
Exabeam
UEBA Evaluation Guide: 10 Points

UEBA (User and Entity Behavior Analytics) solutions use AI and machine learning, advanced analytics, data enrichment, and data science to effectively combat advanced threats. UEBA solutions combine all data sources and automatically aggregate the results. Analysts get a targeted, reliable feed instead of drowning in an ocean of alerts. UEBA is valuable to businesses because of its low maintenance costs. Machine learning systems tune themselves through behavioral modeling. Organizations get a future-proof solution that can handle unknown attacks by looking for anomalies rather than fixed, finite activities.
Many vendors claim to offer UEBA capabilities, but implementations vary widely, making comparative evaluation difficult. Use the list below as guidance for selecting an effective UEBA technology.
1. Show normal activity along with anomalous activity
"Normal" activity is what a user and their coworkers usually do, and is needed to provide context. For example, does the user routinely access a specific server or sensitive database? Does the user routinely access the network via a VPN from Ukraine? Does the user routinely upload large files to Dropbox? And do the user's coworkers routinely do this too? UEBA should have the ability to show both normal and anomalous behavior in a user's session timeline. This allows investigators to understand the situation in a broader context, significantly reducing the time required for data collection, validation, and subsequent investigation.
Showing normal behavior is also evidence that the detection is not derived from a static correlation rule: a rule only fires when its anomalous conditions are met, so under non-malicious conditions it displays nothing at all.
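The point above (normal activity shown beside the anomaly, for both the user and their peers) as an added illustration; this is example code written for this page, not Exabeam's own logic. The baseline data, the use of department as the peer group, and the 0/10/30 risk points are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed 30-day baseline of (user, department, asset) accesses; sample data,
# not taken from the page. Department stands in for the user's peer group.
BASELINE = [
    ("alice", "finance", "fileshare-fin"), ("alice", "finance", "fileshare-fin"),
    ("alice", "finance", "erp"), ("carol", "finance", "fileshare-fin"),
    ("carol", "finance", "payroll-db"), ("dave", "finance", "payroll-db"),
    ("erin", "eng", "git"), ("erin", "eng", "build-srv"),
]

def build_profiles(baseline):
    """Count which assets each user, and each peer group, normally touches."""
    by_user, by_dept = defaultdict(Counter), defaultdict(Counter)
    for user, dept, asset in baseline:
        by_user[user][asset] += 1
        by_dept[dept][asset] += 1
    return by_user, by_dept

def score_access(profiles, user, dept, asset):
    """Score one access against the user's own history and the peer group's.

    Risk points (assumed scale, not a product's): 0 if the user does this
    routinely, 10 if only the peers do, 30 if neither the user nor the peers do.
    """
    by_user, by_dept = profiles
    if by_user[user][asset]:
        risk, verdict = 0, "normal for user"
    elif by_dept[dept][asset]:
        risk, verdict = 10, "first time for user, routine for peers"
    else:
        risk, verdict = 30, "first time for user and for peers"
    # Return the normal activity beside the verdict so the analyst sees the
    # anomaly in context instead of as an isolated alert.
    return {
        "user": user, "asset": asset, "risk": risk, "verdict": verdict,
        "user_normally": sorted(by_user[user]),
        "peers_normally": sorted(by_dept[dept]),
    }

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for asset in ("fileshare-fin", "payroll-db", "git"):
        print(score_access(profiles, "alice", "finance", asset))
```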
2. Automatically establish identity by linking host, IP address, and user
Hostnames are highly variable and generally not very useful as an identifier. IP addresses are constantly reassigned and account credentials are commonly shared (especially administrative accounts). Host-to-IP-to-user mapping ensures that activity on a specific host is tied to a specific person using a specific IP address at a given time. UEBA should provide the ability to reliably and automatically tie hosts to IPs and identities, even in the case of shared accounts, making threat detection more effective. Connecting these dots manually requires effort, and doing so automatically drastically reduces the time required for investigation and remediation.
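A time-bounded IP-to-person mapping that attributes logons by a shared account to the person behind the source address, as an added example for this point (not Exabeam's implementation). The log format, the `interactive=yes` marker, and the account and host names are constructed for the example.

```python
from datetime import datetime

# Constructed log lines (sample data, not from the page). Format:
#   <ISO time> <kind> key=value ...
# interactive=yes marks a person logging on at a workstation; src= is the source
# address of a remote logon, which is what lets a shared account be attributed.
LOG_LINES = [
    "2024-03-01T08:00:10 logon ip=10.0.0.5 user=alice host=lt-alice interactive=yes",
    "2024-03-01T09:15:00 logon ip=10.0.0.9 user=svc-admin host=srv-db src=10.0.0.5",
    "2024-03-01T12:30:05 logon ip=10.0.0.5 user=bob host=lt-bob interactive=yes",
    "2024-03-01T13:00:00 logon ip=10.0.0.9 user=svc-admin host=srv-db src=10.0.0.5",
    "2024-03-01T14:00:00 logon ip=10.0.0.9 user=svc-admin host=srv-db src=10.0.0.77",
]

def parse_log(lines):
    """Turn each line into (timestamp, kind, fields), oldest first."""
    events = []
    for line in lines:
        ts, kind, *kv = line.split()
        events.append((datetime.fromisoformat(ts), kind, dict(p.split("=", 1) for p in kv)))
    return sorted(events, key=lambda e: e[0])

def build_ip_owners(events):
    """ip -> [(start, user, host)]: an interactive logon binds the address to a
    person from that moment until the next interactive logon on the same address."""
    owners = {}
    for ts, kind, f in events:
        if kind == "logon" and f.get("interactive") == "yes":
            owners.setdefault(f["ip"], []).append((ts, f["user"], f["host"]))
    return owners

def resolve_owner(owners, ip, at):
    """Who owned `ip` at time `at`? None when the address was never seen, so the
    event is reported as unattributed rather than guessed."""
    owner = None
    for start, user, host in owners.get(ip, []):   # chronological order
        if start <= at:
            owner = (user, host)
    return owner

def attribute_shared_logons(lines, shared_accounts):
    """For each logon by a shared account, resolve the person behind its source address."""
    events = parse_log(lines)
    owners = build_ip_owners(events)
    return [(ts.isoformat(), f["user"], f["host"], resolve_owner(owners, f["src"], ts))
            for ts, kind, f in events
            if kind == "logon" and f["user"] in shared_accounts]

if __name__ == "__main__":
    for row in attribute_shared_logons(LOG_LINES, {"svc-admin"}):
        print(row)
```

The same address resolves to alice at 09:15 and to bob at 13:00, and the 14:00 logon from an address with no owner is left unattributed instead of being assigned to the nearest guess.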
3. Detect lateral movement
Lateral movement is a key indicator of a compromised account. During the reconnaissance phase, hackers move throughout a network looking for valuable information, often switching user credentials or devices to obfuscate their movements and avoid detection. UEBA should have the ability to track lateral movement even when users change accounts, machines, or IP addresses. This capability ensures both effective detection and more accurate incident investigation.
4. Automatically create a timeline of all incidents
Activity data is generated in the form of events, but detection and response require a timeline. Stitching together multiple events into a comprehensive timeline typically requires hours or days of intensive manual effort. A complete timeline should include all of a user’s activities as well as all other entities they interacted with during the session from logon to logoff, using data from all relevant endpoint, network, security, and other systems. UEBA should be able to quickly and automatically generate a coherent timeline of user activity. Many UEBA tools don’t provide a timeline for incident investigation, and some only provide a partial timeline. An automatically generated timeline provides a good interface that is easy to use even for less experienced analysts. And instead of presenting scattered individual events, it presents results with context and risk scores, allowing you to quickly extract the true nature of the threat and investigate how to resolve it if necessary.
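Session stitching that serves points 3 and 4 together: events are grouped into logon-to-logoff sessions per person, and a session keeps following the person when they switch accounts (here a `sudo`-style switch to root) or hop to another host. This is added example code, not Exabeam's sessionizer; the event schema and the names are constructed.

```python
from dataclasses import dataclass, field

# Constructed, time-ordered events (sample data, not from the page).
# logon: user authenticates from src to dst; switch: user becomes new_user on
# host (e.g. sudo); logoff: user signs off host.
EVENTS = [
    {"t": "08:00", "kind": "logon", "user": "alice", "src": "10.0.0.5", "dst": "lt-alice"},
    {"t": "08:30", "kind": "logon", "user": "alice", "src": "lt-alice", "dst": "srv-app"},
    {"t": "08:45", "kind": "switch", "user": "alice", "new_user": "root", "host": "srv-app"},
    {"t": "08:50", "kind": "logon", "user": "root", "src": "srv-app", "dst": "srv-db"},
    {"t": "09:00", "kind": "logon", "user": "bob", "src": "10.0.0.6", "dst": "lt-bob"},
    {"t": "09:10", "kind": "logoff", "user": "alice", "host": "lt-alice"},
]

@dataclass
class Session:
    owner: str            # the person whose workstation logon opened the session
    workstation: str
    accounts: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    timeline: list = field(default_factory=list)
    closed: bool = False

def _continues(sessions, ev):
    """The open session this event belongs to: its actor is an account the
    session already holds and it originates from a host the session reached."""
    origin = ev.get("src") or ev.get("host")
    for s in sessions:
        if not s.closed and ev["user"] in s.accounts and origin in s.hosts:
            return s
    return None

def stitch_sessions(events):
    """Group events into logon-to-logoff sessions, following account/host switches."""
    sessions = []
    for ev in events:
        s = _continues(sessions, ev)
        if s is None:
            if ev["kind"] != "logon":
                continue      # cannot be tied to anyone: leave for review, do not guess
            s = Session(ev["user"], ev["dst"], {ev["user"]}, {ev["src"]})
            sessions.append(s)
        if ev["kind"] == "logon":
            s.hosts.add(ev["dst"])
        elif ev["kind"] == "switch":
            s.accounts.add(ev["new_user"])
        elif ev["kind"] == "logoff" and ev["host"] == s.workstation:
            s.closed = True
        s.timeline.append((ev["t"], ev["kind"], ev["user"]))
    return sessions
```

Alice's session ends up holding both accounts (alice, root) and every host she reached (lt-alice, srv-app, srv-db), so the root logon to srv-db is attributed to her rather than appearing as an unrelated event.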
5. Deploy quickly to realize value
When considering your UEBA options, look for deployment capabilities that are available within a day, don't require professional services for configuration and deployment, and provide built-in use cases so you don't have to customize from the ground up. Your UEBA should be designed and functional enough to be deployed and operational within 48 hours, with true value within a week.
6. Easily accommodate future needs at no extra cost
Your UEBA should be able to scale and extend to new features without expert services or new engineering builds from the vendor. Vendors that require lots of services to set up and tune your deployment often require the same level of effort, with corresponding costs, every time you make a change to your environment, add a new data source, or try to address a new use case. You shouldn't be penalized for driving business initiatives. An effective UEBA becomes more and more valuable as your needs change over time.
7. Deploy without giving vendors VPN access
Many UEBA solutions require extensive services and a lot of customization during deployment and after they are in production. This work is usually performed by external or off-shore engineers, which requires VPN access to the network. For many companies in highly regulated industries, this is problematic. A UEBA should have the ability to be deployed and supported without VPN access for external vendors. A UEBA should minimize security risks, not introduce new ones.
You also need an evaluation that reflects what you want to achieve in your production environment (i.e. no external VPN access) so you know what you are getting into up front.
8. No agents or network taps to deploy
Some UEBA solutions require the deployment of additional infrastructure to collect the required data, typically endpoint agents (installed on each device) or network taps. This creates dependencies and can extend the pilot period by several months. UEBA should have the ability to operate without installing external agents or taps. While taps and agents may provide useful additional information, some UEBA solutions, such as those that analyze log data, provide value without requiring the deployment of additional infrastructure.
9. Achieve proactive threat hunting capabilities
Threat hunting with a UEBA solution requires performing simple or complex searches of collected security data. It should not require deep understanding of a proprietary query language, meticulous attention to syntax, or stitching together multiple simple search results. It should also not take hours to return results. Threat hunting capabilities with auto-generated timelines and extensive dropdowns should accommodate a variety of arguments, work with sessionized (i.e., finely indexed) data, and return a complete incident timeline. It should not generate yet another set of seemingly unrelated event records.
10. SOAR integration for automation
SOAR (Security Orchestration, Automation, and Response) is a key consideration in the context of UEBA. After discovering a threat, a typical SOC analyst workflow requires multiple products with multiple interfaces and multiple credentials. This multi-window approach is often referred to as “swivel-chair incident response,” and the manual work reduces visibility, speed, and productivity. SOAR is an add-on to UEBA solutions, providing a centralized approach and one console to load data and drive actions to other systems. Essentially, integrating UEBA technology with SOAR tools automates incident response. Look for a UEBA solution with semi-automated or fully automated incident playbook handling. This allows SOC analysts to realize increased productivity and speed up incident response for better enterprise security.
Summary
Evaluating different vendor implementations of UEBA can be difficult, but this guide of 10 key criteria will provide a clear path to make the comparison process easier.

ORION CASSETTO
Exabeam, Inc. Director, Product Marketing
video on demand
The threat is in full view! Realizing effective log analysis with machine learning
What is Exabeam, the next-gen SIEM platform?
As targeted attacks and internal fraud continue to increase in recent years, an increasing number of companies are building mechanisms (such as SIEM) to correlate and analyze logs from multiple security products in order to implement appropriate security operations. This is because it is difficult to visualize the impact of each incident using only the logs of security products that have already been installed, and threats may be overlooked. However, building such a system requires security-related knowledge, analytical know-how, and ideas. In this seminar, we introduce "Exabeam", which uses UEBA (User and Entity Behavior Analytics) technology to deliver log analysis and make conventional SIEM operation more efficient.
Inquiry/Document request
Exabeam contact, Macnica Co., Ltd.
- TEL: 045-476-2010
- E-mail: exabeam-sales@macnica.co.jp
Weekdays: 9:00-17:00