Re: Reviews on UBA
As a partner company (Accumuli Security) we attended the HP internal UBA training course last week. This was run by the US enablement team and it showcased what is an extremely powerful tool.
We saw demos, installed the tool and ran through a number of use cases.
I believe as an existing ID View customer you are entitled to UBA Basic, which provides the user management and basic Boolean logic rule-based analysis that comes with ID View now - so it's worth exploring.
UBA will take event data "Activities" from your existing SIEM tool and run rules over the top of the data, so it is comparable to the ESM ID View offering.
Positives from my limited exposure so far are that UBA allows linking of multiple data sources through assigning a "unique key" across the data, so you can have multiple domains, or CSV imports, etc., and at the time of bringing them in you can assign the uniqueID to merge the data into one source. This is a lot nicer than the existing ID View connectors' capability.
Negatives are obviously that the UBA interface is initially quite complex and requires learning a new product to use effectively. However, you can integrate (right-click) with ESM to allow evaluation of events against users in UBA and then have pre-setup rules to run (scheduled) over the event data you're forwarding, and any rules/alerts that trigger can be sent back to ESM for evaluation - thus minimizing a user's exposure to the UBA interface as required.
I think UBA is a very interesting new direction for HP ArcSight and certainly goes some way to providing a "differentiating product" from that which Splunk has!
Hope that's interesting as it was only an introductory course - more to follow as we gain more exposure and hopefully deliver some POCs.