User and Entity Behavior Analytics Anomaly Detection At Scale

ISG helps a multinational insurance company achieve anomaly-based risk detection using user and entity behavior analytics (UEBA) technology.



The Cyber Defense Center (CDC) of a large insurance company was interested in a user and entity behavior analytics (UEBA) solution. Its goal was to build a new capability to detect insider threats. It also wanted to be able to perform anomaly detection at scale.

The insurance company brought in ISG to lead a proof of concept and enable management of a central UEBA strategy decision. Ultimately, this resulted in the company deciding that their upcoming security information and event management (SIEM) request for proposals process should include UEBA in the same contract.

Imagining IT Differently

Imagining IT Differently

First, ISG helped to align stakeholders on how to measure return on investment (ROI) in this space. One of the main indicators of ROI within the cybersecurity domain is the measured risk that any particular investment (tool or technology) mitigates.

Compared to most security tools that only create value after finetuning has been done, a UEBA solution utilizing machine learning is always continuously learning the behavior of users and assets within its environment. This means that the better the baseline of the solution is, the fewer false positive alerts it has.


Future Made Possible

In order to provide the company with a structure for making the management decision regarding a central UEBA strategy, ISG led the following activities:

  • We defined, aligned and documented the company’s requirements for a UEBA solution based on key CDC stakeholder input.
  • Then, ISG presented on and aligned the CDC requirements to ISO standards, the data protection officer (DPO) and the workers’ council department to define and document potential limitations.
  • We conducted a proof of value with a vendor. Finally, we helped the company evaluate results to enable the management decision on a central UEBA strategy.