User Entity Behavior Analysis (UEBA) and Security Information and Event Management (SIEM) are different and complementary. SIEM covers all aspects of security event analysis. UEBA is specifically focused on a user-centric view of system activity, with the goal of detecting when a user’s behavior departs from their norm. UEBA is enhanced by leveraging data collected and enriched by a SIEM, and SIEM capabilities are expanded by ingesting UEBA events for further correlation.
One of the best ways to understand this is to take an actual source of security events and apply UEBA to it. In this webinar, we are going to look at UEBA from a very specific source of data – the Windows Security Log. What types of behavior can you track for a user using Windows security events?
From domain controllers you can track:
- When a user normally logs on
- What computer the user authenticates from
- What other computers they access
If you collect more logs - and if you can correlate activity to the actual user identity behind the events - there’s much more behavior you can track:
- Which websites does this user normally access?
- What programs does this user normally run?
- What other accounts does this user log on as?
- What systems does this user access possibly under alternate credentials?
- Which file shares does this user normally access?
Performing this kind of user-centric behavior analysis requires a lot more than collecting logs. In addition, you must:
- Be able to correlate activity to user IDs, even when activity is identified in different ways, in different formats, and using different keys from one log and event to another
- Capture a dynamic baseline for each user over time, to ensure your analytics are based on behavior, not just event correlation
In this webinar, I will identify the most important events from the Windows Security Log for UEBA, identify which roles generate them, and discuss the challenges in correlating them. In addition, we’ll discuss alternative logs that augment user behavior analysis.
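As an added example (not part of the webinar or of LogRhythm's product), a Python sketch of the two requirements above applied to constructed Windows Security Log successful-logon (event 4624) records: it folds several identifiers into one canonical user, learns that user's usual logon hours and source computers from history, and reports departures. The identity map, user names, host names and timestamps are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical identity map (assumption): one person shows up under several identifiers.
IDENTITY_MAP = {"CORP\\jsmith": "jsmith", "j.smith@corp.example": "jsmith"}

def canonical_user(identifier):
    """Resolve a raw identifier (domain\\user, mail address) to one canonical user id."""
    return IDENTITY_MAP.get(identifier, identifier.lower())

def build_baseline(events):
    """Learn, per user, the logon hours and source workstations seen in the history."""
    baseline = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for e in events:
        if e["EventID"] != 4624:  # 4624 = successful logon; ignore everything else
            continue
        user = canonical_user(e["TargetUserName"])
        baseline[user]["hours"].add(datetime.fromisoformat(e["TimeCreated"]).hour)
        baseline[user]["hosts"].add(e["WorkstationName"].upper())
    return baseline

def deviations(event, baseline):
    """List how a new logon departs from that user's own norm (empty list = normal)."""
    user = canonical_user(event["TargetUserName"])
    if user not in baseline:
        return ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(event["TimeCreated"]).hour
    if hour not in baseline[user]["hours"]:
        reasons.append(f"unusual hour {hour:02d}")
    host = event["WorkstationName"].upper()
    if host not in baseline[user]["hosts"]:
        reasons.append(f"new source host {host}")
    return reasons

def logon(user, host, when):
    """Build a constructed 4624-style record (sample data, not a real log)."""
    return {"EventID": 4624, "TargetUserName": user, "WorkstationName": host, "TimeCreated": when}

# Constructed history: jsmith logs on mornings from WS-101; nightops always logs on at 23:xx.
HISTORY = [logon("CORP\\jsmith", "WS-101", f"2024-03-{d:02d}T08:{d * 3:02d}:00") for d in range(1, 15)]
HISTORY += [logon("nightops", "SOC-02", f"2024-03-{d:02d}T23:{d:02d}:00") for d in range(1, 15)]
# New events: a mail-address identifier for jsmith (normal once correlated), a 03:10 logon and a
# new host for jsmith, and a 23:30 logon that is normal for nightops but would trip a fixed
# "outside business hours" threshold.
NEW = [logon("j.smith@corp.example", "ws-101", "2024-03-15T08:10:00"),
       logon("CORP\\jsmith", "WS-101", "2024-03-15T03:10:00"),
       logon("CORP\\jsmith", "LAPTOP-77", "2024-03-15T08:15:00"),
       logon("nightops", "SOC-02", "2024-03-15T23:30:00")]

def run(history=HISTORY, new=NEW):
    base = build_baseline(history)  # one reason list per new event
    return [deviations(e, base) for e in new]
```

The per-user baseline is what lets the 23:30 logon pass for the night-shift account while the 03:10 logon is flagged for the day-shift one, which a single time-of-day threshold cannot do.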
Then Matt Willems, Technical Product Manager, UEBA, from LogRhythm will show us this kind of user behavior analysis in action. He’ll highlight:
- Examples of identity construction from user identifiers such as AD credentials and email addresses (both corporate and personal)
- Dynamic baselining – what is normal in your environment vs a threshold/whitelist/blacklist
- Two UEBA use cases leveraging the above data:
  - Authentication from an abnormal location
  - Authentication at an unusual time – from a blacklisted location
- An interesting one that combines UEBA with traditional SIEM context and correlation
I think you will enjoy this theory-plus-applied approach to the subject of UEBA. Please join us for this real-training-for-free session.