Ethical Hacking Tutorials

An Overview of UBA, SIEM and SOAR Solutions: What Are the Differences?

In pursuit of safeguarding proprietary data, companies are increasingly integrating information security systems into their IT departments. The motivation boils down to the crucial role of information in business processes nowadays. Since the range of available information security systems is continuously expanding, companies need to have an idea of the types of these systems and, most importantly, know how to distinguish them from each other.


Information security implies protection of the entire information environment. It’s not only the data proper that needs to be safeguarded, but the defenses should also span data media and the whole infrastructure. Therefore, InfoSec solutions are supposed to secure the technical, administrative and legal aspects while also monitoring user behavior to prevent data leaks and disclosure of trade secrets.

In order to make sure an information security solution fully meets an organization’s requirements, data protection mechanisms are typically broken down into normative (informal) and technical (formal) ones.

The informal techniques include administrative as well as moral and ethical norms, such as the code of conduct, standards for workplace behavior, corporate culture, etc. The formal ones cover software and various technical components (hardware and other equipment).

Software-based protection mechanisms can be implemented via standalone applications or complex systems. The latter include UBA, SIEM and SOAR solutions. These are the most common InfoSec approaches. They are being integrated into businesses on a large scale at this point, although SOAR emerged quite recently. Let’s try to figure out why these three types are the most popular across the board.


Insights into UBA, or catching a wrongdoer red-handed

UBA (user behavior analytics) is the most common cybersecurity instrument of this kind. This system leverages machine learning and data processing technologies to detect anomalous user activity.

Here’s how UBA works:

  1. It collects information on the typical user behavior patterns in a specific environment. For example, it can determine the list of applications and websites that the employee routinely uses in the workplace.
  2. It generates a model of typical behavior.
  3. It identifies activity that deviates from the norm, instantly logging it and flagging the instance as a potential threat.


In order to build a typical behavior model, UBA employs its underlying data science principles. In a data compromise scenario, the intruder’s activity will differ dramatically from the account owner’s behavior.

Let’s exemplify this workflow. Suppose we need to build a model of how an employee named Abdullah uses VPN servers. We can begin with recording connection attributes, including session start and end times, destination country, IP addresses, etc., every time he goes online. Then, for each of these attributes, we can generate a model and analyze it, thus determining what’s the norm and what’s the anomaly. In this example, we will build a model based on the countries hosting the VPN servers Abdullah connects to.

Every time Abdullah goes online, we will log the destination country. Next, we will aggregate the details harvested during a certain timeframe and sort the countries in our list by frequency of connections.

Once the threshold of normal behavior has been defined, UBA can easily spot anomalous activity. The solution will raise red flags on any VPN connections to countries that are beyond the range of normal connection frequencies.

UBA is also capable of identifying privileged account abuse and suspicious connection times. Most of an organization’s employees have clear-cut work schedules, coming and leaving at about the same time. When a staff member is up to an inside job, planning to copy proprietary data from their computer and hand it over to a third party, he or she may stay late at work so that colleagues don’t notice the shenanigans. Behavior analytics systems can detect such activity.
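The VPN destination-country model from the walkthrough above, combined with the working-hours check from the paragraph just before this, as an added Python example (not code from the original post). The session log, the user, the country codes, the 5% share threshold and the hour-window rule are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed baseline of one user's VPN sessions (start time, destination country),
# standing in for the attributes the article says UBA records per connection.
BASELINE_SESSIONS = [
    ("2019-02-04T08:52:00", "DE"), ("2019-02-04T13:10:00", "DE"),
    ("2019-02-05T09:05:00", "DE"), ("2019-02-05T14:40:00", "NL"),
    ("2019-02-06T08:58:00", "DE"), ("2019-02-06T12:30:00", "DE"),
    ("2019-02-07T09:12:00", "NL"), ("2019-02-07T16:45:00", "DE"),
    ("2019-02-08T08:49:00", "DE"), ("2019-02-08T17:20:00", "NL"),
]


def country_profile(sessions):
    """Share of connections per destination country, most frequent first."""
    counts = Counter(country for _, country in sessions)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.most_common()}


def working_window(sessions):
    """Earliest and latest start hour in the baseline: the user's usual working hours."""
    hours = [datetime.fromisoformat(ts).hour for ts, _ in sessions]
    return min(hours), max(hours)


def score_session(countries, window, ts, country, min_share=0.05):
    """Return the reasons a new session deviates from the baseline (empty = normal).

    A destination country is anomalous when its share of past connections is
    below min_share (the assumed threshold of normal behavior); a start hour
    is anomalous when it falls outside the observed working window.
    """
    reasons = []
    if countries.get(country, 0.0) < min_share:
        reasons.append(f"unusual destination country {country}")
    hour = datetime.fromisoformat(ts).hour
    if not window[0] <= hour <= window[1]:
        reasons.append(f"unusual connection hour {hour:02d}:00")
    return reasons


if __name__ == "__main__":
    profile = country_profile(BASELINE_SESSIONS)
    window = working_window(BASELINE_SESSIONS)
    for ts, c in [("2019-02-11T09:01:00", "DE"), ("2019-02-11T23:40:00", "RU")]:
        print(ts, c, score_session(profile, window, ts, c) or "normal")
```

With only ten baseline sessions the profile is coarse; in practice the observation window must be long enough that legitimate but infrequent destinations do not fall under the threshold.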


The principles of UEBA systems

UEBA (user and entity behavior analytics) is an extended version of UBA that allows for monitoring not only specific individuals but also machines within the network, that is, the entire IT perimeter. UEBA systems collect information on hosts, applications, network traffic, and data storage frameworks. This way, they can analyze the interaction between operators and hardware to ensure complete transparency of work processes and identify a broader spectrum of threats related to the users as well as the entities of the IT infrastructure.


SIEM: let everybody in and nobody out

Essentially, SIEM (security information and event management) is a system for collecting and correlating events related to information security. The original idea underlying its emergence was to harvest and log these events and then juxtapose them to identify potential threats. Such a solution additionally enables organizations to verify their compliance with the common InfoSec standards, such as GDPR, PCI-DSS, and others and also facilitates reporting.


SIEM components

By looking at the name of this system, we can see that it’s a combo of two technologies, namely SIM (security information management) and SEM (security event management). SIM is tasked with aggregating all the information in a single place and allows for managing it efficiently. SIM accommodates centralized logging management features, including log searching and reporting required for audits.

SEM, in its turn, is intended to detect and manage threats. The modus operandi of SEM is real-time threat analysis combined with correlation rules for incident detection. It also comes with incident management features that allow for ticketing (server administration) and deliver security functions.


Automation and monitoring with SOAR

Tools for data collection and analysis are already here. What’s next? Security management isn’t restricted to the threat detection stage alone. Analysts and incident response teams still need to act on the incidents they discover. The evolution of SIEM through adding automation of different cases to the mix has given rise to a new category of systems that has, in fact, outstripped the prototype. It was dubbed SOAR. However, depending on the focus of such a system, the acronym is expanded in two different ways:

  • Security operations, analytics, and reporting (SOAR);
  • Security orchestration, automation, and response (SOAR).


SOAR is a specially crafted solution for aggregating threat data coming from different sources and then analyzing this data. The fundamental features of SOAR include:

  • Integration of technologies/tools required for decision-making based on security system condition reports and estimates of a possible risk level;
  • Automation of processes;
  • Incident management involving an end-to-end approach (assigning priorities, logging all incident response actions, decision-making in compliance with the company’s policies);
  • Visualization of data that has to do with the key metrics, employee reports, and documentation.


A huge benefit of using SOAR is that it allows for complete automation of information security management processes, from assigning priorities all the way to incident response. As opposed to the log analysis provided by SIEM, SOAR solutions have absorbed a whole range of different technologies that sustain the activity of service centers and monitoring services. SOAR can integrate data on threats to the security system that’s streaming in from different sources. This is achieved by means of three main modules:

  1. The Security Incident Response module facilitates the process of identifying incidents. It also imports information from solutions being applied and customizes processes.
  2. In order to prioritize vulnerabilities, SOAR systems engage the Vulnerability Response module. It helps determine the degree of business-critical systems’ susceptibility to threats.
  3. The Threat Intelligence module is intended to spot the signs of a possible compromise and track down threats at deeper levels. Its main benefit is that it supports different standards applicable for exchanging threat data. Furthermore, this module allows for adding custom sources and exchanging information with external systems.



When choosing an information security solution, a company’s executives should understand which specific processes it’s supposed to control. SIEM, UBA, SOAR or any other system won’t solve InfoSec problems automatically. Instead, it will help automate the routine procedures that are otherwise performed by an operator. As a rule, major companies have their own internal data protection systems. If that’s the case, it’s worth analyzing the instruments already in place in order to avoid redundancy and system overload. Behavioral analysis and orchestration can be extremely helpful as long as there are recurrent routine tasks that can be safely automated.

Open source solutions should do the trick for small businesses. When laziness starts pushing progress forward and various add-ons appear on top of the open source system, someday you will wake up and realize that the crudely coded robot has evolved into an orchestrator or UBA.

Updated: February 16, 2019 — 2:30 am

Ethical Hacking Tutorials © 2018