How to Leverage Behavioral Analytics to Reduce Insider Threat: Your Questions Answered - Exabeam


Published: May 26, 2016

Author: Barry Shteiman

Last Thursday, we presented a webinar on how UEBA technology can improve insider threat detection as well as overall SOC operational efficiency and noise reduction. I would like to thank the participants, who were very active and showed their interest by asking lots of questions. We felt we owed everyone answers to the questions that were asked, whether or not they were answered during the webinar, and we took the liberty of removing questions that were not tied to UEBA subject matter. Here are the questions asked during the live event.


Q: How do you prevent false positives? Example: Barbara is on vacation in Borneo, and is validly just working from her vacation?

A: UEBA is all about signals and context. It is very common for a company to set the state of a user as “on-vacation” based on either their out-of-office message, or a vacation calendar and then have that information applied to user behavior detection.
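The answer above describes feeding an "on-vacation" state into user behavior detection so that a login from an unfamiliar country is explained rather than alerted on. The following is an added illustration written for this post, not Exabeam's code: a minimal location-anomaly rule that builds each user's country baseline from past logins and consults a constructed leave calendar (standing in for an out-of-office message or vacation calendar) before scoring. All users, countries and dates are constructed sample data.

```python
"""Added illustration (not Exabeam's code): an "on-vacation" context signal
fed into a simple location-anomaly rule, so that a user who is legitimately
working from a vacation destination is not raised as a false positive."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Login:
    user: str
    country: str  # ISO country code of the source IP (constructed)
    day: date


# Constructed historical logins used to build each user's location baseline.
HISTORY = [
    Login("barbara", "US", date(2016, 5, 2)),
    Login("barbara", "US", date(2016, 5, 3)),
    Login("barbara", "US", date(2016, 5, 4)),
    Login("barbara", "US", date(2016, 5, 5)),
    Login("dave", "US", date(2016, 5, 2)),
    Login("dave", "GB", date(2016, 5, 3)),
]

# Constructed HR/calendar context: approved leave window per user.
VACATIONS = {"barbara": (date(2016, 5, 16), date(2016, 5, 27))}


def build_baseline(history):
    """Count, per user, how often each country appears in past logins."""
    baseline = {}
    for ev in history:
        baseline.setdefault(ev.user, Counter())[ev.country] += 1
    return baseline


def on_vacation(user, day, vacations=VACATIONS):
    """True when the login day falls inside the user's approved leave window."""
    window = vacations.get(user)
    return window is not None and window[0] <= day <= window[1]


def score_login(ev, baseline, vacations=VACATIONS):
    """Return (score, reason); higher means more anomalous.

    A never-seen country is a strong anomaly. The vacation context does not
    discard the event; it lowers the score so the event stays visible on the
    user's timeline without paging an analyst."""
    seen = baseline.get(ev.user, Counter())
    total = sum(seen.values())
    if total == 0:
        return 50, "no baseline for this user yet"
    share = seen[ev.country] / total
    if share > 0:
        return 0, f"country seen in {share:.0%} of past logins"
    if on_vacation(ev.user, ev.day, vacations):
        return 10, "new country, but user is on approved leave"
    return 80, "new country with no explaining context"


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for login in [
        Login("barbara", "MY", date(2016, 5, 20)),  # during leave
        Login("barbara", "MY", date(2016, 6, 3)),   # after leave ended
        Login("dave", "GB", date(2016, 5, 20)),     # previously seen
    ]:
        print(login.user, login.country, login.day, score_login(login, base))
```

The design point is that context lowers the score rather than suppressing the event: if the same user later logs in from that country after the leave window closes, the rule returns to its full score, and the earlier low-scoring event is still on record for an analyst reviewing the timeline.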


Q: How do you gather and link your various data sources? Is this done in Exabeam or another tool?

A: Generally, we gather information either off a SIEM where it’s already gathered, or directly if an environment wants to send us the data. In any case, all of the linkage and analysis is done on the Exabeam platform.


Q: Are security teams able to develop custom rules or use cases? Additionally, can you adjust vendor rulesets?

A: Yes, and yes. Many of our customers get to know the platform by using it for a while, and then expand their adoption by adding custom use cases that apply to them.


Q: Does Exabeam have any capability to determine file share access for unstructured or structured data?

A: Yes. If you collect those logs, we can model them and find anomalies.


Q: How does Exabeam know who a user’s peer is? Is that something that has to be configured manually?

A: Both: manually, by determining peers from information already known to the identity management (IDM) system, or dynamically, by applying machine learning.


Q: Does Exabeam also address Entity Behavior Analysis, which is different from User, given the lack of Active Directory when monitoring machine-to-machine?

A: Yes. Our modeling and detection platform is very broad, which means we can detect any anomaly modeled for any item. Active Directory is not a requirement, although it does add a lot of contextual information about authentication.


Q: Can you comment on why some vendors list their product as UBA versus UEBA?

A: I would say that it’s a market adoption nuance. Historically, the space was called UBA, and then Gartner changed the scope to include not only User but User and Entity.


Q: Is there a preferred SIEM vendor? QRadar, Splunk, LogRhythm?

A: Nope, we support all SIEMs.


All in all, the enthusiasm shared by the attendees was fantastic. It really encourages us to continue the effort we are putting into UEBA, to make sure we stay at the top of the detection game and actually solve a problem!


If you missed the webinar, click here to view the archived recording (registration required).
