Skip to the main content.
Partner Programs
Technology Partners
Featured Report

netenrich-gartner-emerging-tech-security-report

  • Netenrich /
  • Blog /
  • Situational Awareness Is Key to Faster, Better Threat Detection

2 min read

Situational Awareness Is Key to Faster, Better Threat Detection

Threats start with risks. Understanding risks is really just situational awareness. And that awareness leads to faster and better detection. The convergence of situational awareness, stitching risks and events together to find patterns that show malicious intent or misuse, is the point of User and Entity BEHAVIORAL ANALYTICS.

With machine learning, the right data (and enough data), and the right patterns, we can reduce mean time to detect and mean time to resolution (hint, integrate SOAR and workflow). It’s not rocket science and it doesn’t take a thousand rules.

 

UEBA is just one step in the threat detection  journey

Risk mitigation driven by situational awareness can go a long way toward preventing the unthinkable at a business. So, if you’re thinking about Cybersecurity Mesh Architecture (CSMA) now and tying vulnerabilities and configurations to events and actions, you’re thinking the way we are at Netenrich.

UEBA is just one step on the journey. It’s part of why we offer vulnerability management and patch management services and link the analytics to workflow and playbooks.

RISKS+IDENTITY+SIEM+UEBA+TIP+SOAR = Netenrich Resolution Intelligence Cloud

Resolution Intelligence Cloud is a platform that aggregates everything, converging collection, detection, and response at Google scale and speed.

 

What log sources should you apply UEBA to?

It depends on where you keep your business-critical data. For example, where is your intellectual property, customer data, employee data, or financial transactions data? That’s the key data.

You need to collect those logs to get visibility around how users are interacting with the business-critical data.

Finally, make sure you have enough context around the data so that an analyst can make sense of the events. Threat intelligence, geo location, and peer attributes are incredibly valuable to show with an event, and to compare events from one user to another.

The tables below outline the key data sources and use cases to help you gain situational awareness and improve threat detection and response.

 

Key data sources

Collected data about From For
Identity IAM, HR, Physical Access Peers, Entitlements, Hire/Fire
Authentication AD, SSO, VPN, Citrix Source, App Requested
Application File Share, Banking, CRM, DB Records Accessed/Transactions
Email End User Events Data Exfiltration Channel
Proxy End User Events Data Exfiltration Channel
Firewall In/Out Bytes
Threat intel TIP - OSINT - MISP Enrichment & Context
Geo Location MaxMind Enrichment & Context

 

 

Use cases — Triggers and log sources

Trigger Log Source
Activity by Terminated User Authentication (VPN, AD, SSO, Citrix)
Rare Login - Unusual Country Authentication (VPN, AD, SSO, Citrix)
Rare File or Folder Accessed SharePoint, Box, Windows
Rare Transaction Application Log
Spike in Events Any
Spike in Total Bytes Firewall, Proxy, Flow
Spike in Total Currency Transacted Application Log
Unusual File or Folder Accessed SharePoint, Box, OneDrive
Rare Login - Unusual Time Authentication (VPN, AD, SSO, Citrix)
Physical Security - Unusual Door or Location Badge Reader/Physical Access
Email to Competitor Domain Email
Employee Risk - Resume/CV Sent Email
Employee Risk - Browsing Job Sites Proxy
Physical Security - Login without Badging In Badge Reader, Auth
Impossible Travel Authentication (VPN, AD, SSO, Citrix)+GEOIP [MaxMind]
Physical Security - Lexus/Nexus Finding Lexus/Nexus

 

Netenrich Earns Google Cloud SecOps Service Delivery Expertise Certification

Netenrich Earns Google Cloud SecOps Service Delivery Expertise Certification

As the first, exclusive pure-play Google Chronicle SecOps partner, Netenrich is 100% committed to the Chronicle SecOps and Mandiant technology stacks...

Read More
Identity Behind Hunters International Ransomware Group’s Dedicated Leak Site Exposed

Identity Behind Hunters International Ransomware Group’s Dedicated Leak Site Exposed

This article focuses on my research to uncoverthe identity of Hunters International ransomware group’s (Surface Web) Dedicated Leak Site (DLS). It...

Read More
Unveiling Alpha Ransomware: A Deep Dive into Its Operations

Unveiling Alpha Ransomware: A Deep Dive into Its Operations

Alpha ransomware, a distinct group not to be confused with ALPHV ransomware, has recently emerged with the launch of its Dedicated/Data Leak Site...

Read More