the best choice if you want a high-level overview of all devices, platforms, and networks, and the events they generate.

What is UEBA?

UEBA solutions can audit and analyze an individual’s file and application access, then connect this data to flag that individual as engaged in suspicious behavior. UEBA also helps with insider and external threats by utilizing some principles of a SIEM. It is more automated, with a machine learning backend that baselines user behavior by monitoring file access, logins, network activity, etc. over a period of time. Baselining in UEBA is different from the trending provided by other tools because this is the learning part of the UEBA software. Once the baseline is set, the tool begins to “learn” the normal behavior of a user and triggers alerts on abnormal behavior. UEBA can identify user deviations and continue to adapt (machine learning) if the behavior is consistent. It can also determine if an employee’s credentials are being used by outsiders and spot insider data theft.

UEBA typically reads enormous amounts of data, often through an agent or a collector, similar to a SIEM. The rules of a UEBA tool are normally canned, but additional rules can be added or modified. The UEBA standard is to use the canned rules to allow the tool to learn user behavior and detect variances. For example, it can automatically spot thousands of “file delete” actions in a short time window, unusual directory visits, or launches of rarely used apps, any of which can indicate that a user is behaving uncharacteristically.
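The difference between a fixed SIEM-style rule and UEBA-style per-user baselining, using the “file delete” case above, as an added example (not code from any SIEM or UEBA product). The account names, counts, thresholds and the simple z-score model are constructed assumptions; real UEBA tools use richer models.

```python
from statistics import mean, pstdev

# Constructed sample data (not real logs): "file delete" counts per user per hourly window.
HISTORY = {
    "alice":      [3, 5, 4, 6, 2, 5, 4, 3],
    "backup_svc": [900, 1100, 1000, 950, 1050, 1000, 980, 1020],
}
NEW_WINDOW = {"alice": 400, "backup_svc": 1040}

STATIC_THRESHOLD = 500  # assumed SIEM-style rule: same limit for every account
Z_THRESHOLD = 3.0       # assumed UEBA-style limit: deviations from the user's own baseline
MIN_SAMPLES = 5         # do not score a user until a baseline exists


def static_rule(window):
    """Fixed-threshold correlation rule, identical for all users."""
    return {user for user, count in window.items() if count > STATIC_THRESHOLD}


def zscore(history, count):
    """How many standard deviations `count` sits from this user's own mean."""
    if len(history) < MIN_SAMPLES:
        return 0.0  # still learning: no baseline yet
    mu, sigma = mean(history), pstdev(history)
    return (count - mu) / max(sigma, 1.0)  # floor sigma so a flat history is not hypersensitive


def baseline_rule(history, window):
    """Per-user behavioural rule: flag windows far above the learned baseline."""
    scores = {u: zscore(history.get(u, []), c) for u, c in window.items()}
    return {u: round(z, 1) for u, z in scores.items() if z > Z_THRESHOLD}


def learn(history, window, flagged):
    """Fold normal windows into the baseline; keep flagged ones out until reviewed."""
    for user, count in window.items():
        if user not in flagged:
            history.setdefault(user, []).append(count)


if __name__ == "__main__":
    print("static rule flags:  ", static_rule(NEW_WINDOW))
    flagged = baseline_rule(HISTORY, NEW_WINDOW)
    print("baseline rule flags:", flagged)
    learn(HISTORY, NEW_WINDOW, flagged)
```

The fixed rule alerts on the cleanup account doing its usual volume and misses the user whose deletes jumped a hundredfold, while the baseline rule does the opposite.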

What if I have SIEM–should I consider having UEBA too?

SIEM can read UEBA logs and analyze them within the SIEM tool. Both SIEM and UEBA have important roles in security and can complement each other and accelerate the detection of devices. Most importantly, they are essential to aid in preventing insider attacks within the organization.

  • SIEM provides a high-level overview of devices, platforms, and network
  • UEBA analyzes user behavior abnormalities – giving deep insight into what users are doing in your environment
  • SIEM is good to have for compliance reporting
  • SIEM can monitor more events, such as access activity, data access, application activity, and event management
  • UEBA can protect organizations from insider threats

If you would like help figuring out what SIEM or UEBA tools would be best for your organization, contact our Security Services at info@peters.com or 630-832.0075 for a complimentary consultation.