UEBA2018-10-22T10:13:14+00:00

User and Entity Behavior Analytics (UEBA): Accelerated detection and response

Advanced attacks and pervasive threats to your organization often rely on compromised credentials or coercing users into performing actions that damage enterprise security. To identify these types of attacks, you need a powerful solution that allows analysts to quickly determine normal versus abnormal activity on your network.

The UEBA module provides industry leading time-to-value, allowing same-day, zero professional-services deployment to create immediate insights. This is possible because our UEBA module is built on top of the most flexible and scalable SIEM solution on the market.

With UEBA 2.0, your analysts will benefit from:

Dramatic increase in threat-hunting capabilities of your SIEM with UEBA
With UEBA your LogPoint rules gets a new best friend: Entity Risk Scoring. With Entity Risk Scoring your alerting, dashboards, reports and search templates all consume knowledge from the UEBA.

No more pre-defined rules
Using threat modeling based on advanced Machine Learning, LogPoint UEBA easily eliminates false positives, enabling your analysts to achieve situational awareness before, during and after responding to breaches – meaning they are more effective and spend their time on genuine threats. If any changes of behavior occur, the models are automatically adjusted erasing the tedious task of re-writing rules to define what is allowed.

Hassle-free deployment
Unlike other solutions, the UEBA 2.0 platform will be available as a service, thus removing unnecessary hassles for hardware and deployment.

Facts about UEBA

UEBA, short for User and Entity Behavior Analytics is a security process focusing on monitoring both suspicious user behavior as well as other entities such as cloud, mobile or on-premise applications, endpoints, networks and external threats.

Utilizing Machine Learning, UEBA builds baselines for every entity in the network and actions are then evaluated against these baselines.

This allows analysts to answer the question “What is normal?” and “What is abnormal?” instead of creating complicated predefined rules to define “What is allowed?” enabling analysts to achieve situational awareness before, during and after responding to breaches.

Providing value to your organization

We are here to make your security analytics more efficient by providing better than ever detection capabilities and at the same time reducing alert-fatigue.

With UEBA 2.0, suspicious user behavior can be detected in the cloud, on-premise and inside business applications – with an unparalleled time-to-value.

  • Drastically reduce the detection time of malware outbreaks by using algorithm driven analytics to detect beaconing, lateral movement, or weaponization.
  • Outputs from the UEBA module can be correlated with SIEM events, making the original events more insightful than ever.
  • Discover suspicious user behavior by statically or dynamically enriching the original log data using the information from machine learning.
  • Incidents can be visualized using dashboards and search templates for faster threat hunting.

The Power of UEBA and SIEM

When a SIEM solution, enhanced with top-notch security analytics, supports analysts in threat hunting, time spent on eliminating false positives is drastically decreased, empowering your team to focus on threats which really matter.

Having SIEM as a data source supported by security analytics not only provides a more valuable pool of log data, but it also enables your SOC team to work smarter, not harder by cutting detection and response time in half.

UEBA 2.0 easily connects to LogPoint through a plugin. As a result, there is no need to do any mapping or customization which lowers time to value dramatically.

The deployment architecture is easily scalable for increasing the number of entities and data volume. Our common taxonomy readily gives access to over 400 machine learning models for all devices.

Detected anomalies are used as enrichment sources. Since logs and raw logs can easily be investigated based on the detected anomalies, investigation and forensics can take place immediately.

How do we do it?

1. The Overview page

This gives you on overview of the level of risk your organisation is exposed to. This is a good place to get a general overview of your current risky entities and to start an investigation if any of your users or entities are showing an increased risk score. With LogPoint UEBA, we instantly provide you with the number of active risky entities, eliminating the struggle of combing trough each and every detected anomaly.

2. The Explore tab

Moving forward to the Explore tab, your analyst can get a detailed overview of anomalies with the possibility of drilling down on extreme risk by user or entity. Looking at the Matrix of Anomalies, we can easily see that user ozell.cruzado has a risk score of 100 indicating highly suspicious activity. Let’s look into this.

3. User risk profile

When looking at the risk profile of the user, there are several important clues to pay attention to. Looking at the Matrix of Anomalies, we can see that for the most part the user was behaving normally, but at some point his behavior showed a significant deviation from the baseline resulting in an increase of his risk score. Going forward, we will explore what exactly the Matrix of Anomalies is trying to show us and what is the nature of the potential threat.

4. Risk behavior timeline

With LogPoint, you can easily filter out the events causing the increased risk score, along with the number of events arranged into a transparent timeline of risky behavior.

5. Context on unusual user behavior

By further investigation, the UEBA module provides your analyst with detailed context on why the user’s behavior is highly unusual based on their individual baseline and peer behavior. Going even further, you can also explore raw events.

Detect User Based Threats with UEBA 2.0: Predefined Use Cases

Our predefined use cases enable swift value without the time consuming configuration. Right out of the box, we support all critical capabilities for UEBA from the widest set of data sources on the market.

Since UEBA models and machine learning is built on the LogPoint taxonomy, no changes are required in your infrastructure to provide sources for UEBA analysis. The sources already available in your LogPoint SIEM are ready to add instant value to your UEBA.

With LogPoint UEBA 2.0, you will get the following capabilities right out of the box:

Use caseSources
Outside to inside attack
Compromised account
  • Authentication Logs
  • Directory Service Logs
  • Operating System Logs
  • File Share Logs
  • VPN Logs
  • Resource Access Logs
  • Operating System Logs
  • IP Repository Logs
Compromised machine
  • Web Prox Logs
  • Directory Service Logs
  • Endpoint Logs
Internal recon
  • Authentication Logs
  • IP Repository Logs
  • File Share Logs
  • Operating System Logs
  • Resource Access Logs
  • Endpoint Logs
Lateral movement
  • Authentication Logs
  • IP Repository Logs
  • File Share Logs
  • Operating System Logs
  • Resource Access Logs
  • Endpoint Logs
Data staging/theft
  • Endpoint Logs
  • Directory Service Logs
  • IP Repository Logs
  • Printer Logs
  • Web Proxy Logs
Insider attack
Account misuse
  • Authentication Logs
  • Directory Service Logs
  • Endpoint Logs
  • Operation System Logs
  • File Share Logs
  • VPN Logs
  • Resource Logs
  • IP Repository Logs
  • Printer Logs
Internal recon
  • Authentication Logs
  • IP Repository Logs
  • File Share Logs
  • Operating System Logs
  • Resource Access Logs
  • Endpoint Logs
Data staging/theft
  • Endpoint Logs
  • Directory Service Logs
  • IP Repository Logs
  • Printer Logs
  • Web Proxy Logs
Monitoring and compliance
Privileged user monitoring
  • Authentication Logs
  • Directory Service Logs
  • Endpoint Logs
  • Operation System Logs
  • File Share Logs
  • VPN Logs
  • Resource Logs
  • IP Repository Logs
  • Printer Logs
Application monitoring
  • Authentication Logs
  • IP Repository Logs
  • File Share Logs
  • Operating System Logs
  • Resource Access Logs
Compliance monitoring
  • Web Proxy Logs
  • Directory Service Logs
  • Endpoint Logs
  • Authentication Logs
  • IP Repository Logs
  • File Share Logs
  • Operating System Logs
  • Resources Access Logs

Licensing

With LogPoint UEBA licensing, you can pick and choose the most important users and entities in your organization, so you only monitor where it really matters to you.