Leveraging UEBA Capabilities in Your Existing SIEM


This blog post was written by Kristen Jacobsen.

User and entity behavior analytics (UEBA) uses advanced analytics to track and flag suspicious behaviors of both users and assets, such as networked assets, sensors, databases, devices, and hosts.
There are many reasons why UEBA is gaining traction, both as a tool integrated with SIEM and as a standalone solution. A few include:

  • Increasing concerns over insider threats, whether intentional or accidental.
  • The rise of credential theft.
  • The need to add additional context to SIEM and orchestration systems for more effective continuous monitoring, detection, and remediation.

Some SIEM vendors, like McAfee, not only deliver integrations with UEBA solutions, but also already include UEBA capabilities in their products. McAfee Enterprise Security Manager employs a combination of intelligent anomaly detection and user and entity specific rules, along with other correlation models, to perform many UEBA functions efficiently and effectively—right out of the box!

McAfee Enterprise Security Manager factors in anomalous behavior—including user activities—as part of its continuous monitoring and incident prioritization. User behaviors are incorporated into calculations of security and risk to help security teams identify and prioritize security events. Some of the user behaviors that McAfee Enterprise Security Manager detects as unusual activities include: creation of new accounts or account lockouts, possible data exfiltration behaviors (emailing sensitive data outside the network), an increase in traffic to business applications, and events like late-night logins from unexpected locations or simultaneous remote logins to multiple locations.

Security professionals agree that speed and accuracy are of the essence when it comes to detecting, analyzing, and triaging threats. McAfee Enterprise Security Manager addresses this requirement by using multiple types of correlation to gather, parse, and process the user behavior data it receives.

An additional component of the McAfee SIEM solution is the McAfee Advanced Correlation Engine, which is purpose-built to analyze huge volumes of data without impacting your SIEM’s performance. It performs four types of correlation—rule-based, risk-based, standard deviation, and historical—for a real-time look at threats initiated by users against high-value assets and sensitive data.
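To make concrete what the behaviors listed above and the standard-deviation style of correlation look like in practice, here is an added, self-contained Python example. It is not McAfee code and does not model how Enterprise Security Manager or the Advanced Correlation Engine are implemented; the log format, user names, locations, the 30-minute window and the 2-sigma threshold are all constructed assumptions for the illustration. It builds a per-user baseline from a week of constructed login events and then flags, over later events: an off-hours login from a never-seen location, a day whose login count exceeds the user's mean by more than two standard deviations, two logins from different locations within a short window, and a user with no baseline at all (a newly created account).

```python
"""Toy UEBA-style login checks over constructed events (added example, not vendor code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log lines: "<iso-timestamp> <user> <location> login".
# Days 03-04..03-08 form the baseline; events from BASELINE_END on are evaluated.
SAMPLE_LOGS = """\
2024-03-04T08:05:00 alice NYC login
2024-03-04T09:10:00 alice NYC login
2024-03-04T09:00:00 bob London login
2024-03-05T08:15:00 alice NYC login
2024-03-05T09:00:00 bob London login
2024-03-06T08:02:00 alice NYC login
2024-03-06T13:40:00 alice NYC login
2024-03-06T09:00:00 bob London login
2024-03-07T08:30:00 alice NYC login
2024-03-07T09:00:00 bob London login
2024-03-08T08:00:00 alice NYC login
2024-03-08T08:04:00 alice NYC login
2024-03-08T09:00:00 bob London login
2024-03-11T08:00:00 alice NYC login
2024-03-11T08:03:00 alice NYC login
2024-03-11T08:06:00 alice NYC login
2024-03-11T08:09:00 alice NYC login
2024-03-11T09:00:00 bob London login
2024-03-12T02:45:00 alice Lagos login
2024-03-12T02:50:00 alice NYC login
2024-03-12T10:00:00 carol Berlin login
""".strip().splitlines()
BASELINE_END = datetime(2024, 3, 11)  # assumed cut between baseline and evaluation


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    location: str


@dataclass(frozen=True)
class Alert:
    user: str
    ts: datetime
    kind: str
    detail: str


def parse_logs(lines):
    """Parse the constructed log format into Events, oldest first."""
    events = []
    for line in lines:
        ts, user, location, action = line.split()
        if action == "login":
            events.append(Event(datetime.fromisoformat(ts), user, location))
    return sorted(events, key=lambda e: e.ts)


def build_baseline(events, baseline_end):
    """Per-user profile from events before baseline_end: known locations,
    observed login-hour range (a deliberate simplification), and mean/std of
    logins per day, as used by the standard-deviation check."""
    per_user = defaultdict(list)
    for e in events:
        if e.ts < baseline_end:
            per_user[e.user].append(e)
    baseline = {}
    for user, evs in per_user.items():
        daily = defaultdict(int)
        for e in evs:
            daily[e.ts.date()] += 1
        counts = list(daily.values())
        hours = [e.ts.hour for e in evs]
        baseline[user] = {
            "locations": {e.location for e in evs},
            "hour_range": (min(hours), max(hours)),
            "daily_mean": mean(counts),
            "daily_std": pstdev(counts),
        }
    return baseline


def detect(events, baseline, baseline_end, window=timedelta(minutes=30), sigmas=2.0):
    """Evaluate events at or after baseline_end against each user's profile."""
    alerts = []
    per_user = defaultdict(list)
    for e in events:
        if e.ts >= baseline_end:
            per_user[e.user].append(e)  # stays sorted because events are sorted
    for user, evs in per_user.items():
        prof = baseline.get(user)
        if prof is None:  # no history at all: possibly a newly created account
            alerts.append(Alert(user, evs[0].ts, "no_baseline", "no baseline for user"))
            continue
        lo, hi = prof["hour_range"]
        for e in evs:  # rule-based: outside usual hours AND from an unseen location
            if not (lo <= e.ts.hour <= hi) and e.location not in prof["locations"]:
                alerts.append(Alert(user, e.ts, "off_hours_new_location", e.location))
        daily = defaultdict(int)  # standard-deviation: daily volume vs mean + k*sigma
        for e in evs:
            daily[e.ts.date()] += 1
        threshold = prof["daily_mean"] + sigmas * prof["daily_std"]
        for day, n in sorted(daily.items()):
            if n > threshold:
                alerts.append(Alert(user, datetime.combine(day, datetime.min.time()),
                                    "volume_spike", f"{n} logins > {threshold:.2f}"))
        for i, a in enumerate(evs):  # two locations inside one short window
            for b in evs[i + 1:]:
                if b.ts - a.ts > window:
                    break
                if a.location != b.location:
                    alerts.append(Alert(user, b.ts, "simultaneous_locations",
                                        f"{a.location} and {b.location}"))
    return alerts


def run_example():
    """Run the three checks over the constructed logs and return the alerts."""
    events = parse_logs(SAMPLE_LOGS)
    return detect(events, build_baseline(events, BASELINE_END), BASELINE_END)


if __name__ == "__main__":
    for a in run_example():
        print(a.ts.isoformat(), a.user, a.kind, a.detail)
```

On the sample data, `bob` never trips a check, `alice` produces one alert of each of the three behavioral kinds, and `carol` is reported only because she has no history. The hour-range and per-day-count baselines are intentionally crude; a production UEBA engine would weight by day of week, learn per-asset as well as per-user profiles, and feed each hit into risk scoring rather than emitting it as a standalone alert.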
