How to Leverage Behavioral Analytics to Reduce Insider Threat: Your Questions Answered
Last Thursday, we presented a webinar that discussed how UEBA technology can improve insider threat detection as well as overall SOC operational efficiency and noise reduction. I would like to thank the participants, who were very active and showed their interest by asking lots of questions. We felt we owed everyone answers to the questions that were asked, whether or not they were answered during the webinar, and we took the liberty of removing questions that were not tied to the UEBA subject matter. Here are the questions asked during the live event…
Q: How do you prevent false positives? Example: Barbara is on vacation in Borneo and is validly just working from her vacation?
A: UEBA is all about signals and context. It is very common for a company to set the state of a user as “on-vacation” based on either their out-of-office message or a vacation calendar, and then have that state applied as context to user behavior detection.
Q: How do you gather and link your various data sources? Is this done in Exabeam or another tool?
A: Generally, we gather information either from a SIEM, where it is being collected anyway, or directly if an environment wants to send us the data. In either case, all of the linkage and analysis is done on the Exabeam platform.
Q: Are security teams able to develop custom rules or use cases? Additionally, can you adjust vendor rulesets?
A: Yes, and yes. Many of our customers learn the platform by using it for a while, and then extend it by adding custom use cases that apply to them.
Q: Does Exabeam have any capability to determine file share access for unstructured or structured data?
A: Yes. If you collect those logs, we can model them and find anomalies.
Q: How does Exabeam know who a user’s peer is? Is that something that has to be configured manually?
A: Both: manually, by determining peers from information already known to the identity management (IDM) system, or dynamically, by applying machine learning.
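The two answers above (vacation state as context for false-positive reduction, and peer groups drawn from IDM data) can be illustrated with a small scoring routine. This is an added example, not Exabeam's code or models; the login history, vacation calendar and peer-group tables are constructed sample data, and the score weights are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (hypothetical, not Exabeam's): countries each user has logged in
# from before, an out-of-office/vacation calendar feed, and peer-group membership from IDM.
LOGIN_HISTORY = {"barbara": {"US"}, "carl": {"US", "DE"}, "dana": {"US"}}
VACATIONS = {"barbara": (date(2024, 6, 1), date(2024, 6, 14))}
PEER_GROUPS = {"barbara": "sales-emea", "carl": "sales-emea", "dana": "finance"}

@dataclass
class Login:
    user: str
    country: str  # ISO 3166 country code derived from the source IP
    day: date

@dataclass
class Finding:
    score: int
    reasons: list

def on_vacation(user: str, day: date) -> bool:
    """True if the calendar feed marks the user as on vacation on that day."""
    window = VACATIONS.get(user)
    return window is not None and window[0] <= day <= window[1]

def peer_countries(user: str) -> set:
    """Countries seen across everyone in the user's IDM-derived peer group."""
    group = PEER_GROUPS.get(user)
    return {c for u, g in PEER_GROUPS.items() if g == group
            for c in LOGIN_HISTORY.get(u, set())}

def score_login(ev: Login) -> Finding:
    """Score a login against the user's own baseline, then the peer baseline, then context."""
    score, reasons = 0, []
    if ev.country not in LOGIN_HISTORY.get(ev.user, set()):
        score += 30  # assumed weight: first time this user appears from this country
        reasons.append("country never seen for this user")
        if ev.country not in peer_countries(ev.user):
            score += 20  # assumed weight: nobody in the peer group has been there either
            reasons.append("country never seen for this user's peer group")
    if score and on_vacation(ev.user, ev.day):
        # Context does not erase the signal: keep a low-score record rather than dropping it.
        score //= 4
        reasons.append("user marked on-vacation by calendar feed; score downweighted")
    return Finding(score, reasons)

if __name__ == "__main__":
    print(score_login(Login("barbara", "ID", date(2024, 6, 5))))  # Finding(score=12, ...)
```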
Q: Does Exabeam also address Entity Behavior Analysis, which is different from User, given the lack of Active Directory when monitoring machine-to-machine?
A: Yes. Our modeling and detection platform is very broad, which means we can detect any anomaly modeled for any item. Active Directory is not a requirement, although it does add a lot of contextual information about authentication.
Q: Can you comment on why some vendors list their product as UBA versus UEBA?
A: I would say that it’s a market adoption nuance. Historically, the space was called UBA, and then Gartner changed the scope to include not only User but User and Entity.
Q: Is there a preferred SIEM vendor? QRadar, Splunk, LogRhythm?
A: Nope, we support all SIEMs.
All in all, the enthusiasm shared by the attendees was fantastic. It really encourages us to continue the effort being put into UEBA, to make sure we stay at the top of the detection game and actually solve a problem!
If you missed the webinar, click here to view the archived recording (registration required).