User Entity and Behavior Analytics (UEBA) is a way to identify attacks and high risk behaviors by correlating different data sources and observing behavioral patterns. This allows attacks to be observed that are only apparent with context from multiple sources, rather than just a single event in isolation.
Our goal is to provide UEBA capabilities for your applications as well as GitLab itself. We will help proactively identify malicious traffic, potentially compromised user accounts or infrastructure components, anomalous use of the GitLab platform, and various high-risk behaviors so that actionable remediation steps are possible.
Because UEBA solutions are often broad and require complex data setups, we will instead take a "build up, then out" approach. This way, we can provide immediate value in small increments. We will add new anomaly detection capabilities as distinct features. These can be configured and improved incrementally, independent of other detection capabilities. Over time, these features will converge, joining underlying analytics and detection capabilities to provide more horizontal insights and detection capabilities.
Our UEBA goals align with the goals of our Defend Guiding Principles in that we strive to offer these capabilities "batteries included" with minimal to no configuration for initial usage. We will default to presenting actionable insights but will leave the decision to block up to you unless specifically configured otherewise.
Another UEBA goal is that GitLab will feed back our results to other stages, so any necessary actions can be taken there, in addition to defending the app itself. An example could include creating an issue about access controls for a specific region of the app that is being exploited by malicious users.
In the spirit of MVC, we will look to productize existing capabilities developed by our own security team. This will include a signal-based system that detects behaviors from pre-defined rules. It may also include a machine learning (ML) model that can identify runner abuse, specifically when used for cryptomining. This will help lay the foundation for future behavioral models by starting to define how they are configured by end users as well as the underlying deployment and upgrade model. We will also investigate making our signal-based early alerting system available as an early UEBA capability. In addition to providing valuable new capabilities for our users, it will also allow us to dogfood on our security tools within GitLab itself.
We will also start investigating open source UEBA platforms to see if there is a suitable option to form the backbone of our horizontally-focused security data analytics and visibility capabilities. This will be a key piece in allowing our UEBA abilities to extend beyond GitLab and into user applications and infrastructure.
Many of today's UEBA products are focused on the desktop environment, using deployed agents to gather data and monitor behavior. Most solutions are run as a physical appliance or in an on-premises data center. Virtual machines for cloud deployment are in the minority; cloud-native UEBA is even less common.
Additionally, there continues to be a convergence of UEBA features with adjacent products such as SIEMs or acquisition of standalone vendors by larger security companies. According to Gartner, "by 2022, 95% of all UEBA deployments will be 'as a feature' of broader security platforms." This indicates we are potentially already past the inflection point of standalone UEBA systems being a viable future option—especially given the minority of cloud-native offerings today.
eSecurity Planet has a UEBA buying guide which has a list of competitive offerings.
There is no feature available for this category.
The category is very new, so we still need to engage customers and get feedback about their interests and priorities in this area.