19 Top UEBA Vendors

Monday Aug 7th 2017 by Cynthia Harvey

User and entity behavior analytics uses machine learning to protect against insider threats and external attacks. We review the top UEBA products.

Organizations that want to add advanced analytics or machine learning capabilities to their IT security arsenal have a relatively new option: user and entity behavior analytics (UEBA).

Although UEBA solutions have only been around for a few years, they are quickly becoming popular among large enterprises. According to Gartner, sales of standalone UEBA solutions are doubling each year and could top $200 million this year. In addition, many vendors are incorporating UEBA capabilities into other security tools, such as security information and event management (SIEM), network traffic analysis, identity and access management (IAM), endpoint security, data loss prevention or employee monitoring tools. Gartner analyst Avivah Litan predicts that within five years, the standalone UEBA products that survive will evolve into next-generation SIEM solutions, while other UEBA offerings will find their way into other security technologies.

How UEBA solutions work

UEBA solutions identify patterns in typical user behavior and then pinpoint anomalous activities that do not match those patterns and could correspond with security incidents.

For example, imagine that a company has a developer named Bob on staff. Every morning, Bob logs in to the network around 8 a.m., sometimes from home and sometimes from the office. He first checks his email and the company collaboration platform. Then he spends most of his time each day writing code in his IDE, working within the company's cloud-based dev and test environments, and visiting development-related websites. He has access to many different corporate databases that are integral to the applications he is creating. He frequently works through lunch, but he always takes a one-hour lunch break at noon on Thursdays. And he usually logs off for the day around 6 or 7 p.m.

Then one day after Bob logs out at noon on a Thursday, he logs back in from home. And instead of checking his email or opening up his IDE, he goes straight to the database full of customer information and begins looking up specific names. He doesn't appear to copy or transfer any information digitally, but he does look up about twenty-five individuals, all of whom happen to be executives at Fortune 500 companies.

This type of activity is obviously a little suspicious. Maybe Bob just skipped his usual lunch date and is feeling a little nosy and needs some disciplinary action. Or maybe his password has been compromised and hackers are looking for data they can use to mount a spear-phishing attack against the company's customers. Or maybe an advanced persistent threat has paid Bob a lot of money to get them some information from the company database.

This type of behavior might go undetected by other security solutions, but UEBA solutions could spot it and flag it in real time or near-real time, allowing security personnel to investigate and respond very quickly.
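As an added illustration (not code from the article or from any vendor listed here), the following Python sketch models the approach the Bob scenario describes: learn a baseline from historical sessions, then score a new session so that several individually weak anomalies correlate into one risk score and one incident. The history, the anomaly weights and the incident threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
WEIGHTS = {"new_source": 20, "new_resource": 40, "unusual_first_action": 15,
           "unusual_hour": 10, "lookup_burst": 25}
INCIDENT_THRESHOLD = 50  # assumed: scores at or above this become one incident

def constructed_history():
    """Ten constructed workdays (2017-07-17 to 2017-07-28) of Bob's routine:
    email first, then IDE and dev database, and no activity at noon on Thursdays."""
    sessions, day = [], datetime(2017, 7, 17)
    while len(sessions) < 10:
        if day.weekday() < 5:
            src = "home" if day.weekday() % 2 else "office"
            plan = [(8, "email", "read"), (9, "ide", "edit"), (11, "dev_db", "query"),
                    (12, "ide", "edit"), (14, "ide", "edit"), (17, "ide", "edit")]
            sessions.append((src, [((day + timedelta(hours=h)).strftime(FMT), r, a)
                                   for h, r, a in plan
                                   if not (day.weekday() == 3 and h == 12)]))
        day += timedelta(days=1)
    return sessions

def build_baseline(sessions):
    """Summarise normal behaviour: login sources, resources touched, the first
    resource opened, active (weekday, hour) slots and record lookups per session."""
    b = {"sources": set(), "resources": set(), "first": set(), "slots": set(),
         "max_lookups": 0}
    for src, events in sessions:
        b["sources"].add(src)
        b["first"].add(events[0][1])
        b["max_lookups"] = max(b["max_lookups"],
                               sum(1 for _, _, a in events if a == "lookup"))
        for ts, res, _ in events:
            t = datetime.strptime(ts, FMT)
            b["resources"].add(res)
            b["slots"].add((t.weekday(), t.hour))
    return b

def score_session(baseline, source, events):
    """Score one session against the baseline. Each anomaly is collected in
    `reasons`, so several weak signals correlate into a single risk score rather
    than separate alerts. Returns (risk, sorted reasons)."""
    reasons, lookups = set(), 0
    if source not in baseline["sources"]:
        reasons.add("new_source")            # 'home' is normal for Bob: not flagged
    if events[0][1] not in baseline["first"]:
        reasons.add("unusual_first_action")  # straight to a database, no email/IDE
    for ts, res, action in events:
        t = datetime.strptime(ts, FMT)
        if res not in baseline["resources"]:
            reasons.add("new_resource")      # a data store he has never touched
        if (t.weekday(), t.hour) not in baseline["slots"]:
            reasons.add("unusual_hour")      # e.g. Thursday noon, his lunch slot
        lookups += int(action == "lookup")
    if lookups > max(3, 2 * baseline["max_lookups"]):
        reasons.add("lookup_burst")          # many individual record lookups
    return sum(WEIGHTS[r] for r in reasons), sorted(reasons)

if __name__ == "__main__":
    base = build_baseline(constructed_history())
    # Constructed: Thursday 2017-08-03, back in from home at noon, 25 customer lookups.
    suspicious = [("2017-08-03 12:%02d" % (10 + i), "customer_db", "lookup") for i in range(25)]
    # Constructed: an ordinary Friday from the office.
    normal = [("2017-08-04 08:05", "email", "read"), ("2017-08-04 09:10", "ide", "edit"),
              ("2017-08-04 11:30", "dev_db", "query")]
    for name, src, ev in (("suspicious", "home", suspicious), ("normal", "office", normal)):
        risk, why = score_session(base, src, ev)
        print(name, risk, why, "INCIDENT" if risk >= INCIDENT_THRESHOLD else "ok")
```

Note that logging in from home is not penalised because it is already part of Bob's baseline; the score comes from the combination of the unfamiliar resource, the skipped email/IDE routine, the Thursday-noon slot and the burst of lookups.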

To describe this type of capability, the industry seems to be coalescing around the term "user and entity behavior analytics," which is Gartner's preferred name for the technology. However, some vendors continue to use the phrases "user behavior analytics" or simply "behavior analytics." Some vendors say the three terms mean slightly different things, while others use them interchangeably. This buying guide includes products that use all three descriptors.

Some experts believe UEBA products will slowly be absorbed into other types of products, such as SIEM, IAM or endpoint security solutions. Gartner's Avivah Litan has gone so far as to write, "By 2022 – there will be no more UEBA market." Certainly there have been many acquisitions in this space, and it will be interesting to see how many of the vendors in this buying guide continue to offer standalone UEBA products over the next five years.

Minimum features of UEBA products

What should a UEBA solution offer? This buying guide includes only standalone UEBA products. It is not comprehensive, but does include the majority of the best-known UEBA products currently on the market.

In order to be included in the buying guide, the UEBA solutions had to provide the following capabilities:

  • Monitor and analyze the behavior of users and other entities
  • Detect anomalous behavior that could indicate an insider attack or compromise of user credentials
  • Use advanced analytics to detect multiple kinds of threats
  • Offer the ability to correlate multiple anomalous activities that could be related to a single security incident
  • Provide real time or near-real time performance

Top UEBA solutions

Solutions are arranged in alphabetical order, along with features we were able to obtain from vendor information. At the bottom of this article is a chart breaking down some of the features of these products.

Balabit
Dtex
E8 Security
Exabeam
Forcepoint
Fortscale
Gurucul
Haystax Technology
HPE Niara
Interset
Microsoft
Palo Alto Networks
Preempt
RedOwl
Securonix
Splunk
Varonis
Veriato
ZoneFox

Balabit Blindspotter

Founded in 2000 in Budapest, Balabit is now headquartered in New York with offices in Budapest, Germany, Hungary, France, Luxembourg, Israel and the UK. It has received $8 million in funding from C5 Capital. It describes itself as a "leading provider of privileged access management (PAM) and log management solutions." It claims more than 1 million corporate users, including users at 25 of the Fortune 100 companies.

Additional features:

  • Automated response
  • Integration with Balabit Privileged Session Management, SIEMs, log management solutions, LDAP and/or Active Directory
  • Risk scoring
  • Screen content analysis
  • Behavioral biometrics that identify keystroke and mouse movements

Markets and use cases: Corporate security operations teams, especially those in finance and telecommunications

Delivery: On-premises software

Pricing: Quotes available on request

Dtex Enterprise

Launched in Australia in 2000, Dtex Systems now makes its home in San Jose. It has raised $15 million in funding from Norwest Venture Partners and Wing Venture Capital. Its UEBA platform is its primary product offering.

Additional features:

  • Visualizations
  • Dashboards
  • Forensic audit trail
  • Expert tuning
  • Alert review
  • Integration with third-party solutions available in Platinum edition

Markets and use cases: Corporate security operations teams

Delivery: On-premises software

Endpoints: Unlimited

Throughput/bandwidth limits: None; the Dtex collector sends around 1-2 MB per user to the server per day.

Pricing: The Dtex Signal product, which only provides visibility into user behavior, starts at $2 per user per month. The Enterprise and Platinum versions, which incorporate analytics, have quotes available on request.

E8 Security Fusion Platform

Named for a mathematical concept, E8 Security was founded in 2013 by a team with extensive experience in big data analytics, security and machine learning. Its Fusion UEBA platform is its only product, and it detects both internal and external threats. The company has raised $21.8 million in funding from Allegis Capital, March Capital Partners, Strategic Cyber Ventures and The Hive.

Additional features:

  • Integrates with other security solutions
  • One-click search and filter
  • Unsupervised machine learning
  • Hadoop-based
  • Agentless

Markets and use cases: Enterprise security operations teams

Delivery: On-premises software

Pricing: Quotes available on request

Exabeam Advanced Analytics

Now four years old, Exabeam offers a SIEM platform that integrates with its standalone products for log management, UEBA, incident response, querying and cloud integration. Headquartered in San Mateo, Calif., it has raised $65 million in funding, including a $30 million round that closed earlier this year. The company's lead investors include Lightspeed Venture Partners and Cisco Investments. According to the firm, Exabeam Advanced Analytics is "the world’s most deployed behavioral analytics platform."

Additional features:

  • Integrates with other Exabeam products and most SIEM products
  • Accepts data from hundreds of different sources
  • Patented session data model
  • Risk scoring
  • Ransomware detection and prevention
  • Session timelines
  • Alert prioritization

Markets and use cases: Any large organization. Exabeam has a special advisory board and programs for federal government agencies.

Delivery: Physical appliance or cloud-ready virtual machine

Endpoints: Unlimited

Throughput/bandwidth limits: None; scales horizontally

Pricing: Quotes available on request

Forcepoint Insider Threat

Forcepoint claims that its user behavior monitoring technology has been protecting governments and other organizations for more than 15 years. It was previously known as Websense, which was founded in 1994. It was renamed Forcepoint in 2016 after Raytheon bought the company for $1.9 billion and combined it with the Raytheon Cyber Products and Stonesoft organizations. Forcepoint currently claims more than twenty thousand customers.

Additional features:

  • Distributed architecture
  • Daily consolidated risk scores for individuals
  • Risk prioritization
  • Customizable policies
  • Visualizations
  • Video replay of users' screens
  • Timelines
  • Forensics
  • Agent-based

Markets and use cases: Corporate security operations teams

Delivery: On-premises software

Endpoints: Unlimited

Throughput/bandwidth limits: None

Pricing: Quotes available on request

Fortscale

Fortscale specializes in user behavior analytics, specifically analytics designed to counter insider threats. It offers two products: Fortscale UEBA for SOC, which is designed for companies to deploy in their security operations centers, and Fortscale Presidio, a UEBA engine that other security vendors can embed in their products. Founded in 2012 in Tel Aviv, Israel, it has raised $39 million in funding, including a $7 million round that closed in February 2017. Key investors include Blumberg Capital, CME Ventures, Evolution Equity Partners, Intel Capital and Valor Capital Group.

Additional features:

  • Integration with DLP and other security solutions
  • Multivariate risk scoring
  • Smart alerts
  • One-click investigation capabilities
  • Alert forwarding
  • Hadoop-based
  • Darknet analysis
  • Agentless

Markets and use cases: Security vendors, organizations of all sizes

Delivery: On-premises software (runs on Linux only) or embedded in other security solutions

Pricing: Quotes available on request

Gurucul Risk Analytics (GRA)

Gurucul offers three different types of security analytics: UEBA, identity analytics and cloud security analytics. All are based on its Predictive Identity Based Behavior Anomaly Engine (PIBAE). Details about the company's financials are difficult to come by, but it was founded in 2009 by security veterans who had worked for identity management vendor Vaau, which was acquired by Sun Microsystems and then by Oracle. Its headquarters are in Los Angeles.

Additional features:

  • Large library of machine learning algorithms
  • Fuzzy logic-based link analysis
  • Granular, self-tuning risk modeling
  • Signature-less
  • Modular architecture
  • Transaction scoring
  • Risk-ranked timelines
  • Hybrid behavior analytics that incorporates UEBA and identity analytics
  • Hadoop-based

Markets and use cases: Corporate security operations

Delivery: Appliance, virtual machine, cloud or bare metal

Pricing: Quotes available on request

Haystax Technology Constellation Analytics Platform

Headquartered in McLean, Va., Haystax counts employees at many federal government agencies and financial institutions among its 50 million users. According to its website, it also "helped secure the last seven Super Bowls." Founded in 2012, it has raised just $4 million in funding, but it has already made three acquisitions: Digital Sandbox in April 2013, FlexPoint Technology in May 2013, and NetCentrics Corporation in August 2014.

Additional features:

  • Integrated view of insider trustworthiness
  • Bayesian analysis
  • Low rate of false positives
  • Collaborative visualization
  • Threat alerting
  • Asset cataloging
  • Event monitoring
  • Incident reporting
  • Agentless

Markets and use cases: Federal government, financial industry, corporate IT security, public safety

Delivery: Software or cloud-based

Endpoints: Unlimited

Throughput/bandwidth limits: None

Pricing: Quotes available on request

HPE Niara

HPE announced its plans to acquire behavioral analytics startup Niara in February 2017. Terms of the deal were not disclosed. Founded in Sunnyvale, Calif., in 2013, Niara had received $29.4 million in funding before being purchased. HPE has said that it plans to incorporate Niara into its Aruba ClearPass network security portfolio. HPE acquired Aruba for $3 billion in 2015.

Additional features:

  • Interactive visualizations
  • Ingests data from nearly any source
  • Integrated forensics
  • Entity360 risk profiles
  • Risk scoring
  • Enables long-term historical investigations
  • Integration with SIEM and other security solutions
  • Agentless

Markets and use cases: Corporate security operations teams

Delivery: On-premises or cloud software or appliance; also available as an on-premises Hadoop application

Endpoints: Unlimited

Throughput/bandwidth limits: None

Pricing: Quotes available on request

Interset

Based in Ottawa, Canada, Interset was previously known as FileTrek and offered cloud-based software for sharing and tracking enterprise content. Over time, the company developed big data analytics and security capabilities, and in 2014, it launched its Behavioral Analytics Platform. Today, the company is solely focused on security analytics and UEBA. It received $10 million in investment funding as Interset and $10 million when it was still known as FileTrek.

Additional features:

  • Scalable to more than 250,000 users
  • Used by multiple U.S. intelligence agencies
  • Flexible, extensible analytics engine
  • More than 200 machine learning models
  • Integrates with most SIEM systems
  • Hadoop-based
  • Optional agent

Markets and use cases: Corporate security operations teams

Delivery: On-premises or cloud

Endpoints: Unlimited

Throughput/bandwidth limits: None (bandwidth usage is very light)

Pricing: Available on request

Microsoft Advanced Threat Analytics

In November 2014, Microsoft announced its acquisition of Aorato, a security intelligence startup based in Israel. Before its acquisition, Aorato had received $11 million in equity funding. In 2015, Microsoft added Advanced Threat Analytics to its Enterprise Mobility Suite and also made it available as a standalone product. Somewhat confusingly, Microsoft considers Advanced Threat Analytics part of its Cloud Platform, but the product is available only for on-premises deployment.

Additional features:

  • SIEM integration
  • Attack timelines
  • Mobility support
  • Organizational security graph
  • Email alerts
  • Deep packet inspection
  • Agentless

Markets and use cases: Small businesses

Delivery: On-premises software

Endpoints: Hundreds of thousands supported

Throughput/bandwidth limits: None

Pricing: Quotes available on request and negotiable under various licensing strategies. Estimated price for a standalone license is $80 per user, $61.50 per operating system per year.

Palo Alto Networks LightCyber Magna

Palo Alto Networks recently acquired LightCyber, and it's not clear how long the company plans to offer LightCyber's UEBA solution as a standalone product. Eventually, LightCyber may be incorporated within Palo Alto's next-generation firewall. For now, the company appears to still be offering its Magna Platform. Before its acquisition, LightCyber had received $36.5 million in funding. It was founded in 2011.

Additional features:

  • Network to Process (N2PA) technology
  • Malware detection
  • Magna Cloud Expert System sandbox examination system
  • Flexible deployment
  • Low volume of highly actionable alerts
  • Network traffic analysis
  • Integration with other security tools
  • Quarantine capabilities
  • Agentless

Markets and use cases: Corporate security operations teams

Delivery: Hardware or virtual appliance, on-premises or cloud

Pricing: Quotes available on request

Preempt

Although founded in 2014, Preempt only emerged from stealth in the summer of 2016. It refers to its UEBA product as a "behavioral firewall," and it also offers an authentication solution and a free password health inspector. The company has raised $10 million in funding.

Additional features:

  • Automated responses to alerts
  • User risk scoring
  • Multi-factor authentication capabilities
  • Event triage and prioritization
  • Incident response
  • Forensic analysis
  • Reduced alerts
  • Integration with other security solutions

Markets and use cases: Corporate security operations teams

Delivery: On-premises software

Pricing: Quotes available on request

RedOwl

RedOwl was founded in 2011 in Baltimore, Md., and has raised $21.6 million from investors. In addition to helping identify cyberattacks, RedOwl claims that its UEBA platform can also detect workplace violence and harassment, identify unwanted release of intellectual property, flag employees who are potential flight risks and help ensure compliance with financial industry regulations.

Additional features:

  • Ingests data from any source
  • Extensible data model
  • Communications analytics
  • Visualizations
  • Roles-based dashboards
  • Natural-language processing
  • Content classification
  • Risk scoring
  • Transforms data into narratives

Markets and use cases: Corporate security operations teams and surveillance teams, especially in the financial services industry

Delivery: On-premises software, appliance or virtual private cloud

Pricing: Quotes available on request

Securonix Bolt

Securonix's most recent product, its SNYPR Security Analytics Platform, incorporates SIEM, UEBA and fraud detection capabilities. However, the company also offers a standalone UEBA solution called Bolt. The company was founded in 2008, and has offices in Addison, Texas; San Francisco; Jersey City, N.J.; Los Angeles; Atlanta, Georgia; Vienna, Va.; the UK and India. Securonix says one-third of the Fortune 500 companies use its products.

Additional features:

  • More than 1,000 one-click deploy threat models
  • 350 connectors
  • Visualizations
  • Investigation and response capabilities
  • Fraud reporting
  • Trade surveillance
  • Patient data analytics
  • Threat Model Exchange library
  • Predictive and adaptive learning
  • Integrates with SNYPR Security Analytics Platform
  • Agentless

Markets and use cases: Corporate security operations teams, especially very large enterprises

Delivery: On-premises software or cloud-based

Pricing: Quotes available on request

Splunk User Behavior Analytics

Although best known for its log monitoring and analytics solution, Splunk also offers a Hadoop-based UBA solution. Founded in 2003 to support the open source Splunk software, the company now claims more than 13,000 customers, including 85 of the Fortune 100. It is publicly traded under the NASDAQ symbol SPLK, and in 2016 it reported $950 million in revenue. Splunk employs more than 2,700 people and has its headquarters in San Francisco.

Additional features:

  • Security dashboard
  • Hadoop-based
  • Multi-dimensional behavior baseline
  • Integration with Splunk Enterprise and Splunk Enterprise Security
  • Anomaly exploration
  • Agentless

Markets and use cases: Corporate security operations teams

Delivery: On-premises software or as an AWS service

Endpoints: 500,000 on a single node (additional scaling possible with additional nodes)

Throughput/bandwidth limits: None

Pricing: Quotes available on request

Varonis DatAlert

Founded in 2005, Varonis offers a variety of data management, governance and security products, including its UBA offering called DatAlert. Its focus is primarily on securing companies against insider threats. In its startup days, Varonis raised $28.79 million from equity firms before going public in 2014. Its stock is now traded on the NASDAQ market under the symbol VRNS. In 2016, it reported $164.5 million in revenue. The company headquarters is in New York.

Additional features:

  • Predictive threat models
  • Security time machine
  • Integration with other security solutions
  • Web-based dashboards
  • Alert scoring and prioritization
  • Custom alert criteria
  • Agents for some platforms, agentless for others

Markets and use cases: Corporate security operations teams

Delivery: On-premises software

Endpoints: Not applicable; UEBA occurs on servers rather than endpoints

Throughput/bandwidth limits: None

Pricing: Quotes available on request

Veriato Recon

Headquartered in Palm Beach Gardens, Fla., Veriato specializes in employee monitoring solutions, including Recon, its UEBA product. Founded in 1998, the company was formerly known as Spectorsoft. It boasts more than 50,000 customers in more than 100 countries.

Additional features:

  • Simple tuning
  • Behavioral groups
  • Alerting
  • Integration with SIEM and other security solutions
  • Psycholinguistic analysis
  • Screen snapshots
  • Keystroke recording
  • Agent-based

Markets and use cases: Corporate security operations teams and HR departments

Delivery: On-premises software

Endpoints: 200,000 with a single instance

Throughput/bandwidth limits: None

Pricing: Quotes available on request

ZoneFox

Founded in 2012, ZoneFox is a very small startup located in Edinburgh, Scotland. It secured £650,000 in funding in 2015, and it is part of the UK's CodeBase technology incubator. Late in 2016, the company announced plans to triple its headcount, hoping to employ 30 people by the end of 2017.

Additional features:

  • Detailed forensics
  • Visualizations
  • Dashboards
  • Federated security
  • Network monitoring
  • Augmented intelligence
  • Agent-based

Markets and use cases: Corporate security operations teams, especially banks, manufacturers and game developers

Delivery: On-premises software or cloud-based

Pricing: Quotes available on request

UEBA product comparison

Below is a chart comparing the 19 UEBA vendor solutions:

Top UEBA vendors
