Leveraging UEBA Capabilities in Your Existing SIEM


This blog post was written by Kristen Jacobsen.

User and entity behavior analytics (UEBA) uses advanced analytics to track and flag suspicious behaviors of both users and assets, such as networked assets, sensors, databases, devices, and hosts.
There are many reasons why UEBA is gaining traction, both as a capability integrated into SIEM and as a standalone solution. A few include:

  • Increasing concerns over insider threats, whether intentional or accidental.
  • The rise of credential theft.
  • The need to add additional context to SIEM and orchestration systems for more effective continuous monitoring, detection, and remediation.

Some SIEM vendors, like McAfee, not only deliver integrations with UEBA solutions, but also already include UEBA capabilities in their products. McAfee Enterprise Security Manager employs a combination of intelligent anomaly detection and user and entity specific rules, along with other correlation models, to perform many UEBA functions efficiently and effectively—right out of the box!

McAfee Enterprise Security Manager factors in anomalous behavior—including user activities—as part of its continuous monitoring and incident prioritization. User behaviors are incorporated into calculations of security and risk to help security teams identify and prioritize security events. Some of the user behaviors that McAfee Enterprise Security Manager detects as unusual activities include: creation of new accounts or account lockouts, possible data exfiltration behaviors (emailing sensitive data outside the network), an increase in traffic to business applications, and events like late-night logins from unexpected locations or simultaneous remote logins to multiple locations.

Security professionals agree that speed and accuracy are of the essence when it comes to detecting, analyzing, and triaging threats. McAfee Enterprise Security Manager addresses this requirement by using multiple types of correlation to gather, parse, and process the user behavior data it receives.

An additional component of the McAfee SIEM solution is the McAfee Advanced Correlation Engine, which is purpose-built to analyze huge volumes of data without impacting your SIEM’s performance. It performs four types of correlation—rule-based, risk-based, standard deviation, and historical—for a real-time look at threats initiated by users against high-value assets and sensitive data.
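To make two of these ideas concrete, here is an added illustration (not McAfee code, and not how Enterprise Security Manager implements them) of a historical/standard-deviation check for late-night logins and a rule-based check for simultaneous logins from different locations, run over a constructed authentication log whose format (timestamp, user, result, location) is an assumption for the example:

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample authentication log (not real data): timestamp, user, result, source location.
SAMPLE_LOGS = """\
2024-03-04T09:02:11 alice success Boston
2024-03-05T08:47:30 alice success Boston
2024-03-06T09:15:02 alice success Boston
2024-03-07T09:05:44 alice success Boston
2024-03-08T08:58:19 alice success Boston
2024-03-08T23:50:00 alice failure Boston
2024-03-09T02:31:07 alice success Kyiv
2024-03-09T02:36:12 alice success Boston
"""

def parse(text):
    """Parse the log into (timestamp, user, result, location) tuples in time order."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, loc = line.split()
        events.append((datetime.fromisoformat(ts), user, result, loc))
    return sorted(events)

def off_hours_logins(events, zmax=2.0, min_history=3):
    """Historical + standard-deviation correlation on each user's usual login hour."""
    hours, flagged = defaultdict(list), []
    for ts, user, result, loc in events:
        if result != "success":
            continue  # only successful logins shape or are judged against the baseline
        hist = hours[user]
        if len(hist) >= min_history:
            sigma = max(pstdev(hist), 0.5)  # floor keeps very regular users from dividing by ~0
            if abs(ts.hour - mean(hist)) / sigma > zmax:
                flagged.append((user, ts.isoformat(), loc))
                continue  # keep anomalies out of the baseline so they cannot normalise themselves
        hist.append(ts.hour)
    return flagged

def concurrent_locations(events, window=timedelta(minutes=10)):
    """Rule-based correlation: one user, two locations, within `window` of each other."""
    last, flagged = {}, []
    for ts, user, result, loc in events:
        if result != "success":
            continue
        if user in last and last[user][1] != loc and ts - last[user][0] <= window:
            flagged.append((user, last[user][0].isoformat(), last[user][1], ts.isoformat(), loc))
        last[user] = (ts, loc)
    return flagged
```

On the sample data both checks fire on the 2024-03-09 logins: the 02:31 login is far outside alice's 08:00-09:00 baseline, and the Boston login five minutes after the Kyiv one trips the concurrent-location rule.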
