A Crash Course on Security Analytics — And How to Spot a Fake UEBA From a Mile Away

  1. Understand how security analytics can help them in a key pillar of their mission: to make sure that the organization can efficiently detect, investigate, and respond to threats and incidents.
  2. Spot fake UEBA from a mile away.

Classifying analytics based on sophistication

There are several types of analytics. Some are more powerful than others, and each has its pros and cons. These analytics methods can be classified and ranked by their level of sophistication, which usually translates to their effectiveness.

Figure 1. Main analytics methods in cybersecurity

Analytics in depth

These analytics methods are not mutually exclusive, and maximum protection is achieved by running several of these analytics in conjunction. This can be referred to as “analytics-in-depth”, similar to the “defense-in-depth” approach that is prevalent in organizations.

Pros and cons of different analytics methods

The output of the basic methods of pattern matching, thresholds and correlation rule-based systems is binary, and an alert is triggered as soon as a specific condition is met:

  • Pattern matching: as soon as the data has matched a specific pattern, an alert is generated
  • Thresholds: as soon as the data has reached or crossed a specific threshold, an alert is generated
  • Correlation rule-based systems: as soon as the data has matched a specific “if — then — else” rule, an alert is generated

Figure 2. Pros and cons of analytics methods

Figure 3. Sweet spot for security analytics
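To make the contrast concrete, here is an added toy example (not from the article, nor any vendor's product) that runs the three binary methods above, and a baseline-and-deviate scorer of the kind UEBA is built on, over constructed login events. The event fields, the regex, the limits and the scoring convention are all illustrative assumptions.

```python
import re
import statistics
from collections import defaultdict

EVENTS = [  # constructed sample events, time-ordered: (user, action, source_ip, bytes_out)
    ("alice", "login_ok", "10.0.0.5", 1_200),
    ("alice", "login_ok", "10.0.0.5", 1_100),
    ("alice", "login_ok", "10.0.0.5", 1_300),
    *[("bob", "login_fail", "10.0.0.9", 0)] * 3,
    ("bob", "login_ok", "10.0.0.9", 900),
    ("alice", "login_ok", "10.0.0.5", 20_000),
    ("alice", "login_ok", "203.0.113.7", 950_000),
]

def pattern_alerts(events, pattern=r"^203\.0\.113\."):
    """Pattern matching: binary alert on every event whose source IP matches the regex."""
    return [e for e in events if re.search(pattern, e[2])]

def threshold_alerts(events, limit=100_000):
    """Threshold: binary alert as soon as bytes_out reaches or crosses the fixed limit."""
    return [e for e in events if e[3] >= limit]

def correlation_alerts(events, fails=3):
    """Correlation rule: IF >= `fails` failed logins for a user THEN a success -> alert."""
    alerts, streak = [], defaultdict(int)
    for e in events:
        if e[1] == "login_fail":
            streak[e[0]] += 1
        elif streak.pop(e[0], 0) >= fails:  # a success resets the streak either way
            alerts.append(e)
    return alerts

def anomaly_scores(events, min_history=3):
    """Learn each user's normal from earlier successful logins, then score deviation (not binary)."""
    history, seen_ips, scored = defaultdict(list), defaultdict(set), []
    for user, action, ip, size in events:
        hist, score = history[user], 0.0
        if len(hist) >= min_history:  # score only once "normal" is known for this user
            sd = statistics.pstdev(hist) or 1.0  # toy convention: unit spread if history is constant
            score = abs(size - statistics.mean(hist)) / sd
            score += 2.0 if ip not in seen_ips[user] else 0.0  # never-before-seen source IP
        if action == "login_ok":  # failed logins carry no transfer volume
            hist.append(size)
            seen_ips[user].add(ip)
        scored.append(((user, action, ip, size), round(score, 1)))
    return scored

def notable(scored, floor=3.0):
    """Surface only anomalies notable enough to deserve the security team's attention."""
    return [e for e, s in scored if s >= floor]
```

Run together, the methods complement one another: the rule catches bob's brute-force-then-success, the threshold and pattern catch only the large transfer from the unusual address, and the baseline also flags alice's 20,000-byte transfer that no static rule fires on, while bob's first success gets no score at all because his "normal" is not yet known.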

UEBA beyond detection

UEBA has been a real breakthrough for detecting threats and incidents. It allows organizations to be alerted when an anomaly is notable enough that it deserves attention from the security team. The best UEBA can actually do much more.

  • Detection — via understanding of normal behaviors, and identification of anomalous or risky behaviors
  • Triage of incidents — via scoring and prioritization of alerts generated across the whole organization, including from third-party tools
  • Investigation — via stitching of all the normal and abnormal events into the operational model of a particular incident
  • Response — via complementing SOARs’ static playbooks with decision support for most likely appropriate actions

Two simple ways to uncover “fake” UEBA

Readers should beware of “fake” UEBA in the market, as many vendors seem to exaggerate what they really have. “Fake” UEBA is nothing more than standalone simple statistical modeling methods marketed as UEBA. There are two easy litmus tests that organizations can do to uncover fake UEBA.

Exabeam is a pioneer in UEBA

Exabeam has a history of innovation and disruption in the security analytics space with the first UEBA that:

  • Is part of an analytics-in-depth approach that collectively includes statistical modeling, correlation rule-based systems, thresholds, and pattern matching
  • Understands “normal” for users and entities
  • Alerts on notable anomalies that deserve the attention of the cybersecurity teams
  • Prioritizes third-party alerts with “dynamic alert prioritization” to surface the most relevant alerts
  • Enriches and contextualizes all logs and events via advanced analytics rather than via static playbooks
  • Is bundled with valuable content for maximum efficiency of detection, investigation and response

Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.