Defeating Threats Through User Data: Applying UEBA to Protect Your Environment

Learn how to detect and respond to threats faster by focusing on user activity and behavior

Table of Contents

3 Users Are Your Weakest Link

4 The Spectrum of Attacks
  • Known–Known Attacks
  • Known–Unknown Attacks
  • Unknown–Unknown Attacks

6 Focus on User Activity and Behavior
  • Understand the Users in Your Organization and Potential User-Based Risks

7 Use Cases of User-Based Threats
  • Account Compromise
  • Malicious Insider Threat
  • Data Exfiltration
  • Privileged Account Abuse and Misuse

9 Detect User-Based Threats Faster with UEBA
  • Prepare Your Data
  • Tie to an Identity
  • Surface User-Based Threats with Full-Spectrum Analytics
    — Scenario-Based Analytics
    — Behavior-Based Analytics
    — Link Scenario- and Behavior-Based Analytics to Detect User-Based Threats Across the Full Spectrum
  • Effectively Respond to User-Based Threats

12 The Power of LogRhythm UEBA
  • Identify, Investigate, and Prioritize Threats with LogRhythm’s Machine Data Intelligence Fabric
  • Consolidate and Establish Identities to Improve Your Analysis
  • Detect Known and Unknown Threats with Scenario- and Behavior-Based Analytics
  • Streamline Your Security Operations Team
  • Access Data with Analytics as a Service

14 Focus on User Activity and Behavior with UEBA

14 About LogRhythm

15 Glossary

Users Are Your Weakest Link

You’re facing a constant barrage of threats, some of which you don’t even know exist. The reality is that your users are behind many threats and breaches — whether maliciously or accidentally. Case in point: 69 percent of organizations reported a recent insider data exfiltration attempt, and 28 percent of breaches involved internal actors.1 As the typical point of entry for an attack, users are a difficult vector to monitor and secure. To confront the tidal wave of attacks, you need to hone your attention on users by harnessing the power of user and entity behavior analytics (UEBA).

UEBA technology monitors user activity data captured in logs, audit trails, and purposed sensors for known threats and behavioral changes — uncovering activities that might otherwise go undetected — while reducing your time to detect and respond to threats. Like you, chief information security officers (CISOs) often struggle to focus on users due to a lack of available technology.

This white paper uncovers how UEBA reduces your organizational risk and enables you to respond more quickly to attacks. It also dives into the different types of users, threats, and use cases that UEBA can address. Learn how UEBA technology gives you a single view of users and accelerates the qualification and investigation processes of potential threats to minimize your organization’s risk.

UEBA Defined

UEBA solutions use analytics to build standard profiles and behaviors of users and entities (e.g., hosts, applications, network traffic and data repositories) across time and peer group horizons. Activity that is anomalous to these standard baselines is flagged as suspicious, and packaged analytics applied on these anomalies can help discover threats and potential incidents.

Source: Market Guide for User and Entity Behavior Analytics (Gartner)

1 2018 Data Breach Investigation Report, Verizon, April 2018

WWW.LOGRHYTHM.COM


The Spectrum of Attacks

The attacks your organization faces are numerous. They include everything from drive-by malware that capitalizes on accidental or careless users to targeted attacks that use new techniques to exploit unknown vulnerabilities. And the volume of attacks is growing. In 2017, attacks targeting businesses nearly doubled,2 and they are increasing in frequency. On average, a hacker attack occurs every 39 seconds.3

By understanding the Spectrum of Attacks, which represents the known or unknown quality of a vulnerability and its associated exploit, you will be in a better position to detect user-based threats against your organization.

Figure 1: The Spectrum of Attacks. From left to right: known–known, known–unknown, unknown–unknown. Example attack types placed along the spectrum: brute-force, commodity malware, spear phishing, rootkit, session hijacking, zero-day, insider threat, custom malware.

Known–Known Attacks

In Figure 1, known–known attacks are represented on the left end of the spectrum. This means that the tactics, techniques, and procedures (TTPs) of both the vulnerability and the exploit or method being used to target that vulnerability are known to the information security (InfoSec) community. These attacks are common and high in volume because the tools to develop them are widely available and can be easily leveraged by even lower-skilled hackers. The examples below span the different stages of an attack:

Common phishing emails: This is an attempt to infiltrate a network with an initial compromise of a system and the users associated with that system, in which the attacker falsely represents himself or herself as a legitimate company or person. It may also be an attempt to commit fraud, such as soliciting money to pay a fake invoice. The attack uses email that contains malicious links or attachments, often laden with commodity malware, sent to a broad list of targets.

