Log aggregators, UBA & SIEM; What are they and what are they good for?
Eliza-May Austin
CEO & Co-Founder of th4ts3cur1ty.company and the PocketSIEM MSSP service
Log aggregator
A log aggregator is a system, or set of systems, that collates (or aggregates) log data into a central management system. It is typically tasked with collecting, centralising and storing log data.
Benefits
Log storage is a must in many industries and there are some really affordable options for it. Many departments can use log aggregators for different metrics, e.g., a marketing team can identify visits to a web page, or an IT department can see asset performance metrics.
Downsides
Log aggregators are often sold as SIEM technologies (security incident and event management solutions), which they are not. A log aggregator is not inherently a cyber security tool, although it can be configured to generate data from logs that benefits cyber security understanding.
UBA, User behaviour analytics
UBA is cyber security tooling that specialises in detecting insider threats. It looks at user behaviour to identify patterns, using mathematics and AI to detect anomalies and alert on them.
Benefits
UBA consoles are known for their beautiful user interfaces; for security departments that need to impress a board with shiny tools, this one certainly looks the part. For a company with the budget, a large enough team and a particular problem with insider threats, UBA is definitely worth a look.
Downsides
It is noisy! Despite common vendor discourse, UBA is not ‘plug and play’ but rather ‘plug and refine full-time for an average of 1 to 2 years’. UBA spends that time learning about a given environment, during which analysts are expected to continuously refine the thousands of alerts it produces. Meanwhile, the technology learns what is normal for that environment so that it can identify what is abnormal. If, among those thousands of alerts, something abnormal or malicious is deemed normal, the nefarious activity is baked into the security tool as acceptable behaviour.
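To make the baselining risk above concrete, here is a toy UBA-style anomaly scorer (added example, not the author's or any vendor's code) that learns a per-user ‘normal’ from a training window and flags outliers. The user name, the daily upload volumes and the 3-sigma threshold are constructed assumptions; the point is that the same 900 MB event alerts against a clean baseline but not against one that absorbed that activity during learning.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (day, user, MB uploaded to external storage that day).
# "alice" is a made-up user whose genuine routine is roughly 50 MB/day.
NORMAL_DAYS = [48, 52, 50, 47, 53, 49, 51]
CLEAN_TRAINING = [(day, "alice", mb) for day, mb in enumerate(NORMAL_DAYS, start=1)]
# Same learning week, but a 900 MB exfiltration on day 5 was buried in the alert
# flood and never triaged out, so the tool treats it as part of "normal".
POISONED_TRAINING = [(day, "alice", 900 if day == 5 else mb)
                     for day, mb in enumerate(NORMAL_DAYS, start=1)]


def learn_baseline(events):
    """Per-user (mean, population stdev) of daily volume: the tool's idea of normal."""
    per_user = defaultdict(list)
    for _, user, mb in events:
        per_user[user].append(mb)
    return {user: (mean(v), pstdev(v)) for user, v in per_user.items()}


def zscore(baseline, user, mb):
    """How many standard deviations an observation sits above the learned mean."""
    mu, sigma = baseline[user]
    sigma = max(sigma, 1.0)  # floor so a perfectly flat baseline cannot divide by zero
    return (mb - mu) / sigma


def would_alert(training, user, mb, threshold=3.0):
    """True if an event of `mb` for `user` exceeds the anomaly threshold."""
    return zscore(learn_baseline(training), user, mb) > threshold


if __name__ == "__main__":
    # Day 8: alice uploads 900 MB again. Only the clean baseline catches it.
    for label, training in (("clean", CLEAN_TRAINING), ("poisoned", POISONED_TRAINING)):
        mu, sigma = learn_baseline(training)["alice"]
        z = zscore(learn_baseline(training), "alice", 900)
        print(f"{label:8s} mean={mu:.1f} sd={sigma:.1f} z(900 MB)={z:.1f} "
              f"alert={'yes' if z > 3.0 else 'no'}")
```

The poisoned baseline's mean jumps to 171 MB and its standard deviation to roughly 298 MB, so a repeat 900 MB upload scores under 2.5 sigma and is silently accepted; this is the analyst-triage gap the paragraph describes.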
SIEM, security incident and event management
A SIEM's core value is as a security tool. Like a log aggregator, a SIEM collates logs into a centralised pool, but it also checks them against thousands of known security threats to alert on malicious activity. Unlike a log aggregator, a SIEM also does this for endpoint activity, SaaS and IaaS output, and cloud and on-prem networks.
Benefits
Deep visibility and monitoring of varied infrastructure. The core reason for a SIEM is to pull data from multiple disparate sources for central visibility and to alert through widespread monitoring. SIEMs are highly configurable, meaning most solutions can offer a degree of bespoke business alignment. SIEMs offer the benefits of log aggregation, system monitoring, network monitoring and software monitoring, but with the sole purpose of real-time cyber defence.
Downsides
Because of the well-understood benefits of SIEM, and the licensing structures involved, they can be pretty pricey. Look at companies like PocketSIEM for affordable options, or if you have the time and inclination, explore DIY open-source alternatives.
Best of luck!