How to Leverage Behavioral Analytics to Reduce Insider Threat: Your Questions Answered
Last Thursday, we presented a webinar and discussed how UEBA technology can improve insider threat detection as well as overall SOC operational efficiency and noise reduction. I would like to thank the participants, who were very active and showed their interest by asking lots of questions. We felt we owed everyone answers to the questions that were asked, whether or not they were answered during the webinar, and took the liberty of removing questions that were not tied to the UEBA subject matter. Here are the questions asked during the live event.
Q: How do you prevent false positives? Example: Barbara is on vacation in Borneo and is validly just working from her vacation?
A: UEBA is all about signals and context. It is very common for a company to set the state of a user to “on-vacation” based on either their out-of-office message or a vacation calendar, and then have that state applied to user behavior detection, so that activity consistent with the declared state is not scored as anomalous.
Q: How do you gather and link your various data sources? Is this done in Exabeam or another tool?
A: Generally, we gather information either off a SIEM where it’s always gathered, or direct if an environment wants to send us the data directly. In any case, all of the linkage and analysis is done on the Exabeam platform.
Q: Are security teams able to develop custom rules or use cases? Additionally, can you adjust vendor rulesets?
A: Yes, and yes. Many of our customers learn the platform by using it for a while, and then extend it by adding custom use cases that apply to them.
Q: Does Exabeam have any capability to determine file share access for unstructured or structured data?
A: Yes. If you collect those logs, we can model them and find anomalies.
Q: How does Exabeam know who a user’s peer is? Is that something that has to be configured manually?
A: Both: manually, by deriving peers from information already known to the identity management (IDM) system, or dynamically, by applying machine learning to observed behavior.
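The two answers above (vacation state as context for false-positive reduction, and peers derived either from IDM attributes or from observed behavior) can be shown together in a small scoring model. The following is an added example written for this page; it is not Exabeam code and does not describe how the Exabeam platform scores events. The IDM fields (`dept`, `out_of_office`), the login history and the score weights are all constructed for illustration, and the "dynamic" peer function is a deliberately simple stand-in (shared login countries) for the machine-learning clustering a real UEBA would use.

```python
"""Context-aware anomaly scoring with static and dynamic peer groups.

Added example, not Exabeam code. It sketches two ideas: (1) a user state
such as "on-vacation", taken from an out-of-office flag in the identity
store, is fed into detection so a login from a new country is discounted
rather than raised as a high-severity anomaly; (2) a user's peers come
either from IDM attributes (department) or from observed behaviour.
All data below is constructed.
"""
from collections import Counter, defaultdict

# Constructed IDM export: user -> attributes (hypothetical field names).
IDM = {
    "barbara": {"dept": "finance", "out_of_office": True},
    "carlos":  {"dept": "finance", "out_of_office": False},
    "dana":    {"dept": "finance", "out_of_office": False},
    "eve":     {"dept": "engineering", "out_of_office": False},
}

# Constructed 30-day login history: (user, country, hour_of_day).
HISTORY = [
    ("barbara", "US", 9), ("barbara", "US", 10), ("barbara", "US", 14),
    ("carlos", "US", 9), ("carlos", "CA", 11), ("carlos", "US", 15),
    ("dana", "US", 8), ("dana", "US", 17),
    ("eve", "DE", 2), ("eve", "DE", 3), ("eve", "IN", 4),
]


def static_peers(idm):
    """Peer groups straight from IDM: users sharing a department."""
    groups = defaultdict(set)
    for user, attrs in idm.items():
        groups[attrs["dept"]].add(user)
    return {u: groups[a["dept"]] - {u} for u, a in idm.items()}


def dynamic_peers(history, min_overlap=1):
    """Peers inferred from behaviour: users who share at least
    `min_overlap` login countries. A toy stand-in for ML clustering."""
    countries = defaultdict(set)
    for user, country, _ in history:
        countries[user].add(country)
    return {
        u: {v for v in countries
            if v != u and len(countries[u] & countries[v]) >= min_overlap}
        for u in countries
    }


def baseline(history, users):
    """Login countries seen for a set of users, with counts."""
    return Counter(country for user, country, _ in history if user in users)


def score_login(user, country, history, idm, peers):
    """Return (score 0-100, reasons) for a login from `country`.

    A country never seen for the user scores 60; if the user's peer group
    has never seen it either, 30 more. When the IDM state says the user is
    out of office, the geo anomaly is capped at 20 instead of being raised
    as a high-severity event (the "Barbara in Borneo" case)."""
    own = baseline(history, {user})
    peer = baseline(history, peers[user])
    score, reasons = 0, []
    if country not in own:
        score += 60
        reasons.append("new country for user")
        if country not in peer:
            score += 30
            reasons.append("new country for peer group")
        if idm[user]["out_of_office"]:
            score = min(score, 20)
            reasons.append("user state on-vacation, geo anomaly discounted")
    return score, reasons


if __name__ == "__main__":
    peers = static_peers(IDM)
    for user, country in [("barbara", "ID"), ("carlos", "ID"), ("dana", "CA")]:
        print(user, country, score_login(user, country, HISTORY, IDM, peers))
```

With the constructed data, Barbara's login from Indonesia is new for both her and her finance peers but is capped at 20 because her IDM record says she is out of office; the same login by Carlos, who is not out of office, scores 90. Dana's login from Canada is new for her but already seen in her peer group, so it lands at 60. The vacation state only suppresses the geographic signal; any other anomaly on the same session would still be scored.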
Q: Does Exabeam also address Entity Behavior Analysis, which is different from User, given the lack of Active Directory when monitoring machine-to-machine?
A: Yes. Our modeling and detection platform is very broad, which means we can detect any anomaly modeled for any item. Active Directory is not a requirement, although it does add a lot of contextual information about authentication.
Q: Can you comment on why some vendors list their product as UBA versus UEBA?
A: I would say that it’s a market adoption nuance. Historically, the space was called UBA, and then Gartner changed the scope to include not only User but User and Entity.
Q: Is there a preferred SIEM vendor? QRadar, Splunk, LogRhythm?
A: Nope, we support all SIEMs.
All in all, the enthusiasm shared by the attendees was fantastic. It really encourages us to continue the effort that is being put into UEBA, to make sure we stay at the top of the detection game and that we actually solve a problem!
If you missed the webinar, click here to view the archived recording (registration required).