Thursday, September 5, 2019

UEBA Use Cases

With the integration of UEBA into a SIEM we aim to solve several cases. Some of the use cases that would be of particular interest to system administrators and security analysts are listed below.

1. Account Misuse or Malicious Insider
Account misuse or malicious insider is a condition in which an employee of an organization with a certain level of privileged access attacks that organization. It is quite difficult to detect such situations by only looking at log files, and regularly monitoring security events will not solve the problem either. An insider is someone who knows what is where and how it can be accessed; moreover, an insider often also knows workarounds to go undetected.

We can, however, detect the malicious intent of an insider by defining a baseline of who accesses what, when and how. Here UEBA helps by baselining each user's behavior and detecting when activity does not conform to that normal behavior.
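As an added illustration of this baselining idea (example code written for this post, not part of any UEBA product), the following Python builds a per-user profile of hosts, login hours and source networks from a trusted history of constructed login records, then reports which fresh events depart from that profile and in what way. The log format, host names, users and addresses are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system): a "known good"
# history used to build the baseline, then fresh events to check against it.
BASELINE_LOG = """\
2019-09-02T09:05:00 user=alice host=fileserver01 src=10.0.1.23 action=login
2019-09-02T13:40:00 user=alice host=mailhost src=10.0.1.23 action=login
2019-09-03T10:12:00 user=alice host=fileserver01 src=10.0.1.31 action=login
2019-09-03T16:55:00 user=alice host=mailhost src=10.0.1.31 action=login
2019-09-02T08:30:00 user=bob host=dbserver01 src=10.0.2.7 action=login
2019-09-03T15:20:00 user=bob host=dbserver01 src=10.0.2.7 action=login
"""

NEW_LOG = """\
2019-09-04T10:00:00 user=alice host=fileserver01 src=10.0.1.40 action=login
2019-09-05T02:30:00 user=alice host=dbserver01 src=203.0.113.5 action=login
2019-09-05T22:00:00 user=bob host=dbserver01 src=10.0.2.9 action=login
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def src_net(ip):
    """Collapse an IPv4 address to its /24 so small DHCP changes stay 'normal'."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def build_baseline(log_text):
    """Learn, per user, the set of hosts, login hours and source networks seen."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set(), "nets": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        profile = baseline[ev["user"]]
        profile["hosts"].add(ev["host"])
        profile["hours"].add(ev["ts"].hour)
        profile["nets"].add(src_net(ev["src"]))
    return baseline


def hour_distance(a, b):
    """Distance between two hours of the day, wrapping around midnight."""
    d = abs(a - b)
    return min(d, 24 - d)


def anomaly_reasons(baseline, ev):
    """Return the list of ways this event departs from the user's baseline."""
    profile = baseline.get(ev["user"])
    if profile is None:
        return ["unknown_user"]
    reasons = []
    if ev["host"] not in profile["hosts"]:
        reasons.append("new_host")
    # Any hour within one hour of a previously seen login hour counts as normal.
    if not any(hour_distance(ev["ts"].hour, h) <= 1 for h in profile["hours"]):
        reasons.append("off_hours")
    if src_net(ev["src"]) not in profile["nets"]:
        reasons.append("new_src_net")
    return reasons


def detect(baseline_text, new_text):
    """Score fresh events against the baseline; return only those that deviate."""
    baseline = build_baseline(baseline_text)
    findings = []
    for line in new_text.splitlines():
        ev = parse_line(line)
        reasons = anomaly_reasons(baseline, ev)
        if reasons:
            findings.append((ev["user"], ev["host"], ev["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, host, when, reasons in detect(BASELINE_LOG, NEW_LOG):
        print(f"{when} {user}@{host}: {', '.join(reasons)}")
```

Alice's daytime login to a host she normally uses produces nothing, while her 02:30 login to a database server from an outside network is reported with three independent reasons; that combination of "new host, off hours, new source" is exactly the kind of deviation a human reviewing raw log files would struggle to spot.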


2. Compromised Accounts
Once attackers infiltrate an organization, they compromise a privileged account or try to escalate the privileges of the account they infiltrated with, because only privileged accounts can access sensitive and confidential information within the organization. During the privilege escalation or the actual account compromise, various audit log events get recorded. UEBA uses these to detect malicious activity from a compromised account.

3. Internal Reconnaissance
With internal reconnaissance an attacker collects information about the internal target network. This allows the attacker to move through the network effectively and conduct further activities. Attackers use several methods, including host, network and process enumeration, which list the information needed to understand where the attacker has landed on the network and to plan the next move. UEBA can easily detect internal reconnaissance using various machine learning techniques.

4. Lateral Movement
Once attackers infiltrate an organization they begin to look for sensitive information. During this process they move laterally through the network as they search for the key data and assets that are the ultimate target of their campaign. Without UEBA, lateral movement is very difficult to detect.

5. Data Exfiltration
Unauthorized transfer of data over a network, whether manual or automated via malicious programs, is known as data exfiltration. This is one of the most serious concerns in today's business: a leak of business-critical information costs the organization dearly, and this use case always remains the most 'looked for' one in business. However, to ascertain whether or not exfiltration has happened we need to trace a long history of sequences of events, which is very difficult without UEBA.

6. Incident Prioritization
Tons of incidents are generated every hour and it is practically impossible to handle all of them correctly. In this scenario we need something that prioritizes incidents according to their severity, allowing the system administrator to handle each notification in turn.

UEBA needs to rank incidents by priority so that security professionals can focus on the most likely threats to their critical business assets.
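One way to implement such a ranking, shown here as an added example rather than any product's actual scoring scheme, is to combine the severity of the detection type with the criticality of the asset involved and with the risk the same user has already accumulated across other alerts, so that a chain of individually minor anomalies around one account rises above an isolated event. The detection weights, asset tiers, incident list and the 25% share of accumulated entity risk are all assumed values constructed for this illustration.

```python
from collections import defaultdict

# Assumed severity weights per detection type (constructed for the example).
DETECTION_WEIGHT = {
    "off_hours_login": 2,
    "new_host_access": 3,
    "new_source_network": 3,
    "bulk_download": 6,
    "privilege_change": 7,
}

# Assumed asset criticality tiers; higher means more business-critical.
ASSET_CRITICALITY = {
    "dbserver01": 5,    # holds customer records
    "fileserver01": 3,
    "mailhost": 2,
    "wiki": 1,
}

# How much of a user's accumulated risk is folded into each of their incidents (percent).
ENTITY_RISK_SHARE_PCT = 25

# Constructed incidents in the order a SIEM might emit them, one per alert.
INCIDENTS = [
    {"id": 1, "user": "alice", "asset": "wiki", "type": "off_hours_login"},
    {"id": 2, "user": "bob", "asset": "dbserver01", "type": "privilege_change"},
    {"id": 3, "user": "alice", "asset": "dbserver01", "type": "new_host_access"},
    {"id": 4, "user": "alice", "asset": "dbserver01", "type": "bulk_download"},
    {"id": 5, "user": "carol", "asset": "mailhost", "type": "off_hours_login"},
    {"id": 6, "user": "bob", "asset": "fileserver01", "type": "new_source_network"},
]


def base_score(incident):
    """Severity of the detection scaled by how critical the touched asset is."""
    return DETECTION_WEIGHT[incident["type"]] * ASSET_CRITICALITY.get(incident["asset"], 1)


def entity_risk(incidents):
    """Sum each user's base scores so repeated anomalies around one account add up."""
    risk = defaultdict(int)
    for inc in incidents:
        risk[inc["user"]] += base_score(inc)
    return risk


def prioritize(incidents):
    """Return copies of the incidents, highest priority first, each with its score."""
    risk = entity_risk(incidents)
    scored = []
    for inc in incidents:
        # Own severity plus a share of the user's accumulated risk, so a user already
        # trailing several anomalies floats toward the top of the analyst's queue.
        score = base_score(inc) + risk[inc["user"]] * ENTITY_RISK_SHARE_PCT // 100
        scored.append({**inc, "score": score})
    # Ties are broken by arrival order so the ranking is deterministic.
    return sorted(scored, key=lambda i: (-i["score"], i["id"]))


if __name__ == "__main__":
    for inc in prioritize(INCIDENTS):
        print(f"score={inc['score']:3d}  #{inc['id']} {inc['user']}@{inc['asset']} {inc['type']}")
```

With these inputs the privilege change on the database server and alice's bulk download from it come out on top, while carol's single off-hours login to the mail host is ranked last: the analyst works the queue from the top instead of triaging six undifferentiated alerts.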
