2021-07-15T03:13:00Z
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)

What are the main differences between UEBA and SIEM solutions?

Hi community members,

Let's discuss what are the main differences between UEBA (User and Entity Behavior Analytics) and SIEM (Security Information and Event Management) solutions.

PeerSpot user
4 Answers
Real User
Top 5
2021-08-27T20:33:54Z
Aug 27, 2021

SIEM vs UEBA

1. SIEM is designed to store events for extended periods (typically 365 days). UEBA violations/rule triggers add to risk scores but generally function on real-time data and data less than 30 days old.

2. SIEMs are generally rule-based: "If X happens Y times in Z time interval", or simply "If X happens". UEBA rules look for anomalies: "If X happens and it has NEVER happened before", or "If Y happens and other users (or machines, the E in UEBA) run an executable or execute a transaction they have never done before".

3. The group-by field in SIEM rules is normally an IP address. In UEBA the group is the user or machine, and rules may join events (threats; see the MITRE ATT&CK framework, https://attack.mitre.org/). With SIEM I target a 99.999% event reduction; with UEBA I look for another order of magnitude (99.9999%) of reduction by cross-correlating user movement throughout the enterprise as users move from one host to another and show up in various logs with variations on their user name (or with no user field at all, using an IP-to-user lookup).

4. UEBA enriches data to give it context: Who is the user? What department are they in? Is this IP/URL on a blacklist? Has the user had a bad employee review from HR? Does the user have risks from LexisNexis-like sources, such as bankruptcy, divorce, or a pending court case?

5. UEBA rules commonly link events over longer periods of time with risk scores (probabilities that an event represents a compromise), and scores grow as more threats are seen over days, weeks, or months.

6. SIEMs typically work with security device logs (firewalls, IDS, AV, ...), while some of the best UEBA use cases are based on application logs. Example: ATM 1 ran an EXE the other 500 ATMs have never run, AND connected to a foreign IP address, AND dispensed $5,000 in 10 minutes when normal cash withdrawals are under $500/hour.

7. SIEM rules compare events to new events in real time. UEBA rules have to "learn normal" by building profiles of the user's/entity's past actions, then compare new events against those profiles to determine whether they match prior behaviour patterns. UEBA rules are often based on 3x spikes by hour/day/week/month rather than static "X happened Y times" thresholds.
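The seven points above, as an added worked example that is not part of the original answer and not any vendor's code: a small Python rule engine runs one SIEM-style static threshold rule ("5 failed logins from one IP within 5 minutes") and two UEBA-style rules (an executable never seen for this user or for any peer, and an hourly count more than 3x the user's own median) over the same constructed events, resolves every hit to a user through name normalisation and an IP-to-user table, and folds the hits into one accumulating risk score per user. All IPs, user names, executables, baselines and the point values are assumptions made up for the illustration.

```python
"""Added example, not from the original thread: a toy rule engine that runs one
SIEM-style static threshold rule and two UEBA-style behaviour rules over the same
constructed events, resolves each hit to a user and accumulates a per-user risk
score. All IPs, user names, executables and counts below are made up."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

IP_TO_USER = {"10.0.0.5": "alice", "10.0.0.7": "bob", "10.0.0.9": "carol"}
AUTH_WINDOW = timedelta(minutes=5)  # SIEM rule: 5 failed logins within 5 minutes

# Constructed "today" events: VPN auth failures carry only a source IP; endpoint
# process starts carry a user field whose casing varies between sources.
EVENTS = [
    {"ts": datetime.fromisoformat(t), "type": kind, "src_ip": ip, "user": user, "exe": exe}
    for t, kind, ip, user, exe in [
        ("2021-08-27T09:00:05", "auth_fail", "10.0.0.5", None, None),
        ("2021-08-27T09:00:20", "auth_fail", "10.0.0.5", None, None),
        ("2021-08-27T09:00:41", "auth_fail", "10.0.0.5", None, None),
        ("2021-08-27T09:01:02", "auth_fail", "10.0.0.5", None, None),
        ("2021-08-27T09:01:30", "auth_fail", "10.0.0.5", None, None),
        ("2021-08-27T09:10:00", "auth_fail", "10.0.0.7", None, None),
        ("2021-08-27T09:15:00", "proc_start", "10.0.0.5", "ALICE", "psexec.exe"),
        ("2021-08-27T09:16:00", "proc_start", "10.0.0.7", "bob", "excel.exe"),
        ("2021-08-27T09:17:00", "proc_start", "10.0.0.9", "carol", "outlook.exe"),
    ]
]

# Constructed 30-day profiles ("learned normal"): executables each user has run
# before, and outbound connections in the 09:00 hour on each of the last 7 days.
EXE_BASELINE = {
    "alice": {"outlook.exe", "excel.exe"},
    "bob": {"outlook.exe", "chrome.exe"},
    "carol": {"outlook.exe", "excel.exe", "chrome.exe"},
}
CONN_BASELINE = {"alice": [40, 38, 45, 41, 39, 44, 42],
                 "bob": [10, 12, 9, 11, 10, 13, 12],
                 "carol": [20, 22, 19, 21, 20, 23, 21]}
CONN_TODAY = {"alice": 150, "bob": 20, "carol": 21}

def resolve_user(event):
    """Entity resolution: normalise user-name variants, else fall back to an IP lookup."""
    if event.get("user"):
        return event["user"].lower()
    return IP_TO_USER.get(event["src_ip"], "unknown@" + event["src_ip"])

def siem_threshold_rule(events, event_type, count, window, group_by="src_ip"):
    """SIEM-style rule: 'X happens Y times within Z', grouped by a field (an IP here)."""
    per_group = defaultdict(list)
    for e in events:
        if e["type"] == event_type:
            per_group[e[group_by]].append(e["ts"])
    hits = []  # one (group value, window start) per group that crosses the threshold
    for key, stamps in per_group.items():
        stamps.sort()
        for i in range(len(stamps) - count + 1):
            if stamps[i + count - 1] - stamps[i] <= window:
                hits.append((key, stamps[i]))
                break
    return hits

def ueba_first_seen_rule(events, baseline):
    """UEBA-style rule: an executable this user has never run before. Scored higher
    when no peer has run it either (the 'other 500 ATMs never ran it' case)."""
    seen_by_anyone = set().union(*baseline.values())
    findings = []
    for e in events:
        if e["type"] != "proc_start":
            continue
        user = resolve_user(e)
        if e["exe"] in baseline.get(user, set()):
            continue
        findings.append((user, e["exe"], 25 if e["exe"] not in seen_by_anyone else 10))
    return findings

def ueba_spike_rule(today, baseline, factor=3.0):
    """UEBA-style rule: today's count exceeds `factor` x the user's own median."""
    findings = []
    for user, value in today.items():
        base = median(baseline.get(user, [value]))
        if base > 0 and value > factor * base:
            findings.append((user, value, base, 15))
    return findings

def risk_scores(events, exe_baseline, conn_today, conn_baseline):
    """Fold every rule hit into one score per user, so weak signals from different
    logs accumulate instead of being triaged as unrelated alerts."""
    score, reasons = defaultdict(int), defaultdict(list)
    for ip, start in siem_threshold_rule(events, "auth_fail", 5, AUTH_WINDOW):
        user = resolve_user({"user": None, "src_ip": ip})
        score[user] += 5
        reasons[user].append(f"5 failed logins from {ip} within 5m from {start:%H:%M:%S}")
    for user, exe, pts in ueba_first_seen_rule(events, exe_baseline):
        score[user] += pts
        reasons[user].append(f"first-seen executable {exe}")
    for user, value, base, pts in ueba_spike_rule(conn_today, conn_baseline):
        score[user] += pts
        reasons[user].append(f"{value} outbound connections vs. median {base}")
    return dict(score), dict(reasons)
```

Calling `risk_scores(EVENTS, EXE_BASELINE, CONN_TODAY, CONN_BASELINE)` on the constructed data gives alice a score of 45 from three different logs (VPN failures keyed only by IP, a first-seen executable on her endpoint, and a 3x spike in her own outbound connections) while bob gets 10 for an executable that is new to him but common among his peers; the SIEM rule alone would have raised one alert on an IP address and nothing else. The point values are arbitrary; real products tune them per rule and decay them over time.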

Navin Rehnius - PeerSpot reviewer
Security Engineer at a tech services company with 201-500 employees
Real User
Top 5
2021-07-23T09:26:02Z
Jul 23, 2021

SIEM is the platform where we can see all of the security events. Here we can analyze, investigate, correlate, create reports, dashboards, etc.


UEBA is used to find out the unusual behaviour, compare data with various sources and analyze the found issues.


Hope it is informative!!

Thanks!!!

Tjeerd Saijoen - PeerSpot reviewer
CEO at Rufusforyou
Reseller
Top 5Leaderboard
2021-07-19T09:22:21Z
Jul 19, 2021

Many SIEM solutions, like QRadar, use UEBA within the SIEM solution.


User and Entity Behavior Analytics (UEBA) use machine learning to detect anomalies in the behavior of users and devices connected to a corporate network.

Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Community Manager
2021-07-17T03:52:49Z
Jul 17, 2021

Hi @Ken Shaurette, @Nuwan Chathuranga, @Muhammad Moqeet and @Paresh-Makwana. Can you help please?

Related Questions
Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Nov 17, 2022
Hi community,  I am a Service Delivery Manager at a medium-sized tech services company. I am researching PSIM (Physical Security Information Management). What are the main use cases and benefits of products that fall under this category? Thank you for your help.
See 1 answer
IA
Principal Consultant Cyber Security at Servian
Nov 17, 2022
Physical security of an information management system assures security by implementing protective controls at a location that hosts your most confidential data. For example, when you physically access data centers to reach servers, storage, routers, switches, etc. Similarly, when you are accessing a location (warehouse, IT department, finance or HR department) with malicious intentions to discover the possibility of a targeted attack, which could be by inserting an infected USB drive, stealing confidential documents, taking pictures, or finding ways to access the data center, from the elevators to the reception. ISO 27001:2013 explains in detail what protective controls must be in place to ensure physical security, like access cards, port security, identification, CCTV, biometrics, preventing Wi-Fi access from outside the location, fire alarm systems, assembly points, etc.
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Aug 5, 2022
Hi dear professionals, Can you share with the community 2-3 top pain points you've been experiencing during the Security Information and Event Management (SIEM) solution purchase? How have you been able to overcome them, if at all? Thanks for sharing your knowledge with other peers.
See 2 answers
JK
CEO at a tech consulting company with 1-10 employees
Jun 30, 2022
1. License models are not communicated transparently, which makes planning complicated. You have to talk to multiple people at multiple vendors in several meetings to fully understand the cost scaling factors. That is quite time-consuming. You can overcome this when you just dictate price limits - yes, you can actually do that.
2. Planning and conducting a PoC can be a challenge, depending on how the PoC process is set up by the vendor. You can overcome this if you ask for the PoC procedure plan right from the initial contact with the vendor and use it for internal planning.
Jairo Willian Pereira - PeerSpot reviewer
Information Security Manager at a financial services firm with 5,001-10,000 employees
Aug 5, 2022
Volume versus costs. Using an intermediate (free) tool to store and transform data and forward only the summarization (smart data) of what really matters.