V2Security 2022
21/03/2022

Find Insider threats with UEBA

CapMon IT-security


Today, company data is often compromised by attackers who gain direct access to the company's IT infrastructure through an employee's or other user's account. If you want to detect this scenario, UEBA is a way to strengthen your SIEM.
UEBA is the next generation SIEM

SIEM is a mature technology, and the next generation, based on UEBA (User and Entity Behavior Analytics), has entered the market. These are solutions that build on top of existing SIEM solutions and use machine learning (often marketed as Artificial Intelligence) to correlate events and put them in context. Instead of looking at isolated events, you look at the behavior patterns of people and devices. This is claimed to detect up to 50% more insider threats, targeted attacks and fraud than a traditional SIEM.

The threat often comes from within

Imagine an employee or an external consultant with privileged access to IT systems who intends to carry out a cyber attack on the organization. Unfortunately this happens, and it can be extremely difficult to detect through logs or ordinary security events, because the activity is performed with legitimate credentials. UEBA solutions help you establish a baseline for each user's typical behavior and detect activity that deviates from it.

Compromising user accounts

It is common for attackers to infiltrate an organization, compromise a privileged or otherwise trusted user account on the network, and then continue the attack from there.
Traditional security tools have difficulty detecting a compromised user if the attack pattern is unknown, or if the attack moves laterally through the organization by switching credentials, IP addresses or assets along the way.

UEBA can help quickly detect and analyze the activities the attacker performs through the compromised account. UEBA technology can detect these types of attacks because they almost always force the actor to behave differently, i.e. to deviate from the established behavioral pattern (the baseline) of the account being abused.

Internet of Things (IoT)

IoT poses a growing problem. Cameras, sensors, alarms, medical equipment and production equipment are increasingly connected to companies' infrastructure. These types of equipment are typically very easy to attack, and are therefore used as an entry point to steal data or to reach other IT systems. With UEBA, you can track a large number of connected devices, establish a behavioral baseline for each device or group of similar devices, and immediately detect when a device deviates from normal.

It could be:

  • Connections to or from unusual addresses or devices
  • Activity at unusual times
  • Device functions that are not typically used being activated

This is done by assigning a risk score to each event that deviates from the baseline, and adding up the scores per user or device. The higher the score, the worse.

Let's take an example:

A user logs in from Aalborg, and 5 minutes later logs in from Copenhagen. Such an event might score, for example, 5 risk points.

A user attempts to log in to one of the company's critical systems without having access to it. That sets a risk score of 6 points.

When a user's accumulated score reaches a given threshold, an alarm is triggered on that user, and one can quickly see what that user is doing in one's infrastructure right now.
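The scoring model described above, as an added example in Python (not CapMon's or Exabeam's code): each login event is checked against a small set of rules (impossible travel, a denied attempt on a critical system, and a login outside the user's baseline hours), points are added per user, and an alarm is raised when a user crosses a threshold. The event format, the city coordinates, the speed cutoff, the per-user baselines and the threshold are all constructed assumptions; the 5 and 6 point weights follow the article's example.

```python
"""Toy UEBA-style risk scoring over constructed login events.

Added example, not code from the article, CapMon or Exabeam. Event format,
coordinates, baselines, speed cutoff and alert threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: (timestamp, user, city, system, outcome)
EVENTS = [
    ("2022-03-21T08:00:00", "alice", "Aalborg",    "mail", "success"),
    ("2022-03-21T08:05:00", "alice", "Copenhagen", "mail", "success"),  # impossible travel
    ("2022-03-21T08:06:00", "alice", "Copenhagen", "erp",  "denied"),   # no access to critical system
    ("2022-03-21T23:30:00", "alice", "Copenhagen", "mail", "success"),  # outside baseline hours
    ("2022-03-21T09:00:00", "bob",   "Aarhus",     "mail", "success"),
    ("2022-03-22T02:00:00", "bob",   "Aarhus",     "mail", "success"),  # outside baseline hours
]

# Assumed approximate coordinates (lat, lon) for the cities in the sample.
CITY_COORDS = {
    "Aalborg": (57.05, 9.92),
    "Copenhagen": (55.68, 12.57),
    "Aarhus": (56.16, 10.20),
}
CRITICAL_SYSTEMS = {"erp"}            # assumption: which systems count as critical
# Assumed per-user baseline of normal login hours (what a real UEBA learns from history).
BASELINE_HOURS = {"alice": range(7, 18), "bob": range(8, 18)}
MAX_PLAUSIBLE_KMH = 200.0             # assumption: faster than this is "impossible travel"
ALERT_THRESHOLD = 10                  # assumption: score at which an alarm is raised

# Rule weights: 5 and 6 as in the article's example; 3 is an assumption.
W_IMPOSSIBLE_TRAVEL = 5
W_CRITICAL_DENIED = 6
W_UNUSUAL_HOUR = 3


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_events(events):
    """Return ({user: total_score}, [(user, rule, points), ...]).

    Events are processed in timestamp order; each user's previous login
    location is kept so consecutive logins can be checked for plausibility.
    """
    last_seen = {}                    # user -> (timestamp, city)
    scores = defaultdict(int)
    findings = []
    for ts_str, user, city, system, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_str)

        # Rule 1: impossible travel between this and the previous login.
        if user in last_seen:
            prev_ts, prev_city = last_seen[user]
            dist = haversine_km(CITY_COORDS[city], CITY_COORDS[prev_city])
            hours = (ts - prev_ts).total_seconds() / 3600
            if dist > 0 and (hours == 0 or dist / hours > MAX_PLAUSIBLE_KMH):
                scores[user] += W_IMPOSSIBLE_TRAVEL
                findings.append((user, "impossible_travel", W_IMPOSSIBLE_TRAVEL))

        # Rule 2: denied attempt against a critical system.
        if system in CRITICAL_SYSTEMS and outcome == "denied":
            scores[user] += W_CRITICAL_DENIED
            findings.append((user, "critical_access_denied", W_CRITICAL_DENIED))

        # Rule 3: login outside the user's learned baseline hours.
        if ts.hour not in BASELINE_HOURS.get(user, range(24)):
            scores[user] += W_UNUSUAL_HOUR
            findings.append((user, "unusual_hour", W_UNUSUAL_HOUR))

        last_seen[user] = (ts, city)
    return dict(scores), findings


def alerts(scores, threshold=ALERT_THRESHOLD):
    """Users whose accumulated score has reached the alarm threshold."""
    return sorted(u for u, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    totals, hits = score_events(EVENTS)
    for hit in hits:
        print("finding:", hit)
    print("scores:", totals)
    print("alerts:", alerts(totals))
```

In this sample, alice accumulates 5 + 6 + 3 = 14 points and crosses the threshold, while bob's single off-hours login scores 3 and stays below it; that difference between one odd event and a pattern of them is the point of accumulating scores per entity instead of alerting on each rule in isolation.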

Well, that sounds great, so why don't we just buy it? It solves many of our problems and makes us even more secure!

A costly investment – and yet?

UEBA may be a costly investment. But if you look at the analyses that estimate the cost of a breach caused by a hacker attack, and compare those costs against the price of these advanced next generation SIEM solutions, then I think the Danish market will welcome these solutions with open arms.

The market in Denmark is slowly maturing, driven by the growing number of companies that have been through a massive hacker attack.

At CapMon we have included UEBA in our portfolio through an MSSP partnership with Exabeam.

About the Exabeam solution

Exabeam is a security management platform that makes security teams more efficient. It applies advanced analytics to the collected data on user and device behavior. Exabeam enables the security team to detect, investigate and respond to cyber attacks much faster.

The solution is so intuitive and simple to use that a student can be put to handling first-level SOC work.

You get:

  • A unique defense against hacker attacks
  • Detection using behavior
  • Investigation and response in minutes
  • SIEM reinforcement / migration

CapMon can provide the Exabeam solution as a Cloud or On-Premise solution.

We can offer to deliver the solution as a SaaS solution (Software as a Service) or implement the solution at the customer.

Via a support package, we subsequently make our experts available.

We are ready to help companies in Denmark optimize their IT security.