1. Show normal activity along with anomalous activity

"Normal" activity is what a user and their coworkers usually do, and is needed to provide context. For example, does the user routinely access a specific server or sensitive database? Does the user routinely access the network via a VPN from Ukraine? Does the user routinely upload large files to Dropbox? And do the user's coworkers routinely do this too? UEBA should have the ability to show both normal and anomalous behavior in a user's session timeline. This allows investigators to understand the situation in a broader context, significantly reducing the time required for data collection, validation, and subsequent investigation.

Normal behavior is also evidence that the detection is not derived from a static correlation rule, since the rule is only applied when anomalous conditions are met - under non-malicious conditions, nothing will be displayed.

2. Automatically establish identity by linking hosts to IP-to-user

Hostnames are highly variable and generally not very useful as an identifier. IP addresses are constantly reassigned and account credentials are commonly shared (especially administrative accounts). Host IP-to-user mapping ensures that activity on a specific host is tied to a specific person using a specific IP address at a given time. UEBA should provide the ability to reliably and automatically tie hosts to IPs and identities, even in the case of shared accounts, making threat detection more effective. Connecting these dots manually requires effort, and doing so automatically drastically reduces the time required for investigation and remediation.

3. Detect lateral movement

Lateral movement is a key indicator of a compromised account. During the reconnaissance phase, hackers move throughout a network looking for valuable information, often switching user credentials or devices to obfuscate their movements and avoid detection. UEBA should have the ability to track lateral movement even when users change accounts, machines, or IP addresses. This capability ensures both effective detection and more accurate incident investigation.

4. Automatically create a timeline of all incidents

Activity data is generated in the form of events, but detection and response require a timeline. Stitching together multiple events into a comprehensive timeline typically requires hours or days of intensive manual effort. A complete timeline should include all of a user’s activities as well as all other entities they interacted with during the session from logon to logoff, using data from all relevant endpoint, network, security, and other systems. UEBA should be able to quickly and automatically generate a coherent timeline of user activity. Many UEBA tools don’t provide a timeline for incident investigation, and some only provide a partial timeline. An automatically generated timeline provides a good interface that is easy to use even for less experienced analysts. And instead of presenting scattered individual events, it presents results with context and risk scores, allowing you to quickly extract the true nature of the threat and investigate how to resolve it if necessary.

5. Deploy quickly to realize value

When considering your UEBA options, look for deployment capabilities that are available within a day, don't require professional services for configuration and deployment, and provide built-in use cases so you don't have to customize from the ground up. Your UEBA should be designed and functional enough to be deployed and operational within 48 hours, with true value within a week.

6. Easily accommodate future needs at no extra cost

Your UEBA should be able to scale and extend to new features without expert services or new engineering builds from the vendor. Vendors that require lots of services to set up and tune your deployment often require the same level of effort, with corresponding costs, every time you make a change to your environment, add a new data source, or try to address a new use case. You shouldn't be penalized for driving business initiatives. An effective UEBA becomes more and more valuable as your needs change over time.

7. Deploy without giving vendors VPN access

Many UEBA solutions require extensive services and a lot of customization during deployment and after they are in production. This work is usually performed by external or off-shore engineers, which requires VPN access to the network. For many companies in highly regulated industries, this is problematic. A UEBA should have the ability to be deployed and supported without VPN access for external vendors. A UEBA should minimize security risks, not introduce new ones.

You also need an evaluation that reflects what you want to achieve in your production environment (i.e. no external VPN access) so you know what you are getting into up front.

8. No agents or network taps to deploy

Some UEBA solutions require the deployment of additional infrastructure to collect the required data, typically endpoint agents (installed on each device) or network taps. This creates dependencies and can extend the pilot period by several months. UEBA should have the ability to operate without installing external agents or taps. While taps and agents may provide useful additional information, some UEBA solutions, such as those that analyze log data, provide value without requiring the deployment of additional infrastructure.

9. Achieve proactive threat hunting capabilities

Threat hunting with a UEBA solution requires performing simple or complex searches of collected security data. It should not require deep understanding of a proprietary query language, meticulous attention to syntax, or stitching together multiple simple search results. It should also not take hours to return results. Threat hunting capabilities with auto-generated timelines and extensive dropdowns should accommodate a variety of arguments, work with sessionized (i.e., finely indexed) data, and return a complete incident timeline. It should not generate yet another set of seemingly unrelated event records.

10. SOAR integration for automation

SOAR (Security Orchestration, Automation, and Response) is a key consideration in the context of UEBA. After discovering a threat, a typical SOC analyst workflow requires multiple products with multiple interfaces and multiple credentials. This multi-window approach is often referred to as “swivel-chair incident response,” and the manual work reduces visibility, speed, and productivity. SOAR is an add-on to UEBA solutions, providing a centralized approach and one console to load data and drive actions to other systems. Essentially, integrating UEBA technology with SOAR tools automates incident response. Look for a UEBA solution with semi-automated or fully automated incident playbook handling. This allows SOC analysts to realize increased productivity and speed up incident response for better enterprise security.

Summary

ORION CASSETTO
Exabeam, Inc. Director, Product Marketing

video on demand

The threat is in full view! Realizing effective log analysis with machine learning
～What is Exabeam, the next-Next-Gen SIEM Platform Exabeam?～

As targeted attacks and internal fraud continue to increase in recent years, an increasing number of companies are building mechanisms (such as SIEM) to correlate and analyze logs from multiple security products in order to implement appropriate security operations. . This is because it is difficult to visualize the impact of each incident using only the logs of security products that have already been installed, and threats may be overlooked. However, building such a system requires security-related knowledge, analytical know-how, and ideas. In this seminar, we will introduce “Exabeam” which realizes log analysis by UEBA (User Entity Behavior Analytics) technology and efficiency of conventional SIEM operation.

Click here to watch