CHAPTER 8

User and entity behavior analysis (UEBA)

Cyberattacks are constantly evolving, and attackers routinely bypass conventional, signature-based defenses. They keep finding new ways through firewalls, new channels for delivering malware, and even recruit or bribe employees to carry out attacks from the inside. Security systems that rely on static rules alone become outdated quickly and stay blind to new attack trends.

If you look at well-known past attacks, you'll find that no two were carried out in exactly the same way. Still, some defensive strategies and tactics are used again and again because they have proved effective. One efficient way to stay protected is to complement rule-based detection with machine learning techniques that flag anomalous user and entity behavior across your organization.

What is threat intelligence?

Threat intelligence is contextual knowledge about malicious sources (IP addresses, domains, URLs, file hashes, and attacker tools and techniques) that is used to identify and prevent attacks based on historical evidence. Organizations consume open-source threat feeds, commonly published as STIX objects and exchanged over TAXII, or buy threat feeds from third-party vendors, and use them to detect potential attacks in their network. These feeds add context to conclusions drawn from log data and thereby enable security admins to quickly track down targeted and sophisticated attacks.

Importance of employing a threat intelligence mechanism.

Organizations need to stay up to date on the latest attack vectors, or their security posture weakens as their detections fall behind the threat landscape. Threat intelligence adds contextual information to log data so that threats can be detected accurately. Additionally, because feed data is dynamic, with indicators added and retired as campaigns evolve, it helps enterprises defend against future attacks rather than only past ones.

Threat intelligence helps secure the network by alerting administrators when observed activity matches a known malicious indicator and by triggering corrective actions immediately to limit the impact of an attack.

Threat intelligence and threat feeds.

Organizations load threat feed data into their security system, typically the SIEM, to recognize known malicious sources. Indicators from the feeds are correlated with network and log activity (for example, a destination IP address in a firewall log matching a known command-and-control server) to spot suspicious activities, threats, and exploits.
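As an added example (not code from the original page or from any vendor product), the following Python script shows the feed integration described above: it loads a STIX 2.1 indicator bundle, keeps only indicators that are currently valid, and correlates them with log lines. The bundle, the indicator IDs, the IP addresses, domain, URL and the log lines are all constructed for illustration; only the simplest STIX comparison pattern ([type:property = 'value']) is parsed, and the field-to-observable mapping is an assumption about the log format.

```python
"""Correlate a STIX 2.1 indicator feed against log lines.

Added example, not code from the original page. The STIX bundle and log
lines below are constructed for illustration; every indicator, IP address,
domain and URL is a documentation/example value, not a real feed entry.
Only the simplest STIX pattern form, [type:property = 'value'], is handled.
"""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle: three indicators, the third already expired.
FEED_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--aaaaaaaa-0000-4000-8000-000000000001",
         "name": "C2 server",
         "pattern": "[ipv4-addr:value = '198.51.100.23']",
         "pattern_type": "stix",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--aaaaaaaa-0000-4000-8000-000000000002",
         "name": "Phishing landing page",
         "pattern": "[url:value = 'http://login.example.net/verify']",
         "pattern_type": "stix",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--aaaaaaaa-0000-4000-8000-000000000003",
         "name": "Retired sinkhole domain",
         "pattern": "[domain-name:value = 'old-c2.example.org']",
         "pattern_type": "stix",
         "valid_from": "2023-01-01T00:00:00Z",
         "valid_until": "2023-06-01T00:00:00Z"},
    ],
})

# Matches the simplest STIX comparison: [object-type:property = 'value']
_PATTERN_RE = re.compile(r"^\[\s*([\w-]+):([\w.]+)\s*=\s*'([^']*)'\s*\]$")

def parse_stix_time(value):
    """STIX timestamps are RFC 3339 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_indicators(feed_json, now):
    """Return {(stix_type, value): indicator_id} for indicators valid at `now`.
    Skips expired or not-yet-valid indicators, non-STIX pattern types, and
    patterns this minimal parser cannot handle, so stale IOCs never alert."""
    active = {}
    for obj in json.loads(feed_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if now < parse_stix_time(obj["valid_from"]):
            continue
        if "valid_until" in obj and now >= parse_stix_time(obj["valid_until"]):
            continue
        match = _PATTERN_RE.match(obj["pattern"])
        if not match:
            continue
        stix_type, _prop, value = match.groups()
        active[(stix_type, value)] = obj["id"]
    return active

# Constructed log lines in a key=value firewall/proxy/DNS style.
LOG_LINES = [
    "2024-03-04T10:00:01Z fw src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "2024-03-04T10:00:07Z proxy src=10.0.0.9 url=http://login.example.net/verify status=200",
    "2024-03-04T10:00:09Z dns src=10.0.0.9 query=old-c2.example.org rcode=NXDOMAIN",
    "2024-03-04T10:00:12Z fw src=10.0.0.5 dst=203.0.113.8 dport=80 action=allow",
]

# Assumed mapping from log field to the STIX cyber-observable type it carries.
FIELD_TO_STIX = {"src": "ipv4-addr", "dst": "ipv4-addr", "url": "url", "query": "domain-name"}

def correlate(log_lines, indicators):
    """Return one hit per (log line, field) whose value is an active indicator."""
    hits = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        for field, stix_type in FIELD_TO_STIX.items():
            key = (stix_type, fields.get(field))
            if key in indicators:
                hits.append({"line": line, "field": field, "value": fields[field],
                             "indicator": indicators[key]})
    return hits

NOW = datetime(2024, 3, 4, 10, 0, 0, tzinfo=timezone.utc)  # constructed "current time"

def run_example():
    """Load the constructed feed as of NOW and correlate it with the sample logs."""
    return correlate(LOG_LINES, load_indicators(FEED_JSON, NOW))

if __name__ == "__main__":
    for hit in run_example():
        print(f"ALERT {hit['indicator']} matched {hit['field']}={hit['value']}")
```

Run directly, the script prints one alert for the firewall connection to the constructed C2 address and one for the proxy request to the constructed phishing URL; the DNS query for the retired domain produces nothing because its valid_until has passed. In a real deployment the bundle would be pulled from a TAXII collection and the matching done by the SIEM's correlation engine, but the two caveats demonstrated here carry over: honor the indicator's validity window, or retired IOCs keep raising alerts, and get the field-to-observable mapping right, since confusing src with dst silently turns into missed hits or false alerts.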


Types of threat intelligence.

Threat intelligence is categorized as:

  • Strategic

    This provides a bird's-eye view of the threat landscape, i.e. a big picture of how threats and attacks have changed over time. It identifies historical trends, patterns of attacks, and how attacks are carried out. Knowing the source and motive of an attack is important, as it provides insight into the attacker's likely future course of action.

    Strategic threat intelligence provides key insights such as the attributes of the intrusion or attack; target industry/geographical location; and statistics on breaches, malware, and information theft.

  • Operational

    This defines the nature and purpose of the attack, i.e. information about the capabilities of the attacker. By providing context for security incidents and events, operational intelligence helps administrators uncover potential risks, understand attackers' methodologies, and conduct thorough investigation into incidents.

  • Tactical

    Tactical intelligence describes the tactics, techniques, and procedures (TTPs) of an attacker: the tools used, how access is gained, and how the attacker moves and persists inside a network. It is consumed by security teams to tune detection rules and hardening against the methods an adversary is known to use.

  • Technical

    Technical intelligence provides the indicators of compromise associated with specific malware and campaigns, which is what threat feeds mostly carry: malicious IP addresses, domains, fraudulent URLs, file hashes, and technical clues such as subject lines of phishing emails. This is the most basic and most perishable form of threat intelligence, and it is often used for machine-to-machine detection of threats. It gives the administrator an idea of what to look for, making it easier to analyze an incident.
