
Situational Awareness Is Key to Faster, Better Threat Detection

Threats start with risks, and understanding those risks is really just situational awareness. That awareness leads to faster and better detection. Stitching risks and events together to find the patterns that show malicious intent or misuse is the whole point of User and Entity Behavior Analytics (UEBA).

With machine learning, the right data (and enough of it), and the right patterns, you can reduce mean time to detect (MTTD) and mean time to resolve (MTTR); integrating SOAR and workflow is what turns a detection into a resolution. It is not rocket science, and it does not take a thousand rules.


UEBA is just one step in the threat detection journey

Risk mitigation driven by situational awareness can go a long way toward preventing the unthinkable at a business. So, if you are thinking about Cybersecurity Mesh Architecture (CSMA) and tying vulnerabilities and configurations to events and actions, you are thinking the way we are at Netenrich.

UEBA is just one step on the journey. It’s part of why we offer vulnerability management and patch management services and link the analytics to workflow and playbooks.

RISKS+IDENTITY+SIEM+UEBA+TIP+SOAR = Netenrich Resolution Intelligence Cloud

Resolution Intelligence Cloud is a platform that aggregates everything, converging collection, detection, and response at Google scale and speed.


What log sources should you apply UEBA to?

It depends on where you keep your business-critical data. For example, where is your intellectual property, customer data, employee data, or financial transaction data? That is the key data.

You need to collect the logs from those systems to get visibility into how users are interacting with the business-critical data.

Finally, make sure there is enough context around the data for an analyst to make sense of the events. Threat intelligence, geolocation, and peer attributes are incredibly valuable, both to show alongside an event and to compare one user's events with those of their peers.

The tables below outline the key data sources and use cases to help you gain situational awareness and improve threat detection and response.


Key data sources

Collected data about   From                           For
Identity               IAM, HR, Physical Access       Peers, Entitlements, Hire/Fire
Authentication         AD, SSO, VPN, Citrix           Source, App Requested
Application            File Share, Banking, CRM, DB   Records Accessed/Transactions
Email                  End User Events                Data Exfiltration Channel
Proxy                  End User Events                Data Exfiltration Channel
Firewall                                              In/Out Bytes
Threat intel           TIP, OSINT, MISP               Enrichment & Context
Geo Location           MaxMind                        Enrichment & Context


Use cases — Triggers and log sources

Trigger                                          Log Source
Activity by Terminated User                      Authentication (VPN, AD, SSO, Citrix)
Rare Login - Unusual Country                     Authentication (VPN, AD, SSO, Citrix)
Rare File or Folder Accessed                     SharePoint, Box, Windows
Rare Transaction                                 Application Log
Spike in Events                                  Any
Spike in Total Bytes                             Firewall, Proxy, Flow
Spike in Total Currency Transacted               Application Log
Unusual File or Folder Accessed                  SharePoint, Box, OneDrive
Rare Login - Unusual Time                        Authentication (VPN, AD, SSO, Citrix)
Physical Security - Unusual Door or Location     Badge Reader/Physical Access
Email to Competitor Domain                       Email
Employee Risk - Resume/CV Sent                   Email
Employee Risk - Browsing Job Sites               Proxy
Physical Security - Login without Badging In     Badge Reader, Authentication
Impossible Travel                                Authentication (VPN, AD, SSO, Citrix) + GeoIP (MaxMind)
Physical Security - LexisNexis Finding           LexisNexis
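To make the table concrete, here is an added example (not code from the Netenrich post or its platform) that runs three of the triggers above over a handful of constructed authentication events: Activity by Terminated User (joining the auth feed with an HR termination list), Rare Login - Unusual Country (a per-user country baseline, the "peer attributes" idea from the context section), and Impossible Travel (authentication plus GeoIP). All usernames, IP addresses, coordinates, timestamps and log lines are constructed; the GEOIP dictionary stands in for a real GeoIP lookup such as MaxMind, and the 900 km/h speed threshold is an assumed cruising-speed bound, not a figure from the post.

```python
"""Added example: three UEBA triggers over constructed auth events (not from the post)."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed GeoIP table (stand-in for MaxMind): ip -> (country, lat, lon).
GEOIP = {
    "203.0.113.10": ("US", 37.77, -122.42),   # San Francisco
    "203.0.113.20": ("US", 40.71, -74.01),    # New York
    "198.51.100.5": ("DE", 52.52, 13.41),     # Berlin
    "198.51.100.9": ("BR", -23.55, -46.63),   # Sao Paulo
}

# Constructed HR "Hire/Fire" feed: user -> termination time.
HR_TERMINATED = {"jdoe": datetime(2024, 3, 1, 17, 0)}

# Events before the cutoff form each user's baseline; later events are evaluated.
BASELINE_CUTOFF = datetime(2024, 3, 1)

# Constructed auth log lines: "<ISO time> <user> <src_ip> <app>".
AUTH_LOG = [
    "2024-02-20T08:00:00 alice 203.0.113.10 vpn",
    "2024-02-21T08:00:00 alice 203.0.113.20 sso",
    "2024-02-20T09:00:00 bob   198.51.100.5 vpn",
    "2024-02-20T09:00:00 jdoe  203.0.113.20 sso",
    "2024-03-02T07:30:00 jdoe  203.0.113.20 vpn",   # login after termination
    "2024-03-02T08:00:00 alice 203.0.113.10 sso",
    "2024-03-02T09:00:00 alice 198.51.100.5 vpn",   # SF -> Berlin in one hour
    "2024-03-02T08:00:00 bob   198.51.100.5 sso",
    "2024-03-02T22:00:00 bob   198.51.100.9 vpn",   # new country, but 14 h later: plausible flight
]


def parse(line):
    """Split one constructed log line into an event dict."""
    ts, user, ip, app = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "app": app}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def terminated_user_activity(events, terminated):
    """Any authentication by a user after their HR termination time."""
    return [e for e in events if e["user"] in terminated and e["ts"] > terminated[e["user"]]]


def unusual_country(events, cutoff, geoip):
    """Evaluation-window logins from a country never seen in that user's baseline.
    Users with no baseline (new hires) are skipped rather than flagged."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["ip"] in geoip:
            seen[e["user"]].add(geoip[e["ip"]][0])
    return [e for e in events
            if e["ts"] >= cutoff and e["ip"] in geoip and e["user"] in seen
            and geoip[e["ip"]][0] not in seen[e["user"]]]


def impossible_travel(events, geoip, max_speed_kmh=900.0, min_distance_km=50.0):
    """Consecutive logins per user whose implied speed exceeds max_speed_kmh.
    Short hops are ignored (GeoIP jitter); identical timestamps count as infinite speed."""
    by_user = defaultdict(list)
    for e in events:
        if e["ip"] in geoip:
            by_user[e["user"]].append(e)
    hits = []
    for evs in by_user.values():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(geoip[prev["ip"]][1:], geoip[cur["ip"]][1:])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            if dist < min_distance_km:
                continue
            if hours <= 0 or dist / hours > max_speed_kmh:
                hits.append((prev, cur, dist, hours))
    return hits


def run_triggers(lines=AUTH_LOG):
    """Run all three triggers and return their hits keyed by trigger name."""
    events = [parse(line) for line in lines]
    return {
        "terminated_user_activity": terminated_user_activity(events, HR_TERMINATED),
        "unusual_country": unusual_country(events, BASELINE_CUTOFF, GEOIP),
        "impossible_travel": impossible_travel(events, GEOIP),
    }


if __name__ == "__main__":
    for name, hits in run_triggers().items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On the constructed data the terminated-user trigger fires once (jdoe's post-termination VPN login), the unusual-country trigger fires twice (alice from DE, bob from BR), and impossible travel fires only for alice's San Francisco to Berlin hop; bob's Berlin to Sao Paulo login is a new country but fourteen hours apart, so it is not an impossible trip. That split is the point of stitching sources together: the same login can be benign on one axis and suspicious on another, and the HR feed is what separates a terminated account from an ordinary remote worker.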
