Threats start with risks. Understanding risks is really just situational awareness. And that awareness leads to faster and better detection. The convergence of situational awareness, stitching risks and events together to find patterns that show malicious intent or misuse, is the point of User and Entity BEHAVIORAL ANALYTICS.
With machine learning, the right data (and enough data), and the right patterns, we can reduce mean time to detect and mean time to resolution (hint, integrate SOAR and workflow). It’s not rocket science and it doesn’t take a thousand rules.
UEBA is just one step in the threat detection journey
Risk mitigation driven by situational awareness can go a long way toward preventing the unthinkable at a business. So, if you’re thinking about Cybersecurity Mesh Architecture (CSMA) now and tying vulnerabilities and configurations to events and actions, you’re thinking the way we are at Netenrich.
UEBA is just one step on the journey. It’s part of why we offer vulnerability management and patch management services and link the analytics to workflow and playbooks.
RISKS+IDENTITY+SIEM+UEBA+TIP+SOAR = Netenrich Resolution Intelligence Cloud
Resolution Intelligence Cloud is a platform that aggregates everything, converging collection, detection, and response at Google scale and speed.
What log sources should you apply UEBA to?
It depends on where you keep your business-critical data. For example, where is your intellectual property, customer data, employee data, or financial transactions data? That’s the key data.
You need to collect those logs to get visibility around how users are interacting with the business-critical data.
Finally, make sure you have enough context around the data so that an analyst can make sense of the events. Threat intelligence, geo location, and peer attributes are incredibly valuable to show with an event, and to compare events from one user to another.
The tables below outline the key data sources and use cases to help you gain situational awareness and improve threat detection and response.
Key data sources
| Collected data about |
From |
For |
| Identity |
IAM, HR, Physical Access |
Peers, Entitlements, Hire/Fire |
| Authentication |
AD, SSO, VPN, Citrix |
Source, App Requested |
| Application |
File Share, Banking, CRM, DB |
Records Accessed/Transactions |
| Email |
End User Events |
Data Exfiltration Channel |
| Proxy |
End User Events |
Data Exfiltration Channel |
| Firewall |
In/Out |
Bytes |
| Threat intel |
TIP - OSINT - MISP |
Enrichment & Context |
| Geo Location |
MaxMind |
Enrichment & Context |
Use cases — Triggers and log sources
| Trigger |
Log Source |
| Activity by Terminated User |
Authentication (VPN, AD, SSO, Citrix) |
| Rare Login - Unusual Country |
Authentication (VPN, AD, SSO, Citrix) |
| Rare File or Folder Accessed |
SharePoint, Box, Windows |
| Rare Transaction |
Application Log |
| Spike in Events |
Any |
| Spike in Total Bytes |
Firewall, Proxy, Flow |
| Spike in Total Currency Transacted |
Application Log |
| Unusual File or Folder Accessed |
SharePoint, Box, OneDrive |
| Rare Login - Unusual Time |
Authentication (VPN, AD, SSO, Citrix) |
| Physical Security - Unusual Door or Location |
Badge Reader/Physical Access |
| Email to Competitor Domain |
Email |
| Employee Risk - Resume/CV Sent |
Email |
| Employee Risk - Browsing Job Sites |
Proxy |
| Physical Security - Login without Badging In |
Badge Reader, Auth |
| Impossible Travel |
Authentication (VPN, AD, SSO, Citrix)+GEOIP [MaxMind] |
| Physical Security - Lexus/Nexus Finding |
Lexus/Nexus |
Rakesh Krishnan: Wed, Apr 03, 2024 @ 09:32 AM
Netenrich: Tue, Feb 06, 2024 @ 12:25 AM
David Swift