
A UEBA-powered SIEM solution can enable organizations to establish benchmarks of expected activity for every user and entity. Any activity that falls outside this expected range is treated as an anomaly. While anomalies can be detected in this way, organizations still need to decide how much risk an anomalous action carries. This assigned weight is then used when calculating an overall risk score for the user or entity. If an organization cannot define how much weight an anomaly should carry in the risk score, the result can be improper prioritization and alert fatigue.

Risk score customization refers to the ability to tailor how risk scores are calculated and assigned to anomalous activities based on an organization’s unique security requirements, priorities, and threat landscape. Risk score customization in anomaly detection improves the accuracy of threat detection and reduces false positives.

What is risk score customization in UEBA?

Risk score customization is an add-on functionality that certain UEBA-powered SIEM vendors offer, which enables organizations to adapt their risk scoring mechanisms to better align with their specific security needs. The risk score may be a numerical value between zero and 100, and it indicates the risk level of users and entities in the network at any given time. However, the factors that determine what constitutes a risk might differ between organizations, which is why the ability to customize the risk score is crucial. Simply put, what is risky for one organization need not be risky for another, or the degree of risk an action carries may differ.

How does risk score customization work?

Customizing risk score means adjusting the factors that contribute to it based on the organization's unique security requirements.

Here are the key components of risk score customization:

Weight: Weight is an indicator that's used to quantify the importance of an event or event categories based on the scenario. Different activities and behaviors are assigned different weights based on their perceived risk. For example, multiple file permission changes might be weighted more heavily than a single unusual file permission change made by a user. Customizing these weights allows organizations to prioritize the risks that are most relevant to them.

Time decay: This refers to the rate at which the risk score of an activity decreases over time if no further suspicious behavior is observed. Customizing time decay factors helps ensure that old activities do not continue to contribute to the overall risk score indefinitely. The higher the decay factor, the higher the reduction in risk score. For example, a decay factor of 80 would reduce the risk score faster than if the decay factor was 20.
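As an added illustration (not Log360's own scoring code), the following Python model shows how the weight and decay factor described above shape an overall score: each anomaly contributes its category weight, that contribution shrinks by the decay percentage for every full day of quiet, and the total is capped at 100. The category names, the additive combination of events and the per-day decay are assumptions made for this example.

```python
# Illustrative model of weighted, time-decayed risk scoring (added example; not Log360's code).
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CategoryPolicy:
    """Per-category tunables an analyst would customize (assumed names)."""
    weight: float  # points one event adds to the score (0-100)
    decay: float   # 0-100: percentage of a contribution removed per full day of quiet


@dataclass(frozen=True)
class Anomaly:
    category: str
    when: datetime


def decayed_contribution(weight: float, decay: float, days: int) -> float:
    """Points an event still contributes `days` full days after it occurred."""
    return weight * (1 - decay / 100) ** max(days, 0)


def risk_score(anomalies, policies, now) -> float:
    """Sum the decayed contributions of all anomalies and cap the result at 100."""
    total = 0.0
    for a in anomalies:
        policy = policies.get(a.category)
        if policy is None:
            continue  # categories with no policy do not affect the score
        total += decayed_contribution(policy.weight, policy.decay, (now - a.when).days)
    return min(100.0, round(total, 2))


# Constructed sample: three file permission changes in quick succession plus a 3-day-old logon anomaly.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Anomaly("unusual_logon_time", T0 - timedelta(days=3)),
    Anomaly("file_permission_change", T0),
    Anomaly("file_permission_change", T0 + timedelta(minutes=1)),
    Anomaly("file_permission_change", T0 + timedelta(minutes=2)),
]
NOW = T0 + timedelta(minutes=2)

# Vendor-style defaults versus a customized policy: permission changes matter more here,
# and stale logon-time anomalies should fade quickly (decay 80 instead of 20).
DEFAULT = {"file_permission_change": CategoryPolicy(10, 20), "unusual_logon_time": CategoryPolicy(15, 20)}
CUSTOM = {"file_permission_change": CategoryPolicy(25, 20), "unusual_logon_time": CategoryPolicy(15, 80)}

if __name__ == "__main__":
    print("default:", risk_score(SAMPLE, DEFAULT, NOW))  # 37.68
    print("custom :", risk_score(SAMPLE, CUSTOM, NOW))   # 75.12
```

With the same events, the customized policy raises the burst of permission changes to 75 points while the old logon anomaly contributes 0.12 instead of 7.68, which is exactly the prioritization shift the weight and decay settings are meant to produce.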

To learn more about how UEBA calculates the overall risk score, read: How does risk scoring in anomaly detection work?

The significance of UEBA risk score customization in anomaly detection

Risk score customization in UEBA enhances the accuracy, relevance, and effectiveness of anomaly detection. Here's how it can help organizations:

  • Improved accuracy: Customization minimizes false positives and false negatives by ensuring that the risk scoring mechanism identifies genuine threats and reflects the organization’s actual priorities and risk appetite. For instance, unusual activity by a privileged user might warrant a higher score than similar behavior by a regular employee.
  • Enhanced threat detection and response: By providing a more accurate and relevant risk score, custom risk scoring helps security teams prioritize their responses to critical threats such as insider threats or APTs, improving overall security efficiency.
  • Contextual relevance: Customized risk scores provide better context for security alerts, allowing security teams to understand the significance of an anomaly within the broader context of the organization's operations.
  • Adaptability: Every organization has a distinct operational environment. Risk score customization ensures that the UEBA solution adapts to the organization's specific security needs, making anomaly detection more relevant and actionable and ensuring that it remains effective over time.
  • Compliance and reporting: Customizing risk scores helps organizations align anomaly detection with regulatory requirements, ensuring accurate monitoring and reporting of high-risk events.

Thus, risk score customization empowers organizations to detect and respond to anomalies swiftly, strengthening their overall security posture.

Custom risk scoring in Log360

ManageEngine Log360 is a unified SIEM solution integrated with UEBA, SOAR, DLP, and CASB capabilities. Apart from providing a comprehensive dashboard that tells you about anomaly trends, recent anomalies, top 10 anomalous activities, anomalies based on categories, risk levels, and more, Log360 also helps improve risk scoring accuracy by factoring in peer group analysis, seasonality, user identity mapping, and anomaly modeling, and it enables you to customize your risk score.

The custom risk scoring feature in Log360 allows you to define the weight and decay factor for multiple categories (or card groups) and subcategories, which are basically the anomaly reports for a particular category. They are further sorted into the following five groups:

  • Overall anomalies
  • Insider threats
  • Data exfiltration
  • Compromised accounts
  • Logon anomalies
Figure: Custom risk score feature in Log360 (risk score customization provided by Log360).

To gain in-depth insights into how anomaly detection works and what features a UEBA solution requires to improve risk scoring and threat detection accuracy, read this e-book. To learn how a unified SIEM solution with UEBA capabilities like ManageEngine Log360 can help your organization set up custom risk scores and improve your security posture, sign up for a personalized demo.

Frequently asked questions

Why is risk score customization important in UEBA?

Risk score customization ensures that the scoring model aligns with an organization’s specific security requirements, operational context, and priorities. By customizing scores, organizations can:

  • Reduce false positives by tailoring thresholds to their environment.
  • Focus on high-priority threats, improving resource allocation.
  • Identify and alert security teams about high-risk events and users for compliance purposes.

How does risk score customization help reduce false positives?

By tailoring the risk scoring mechanism to an organization’s unique environment, UEBA can filter out benign anomalies that may appear suspicious in a generic context. For example, travel-related login anomalies can be deprioritized for employees who frequently work remotely or travel, thereby reducing unnecessary alerts. In situations like this, peer group analysis also plays a major role in determining the risk score.

Can risk score customization help detect insider threats?

Yes, customization is particularly valuable for detecting insider threats. By assigning higher weights to activities such as accessing sensitive data, downloading large files, or unusual lateral movements within the network, organizations can prioritize potential insider risks for investigation.

What are some common activities that affect the risk score?

Common activities that affect the risk score include multiple failed login attempts, unusual access patterns, unauthorized file access, and abnormal download patterns. Each of these activities is assigned a weight based on its perceived risk.

Can UEBA risk scores adapt to changes in user or entity behavior over time?

Yes. UEBA solutions use machine learning to continuously update behavioral baselines. As user or entity behavior evolves, the anomaly model recalibrates its risk scoring to remain accurate and relevant.