User and Entity Behavior Analytics (UEBA): Accelerated detection and response
Advanced attacks and pervasive threats to your organization often rely on compromised credentials or coercing users into performing actions that damage enterprise security. To identify these types of attacks, you need a powerful solution that allows analysts to quickly determine normal versus abnormal activity on your network.
The UEBA module provides industry-leading time-to-value, allowing same-day, zero professional-services deployment to create immediate insights. This is possible because our UEBA module is built on top of the most flexible and scalable SIEM solution on the market.
With UEBA 2.0, your analysts will benefit from:
Dramatic increase in threat-hunting capabilities of your SIEM with UEBA
With UEBA, your LogPoint rules get a new best friend: Entity Risk Scoring. With Entity Risk Scoring, your alerting, dashboards, reports and search templates all consume knowledge from the UEBA.
No more pre-defined rules
Using threat modeling based on advanced Machine Learning, LogPoint UEBA easily eliminates false positives, enabling your analysts to achieve situational awareness before, during and after responding to breaches – meaning they are more effective and spend their time on genuine threats. If any changes of behavior occur, the models are automatically adjusted, erasing the tedious task of rewriting rules to define what is allowed.
Unlike other solutions, the UEBA 2.0 platform will be available as a service, thus removing unnecessary hassles for hardware and deployment.
Facts about UEBA
UEBA, short for User and Entity Behavior Analytics, is a security process focusing on monitoring suspicious user behavior as well as other entities such as cloud, mobile or on-premise applications, endpoints, networks and external threats.
Utilizing Machine Learning, UEBA builds baselines for every entity in the network and actions are then evaluated against these baselines.
This allows analysts to answer the questions “What is normal?” and “What is abnormal?” instead of creating complicated predefined rules to define “What is allowed?”, enabling analysts to achieve situational awareness before, during and after responding to breaches.
Providing value to your organization
We are here to make your security analytics more efficient by providing better-than-ever detection capabilities and at the same time reducing alert fatigue.
With UEBA 2.0, suspicious user behavior can be detected in the cloud, on-premise and inside business applications – with an unparalleled time-to-value.
- Drastically reduce the detection time of malware outbreaks by using algorithm-driven analytics to detect beaconing, lateral movement, or weaponization.
- Outputs from the UEBA module can be correlated with SIEM events, making the original events more insightful than ever.
- Discover suspicious user behavior by statically or dynamically enriching the original log data using the information from machine learning.
- Incidents can be visualized using dashboards and search templates for faster threat hunting.
The Power of UEBA and SIEM
When a SIEM solution, enhanced with top-notch security analytics, supports analysts in threat hunting, time spent on eliminating false positives is drastically decreased, empowering your team to focus on the threats that really matter.
Having SIEM as a data source supported by security analytics not only provides a more valuable pool of log data, but it also enables your SOC team to work smarter, not harder, by cutting detection and response time in half.
UEBA 2.0 easily connects to LogPoint through a plugin. As a result, there is no need to do any mapping or customization, which lowers time to value dramatically.
The deployment architecture is easily scalable for increasing the number of entities and data volume. Our common taxonomy readily gives access to over 400 machine learning models for all devices.
Detected anomalies are used as enrichment sources. Since logs and raw logs can easily be investigated based on the detected anomalies, investigation and forensics can take place immediately.
How do we do it?
1. The Overview page
This gives you an overview of the level of risk your organisation is exposed to. This is a good place to get a general overview of your current risky entities and to start an investigation if any of your users or entities are showing an increased risk score. With LogPoint UEBA, we instantly provide you with the number of active risky entities, eliminating the struggle of combing through each and every detected anomaly.
2. The Explore tab
Moving forward to the Explore tab, your analyst can get a detailed overview of anomalies with the possibility of drilling down on extreme risk by user or entity. Looking at the Matrix of Anomalies, we can easily see that user ozell.cruzado has a risk score of 100 indicating highly suspicious activity. Let’s look into this.
3. User risk profile
When looking at the risk profile of the user, there are several important clues to pay attention to. Looking at the Matrix of Anomalies, we can see that for the most part the user was behaving normally, but at some point his behavior showed a significant deviation from the baseline, resulting in an increase of his risk score. Going forward, we will explore what exactly the Matrix of Anomalies is trying to show us and what the nature of the potential threat is.
- Outside to inside attack
- Monitoring and compliance
- Privileged user monitoring
With LogPoint UEBA licensing, you can pick and choose the most important users and entities in your organization, so you only monitor where it really matters to you.