Pass-the-hash attacks: This technique allows an attacker to move laterally by stealing a user’s password hash and reusing it, without cracking the password, to create a new authenticated session on the same network. Sophisticated threat-detection platforms identify when attackers are attempting to use this technique, pretending to be an authenticated user.

Known–Unknown Attacks

In the middle of the spectrum, the vulnerability is known, but a specific exploit has yet to be developed or used against it and is discovered only later. This is classified as a “known–unknown” attack. This type is less common and exists in lower volumes than known–known activity because exploit code needs to be developed or modified by a threat actor. Examples include:

Heartbleed vulnerability: Hackers used this vulnerability to read sensitive data stored in the memory of systems that were using vulnerable versions of secure sockets layer (SSL) and transport layer security (TLS) encryption.4 Threat researchers agree that innumerable exploits were written for the Heartbleed vulnerability.

WannaCry ransomware: Threat actors used this ransomware cryptoworm to target computers running Microsoft Windows. The ransomware encrypts files and demands a ransom payment from users in bitcoin to release the data. This attack exploited the well-known EternalBlue vulnerability.

Unknown–Unknown Attacks

At the far-right end of the spectrum, the vulnerability and the exploit are both unknown — called “unknown–unknown” attacks. This makes them difficult to detect and more dangerous. These activities are fairly uncommon, but they can have devastating consequences. For example, 68 percent of detected breaches took months or longer to discover.5 Examples include:

Zero-day attacks: Zero-day attacks target previously unknown security vulnerabilities. Stuxnet, a malicious computer worm, is one example. Stuxnet used a flaw in a shortcut file ending with the .lnk extension and launched exploit code that can sabotage industrial equipment without changes appearing in a monitoring system. The worm, believed to have been created by the United States and Israel,6 crippled Iran’s nuclear program by altering the software application managing the uranium enrichment centrifuge.

Insider threats: An insider threat originates within an organization, such as from current or former employees, contractors, or third-party associates. This could involve the theft or release of sensitive documents. For example, a contractor for a U.S. intelligence agency used his credentials to access and leak top-secret government surveillance data.

Known threats leverage understood tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). TTPs are best detected through scenario-analytics approaches.

Unknown threats use techniques and methods that are not currently understood. They use zero-day exploits and custom malware that evade signature analytics.

A vulnerability is a weakness or unknown functionality in the protocol, application, or event that leaves systems exposed and allows adversaries to act.

An exploit or method is the action attackers take to use the vulnerability. Numerous methods of attack exist and can include malware, brute-force attacks, spear phishing, and zero-day attacks.

Did you know?

59% of employees steal proprietary corporate data when they quit or are fired. Source: Heimdal Security

2 2017 was ‘worst year ever’ in data breaches and cyberattacks, thanks to ransomware, TechRepublic, Jan. 25, 2018 // 3 Hackers Attack Every 39 Seconds, Security Magazine, Feb. 10, 2017 // 4 The Heartbleed Bug, Synopsys, April 29, 2014 // 5 2018 Data Breach Investigation Report, Verizon, April 2018 // 6 What is Stuxnet, who created it and how does it work?, CSO, Aug. 22, 2017


Focus on User Activity and Behavior

An effective security program monitors and correlates endpoint, network, and user data to provide comprehensive visibility into an environment. Focusing on your users’ activities gives you an important vantage point in identifying threats before they become damaging breaches. Theft, misuse, and exploitation of user accounts are fundamental tactics used by attackers in each phase of the Cyberattack Lifecycle (also known as the Cyber Kill Chain7).

Whether an account has been compromised or the user is behind the attack, a user account is normally involved during a cyberattack, leaving a trail of rich forensic evidence that reveals nefarious activities. As a result, the best way to defend against threats across the attack spectrum, regardless of whether the attack is known or unknown, is to focus on your users.

User activity data contains the insight you need to recognize known activity and discover behavioral changes indicative of threats across the Spectrum of Attacks. Not all users are the same. Understanding the types of users will provide insights into the data they produce and the best way to discover anomalies that may lead to a user-based threat.

Understand the Users in Your Organization and Potential User-Based Risks

When it comes to protecting your organization, unfortunately, users are often the weakest link in your defenses. It’s important to understand the different types of users and the varying degrees of risk they pose to your organization. While the intent to cause harm varies for each type of user, the potential for each to cause a damaging breach remains equally high.

