Why SIEM is Not Enough for User Behavior Analytics

20 Jan Why SIEM is Not Enough for User Behavior Analytics

LinkedInTwitterFacebookGoogle+Share

Many who are new to user behavior analytics (UBA) struggle initially to understand the difference between their SIEM (security information and event management) system and UBA. The question often arises “If I have SIEM, do I really need UBA?”

The answer is a resounding yes, you need both, and here’s why. SIEM tools can collect massive amounts of data from the event logs generated by your company’s devices, platforms, and network equipment. That data is necessary to analyze what’s happening with the firewalls, routers, switches, bridges, applications, computers, and other devices within your network. This information is also necessary for UBA systems to perform user behavior analytics. But remember that an SIEM system’s main focus is on getting the event data from all the various equipment within your enterprise, and making it digestible for other tools to do the analysis work. It’s true that most SIEM tools do contain some analytics capability, but these capabilities are generally high level–that is, focused on equipment and system events rather than users.

UBA tools, on the other hand, focus exclusively on users and their behaviors. They digest the enormous data sets collected by SIEM products, and perform the specific user analytics that SIEM systems are not designed to perform. By focusing less on system events, and more on specific user activities, UBA can learn user patterns and then zero in on malicious or rogue employees and external hackers when their behaviors differ from legitimate users.

While it’s possible for administrators to create complex rules and thresholds to detect some user behaviors within SIEM tools, this approach is neither effective nor sustainable. That’s because both the environment and legitimate user behaviors are constantly changing, which will cause a very high number of false positives to be generated—further straining an already overburdened security staff.

Fortscale is specifically optimized for analyzing user behavior, and unlike SIEM solutions or other machine analytics platforms, Fortscale doesn’t use rules and thresholds to define behavior. Fortscale learns users’ normal behavioral patterns, and constantly compares those patterns to behaviors obtained from a variety of sources. The result is a powerful UBA system that helps your security staff instead of burdening them, and provides enhanced security with a quick ROI.

Contact us to learn more.