
Exabeam UEBA

Copyright © 2024 Exabeam, Inc. All Rights Reserved.


Three Pillars of UEBA

Data Sources
UEBA solutions ingest data from a general data repository such as a data lake or data warehouse, or through a SIEM.

Use Cases
UEBA solutions provide information on the behavior of users and other entities in the corporate network. They should perform monitoring, detection, and alerting of anomalies.

Analytics
UEBA solutions detect anomalies using a variety of analytics approaches: statistical models, machine learning, rules, threat signatures and more.



UEBA Use Cases
Insider Threats



Insider Threats
1. Negligent insider
A negligent insider is an employee or contractor with privileged access to IT systems who unintentionally puts their organization at risk because they do not follow proper IT procedures. For example, someone who leaves their computer without logging out, or an administrator who did not change a default password or failed to apply a security patch. Identifying normal vs. abnormal activity for a user is key to detecting a user whose account has been compromised through negligence.

2. Malicious insider
A malicious insider is an employee or contractor with privileged access to IT systems who intends to perform a cyber attack against the organization. It is difficult to measure malicious intent or discover it through log files or regular security events. UEBA solutions help by establishing a baseline of a user’s typical behavior and detecting abnormal activity.

3. Compromised insider
It’s common for attackers to infiltrate an organization, compromise a privileged user account or trusted host on the network, and continue the attack from there. UEBA solutions can help rapidly detect and analyze malicious activity that the attacker carries out via the compromised account.




How are employees compromised?
Phishing – a cybercrime in which a target individual is contacted via email or text message by someone posing as a legitimate institution in order to lure the individual into providing sensitive data, such as personally identifiable information (PII), banking and credit card details, and passwords. Some phishing schemes may also try to entice a target to click on a link that triggers a malware download.

Malware infection – a cybercrime in which malicious software (malware) infiltrates a machine. In the case of a compromised insider, the goal of the malware is to steal sensitive information or user credentials. A malware infection can be initiated by clicking on a link, downloading a file, or plugging in an infected USB device, among other ways.

Credential theft – a cybercrime aimed at stealing the username and password – the credentials – of a targeted individual. Credential theft can be done in a variety of ways. Phishing and malware infection, mentioned above, are common. Some criminals may engage in social engineering, which is the use of deception to manipulate individuals into divulging their credentials. A bogus call from the IT helpdesk, where the user is asked by the attacker to confirm their username and password, is a common technique.

Pass-the-hash – a more advanced form of credential theft where the hashed (digested) authentication credential is intercepted from one computer and used to gain access to other computers on the network. A pass-the-hash attack is very similar in concept to a password theft attack, but it relies on stealing and reusing password hash values rather than the actual plaintext password, especially during RDP sessions.



UEBA Advanced Analytics
UEBA analytics methods

Supervised machine learning
Sets of known good behavior and known bad behavior are fed into the system. The tool learns to analyze new behavior and determine whether it is “similar to” the known good or the known bad behavior set.

Unsupervised learning
The system learns normal behavior and is able to detect and alert on abnormal behavior. It will not be able to tell whether the abnormal behavior is good or bad, only that it deviates from normal.

Reinforced / semi-supervised machine learning
A hybrid model where the basis is unsupervised learning, and actual alert resolutions are fed back into the system to allow fine-tuning of the model and improve the signal-to-noise ratio.

Deep learning
Enables virtual alert triage and investigation. The system trains on data sets representing security alerts and their triage outcomes, performs self-identification of features, and is able to predict triage outcomes for new sets of security alerts.



When there is deviation from the baseline, the system adds to the risk score of that user or machine. The more unusual the behavior, the higher the risk score. As more and more suspicious behavior accumulates, the risk score increases until it hits a threshold, causing it to be escalated to an analyst for investigation.

Example of a user's activity sequence that gets baselined:
1. User X accessed VPN from UAE
2. User X logged in at 11 am, for example
3. User X will then connect to file server 192.168.168.5, for example
4. User X will connect to the printer to print a file
5. User X might also send an email or copy some files to USBs
6. User X might also browse the internet and upload or download some data
7. User X ran an application or installed new software
8. And so on



Aggregation – the risk score is made up of numerous events, so there is no need for analysts to manually review large numbers of individual alerts and mentally combine them to detect a threat.

Reduced false positives – one slightly abnormal event on its own will not result in a security alert. The system requires multiple signs of abnormal behavior to create an alert, reducing the number of false positives and saving time for analysts.

Contextualization (more context) – traditional correlation rules defined by security administrators may have been correct for one set of users or systems, but not for others. For example, if a department starts employing shift workers or offshore workers, they will start logging in at unusual times, which would trigger a rule-based alert all the time. UEBA is smarter because it establishes a context-sensitive baseline for each user group. An offshore worker logging in at 3am local time would not be considered an abnormal event.

Timeline analysis and session stitching – when analyzing security incidents, the timeline is a critical concept which can tie together seemingly unrelated activities. Modern attacks are processes, not isolated events.
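The following toy risk scorer is an added example, not Exabeam's code or model. It puts the ideas above together: a context-sensitive baseline per peer group, a single score that accumulates across the stitched events of one session, and escalation only once the total crosses a threshold. The groups, weights, threshold, assets and events are all constructed for illustration.

```python
THRESHOLD = 90  # assumed escalation threshold (constructed value, not Exabeam's)

# Constructed peer-group baselines: the login hours and countries that are normal for each group.
BASELINES = {
    "hq_staff": {"hours": set(range(8, 19)), "countries": {"US"}},
    "offshore": {"hours": set(range(0, 6)) | {22, 23}, "countries": {"IN", "AE"}},
}
# Constructed weights: points added to the session score for each kind of deviation.
WEIGHTS = {"unusual_hour": 20, "new_country": 40, "first_asset": 30, "usb_copy": 35}


def score_session(group, known_assets, events):
    """Score one stitched session against the peer-group baseline and the user's own history.
    Each deviating event adds points; returns (score, reasons, escalated)."""
    base, seen, score, reasons = BASELINES[group], set(known_assets), 0, []

    def add(reason, ev):
        nonlocal score
        score += WEIGHTS[reason]
        reasons.append(f"{reason} (+{WEIGHTS[reason]}): {ev}")

    for ev in events:
        if ev["type"] == "vpn_login":
            if ev["hour"] not in base["hours"]:
                add("unusual_hour", ev)
            if ev["country"] not in base["countries"]:
                add("new_country", ev)
        elif ev["type"] == "file_access" and ev["asset"] not in seen:
            add("first_asset", ev)  # first time this user reaches this asset
            seen.add(ev["asset"])
        elif ev["type"] == "usb_copy":
            add("usb_copy", ev)
    return score, reasons, score >= THRESHOLD  # escalate only when the total crosses the threshold


# Constructed sessions for user X: one slightly odd login, an offshore worker at 3am,
# and a chain of individually minor anomalies that together cross the threshold.
ONE_ODD_LOGIN = [{"type": "vpn_login", "hour": 22, "country": "US"}]
OFFSHORE_NIGHT = [{"type": "vpn_login", "hour": 3, "country": "IN"}]
CHAIN = [
    {"type": "vpn_login", "hour": 3, "country": "AE"},
    {"type": "file_access", "asset": "192.168.168.5"},
    {"type": "usb_copy", "asset": "removable_drive"},
]

if __name__ == "__main__":
    for label, group, evs in [("one odd login", "hq_staff", ONE_ODD_LOGIN),
                              ("offshore at 3am", "offshore", OFFSHORE_NIGHT),
                              ("chain of anomalies", "hq_staff", CHAIN)]:
        score, reasons, escalated = score_session(group, {"fileserver01"}, evs)
        print(f"{label}: score={score} escalated={escalated}", *reasons, sep="\n  ")
```

Only the third session is escalated: the single off-hours login scores too low on its own, and the 3am login is normal for the offshore group, while the chain of small deviations sums past the threshold.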



DEMO
• Overview of the user's full identity
• Is the user associated with any active incident?
• Track the user's risk trend and the activity from which the risk score is assigned:
  ✓ Session
  ✓ Web Activity
  ✓ Endpoint Activity
  ✓ External Source Activity
  ✓ Database Activity
  ✓ File Activity
  ✓ Cloud Activity
  ✓ Account Lockout Activity
• Risk reason and score for each activity
• Detailed info about the rule that triggered the event, the ML model and data insights
• Timeline View
• Timeline View – Data Insights
• Data Insights – Assets
• Data Insights – Locations
• Data Insights – Time
• Data Insights – VPN
• Data Insights – Application
• Data Insights – Database
• Data Insights – Directory Service
• Data Insights – Email
• Data Insights – Endpoint Activity
• Data Insights – File Access
• Data Insights – Other
• Data Insights – Physical Access
• Data Insights – Privileged Access
• Data Insights – Users
• Data Insights – Web Activity
• Data Insights – Workstations


Thank you