Transforming Logs and Alerts into Actionable Intelligence with UEBA Functionality

By Jacob Bolm, Woodrow Brown ·

For information security practitioners, the stored value in security data can reduce both costs and risk. The progression of the treatment of log data is a testament to the recognition of this value. Computer logging facilities began as a first-in-first-out (FIFO) rolling buffer with a finite capacity. Organizations then moved to log management programs where log data was aggregated and stored. Next, Security Information and Event Management (SIEM) systems were put in place. Today, User and Entity Behavior Analytics (UEBA) solutions are at the forefront of unlocking the value of data and a growing number of companies are turning to UEBA to help solve their security challenges.

These solutions provide advanced analytics and machine learning capabilities that enable you to automate the detection of advanced threats. Based on my field experience at Optiv, you should consider adding UEBA to your enterprise security arsenal and here’s why:

  • UEBA solutions combine the expert system and machine learning elements of artificial intelligence to present visual representations of interaction. Solutions using these techniques are not without false positives, but the gains in efficiency can outweigh the drawbacks.
  • Both security solutions and organizations generate large amounts of data. There’s a high demand for a limited supply of experts in security analytics, which has raised the cost of employing these specialized resources. UEBA technology is pre-loaded with analytical tools and statistical models built to crunch large volumes of data. The premise is that once normal activities are known, abnormal activities can be identified and brought to an analyst’s attention thus reducing the workload on existing resources.
  • UEBA solutions process logs to identify normal and abnormal events related to users in the environment. Abnormal events increase the risk associated with a user’s activity. The solutions visualize links between users and the objects they interact with to provide a framework for analysts to research the user’s behavior overtime.

When it comes to selection of a UEBA product, it’s important to assess your current environment to determine which technology will best achieve your desired results as well as integrate with your existing security technology. Over the past few years, LogRhythm has made a number of product enhancements to address user-based threats through UEBA to meet many of the above requirements. It is delivering these capabilities through the extension of its existing real-time analytics platform and the introduction of a new cloud-based analytics service.

  • LogRhythm TrueIdentity collapses the many account types and account identifiers in use by an individual to a single Identity construct, providing critical identity context for downstream monitoring dashboards, analytics, and reports. Further, LogRhythm distinguishes between the Origin Identity (that which causes an event to occur, e.g., the admin modifying a user account) and the Impacted Identity (what which is acted upon by the Origin Identity, e.g., the modified user account); this higher fidelity identity contextualization only adds to the benefits of utilizing LogRhythm’s UEBA.
  • LogRhythm has been leveraging its AI Engine (AIE) technology to monitor and alert on suspicious user behavior via content delivered through its complementary Knowledge Base (KB) modules.  The LogRhythm UEBA Module has more than 60 new UEBA-specific AIE rules designed to detect unusual or malicious user activity within an organization, addressing the following use cases:
    • Insider Threat (e.g., unusual file modifications, unusual file accesses, data exfiltration)
    • Compromised Account (e.g., abnormal authentication activity, abnormal user application behavior, compromised hosts, lateral movement following an attack, concurrent logins from multiple locations, account activity from blacklisted locations, brute force attacks)
    • Privileged Account Abuse (e.g., suspicious temporary account activity, unusual account privilege escalation, abnormal account administration)
  • LogRhythm recently updated its UEBA module to align analytics content with the cyber-attack lifecycle, identifying threats of great risk that appear to be progressing towards their ultimate aims, whether data exfiltration, sabotage, or something similarly concerning.
  • LogRhythm CloudAI is a behavioral analytics engine that is used in conjunction with the AI Engine to perform analytics techniques (e.g., machine learning, advanced statistical analysis) on user and host logs to accurately and quickly detect anomalous behavior and activity. With on-premises technologies, these techniques would traditionally be very expensive from a memory and hardware perspective, but with cloud infrastructure, new possibilities are unlocked.
    • All CloudAI user activity analysis is displayed in the CloudAI tab in the web console, and can be added to Cases or investigated in the same way that any other alarm or log can. As the host and user logs come into CloudAI for the first time, it learns how to distinguish between normal (expected) behavior and abnormal behavior. An event score is generated by CloudAI as it notices suspicious activity; the higher the score, the more suspicious the activity. Analysts can help teach CloudAI what is normal and expected for a specific user or set of users to tune the solution and identify threats with greater precision in the future.

If considering a UEBA solution, it will be most successful if organizations already have robust logging, log management and log retention in place for their critical business assets. Organizations should ensure the UEBA solution integrates with their existing SIEM and ticketing system. A team should be in place or constructed to manage the solution and respond to actionable alerts. Successful UEBA implementations will show risk and cost reduction. Security issues will be uncovered sooner and security violations will have less of an impact on the business. Hours and resources associated with log analysis and incident response time will decrease. The good news… you can achieve these results with a review of your security operations strategy and maturity, product implementation and integration services for your SIEM and UEBA technologies and if required, managed security services.

Want to know more and see UEBA in action? We invite you to see how the National Hockey League Players’ Association (NHLPA) has used UEBA functionality to transform their logs and alerts into actionable intelligence by attending an upcoming use case and brief demo webinar.  Click here to view the onDemand webinar.

Jacob Bolm

Managing Consultant, Architecture and Implementation Solutions

Jacob Bolm is a managing consultant for Optiv’s architecture and implementation solutions professional services practice, and has been focused on SIEM technologies for the past 6 years. As an industry veteran, Jacob’s passion and focus is around providing holistic IT Security monitoring solutions tailored around the unique needs of each client and industry.

woodrow-brown

Woodrow Brown

Director, Partner Research and Strategy

Woodrow Brown has over a decade of leadership, service delivery and research experience. As director of partner research and strategy at Optiv, Brown's team provides objective analysis of cyber security products, enabling our clients to make informed decisions for technology selection. Cutting through industry spin, Brown delivers research that provides an accessible understanding of how security technologies function.