SIEM | UEBA
Security Monitoring is a combination of people, processes and technology. In a Security Operations Center (SOC) we need technology to make visible what is going on in a network, and we need security analysts to analyse the resulting warnings and events and to take immediate action when necessary. The most commonly used technology for this is Security Information and Event Management (SIEM), nowadays often combined with User and Entity Behavior Analytics (UEBA) software.
Security Information and Event Management (SIEM)
What is SIEM?
Security Information and Event Management (SIEM) helps you find the events that require your attention and raises the information security of your organization to a higher level.
By collecting and correlating log data from multiple sources, for example firewalls, servers, PCs, switches and antivirus systems, a SIEM system brings to light incidents that would be overlooked when each security product is viewed in isolation or left to the human eye. SIEM helps you get the most out of the security controls you already have and greatly reduces the time an intruder can remain unnoticed.
SIEM makes the detection process far more efficient. With SIEM you detect and analyse incidents within a short timeframe and immediately see where the biggest risks for your organization lie. This allows you and your team to spend time and attention on remedying and preventing incidents instead of on finding them.
A good SIEM solution also helps you meet regulatory and legislative requirements quickly and adequately. Based on the collected and correlated data, a SIEM shows on which points your security deviates from the applicable standards and norms and how you can remedy this, and its dashboards and reports make this easy to demonstrate to auditors, supervisors and other stakeholders.
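As an added illustration (example code written for this page, not part of the original text and not taken from any Custodian product), here is the kind of cross-source correlation described above, in Python: an sshd authentication log and a firewall log are parsed into a common shape, a rule fires when five or more failed logins for one user from one source address within 60 seconds are followed by a successful login from that same address, and the alert is enriched with the firewall denies seen from that address in the preceding five minutes. The log formats, the thresholds and the sample events are constructed assumptions; a real SIEM would read the same kind of data from its collectors.

```python
"""Cross-source SIEM correlation over constructed sshd and firewall log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (not real data). Timestamps are ISO 8601 in UTC.
AUTH_LOG = """\
2024-03-01T08:00:01Z srv01 sshd: Failed password for alice from 203.0.113.7 port 51000
2024-03-01T08:00:03Z srv01 sshd: Failed password for alice from 203.0.113.7 port 51001
2024-03-01T08:00:05Z srv01 sshd: Failed password for alice from 203.0.113.7 port 51002
2024-03-01T08:00:07Z srv01 sshd: Failed password for alice from 203.0.113.7 port 51003
2024-03-01T08:00:09Z srv01 sshd: Failed password for alice from 203.0.113.7 port 51004
2024-03-01T08:00:20Z srv01 sshd: Accepted password for alice from 203.0.113.7 port 51005
2024-03-01T09:15:00Z srv01 sshd: Failed password for bob from 198.51.100.9 port 40000
2024-03-01T09:15:30Z srv01 sshd: Accepted password for bob from 198.51.100.9 port 40001
"""
FW_LOG = """\
2024-03-01T07:59:50Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
2024-03-01T07:59:55Z fw01 DENY src=203.0.113.7 dst=10.0.0.6 dport=445
2024-03-01T07:59:58Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.10 dport=22
2024-03-01T09:14:00Z fw01 ALLOW src=198.51.100.9 dst=10.0.0.10 dport=22
"""

# Assumed line formats for the two constructed sources.
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+) port")
FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)")


def _ts(text):
    """Parse an ISO 8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_auth(text):
    """Normalise sshd lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append({"ts": _ts(ts), "host": host, "outcome": outcome, "user": user, "src": src})
    return events


def parse_fw(text):
    """Normalise firewall lines into dicts sharing the 'ts' and 'src' keys with auth events."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst, dport = m.groups()
            events.append({"ts": _ts(ts), "host": host, "action": action, "src": src, "dst": dst, "dport": int(dport)})
    return events


def correlate(auth_events, fw_events, threshold=5, window=timedelta(seconds=60), lookback=timedelta(minutes=5)):
    """Rule: at least `threshold` failed logins for one (user, src) inside `window`,
    followed by a success from that src. Each alert is enriched with firewall DENY
    events from the same src during `lookback` before the success, context that a
    single-product view would not show."""
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps still inside the window
    alerts = []
    for ev in sorted(auth_events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            continue
        if len(q) >= threshold:
            denies = [f for f in fw_events
                      if f["src"] == ev["src"] and f["action"] == "DENY"
                      and ev["ts"] - lookback <= f["ts"] <= ev["ts"]]
            alerts.append({
                "rule": "brute_force_then_success",
                "user": ev["user"], "src": ev["src"], "host": ev["host"],
                "failures": len(q), "first_failure": q[0], "success_at": ev["ts"],
                "prior_firewall_denies": len(denies),
                "denied_targets": sorted(f"{f['dst']}:{f['dport']}" for f in denies),
            })
        q.clear()  # a success resets the counter for this user/source pair
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_auth(AUTH_LOG), parse_fw(FW_LOG)):
        print(alert)
```

On the constructed data the rule fires once, for alice: five failures and a success within 19 seconds from 203.0.113.7, and the same address was denied twice by the firewall (RDP and SMB scanning) moments earlier. Bob's single typo followed by a success stays below the threshold. Note what the rule cannot do: an attacker who spaces attempts more than a minute apart, or spreads them across many source addresses, never trips it, which is exactly the limitation of static correlation rules discussed later on this page.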
Our SIEM services
Custodian offers a wide range of SIEM services, from SIEM consulting and analytics services to Co-Managed SIEM, Managed SIEM and next generation “SIEM as a Service”. In most cases you remain the owner of your SIEM platform and Custodian provides services on top of it; the exception is “Next-Gen SIEM as a Service”.
With “Next-Gen SIEM as a Service”, Custodian takes over as much of your Security Monitoring as you want. In this case we provide Security Monitoring (next-gen SIEM, UEBA and SOAR) as a service.
A Next-Gen SIEM platform strengthens top-down monitoring of network and cloud application activity with analysis techniques that recognize security incidents as they occur. These techniques have emerged because better security analytics and the collection of ever larger and more varied activity data allow SIEM vendors to apply methodologies from business data analysis to security data. As a result, Managed Security Service Providers (MSSPs) and end-user organizations are better able to identify deviant behaviour, and act on it, as soon as it happens.
One of the most important parts of such a system is increasingly referred to as User and Entity Behavior Analytics (UEBA), which is proving indispensable for identifying malicious activity quickly, before it leads to the actual theft of sensitive data from corporate networks or servers.
The 5 most important features of a Next-Gen SIEM
- Machine Learning approach
• Built-in UEBA for advanced threat detection
• Online delivery of content with Threat Model Exchange
- Big data architecture
• Scalable platform for data collection
• Open data model to enable data exchange
- Threat Hunting Framework
• Fast and scalable search for rapid detection
• Link analysis to reduce manual analyst steps
- Automated incident response
• Built-in play books for automated response
• API framework for integration with security solutions
- Easy to implement
• Fully automated connector and content set
• Available as SaaS and through our managed services, in combination with our state-of-the-art Data Lake solutions
What is UEBA?
User and Entity Behavior Analytics (UEBA) gives you a more comprehensive way to keep your organization's IT security at a high level, while also helping you detect users and entities that might compromise your systems. UEBA can be defined as a security solution that analyses the behaviour of users connected to an organization's network and of entities or endpoints such as servers and applications, in order to find anomalies. It keeps track of where people usually log in from, which applications or file servers they use, what degree of access they have, and so on. UEBA correlates this information to establish a baseline of what usual behaviour looks like, and then judges whether a given activity differs from that user's daily pattern. If something unusual happens that does not fit the baseline, UEBA detects it and raises an alert for the probable threat.
Why is UEBA important?
Cyber attacks are on the rise, and attackers keep probing for vulnerabilities in your systems. Even a minor vulnerability can serve as an entry point. Organizations of all sizes are spending more than ever to protect their networks and assets in response to the growing threat landscape; according to IDC, security budgets were expected to increase by 40% in 2020. Attackers can break through your firewalls or send emails with malicious attachments, and so endanger your systems.
Why would you need UEBA
Traditional cyber defence products were not designed for the sophisticated, carefully crafted and targeted attacks that enterprises now face, yet they are still expected to cope with advanced attacks that arrive without warning and evade perimeter defences. A SIEM is a capable security management tool, but on its own it typically lacks effective, intelligent threat detection and response: its static correlation rules can be evaded by attackers who know the thresholds and stay beneath them, and they focus on real-time events rather than on attacks that unfold over a long period.
Some of the problems associated with relying on SIEM correlation rules include:
- Attacks are missed because the rules lack context, or because they only describe incidents that have been seen before
- Rules require a great deal of maintenance
- Poorly tuned or filtered rules produce noise that slows down incident response
UEBA addresses the limitations of SIEM correlation rules:
- Reduces false positives
- Reduces alert fatigue
- Enables teams to prioritize alerts
- Lets your security experts focus on the most credible, high-risk alerts
- Tracks anomalous user behaviour not only within your organization's network, but also across your cloud services, machines, mobile devices and IoT assets
- Saves time, because the anomalous activity and the events behind it are presented together instead of having to be pieced together from raw logs
Preventive measures alone are no longer enough. Your firewalls will never be 100% foolproof, and attackers will get into your systems at some point. This is why detection is equally important: when attackers do get in, you should be able to detect their presence quickly in order to minimize the damage.
Benefits of UEBA
Hackers and cyber attackers are now able to bypass the perimeter defences most companies rely on. In the past you could say you were secure if you had web gateways, firewalls and intrusion prevention tools in place. That is no longer the case in today's complex threat landscape, especially with porous IT perimeters that are very difficult to manage and oversee.
Let’s have a look at some of the benefits of UEBA:
- Fuses various types of risk information to make up a final score for risk ranking
- Enables prioritization and effective response
- Supports automated incident response (usually through integration with a SOAR platform or playbooks), allowing teams to respond to security incidents rapidly and with less effort
- With UEBA, you can model:
- The normal processes so you can catch the anomalous ones
- The time and the day of the week a user performs any activity on the system
- Which IP addresses specific devices connect to on a regular basis
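An added example of the baseline-and-deviation approach described under "What is UEBA?" and of the modelling points in the list above (time of day and day of week, the networks a user connects from, the applications used), written for this page rather than taken from any product: per-user frequency baselines are built from a constructed login history, and each new login receives a risk score that fuses the "surprise" of every feature, so an off-hours login from a never-seen network to a never-seen application ranks above a slightly unusual daytime login. The feature weights, the 4-hour time bands and the /24 aggregation are assumptions chosen for illustration.

```python
"""UEBA-style per-user baselines and fused risk scoring for login events.
Constructed sample data and assumed weights; not any vendor's algorithm."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history of successful logins: (ISO timestamp, user, source IP, application).
# alice works office hours from the 10.0.1.0/24 LAN; bob works a night shift on the file server.
HISTORY = [
    ("2024-02-05T08:12:00", "alice", "10.0.1.23", "crm"),
    ("2024-02-05T13:40:00", "alice", "10.0.1.23", "crm"),
    ("2024-02-06T09:05:00", "alice", "10.0.1.41", "mail"),
    ("2024-02-07T08:55:00", "alice", "10.0.1.23", "crm"),
    ("2024-02-08T10:20:00", "alice", "10.0.1.23", "crm"),
    ("2024-02-09T17:30:00", "alice", "10.0.1.23", "mail"),
    ("2024-02-05T22:10:00", "bob", "192.168.5.8", "fileserver"),
    ("2024-02-06T23:02:00", "bob", "192.168.5.8", "fileserver"),
    ("2024-02-07T22:45:00", "bob", "192.168.5.9", "fileserver"),
    ("2024-02-08T21:58:00", "bob", "192.168.5.8", "fileserver"),
]

# Assumed weights: a new source network counts for more than an odd hour.
WEIGHTS = {"hour_band": 1.0, "weekday": 0.5, "src_net": 2.0, "app": 1.5}


def features(ts, src, app):
    """Turn one login into the categorical features the baseline tracks."""
    dt = datetime.fromisoformat(ts)
    return {
        "hour_band": dt.hour // 4,   # six 4-hour bands per day, coarser than raw hours
        "weekday": dt.weekday(),     # 0 = Monday ... 6 = Sunday
        "src_net": str(ipaddress.ip_network(f"{src}/24", strict=False)),  # aggregate to /24
        "app": app,
    }


def build_baselines(history):
    """baselines[user][feature] -> Counter of values observed for that user."""
    baselines = defaultdict(lambda: defaultdict(Counter))
    for ts, user, src, app in history:
        for name, value in features(ts, src, app).items():
            baselines[user][name][value] += 1
    return baselines


def surprise(counter, value):
    """0.0 for the user's most common value, rising towards 1.0 for rare values,
    and 1.0 for a value never seen (also for a user with no history at all)."""
    if not counter or value not in counter:
        return 1.0
    return 1.0 - counter[value] / max(counter.values())


def score_event(baselines, ts, user, src, app):
    """Fuse the weighted surprise of every feature into one 0..100 risk score and
    return the per-feature breakdown so an analyst can see why the score is high."""
    contributions = {}
    for name, value in features(ts, src, app).items():
        contributions[name] = WEIGHTS[name] * surprise(baselines[user][name], value)
    weighted = sum(contributions.values())
    return 100.0 * weighted / sum(WEIGHTS.values()), contributions


def rank_events(baselines, events):
    """Score new events and sort them highest risk first, which is the prioritisation
    that lets analysts work the most credible alerts before the rest."""
    scored = [(score_event(baselines, *e)[0], e) for e in events]
    return sorted(scored, key=lambda x: x[0], reverse=True)


if __name__ == "__main__":
    base = build_baselines(HISTORY)
    new_logins = [
        ("2024-02-12T12:30:00", "alice", "10.0.1.50", "mail"),          # lunchtime mail, mildly unusual
        ("2024-02-11T03:10:00", "alice", "203.0.113.7", "fileserver"),  # Sunday 03:10, new net, new app
        ("2024-02-12T22:30:00", "bob", "192.168.5.8", "fileserver"),    # bob's normal night shift
    ]
    for score, ev in rank_events(base, new_logins):
        print(f"{score:6.1f}  {ev}")
```

Running it ranks alice's Sunday-night login from an external address to a server she never uses at 100, her lunchtime mail login at 30 (an uncommon hour band and a less-used application, but a familiar network), and bob's night-shift login at 0, because night work is his baseline. Two caveats a deployment has to handle: an account with no history scores every feature as unseen, so new accounts need a warm-up period before their scores mean anything, and a high score is evidence of deviation, not proof of compromise; the breakdown exists so an analyst can confirm it.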
UEBA strengthens security by monitoring users and other entities and detecting anomalies in their behaviour patterns that could indicate a threat. It takes a more proactive approach to security and provides more visibility into user and entity behaviour, so enterprises can build a stronger security posture, mitigate threats more effectively and prevent security breaches.
UEBA solutions significantly reduce the load security teams deal with on a regular basis. Instead of security teams sifting through potentially millions of alerts per day, the UEBA solution does the sifting: it identifies the critical incidents and notifies the security team quickly, so the team can focus on responding to the most important threats. It also provides the underlying data for each incident, which significantly speeds up the investigation. Note that a behavioural score is evidence, not proof: an analyst still has to confirm that a flagged deviation is actually malicious rather than a legitimate change in the user's work.