By looking at each user type that exists within your environment, you can recognize threats across the Spectrum of Attacks. After all, different users are prone to attacks across the entire spectrum.

Typically, the types of users that exist in your organization include:

• The Accidental User typically will fall victim to a known–known attack. Example: An employee opens the attachment in an email with clear indications of phishing.

• The Careless User is the prime target for a known–known attack. Example: An employee inadvertently posts information about the company’s network in a public discussion, inviting infiltration attempts with commodity malware.

• The Victimized User is prone to a more sophisticated unknown–unknown attack. Example: An executive, targeted by a spear phishing attack, clicks on a link that contains malware.

• The Malicious User is usually involved in or behind an unknown–unknown attack. Example: An employee deliberately exfiltrates data or provides credentials to an outsider.

Figure 2: Four Types of Users (accidental, careless, victimized, malicious)

Each user type needs to be monitored in different ways to understand if an individual is a threat in your environment. Unfortunately, the challenge heightens because you don’t know which employees fall into each category — meaning that each individual, including executives, needs to be equally scrutinized.

Use Cases of User-Based Threats

Now that you understand the different types of users that exist, it’s important to know the key use cases and the role each user plays. By focusing on the user and the user’s activity data, you can monitor for specific types of attacks along the known–unknown spectrum to minimize damage to your organization.

Table 1: Classifying Use Cases, Users, and Threats

Use Case                              User Type                                      User Threats
1. Account Compromise                 Accidental, careless, victimized               Phishing, watering holes, pass-the-hash
2. Malicious Insider Threat           Malicious                                      Espionage
3. Data Exfiltration                  Accidental, careless, victimized, malicious    Command-and-control, remote access trojans, TOR
4. Privileged Account Abuse & Misuse  Malicious, careless                            Privacy/compliance violations, data misuse

1. Account Compromise

Regardless of the attack vector or malware used in this type of attack, you should be able to detect if a hacker has acquired and improperly used valid credentials. Account compromise may occur from a known attack (e.g., pass-the-hash or a successful phishing attack as described above), which is optimally detected via pattern matching or advanced correlation across log data.

There may be unknown attacks that compromise an account, which will only be recognized via a behavior shift. Advanced persistent threats (APTs) and unknown–unknown threats often operate with legitimate user accounts, which can make them difficult to detect with simple analytics, such as pattern matching, thresholds, or correlation rules. However, because a compromised account behaves differently, you can perform behavioral profiling to recognize anomalies related to account logins, data access, and other parameters.

Potential indicators:

1. Unusual authentication patterns (e.g., dormant account access)

2. Lateral movement following an attack

3. Concurrent logins from multiple locations

4. Account activity from blacklisted locations

Did you know?

A Verizon survey found that 81 percent of user threats involve stolen or weak credentials. Source: 2017 Data Breach Investigations Report

7 The Cyber Kill Chain, Lockheed Martin // 8 Market Guide for User and Entity Behavior Analytics, Gartner, April 23, 2018 // 9 IBID // 10 IBID

2. Malicious Insider Threat

Insider threats are a top concern because it is often difficult to detect when an attack is occurring from within. Insider threats originate from trusted users, such as a current or former employee or a contractor — typically rendering them unknown–unknown threats. They are usually motivated by the pursuit of financial gain or the desire to commit sabotage. This means that everyone, including managers and executives, should be scrutinized. To detect these threats, you should monitor for high-risk deviations from baselined behavior. In addition to activity data (e.g., time, source host, location), contextual information (e.g., email content, performance reviews, social media data) can help identify anomalous or high-risk activity that could pose a threat.

Potential indicators:

1. Deviation from peer group

2. New or unusual system access

3. Unusual login times

4. Disabled account logins

5. Unusual file access and modifications

6. Abnormal password activity

7. Excessive authentication failures

8. Multiple account lockouts

3. Data Exfiltration

To stop a threat before damage occurs, you should monitor in real time for indicators that an attack appears to be progressing toward data exfiltration. This can help you catch insiders and external hackers alike. It can also enhance your existing data loss prevention (DLP) systems with centralized anomaly detection driven by advanced analytics. After detection, playbooks and automated responses can decrease your team’s mean time to respond (MTTR) — ultimately protecting your organization from a data breach.

Potential indicators:

1. Suspicious data transfers

2. Malicious payload drops

3. Abnormal traffic patterns

4. Blacklisted communication

4. Privileged Account Abuse and Misuse

By possessing heightened access to key systems and data, privileged users present a greater risk to your organization. To remain secure, you should closely monitor their behavior and minimize the availability of excessive or improper privileges. You should also watch for other indicators of risk, such as account lockouts, new account creation, and account sharing. This should also help you quickly clean up dormant accounts and user privileges that don’t abide by the principle of least privilege (PoLP) per the Zero Trust Model.

