UEBA is the process of profiling/baselining user-related host/network/application activities for detecting suspicious/malicious behavior and intrusions by identifying meaningful anomalies or deviations from “normal” patterns of behavior.
This feature is state of the art, and constitutes the gold-standard contemporary approach to unearthing elusive and potentially catastrophic insider threats that go unnoticed by traditional SIEM solutions.
The cyber-threat landscape is evolving. The volume, velocity, complexity and sophistication of attacks are consistently becoming more advanced, and they very often bypass conventional/traditional security defenses.
UEBA focuses on detecting insider threats, such as compromised employees, or employees who may attempt to steal sensitive data, perform fraudulent attempts and carry out targeted attacks.
The ClearSkies™ SaaS NG SIEM capitalizes on the User & Entity Behavior Analysis (UEBA) behavioral and predictive analytic capabilities, which are integrally complemented by ClearSkies™ NG Endpoint Detection & Response (EDR).
The SIEM utilizes supervised and unsupervised Machine Learning (ML) and Artificial Intelligence (AI) modeling for continuous re-baselining of users’ and entities’ relationship behavior towards the effective detection of abnormal behavior.
Deviations from any user’s normal behavior are analyzed to identify what caused this behavioral change, triggering an alert for further investigation before it is too late.
Behavioral Analysis Moods indicate how the Agent categorizes activities into suspicious and/or malicious, and what “Actions” will be triggered for each. They are assigned to each user based on strategic organizational security objectives and risk appetite. The Behavioral Analysis are described below:
Relaxed
Overview:
This “Mood” adopts a lenient approach to the behavioral analysis for log and event data collected, where the “Actions” applied are for informative purposes only.
Response actions:
“Monitor and Alert” activities categorized as suspicious and/or malicious.
Neutral
Overview:
This “Mood” adopts a moderate approach to the behavioral analysis of the Agent for the log and event data collected, where the “Actions” applied are less restrictive.
Response actions:
“Monitor and Alert” activities categorized as suspicious, and “Alert, Block and/or Quarantine” activities categorized as malicious.
Aggressive
Overview:
This “Mood” adopts a strict approach to the behavioral analysis of the Agent for the log and event data collected, where the “Actions” applied are restrictive.
Response actions:
“Alert and Block” activities categorized as suspicious, and “Alert, Block and/or Quarantine” activities categorized as malicious.