
Transforming Logs and Alerts into Actionable Intelligence with UEBA Functionality

May 24, 2018

For information security practitioners, the stored value in security data can reduce both costs and risk. The progression of the treatment of log data is a testament to the recognition of this value. Computer logging facilities began as a first-in-first-out (FIFO) rolling buffer with a finite capacity. Organizations then moved to log management programs where log data was aggregated and stored. Next, Security Information and Event Management (SIEM) systems were put in place. Today, User and Entity Behavior Analytics (UEBA) solutions are at the forefront of unlocking the value of data and a growing number of companies are turning to UEBA to help solve their security challenges.

These solutions provide advanced analytics and machine learning capabilities that enable you to automate the detection of advanced threats. Based on my field experience at Optiv, you should consider adding UEBA to your enterprise security arsenal and here’s why:

  • UEBA solutions combine the expert-system and machine-learning elements of artificial intelligence to present visual representations of user and entity interactions. Solutions using these techniques are not without false positives, but the gains in efficiency can outweigh the drawbacks.
  • Both security solutions and organizations generate large amounts of data. There’s a high demand for a limited supply of experts in security analytics, which has raised the cost of employing these specialized resources. UEBA technology is pre-loaded with analytical tools and statistical models built to crunch large volumes of data. The premise is that once normal activities are known, abnormal activities can be identified and brought to an analyst’s attention thus reducing the workload on existing resources.
  • UEBA solutions process logs to identify normal and abnormal events related to users in the environment. Abnormal events increase the risk associated with a user’s activity. The solutions visualize links between users and the objects they interact with to provide a framework for analysts to research the user’s behavior over time.
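The premise in the bullets above (learn what is normal for each user, then score departures from it and let an analyst feed corrections back) is easy to see in miniature. The following is an added example, not code from the original post or from any UEBA vendor; the log format, the weights, the threshold and the sample users are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample authentication logs (not from the page), one event per line:
# "<ISO timestamp> <user> <host> <result>". These form the "normal" training window.
TRAINING_LOGS = """
2018-05-01T08:55:00 alice ws-alice-01 success
2018-05-01T09:10:00 alice fileserver-01 success
2018-05-02T09:02:00 alice ws-alice-01 success
2018-05-02T17:40:00 alice fileserver-01 success
2018-05-02T17:41:00 alice fileserver-01 failure
2018-05-01T07:30:00 bob ws-bob-01 success
2018-05-02T07:45:00 bob ws-bob-01 success
2018-05-03T08:05:00 bob jumphost-01 success
""".strip().splitlines()

# Weight of each deviation from the baseline; their sum is the event's risk score.
# Both the weights and the threshold are illustrative choices, not a vendor's values.
WEIGHTS = {"unknown_user": 5, "new_host": 3, "off_hours": 2}
ALERT_THRESHOLD = 3  # scores at or above this are surfaced to an analyst


def parse(line):
    ts, user, host, result = line.split()
    return datetime.fromisoformat(ts), user, host, result


def _empty_profile():
    return {"hosts": set(), "hour_min": 23, "hour_max": 0}


def learn_baseline(lines):
    """Per-user profile: hosts used and the hour-of-day span of successful activity."""
    baselines = {}
    for line in lines:
        ts, user, host, result = parse(line)
        if result != "success":
            continue  # failed attempts do not define what is normal
        profile = baselines.setdefault(user, _empty_profile())
        profile["hosts"].add(host)
        profile["hour_min"] = min(profile["hour_min"], ts.hour)
        profile["hour_max"] = max(profile["hour_max"], ts.hour)
    return baselines


def score_event(baselines, line):
    """Return (score, reasons) for one new log line against the learned baselines."""
    ts, user, host, _ = parse(line)
    reasons = []
    profile = baselines.get(user)
    if profile is None:
        reasons.append("unknown_user")
    else:
        if host not in profile["hosts"]:
            reasons.append("new_host")
        if not profile["hour_min"] <= ts.hour <= profile["hour_max"]:
            reasons.append("off_hours")
    return sum(WEIGHTS[r] for r in reasons), reasons


def mark_normal(baselines, user, host=None, hour=None):
    """Analyst feedback: fold a confirmed-benign host or hour into the user's baseline."""
    profile = baselines.setdefault(user, _empty_profile())
    if host is not None:
        profile["hosts"].add(host)
    if hour is not None:
        profile["hour_min"] = min(profile["hour_min"], hour)
        profile["hour_max"] = max(profile["hour_max"], hour)


def triage(baselines, lines):
    """Score a batch of new events; return those at or above the threshold, highest score first."""
    flagged = []
    for line in lines:
        score, reasons = score_event(baselines, line)
        if score >= ALERT_THRESHOLD:
            flagged.append((score, line, reasons))
    return sorted(flagged, key=lambda f: f[0], reverse=True)


if __name__ == "__main__":
    baselines = learn_baseline(TRAINING_LOGS)
    new_events = [
        "2018-05-10T03:15:00 alice ws-alice-01 success",  # off hours only, below threshold
        "2018-05-10T09:00:00 alice dc-01 success",        # never-seen host
        "2018-05-10T03:00:00 alice dc-01 success",        # new host and off hours
        "2018-05-10T09:00:00 eve dc-01 success",          # no baseline at all
    ]
    for score, line, reasons in triage(baselines, new_events):
        print(score, reasons, line)
    # After an analyst confirms dc-01 is legitimate for alice, the same event scores 0.
    mark_normal(baselines, "alice", host="dc-01")
    print(score_event(baselines, new_events[1]))
```

Only successful activity builds the profile, so a burst of failures during the training window does not teach the model that failures are normal; `mark_normal` is the tuning step, and the analyst's confirmation lowers future scores for that user only rather than relaxing the rule for everyone.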

When it comes to selection of a UEBA product, it’s important to assess your current environment to determine which technology will best achieve your desired results as well as integrate with your existing security technology. Over the past few years, LogRhythm has made a number of product enhancements to address user-based threats through UEBA to meet many of the above requirements. It is delivering these capabilities through the extension of its existing real-time analytics platform and the introduction of a new cloud-based analytics service.

  • LogRhythm TrueIdentity collapses the many account types and account identifiers in use by an individual to a single Identity construct, providing critical identity context for downstream monitoring dashboards, analytics, and reports. Further, LogRhythm distinguishes between the Origin Identity (that which causes an event to occur, e.g., the admin modifying a user account) and the Impacted Identity (that which is acted upon by the Origin Identity, e.g., the modified user account); this higher-fidelity identity contextualization only adds to the benefits of utilizing LogRhythm’s UEBA.
  • LogRhythm has been leveraging its AI Engine (AIE) technology to monitor and alert on suspicious user behavior via content delivered through its complementary Knowledge Base (KB) modules. The LogRhythm UEBA Module has more than 60 new UEBA-specific AIE rules designed to detect unusual or malicious user activity within an organization, addressing the following use cases:
    • Insider Threat (e.g., unusual file modifications, unusual file accesses, data exfiltration)
    • Compromised Account (e.g., abnormal authentication activity, abnormal user application behavior, compromised hosts, lateral movement following an attack, concurrent logins from multiple locations, account activity from blacklisted locations, brute force attacks)
    • Privileged Account Abuse (e.g., suspicious temporary account activity, unusual account privilege escalation, abnormal account administration)
  • LogRhythm recently updated its UEBA module to align analytics content with the cyber-attack lifecycle, identifying high-risk threats that appear to be progressing toward their ultimate aims, whether data exfiltration, sabotage, or something similarly concerning.
  • LogRhythm CloudAI is a behavioral analytics engine that is used in conjunction with the AI Engine to perform analytics techniques (e.g., machine learning, advanced statistical analysis) on user and host logs to accurately and quickly detect anomalous behavior and activity. With on-premises technologies, these techniques would traditionally be very expensive from a memory and hardware perspective, but with cloud infrastructure, new possibilities are unlocked.
    • All CloudAI user activity analysis is displayed in the CloudAI tab in the web console, and can be added to Cases or investigated in the same way that any other alarm or log can. As the host and user logs come into CloudAI for the first time, it learns how to distinguish between normal (expected) behavior and abnormal behavior. An event score is generated by CloudAI as it notices suspicious activity; the higher the score, the more suspicious the activity. Analysts can help teach CloudAI what is normal and expected for a specific user or set of users to tune the solution and identify threats with greater precision in the future.
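To show why collapsing many accounts into one identity matters for the rules listed above, here is an added example (not LogRhythm's code, data format or rule logic) that resolves raw account names to an identity, tags each event with an origin and an impacted identity, and then runs three simple rules of the kind the use-case list names: brute force, concurrent logins from multiple locations, and abnormal account administration. The identity map, log format, ten-minute window and five-failure threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity map (hypothetical stand-in for a many-accounts-to-one-identity
# mapping such as TrueIdentity provides; not LogRhythm's data).
IDENTITY_MAP = {
    "jsmith": "John Smith",
    "john.smith@example.com": "John Smith",
    "jsmith-adm": "John Smith",
    "mjones": "Mary Jones",
    "mary.jones@example.com": "Mary Jones",
}


def resolve(account):
    """Map an account identifier to its identity; unknown accounts keep their raw name."""
    return IDENTITY_MAP.get(account.lower(), account)


# Constructed log lines (not from the page):
# "<ISO timestamp> <event> <origin_account> <impacted_account> <detail>"
# For logon events the origin is "-" and detail is the source country; for group_add
# the origin is the administrator account and detail is the group that was modified.
LOGS = """
2018-05-20T09:00:00 logon_failure - jsmith US
2018-05-20T09:00:10 logon_failure - jsmith US
2018-05-20T09:00:20 logon_failure - jsmith US
2018-05-20T09:00:30 logon_failure - jsmith US
2018-05-20T09:00:40 logon_failure - jsmith US
2018-05-20T09:01:00 logon_success - jsmith US
2018-05-20T09:03:00 logon_success - john.smith@example.com BR
2018-05-20T10:15:00 logon_success - mjones US
2018-05-20T11:00:00 group_add jsmith-adm jsmith Domain-Admins
""".strip().splitlines()

WINDOW = timedelta(minutes=10)   # illustrative correlation window
FAIL_THRESHOLD = 5               # illustrative brute-force threshold


def parse(line):
    ts, event, origin, impacted, detail = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "origin": resolve(origin), "impacted": resolve(impacted), "detail": detail}


def detect(lines):
    """Run three UEBA-style rules per resolved identity; return (rule, identity, detail) alerts."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    by_identity = defaultdict(list)
    for e in events:
        by_identity[e["impacted"]].append(e)

    alerts = []
    for ident, evs in by_identity.items():
        # Rule 1: brute force - FAIL_THRESHOLD or more failures inside one WINDOW.
        fails = [e for e in evs if e["event"] == "logon_failure"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= WINDOW]
            if len(burst) >= FAIL_THRESHOLD:
                alerts.append(("brute_force", ident, f"{len(burst)} failures from {first['detail']}"))
                break
        # Rule 2: successful logons from two or more locations inside one WINDOW.
        # Because accounts are collapsed to one identity, the logon as "jsmith" and the
        # logon as "john.smith@example.com" are compared to each other here.
        successes = [e for e in evs if e["event"] == "logon_success"]
        for i, first in enumerate(successes):
            locations = {s["detail"] for s in successes[i:] if s["ts"] - first["ts"] <= WINDOW}
            if len(locations) >= 2:
                alerts.append(("concurrent_locations", ident, ",".join(sorted(locations))))
                break
        # Rule 3: the origin identity changes the privileges of its own impacted identity
        # through a different account (abnormal account administration).
        for e in evs:
            if e["event"] == "group_add" and e["origin"] == ident:
                alerts.append(("self_privilege_change", ident, e["detail"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOGS):
        print(alert)
```

Without the identity step, rule 2 would see one logon per account and never fire, and rule 3 could not tell that the administrator account and the account it elevated belong to the same person; both detections exist only because origin and impacted accounts were resolved to identities before correlation.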

A UEBA solution is most likely to succeed when the organization already has robust logging, log management and log retention in place for its critical business assets. Organizations should ensure the UEBA solution integrates with their existing SIEM and ticketing system. A team should be in place, or built, to manage the solution and respond to actionable alerts. Successful UEBA implementations will show risk and cost reduction: security issues will be uncovered sooner, security violations will have less of an impact on the business, and the hours and resources spent on log analysis and incident response will decrease. The good news is that you can achieve these results with a review of your security operations strategy and maturity, product implementation and integration services for your SIEM and UEBA technologies and, if required, managed security services.

Want to know more and see UEBA in action? We invite you to see how the National Hockey League Players’ Association (NHLPA) has used UEBA functionality to transform their logs and alerts into actionable intelligence by attending an upcoming use case and brief demo webinar. The on-demand webinar is also available for viewing.

By: Jacob Bolm

Managing Consultant, Architecture and Implementation Solutions
