I had the opportunity to meet with Harish Sekar, Manager of Bus Dev for ManageEngine, during their user conference in Dallas to discuss the user and entity behavior analytics (UEBA) that were integrated into ManageEngine’s SIEM solution, Log360.
Five years ago, an admin or IT manager had to turn on a few settings to get information about network activity. Now, with attacks ongoing, you cannot keep asking admins or IT to reconstruct their environment every time an attack takes place. Today, IT only has to feed the logs in, and Log360 automatically scores user behavior based on activity patterns, when the activity happens, and which resources are touched, to help analyze and identify the wrongdoers, whether they are careless employees or bad actors. Don’t spare anyone who is doing something unsafe; it is still a problem.
In the past, no one had any idea what was going on; they waited for an email or a call after an attack had occurred. Now compliance requirements take precedence, and people have to know what is going on in real time. UEBA tells IT about compromises and attacks, which user is responsible, and which entities are involved. Everything is on the radar. Log360 assigns each user a score, and if the score indicates a potential threat, an email alert is sent.
Previously, IT would set up a honeypot seeded with decoy user data to see how many people swarmed around it. Now UEBA shows where people are snooping around and which information is generating the most interest.
According to Verizon’s 2018 Data Breach Investigations Report, over a quarter of the 53,308 cyberattacks in 2017 involved insiders. Insider threats are particularly difficult to detect with conventional, rule- and signature-based threat detection, because an insider misuses access they legitimately hold: there is no vulnerability being exploited and no known-bad indicator to match on. UEBA aims for more robust and accurate detection by using machine learning to build a baseline of each user’s normal activity and then flag deviations from that baseline. One caveat a practitioner should keep in mind: the baseline is only as good as the period it was learned from, so a user who was already misbehaving while the baseline was built will look normal, and genuine deviations still need triage to separate a careless employee from a compromised account.
“In today’s IT security landscape, rigid alert rules and conventional threat detection systems no longer make the cut. The need of the hour is a system that can learn and adapt to continuous change,” said Manikandan Thangaraj, director of program management at ManageEngine. “Log360 UEBA does just that and improves the accuracy of threat detection, helping SOC personnel qualify and investigate threats that actually merit investigation.”
Highlights of UEBA
UEBA monitors user activity captured in logs to identify behavioral changes. User activities that would otherwise go unnoticed are flagged, reducing the time it takes to detect and respond to threats. The highlights include:
- Anomaly detection: Identifies deviant user and entity behavior, such as logins at unusual hours, excessive login failures, and file deletions from a host that a particular user does not normally use.
- Score-based risk assessment: Generates a risk score for each user and entity based on how dangerous their behavior is. This helps security administrators determine which threats merit investigation.
- Threat corroboration: Identifies indicators of compromise (IoCs) and indicators of attack (IoAs), exposing major threats including insider threats, account compromise, and data exfiltration.
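To make the baseline-and-deviation idea above, and the three highlights, concrete, here is a small added example in Python. It is not Log360 code and it does not use ManageEngine’s scoring model; the log format, the three detectors, the weights, the failure threshold and the alert threshold are all assumptions chosen for illustration. It learns a per-user profile (hours of activity and hosts used) from a constructed baseline window, then scores a second window of constructed events for logins at unusual hours, excessive login failures, and file deletions on an unfamiliar host, and finally reports which users cross the risk threshold.

```python
"""Toy UEBA: learn a per-user baseline from logs, score deviations, flag risky users.

Added example, not Log360 code. Log format, detectors, weights and thresholds
are all hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events in a made-up format: "<ISO timestamp> <user> <action> <outcome> <host>".
# BASELINE_LOGS is the window the profile is learned from; EVAL_LOGS is the window being scored.
BASELINE_LOGS = """
2024-03-04T09:02:11 alice login success ws-alice
2024-03-04T09:05:40 alice file_read success fs01
2024-03-04T17:31:02 alice login success ws-alice
2024-03-05T08:58:20 alice login success ws-alice
2024-03-05T14:10:09 alice file_delete success ws-alice
2024-03-04T10:15:00 bob login success ws-bob
2024-03-04T10:20:33 bob login failure ws-bob
2024-03-05T10:05:12 bob login success ws-bob
2024-03-05T10:07:45 bob file_read success fs01
"""

EVAL_LOGS = """
2024-03-06T03:12:44 alice login success ws-alice
2024-03-06T03:15:01 alice file_delete success fs02
2024-03-06T03:15:08 alice file_delete success fs02
2024-03-06T10:02:00 bob login failure ws-bob
2024-03-06T10:02:05 bob login failure ws-bob
2024-03-06T10:02:09 bob login failure ws-bob
2024-03-06T10:02:14 bob login failure ws-bob
2024-03-06T10:02:20 bob login failure ws-bob
2024-03-06T10:02:26 bob login failure ws-bob
2024-03-06T10:03:00 bob login success ws-bob
"""

# Hypothetical weights and thresholds; tune to the environment in a real deployment.
WEIGHTS = {"unusual_hour": 20, "excessive_failures": 30, "unusual_host_delete": 40}
FAILURE_THRESHOLD = 5   # login failures in the window before the detector fires
RISK_THRESHOLD = 50     # score at which a user is flagged for investigation


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    outcome: str
    host: str


def parse(text):
    """Parse the constructed log format into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, outcome, host = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, outcome, host))
    return events


def build_baseline(events):
    """Per-user profile: the hours of day and the hosts seen during the baseline window."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for e in events:
        profile[e.user]["hours"].add(e.ts.hour)
        profile[e.user]["hosts"].add(e.host)
    return profile


def near_hour(hour, baseline_hours, tolerance=1):
    """True if `hour` is within `tolerance` hours (wrapping at midnight) of any baseline hour."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in baseline_hours)


def score_window(events, profile):
    """Score each user's events against their baseline; return score and findings per user."""
    scores, findings, failures = defaultdict(int), defaultdict(list), defaultdict(int)
    for e in sorted(events, key=lambda x: x.ts):
        p = profile.get(e.user, {"hours": set(), "hosts": set()})  # unknown user: empty baseline
        if e.action == "login" and e.outcome == "success" and not near_hour(e.ts.hour, p["hours"]):
            scores[e.user] += WEIGHTS["unusual_hour"]
            findings[e.user].append(f"login at {e.ts:%H:%M} outside baseline hours")
        if e.action == "login" and e.outcome == "failure":
            failures[e.user] += 1
            if failures[e.user] == FAILURE_THRESHOLD:  # fire once per window
                scores[e.user] += WEIGHTS["excessive_failures"]
                findings[e.user].append(f"{FAILURE_THRESHOLD} login failures in window")
        if e.action == "file_delete" and e.host not in p["hosts"]:
            scores[e.user] += WEIGHTS["unusual_host_delete"]
            findings[e.user].append(f"file_delete on unfamiliar host {e.host}")
    users = {e.user for e in events}
    return {u: {"score": scores[u], "findings": findings[u]} for u in users}


def flagged_users(results):
    """Users whose risk score reached the alert threshold."""
    return sorted(u for u, r in results.items() if r["score"] >= RISK_THRESHOLD)


def run():
    """Learn the baseline from BASELINE_LOGS and score EVAL_LOGS."""
    return score_window(parse(EVAL_LOGS), build_baseline(parse(BASELINE_LOGS)))


if __name__ == "__main__":
    results = run()
    for user, r in sorted(results.items()):
        print(f"{user}: score={r['score']} findings={r['findings']}")
    print("flagged:", flagged_users(results))
```

With the constructed data, alice logs in at 03:12 (outside her 08:00 to 17:00 baseline) and deletes files on fs02, a host she never touched in the baseline, so her score reaches 100 and she is flagged; bob accumulates six login failures, which fires the failure detector once for 30 points but stays below the alert threshold, so his finding is recorded for later corroboration without an alert. A real deployment would learn the baseline over weeks rather than two days and weight detectors by the sensitivity of the resource involved.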