Top 10 UEBA security use cases:

UEBA (User and Entity Behavior Analytics) is one of the fastest growing areas of enterprise security, growing at a compound annual growth rate of 48% according to Gartner. Modern enterprise IT security solutions use this technology to detect and neutralize advanced threats that traditional solutions fail to address.

UEBA solutions combat advanced threats by combining AI and machine learning, advanced analytics, data enrichment and data science. The UEBA solution joins all data sources and automatically aggregates the results, so analysts get a high-volume, reliable feed without drowning in a sea of alerts.

UEBA is valuable to businesses because of its low maintenance costs: machine learning systems tune themselves through behavioral modeling. Organizations get a future-proof solution for unknown attacks, because it looks for anomalies rather than for a fixed, limited set of known activities. UEBA is the only way to effectively address the following top 10 security use cases:

1. Compromise of User Credentials

User account credentials are the key to legitimate access, and according to the Verizon 2018 Data Breach Investigations Report, the most common attack vector in data breaches is stolen credentials. Traditional security tools are unable to detect and identify unauthorized access made with valid credentials, giving attackers access to sensitive data and internal resources.

2. Privileged User Security Compromise

Privileged users are granted access to high-value resources such as confidential information databases, user rights management systems, and authentication systems. Once an attacker obtains a privileged user's credentials, they can easily attack these high-value assets. UEBA solutions are expected to monitor suspicious activity by former employees and contractors, and to identify both mishandling of sensitive data and excessive access to it.

3. Monitoring of executive assets

Hundreds of millions of dollars are stolen each year through email schemes that trick executives into authorizing wire transfers. Access to executive computer assets, such as CEO and CFO laptops, allows attackers to steal data such as sensitive earnings figures, mergers and acquisitions, budget plans, product and service plans, and competitive information. An effective UEBA solution must be able to automatically build asset and behavioral models that identify executive systems and monitor them for anomalous access and usage.

4. Detection of Compromised Systems, Hosts and Devices

Attackers often gain control of systems, hosts, and devices within an organization's network and carry out covert attacks for months or even years. UEBA solutions must monitor multiple vectors of attack, including user accounts, servers, network devices, untrusted communication sources, insecure protocols, and other indicators of malicious behavior. In addition, virus and malware monitoring capabilities should detect when protection is disabled or removed, and when threats are updated.

5. Insider Access Abuse

The difficulty in detecting insider threats is that "trusted" behavior does not trigger alerts in most security tools; in other words, the threat actor appears to be a legitimate user. A UEBA solution must be able to detect when a user (privileged or not) performs high-risk activities outside their normal pattern. Techniques used in UEBA include detecting activity at abnormal times or frequencies, abnormal data access or logins to systems, and changes to or escalation of critical system privileges. Examples include detecting malware communicating with an attacker or detecting data exfiltration.

6. Detection of lateral movement

Lateral movement is the process of systematically moving across a network in search of sensitive data and assets. For example, an attack might begin with the compromise of a low-privileged employee account. Once inside, attackers look for weaknesses in other assets in order to move between accounts, machines, and IP addresses. The real opportunity arises when the attacker secures an administrator account. Lateral movement is extremely difficult to detect with traditional security tools because the attack is fragmented and scattered throughout the IT environment, spanning different credentials, IP addresses, and machines, and each of these seemingly unrelated events looks like normal behavior on its own. UEBA solutions use behavioral analytics to connect the dots between these 'unrelated' activities and stop attacks before damage is done.
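The "connect the dots" idea above can be shown concretely. The following is an added example, not Exabeam's code or any product's algorithm: it links logon events into hop chains (a logon whose source host is the destination of an earlier logon within a time window) and flags chains that cross several hosts while switching credentials. The event format, the window and the thresholds are all assumptions chosen for illustration, and the events themselves are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Logon:
    """One remote logon event: account used, originating host, target host."""
    ts: datetime
    account: str
    src_host: str
    dst_host: str

# Assumed linking window: a hop must follow the previous hop within 2 hours.
WINDOW = timedelta(hours=2)
MIN_HOSTS = 3      # chain must touch at least this many distinct hosts
MIN_ACCOUNTS = 2   # ... and use at least this many distinct credentials

def _t(hhmm: str) -> datetime:
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample events: a few routine file-server logons plus one
# three-hop path that switches from a user account to a service account
# and then to an admin account on the way to the domain controller.
EVENTS = [
    Logon(_t("09:00"), "alice",      "ws01",     "fs01"),
    Logon(_t("09:30"), "bob",        "ws02",     "fs01"),
    Logon(_t("13:00"), "jdoe",       "ws07",     "ws12"),
    Logon(_t("13:20"), "svc_backup", "ws12",     "srv-db01"),
    Logon(_t("13:45"), "admin_it",   "srv-db01", "dc01"),
    Logon(_t("16:00"), "carol",      "ws03",     "mail01"),
]

def build_chains(events, window=WINDOW):
    """Return every maximal hop chain; a hop extends a chain when its source
    host is the previous hop's destination and it occurs within the window."""
    events = sorted(events, key=lambda e: e.ts)
    chains = []

    def extend(chain):
        last = chain[-1]
        grew = False
        for e in events:
            if e.ts <= last.ts or e.ts - last.ts > window or e in chain:
                continue
            if e.src_host == last.dst_host:
                grew = True
                extend(chain + [e])
        if not grew:
            chains.append(chain)

    for e in events:
        extend([e])
    # Drop chains that are merely the tail of a longer chain.
    return [c for c in chains
            if not any(o is not c and len(o) > len(c) and o[-len(c):] == c
                       for o in chains)]

def suspicious_chains(events, min_hosts=MIN_HOSTS, min_accounts=MIN_ACCOUNTS):
    """Keep chains that span many hosts and switch credentials along the way."""
    flagged = []
    for chain in build_chains(events):
        hosts = {chain[0].src_host} | {e.dst_host for e in chain}
        accounts = {e.account for e in chain}
        if len(hosts) >= min_hosts and len(accounts) >= min_accounts:
            flagged.append(chain)
    return flagged

if __name__ == "__main__":
    for chain in suspicious_chains(EVENTS):
        path = " -> ".join([chain[0].src_host] + [e.dst_host for e in chain])
        accts = ", ".join(e.account for e in chain)
        print(f"suspicious chain: {path} (accounts: {accts})")
```

Individually, each of the three logons in the flagged chain looks ordinary; only the link between them (each hop originating where the previous one landed, with a different credential each time) is unusual, which is exactly the signal a behavioral approach is after.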

7. Data exfiltration detection

Data exfiltration occurs when sensitive data is illegally transferred outside an organization. This can happen when users manually transfer data over the Internet or copy it onto physical devices and carry it out of the company. Data exfiltration can also occur unintentionally; inadvertent exfiltration often happens when local systems are infected with malware. In this use case, the UEBA solution detects network traffic to command and control servers and identifies compromised systems transferring data to unauthorized parties. UEBA monitors for unusual amounts of network traffic, compared to a per-user or per-machine baseline, on protocols that allow large data transfers.
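Both the insider-abuse section (abnormal times and frequencies) and the exfiltration section (unusual traffic volume against a baseline) come down to the same mechanism: learn what is normal for one user and score a new day against it. The example below is added here and is not Exabeam's model or code; it builds a simple per-user baseline from constructed daily history (login hours, number of logins, outbound bytes) and flags a day whose values fall outside it. The z-score threshold of 3 and the one-hour tolerance around usual login hours are assumptions for illustration.

```python
import statistics
from dataclasses import dataclass

Z_THRESHOLD = 3.0   # assumed: flag values more than 3 standard deviations from the mean
HOUR_TOLERANCE = 1  # assumed: a login within 1 hour of a usual hour is still "usual"

@dataclass
class Day:
    """One day of activity for a user: hours of each login, and bytes sent out."""
    login_hours: list
    bytes_out: int

@dataclass
class Baseline:
    usual_hours: set
    login_mean: float
    login_std: float
    bytes_mean: float
    bytes_std: float

def build_baseline(history) -> Baseline:
    """Summarise a user's history into usual hours and volume/frequency statistics."""
    counts = [len(d.login_hours) for d in history]
    volumes = [d.bytes_out for d in history]
    return Baseline(
        usual_hours={h for d in history for h in d.login_hours},
        login_mean=statistics.mean(counts), login_std=statistics.pstdev(counts),
        bytes_mean=statistics.mean(volumes), bytes_std=statistics.pstdev(volumes),
    )

def zscore(value, mean, std):
    """Standard score; a zero-variance baseline only flags values that differ at all."""
    if std == 0:
        return float("inf") if value != mean else 0.0
    return (value - mean) / std

def score_day(baseline: Baseline, day: Day, z_threshold=Z_THRESHOLD):
    """Return the list of anomaly labels raised for one day against the baseline."""
    findings = []
    for h in day.login_hours:
        if not any(abs(h - u) <= HOUR_TOLERANCE for u in baseline.usual_hours):
            findings.append("off_hours_login")
            break
    if zscore(len(day.login_hours), baseline.login_mean, baseline.login_std) > z_threshold:
        findings.append("login_frequency")
    if zscore(day.bytes_out, baseline.bytes_mean, baseline.bytes_std) > z_threshold:
        findings.append("outbound_volume")
    return findings

MB = 1_000_000
# Constructed two-week history for one user: office-hours logins, ~50 MB/day out.
HISTORY = [
    Day([8, 9, 12], 42 * MB), Day([8, 9, 13, 17], 55 * MB), Day([9, 10, 14], 48 * MB),
    Day([8, 9, 11, 15, 17], 61 * MB), Day([9, 12, 16, 17], 50 * MB), Day([8, 10, 13], 39 * MB),
    Day([9, 9, 11, 16], 58 * MB), Day([8, 12, 17], 47 * MB), Day([9, 10, 13, 14], 53 * MB),
    Day([8, 9, 10, 15, 16], 44 * MB), Day([9, 11, 17], 60 * MB), Day([8, 9, 12, 18], 49 * MB),
    Day([9, 10, 13, 17], 51 * MB), Day([8, 11, 16], 56 * MB),
]
NORMAL_DAY = Day([9, 10, 13, 17], 52 * MB)
# Constructed anomalous day: 40 logins starting at 02:00 and 900 MB sent out.
ANOMALOUS_DAY = Day([2, 3] + [9] * 38, 900 * MB)

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print("normal day:   ", score_day(base, NORMAL_DAY))
    print("anomalous day:", score_day(base, ANOMALOUS_DAY))
```

A real deployment would keep separate baselines per protocol and per peer group and would use more robust statistics than mean and standard deviation, but the structure (learn, then compare) is the same.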

8. Account lockout

Account lockout prevents users from accessing their accounts. This security feature protects an account from anyone who tries to guess its username and password: a lockout occurs when the number of failed login attempts exceeds the configured threshold. In some cases, the user must contact an administrator and ask to have access to the account restored, and it can take an administrator several hours to investigate each request. This UEBA use case automates the risk assessment and helps administrators make quick decisions about whether a locked account is at risk. An effective UEBA implementation has the potential to save up to an entire year's labor costs for large enterprises.
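To make the "quick decision about account risk" concrete, here is an added example that is not Exabeam's code: a triage routine that scores each lockout event using two pieces of context a behavioral system would have on hand, whether the lockout came from a host the account normally uses, and whether the same source locked out several different accounts within a short window. The scores, the window and the decision threshold are assumptions, and the lockout events and host baselines are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed scoring parameters for illustration.
SCORE_UNUSUAL_HOST = 40       # lockout originated from a host the user never uses
SCORE_MULTI_ACCOUNT = 50      # same source locked out several accounts close together
MULTI_ACCOUNT_MIN = 3
MULTI_ACCOUNT_WINDOW = timedelta(minutes=10)
REVIEW_THRESHOLD = 60         # at or above this the lockout goes to an analyst

@dataclass(frozen=True)
class Lockout:
    ts: datetime
    account: str
    source_host: str

def _t(hhmm: str) -> datetime:
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))

# Constructed baseline: hosts each account has historically logged in from.
USUAL_HOSTS = {
    "alice": {"ws-alice", "vpn-pool"},
    "bob":   {"ws-bob"},
    "carol": {"ws-carol", "vpn-pool"},
    "dave":  {"ws-dave"},
}

# Constructed lockouts: one routine self-inflicted lockout, and three
# different accounts locked out from the same unfamiliar host within minutes.
LOCKOUTS = [
    Lockout(_t("08:02"), "alice", "ws-alice"),
    Lockout(_t("03:10"), "bob",   "ws-unknown-9"),
    Lockout(_t("03:11"), "carol", "ws-unknown-9"),
    Lockout(_t("03:12"), "dave",  "ws-unknown-9"),
]

def accounts_from_source(lockouts, event, window=MULTI_ACCOUNT_WINDOW):
    """Distinct accounts locked out from the event's source host within the window."""
    return {
        other.account for other in lockouts
        if other.source_host == event.source_host
        and abs(other.ts - event.ts) <= window
    }

def triage(lockouts, usual_hosts=USUAL_HOSTS):
    """Score every lockout and decide whether it needs an analyst."""
    results = []
    for ev in lockouts:
        score, reasons = 0, []
        if ev.source_host not in usual_hosts.get(ev.account, set()):
            score += SCORE_UNUSUAL_HOST
            reasons.append("unusual_source_host")
        if len(accounts_from_source(lockouts, ev)) >= MULTI_ACCOUNT_MIN:
            score += SCORE_MULTI_ACCOUNT
            reasons.append("multiple_accounts_same_source")
        action = "analyst_review" if score >= REVIEW_THRESHOLD else "unlock_candidate"
        results.append({"account": ev.account, "score": score,
                        "reasons": reasons, "action": action})
    return results

if __name__ == "__main__":
    for r in triage(LOCKOUTS):
        print(f"{r['account']:<6} score={r['score']:<3} {r['action']:<16} {r['reasons']}")
```

Alice's lockout (own workstation, no related lockouts) can be released without an investigation, while the three overnight lockouts from one unfamiliar host are escalated together as a single incident instead of three unrelated help-desk tickets.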

9. Service Account Abuse

Service accounts are used in place of regular user accounts to run particular application services. They are intended to add security: even if one is compromised, the damage is limited compared to the compromise of a general-purpose account. However, typical security tools have limited or no visibility into service accounts. This gap is surprising, because service accounts are highly privileged and a valuable target for attackers. For example, SAP's "Firefighter" account is often granted elevated privileges for this critical application. Service account abuse is therefore a very important use case for UEBA. Using its behavioral analytics capabilities, the UEBA solution automatically identifies service accounts and flags any anomalous behavior among them.

10. Security Alert Investigation

Investigating security alerts with traditional security tools is a tedious task. Alerts typically consist of obscure data in raw log files that are extremely difficult to interpret, even for experienced security analysts. Even when the wording of an alert calls for "immediate action," the investigation itself requires a lot of work: manually correlating various log files, interpreting their meaning, and sifting through ancillary data for clues, or spending a lot of time trying to find the root cause of the alerted incident. UEBA can dramatically improve the productivity of SOC analysts when used in conjunction with a modern SIEM (Security Information and Event Management) solution. Auto-generated timelines provide a threat-hunting interface that works well even for inexperienced analysts.

The detection capabilities and early warning of attacks that these UEBA use cases provide are of enormous benefit to organizations, allowing security teams to stay on top of a crisis and quickly neutralize emerging threats. The Exabeam Security Management Platform's UEBA capabilities address all ten security use cases described above.

ORION CASSETTO
Exabeam, Inc. Director, Product Marketing

video on demand

The threat is in full view! Realizing effective log analysis with machine learning
~What is Exabeam, the next-generation SIEM platform?~

As targeted attacks and internal fraud continue to increase, a growing number of companies are building mechanisms (such as SIEM) to correlate and analyze logs from multiple security products in order to run appropriate security operations. This is because it is difficult to visualize the impact of each incident using only the logs of the security products already installed, and threats may be overlooked. However, building such a system requires security knowledge, analytical know-how, and ideas. In this seminar, we introduce "Exabeam", which realizes log analysis through UEBA (User and Entity Behavior Analytics) technology and makes conventional SIEM operation more efficient.
