Strengthen Network Security with UEBA Cyber Security
In cyber security, teams are trending away from prevention-only approaches, according to Gartner's 2018 Market Guide for User and Entity Behavior Analytics. As security teams shift toward balancing threat prevention with detection and incident response (IR), they are increasingly adding technologies such as user and entity behavior analytics (UEBA) alongside their conventional SIEMs and legacy prevention systems.
What is UEBA security?
UEBA baselines the activity of users and of other entities, combines those baselines with peer group analysis, and then searches for and analyzes anomalous activity in order to detect potential or actual intrusions and malicious activity. UEBA goes beyond static indicators and simple correlation rules: it applies analytics to both user and entity behavior and models threats against each user's own established behavior rather than against a fixed rule.
Gartner created the UEBA acronym several years ago when it renamed user behavior analytics (UBA). The "E" was added to emphasize the importance of entity behavior in addition to user behavior, for example the behavior of cloud applications or unmanaged endpoints. The E "recognizes the fact that other entities besides users are often profiled in order to more accurately pinpoint threats, in part by correlating the behavior of these other entities with user behavior," according to Gartner.
Why UEBA security improves on UBA and legacy SIEMs
User and entity behavior analytics represents an important improvement over UBA and legacy SIEM systems for a number of reasons. First, it overcomes the limitations of SIEM correlation rules, and the reality that in many cases the correlation-rule model itself is broken. Problems associated with relying on SIEM correlation rules include:
- Rules lack context, so they miss attacks, and they cannot catch incidents that have never been seen before; both produce false negatives.
- Rules require too much maintenance.
- Poorly tuned rules slow down incident response, because administrators must first work out which rules apply and which events are relevant in their environment before they can act.
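The following is an added example, not code from the original page or from any UEBA product, that shows the contrast between a fixed SIEM correlation rule and the baseline-plus-peer-group approach described above. It builds a per-user and per-peer-group baseline of outbound bytes and working hours from a constructed two-week history, then scores new events. The 500 MB threshold, the user and group names, the 3-sigma limit and the 5% standard-deviation floor are all assumptions chosen for illustration.

```python
"""Behavioral baselining with peer-group comparison versus a static correlation rule.

Constructed example data only; the users, groups and byte counts are not real.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str       # account that performed the activity
    group: str      # peer group, e.g. department or role (assumed attribute)
    hour: int       # hour of day (0-23) when the activity occurred
    bytes_out: int  # bytes sent to external destinations


# Constructed history: two weeks of "normal" activity per account.
HISTORY = []
for day in range(14):
    HISTORY += [
        Event("alice", "finance", 9 + day % 3, 4_000_000 + day * 50_000),
        Event("bob", "finance", 10 + day % 2, 5_500_000 + day * 40_000),
        Event("carol", "finance", 9, 3_800_000 + day * 30_000),
        Event("backup-svc", "infra", 2, 600_000_000 + day * 1_000_000),
    ]

STATIC_THRESHOLD = 500 * 1024 * 1024  # assumed "large upload" rule: fixed, no context


def static_rule(ev: Event) -> bool:
    """Conventional SIEM correlation rule: fires on a fixed byte count for anyone."""
    return ev.bytes_out > STATIC_THRESHOLD


class Baseline:
    """Per-user and per-peer-group baseline built from historical events."""

    def __init__(self, history, std_floor_fraction=0.05):
        self.user_vals = defaultdict(list)   # user -> observed bytes_out values
        self.group_vals = defaultdict(list)  # peer group -> observed bytes_out values
        self.user_hours = defaultdict(set)   # user -> hours of day seen
        self.std_floor_fraction = std_floor_fraction
        for ev in history:
            self.user_vals[ev.user].append(ev.bytes_out)
            self.group_vals[ev.group].append(ev.bytes_out)
            self.user_hours[ev.user].add(ev.hour)

    def _z(self, value, samples):
        """Z-score with a floor on sigma so a near-constant history does not explode."""
        mu = mean(samples)
        sigma = max(pstdev(samples), mu * self.std_floor_fraction)
        return (value - mu) / sigma

    def score(self, ev: Event, z_limit: float = 3.0) -> list:
        """Return the reasons an event is anomalous; an empty list means it fits the baseline."""
        if not self.user_vals.get(ev.user):
            return [f"no baseline for {ev.user}"]  # unknown account: cannot score, escalate
        reasons = []
        z_user = self._z(ev.bytes_out, self.user_vals[ev.user])
        z_group = self._z(ev.bytes_out, self.group_vals[ev.group])
        if z_user > z_limit:
            reasons.append(f"user z={z_user:.1f}")
        if z_group > z_limit:
            reasons.append(f"peer z={z_group:.1f}")
        if ev.hour not in self.user_hours[ev.user]:
            reasons.append(f"hour {ev.hour} never seen for {ev.user}")
        return reasons


BASELINE = Baseline(HISTORY)

# Constructed new events to score.
EXFIL = Event("alice", "finance", 9, 80_000_000)        # 80 MB: tiny for the rule, huge for alice
BACKUP_RUN = Event("backup-svc", "infra", 2, 615_000_000)  # routine nightly backup volume
OFF_HOURS = Event("alice", "finance", 3, 4_200_000)     # normal volume, abnormal hour


def evaluate(ev: Event) -> dict:
    """Side-by-side verdict of the static rule and the behavioral baseline."""
    return {"rule_fired": static_rule(ev), "ueba_reasons": BASELINE.score(ev)}


if __name__ == "__main__":
    for ev in (EXFIL, BACKUP_RUN, OFF_HOURS):
        print(ev.user, evaluate(ev))
```

Running it shows the two failure modes from the list above: the static rule misses alice's 80 MB transfer (a false negative, since 80 MB is far below the threshold but roughly 350 standard deviations above her own baseline and far outside her finance peer group), fires on the backup service account's routine 615 MB run (a false positive the baseline does not raise), and has nothing to say about alice's normal-sized transfer at 03:00, which the baseline flags only because that hour has never been seen for her.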