Situational Awareness Is Key to Faster, Better Threat Detection

Threats start with risks. Understanding those risks is really just situational awareness, and that awareness leads to faster and better detection. Stitching risks and events together to find the patterns that show malicious intent or misuse is the whole point of User and Entity Behavior Analytics (UEBA).

With machine learning, the right data (and enough of it), and the right patterns, we can reduce mean time to detect and mean time to resolution (hint: integrate SOAR and workflow). It’s not rocket science, and it doesn’t take a thousand rules.

UEBA is just one step in the threat detection journey

Risk mitigation driven by situational awareness can go a long way toward preventing the unthinkable at a business. So, if you’re thinking about Cybersecurity Mesh Architecture (CSMA) now and tying vulnerabilities and configurations to events and actions, you’re thinking the way we are at Netenrich.

UEBA is just one step on the journey. It’s part of why we offer vulnerability management and patch management services and link the analytics to workflow and playbooks.

RISKS+IDENTITY+SIEM+UEBA+TIP+SOAR = Netenrich Resolution Intelligence Cloud

Resolution Intelligence Cloud is a platform that aggregates everything, converging collection, detection, and response at Google scale and speed.

What log sources should you apply UEBA to?

It depends on where you keep your business-critical data. For example, where is your intellectual property, customer data, employee data, or financial transactions data? That’s the key data.

You need to collect those logs to get visibility around how users are interacting with the business-critical data.

Finally, make sure you have enough context around the data that an analyst can make sense of the events. Threat intelligence, geolocation, and peer attributes are incredibly valuable to show alongside an event, and to compare one user's events with another's.

The tables below outline the key data sources and use cases to help you gain situational awareness and improve threat detection and response.

Key data sources

| Collected data about | From | For |
| --- | --- | --- |
| Identity | IAM, HR, Physical Access | Peers, Entitlements, Hire/Fire |
| Authentication | AD, SSO, VPN, Citrix | Source, App Requested |
| Application | File Share, Banking, CRM, DB | Records Accessed/Transactions |
| Email | End User Events | Data Exfiltration Channel |
| Proxy | End User Events | Data Exfiltration Channel |
| Firewall | | In/Out Bytes |
| Threat intel | TIP - OSINT - MISP | Enrichment & Context |
| Geo Location | MaxMind | Enrichment & Context |

Use cases — Triggers and log sources

| Trigger | Log Source |
| --- | --- |
| Activity by Terminated User | Authentication (VPN, AD, SSO, Citrix) |
| Rare Login - Unusual Country | Authentication (VPN, AD, SSO, Citrix) |
| Rare File or Folder Accessed | SharePoint, Box, Windows |
| Rare Transaction | Application Log |
| Spike in Events | Any |
| Spike in Total Bytes | Firewall, Proxy, Flow |
| Spike in Total Currency Transacted | Application Log |
| Unusual File or Folder Accessed | SharePoint, Box, OneDrive |
| Rare Login - Unusual Time | Authentication (VPN, AD, SSO, Citrix) |
| Physical Security - Unusual Door or Location | Badge Reader/Physical Access |
| Email to Competitor Domain | Email |
| Employee Risk - Resume/CV Sent | Email |
| Employee Risk - Browsing Job Sites | Proxy |
| Physical Security - Login without Badging In | Badge Reader, Auth |
| Impossible Travel | Authentication (VPN, AD, SSO, Citrix) + GEOIP [MaxMind] |
| Physical Security - Lexus/Nexus Finding | Lexus/Nexus |
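As an added illustration (not Netenrich's code), the detector below implements three of the triggers from the table, Activity by Terminated User, Rare Login - Unusual Country and Impossible Travel, by joining constructed GeoIP-enriched authentication events with an HR termination feed and a per-user country baseline; the 1000 km/h threshold and all sample values are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample inputs (not real data): an HR feed of terminated users,
# each user's historical login countries, and VPN/SSO authentication events
# already enriched with GeoIP country and coordinates.
TERMINATED = {"jdoe": datetime(2024, 3, 1)}              # user -> termination date
BASELINE_COUNTRIES = {"asmith": {"US"}, "jdoe": {"US"}}  # user -> countries seen before
AUTH_EVENTS = [  # (user, timestamp, country, latitude, longitude)
    ("asmith", datetime(2024, 3, 5, 9, 0), "US", 40.71, -74.01),    # New York
    ("asmith", datetime(2024, 3, 5, 11, 0), "DE", 52.52, 13.41),    # Berlin, 2 h later
    ("jdoe", datetime(2024, 3, 6, 8, 30), "US", 37.77, -122.42),    # after termination
]
MAX_SPEED_KMH = 1000  # assumed threshold: faster than any commercial flight


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def detect(events, terminated, baseline, max_speed_kmh=MAX_SPEED_KMH):
    """Return (trigger, user, timestamp) tuples for three UEBA triggers."""
    alerts = []
    last_seen = {}  # user -> (timestamp, lat, lon) of that user's previous login
    for user, ts, country, lat, lon in sorted(events, key=lambda e: e[1]):
        # Activity by Terminated User: HR identity feed joined with authentication.
        if user in terminated and ts > terminated[user]:
            alerts.append(("Activity by Terminated User", user, ts))
        # Rare Login - Unusual Country: GeoIP country not in the user's baseline.
        if country not in baseline.get(user, set()):
            alerts.append(("Rare Login - Unusual Country", user, ts))
        # Impossible Travel: distance/time between consecutive logins is implausible.
        if user in last_seen:
            prev_ts, prev_lat, prev_lon = last_seen[user]
            hours = (ts - prev_ts).total_seconds() / 3600
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            # Logins with identical timestamps would divide by zero: any distance counts there.
            if (hours == 0 and km > 0) or (hours > 0 and km / hours > max_speed_kmh):
                alerts.append(("Impossible Travel", user, ts))
        last_seen[user] = (ts, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in detect(AUTH_EVENTS, TERMINATED, BASELINE_COUNTRIES):
        print(*alert)
```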