Potential indicators:

1. Suspicious temporary account activity

2. Abnormal account administration

3. Unusual privilege escalation

As you deploy UEBA, start small and focus on your privileged users before you broaden your efforts. You can widen your scope from there to prevent alarm fatigue.

The Zero Trust Model premise is built on strong identities, authentication, trusted endpoints, network segmentation, access controls, and user and system attribution. It serves to protect and regulate access to sensitive data and systems. It is made up of two principles — you don’t trust anything on or off your network, and you apply security controls only where they are needed.

Detect User-Based Threats Faster with UEBA

Your job is to protect your organization from threats. Because many indicators of compromise (IOCs) can be found in user activity and behavior, UEBA helps you stay one step ahead of the variety of user-based threats across the spectrum. UEBA not only helps you monitor for known threats and behavioral changes in user data, it also provides visibility to uncover user-based threats that might otherwise go undetected.

UEBA is the most effective way to harness the power of user data and address user-based threats within your organization. It detects threats across the full spectrum of known and unknown threats, then qualifies them as security or operations relevant. UEBA not only minimizes the time it takes to detect these threats, but it also helps you rapidly respond before they can result in a devastating breach. At their core, UEBA solutions consist of four main elements: normalize your data, associate to identity, identify anomalies, and determine threat.

Figure 3: The Four Elements of a UEBA Platform

Normalize Your Data
• Parsing
• Classification

Associate to Identity
• Direct
• Inferred
• Unknown

Identify Anomalies
• Scenario-based
• Behavior-based
• Hybrid analytics

Determine Threat
• Enrich content
• Evaluate threat
• Take action

Prepare Your Data

Your organization collects and generates an extraordinary amount of data from diverse sources. Before you analyze that data, you must first normalize it and enrich it to enable effective search and machine analytics. Without successfully preparing data for analytics, your UEBA solution will inherently include blind spots, creating false negatives by missing important activities, or worse, creating false positives by mischaracterizing innocuous anomalies as threats.

Data processing begins by parsing machine data into metadata fields specifically structured to enable security analytics. Applying a uniform schema to processed data is table stakes for UEBA. A close examination will reveal wide variance in the power of these capabilities from solution to solution. For example, in a log message that shows an admin changing the permissions of a different user, the schema must be able to distinguish between the admin and the impacted user. Data normalization enhances the accuracy of parsed data by adjusting values based on known variances.

Data enrichment describes the process of adding metadata derived from the log with additional contextual data to enable more effective analysis. Using geolocation to convert an IP address into an inferred location is an example of data enrichment in action. Decoding esoteric log message codes into a meaningful and vendor-agnostic classification (e.g., Windows Event ID 4624 = successful account log-on) is a more sophisticated example. Data classification is particularly valuable to effectively analyze diverse equipment and vendors (e.g., understanding the common meanings behind numerical codes from Check Point, Cisco, Palo Alto, etc.). It is also useful to understand common activities that analytics can leverage, such as all authentications, the authentication type, location, and time used by an account regardless of the underlying infrastructure.

Tie to an Identity

For UEBA to function effectively, associating normalized data to an identity is critical. In any given environment, users and hosts coexist. UEBA solutions should monitor users and their associated hosts’ activities together to achieve greater visibility and help you detect threats. Because so many different types of identifiers exist — each with potentially different taxonomies, naming conventions, and formats — it’s difficult to see the full picture of a given user’s behavior.

By themselves, individual actions from different users and hosts are disparate data points that mask security-relevant activities. Yet when those actions are associated and corroborated together into common identities, they tell an important story. UEBA solutions should enable the development of two different types of identities:

• User identity: Any given user has multiple different accounts, which are represented in data sources with identifiers that vary from account to account. For example, the account identifier for Active Directory (AD) might be “domain name/user,” while the account identifier for Office365 might be “user@domain.” To achieve accurate analytics, it’s vital to associate the activity from each unique account identifier into a single identity or profile.

• Host identity: Just like users, a host’s activity is represented through multiple different identifiers. For example, a host may be identifiable via a MAC address in one log and a system name in another. By consolidating these data points into a single profile, you can gain a full view into host activity.

Surface User-Based Threats with Full-Spectrum Analytics

Analytics play a key role in detecting user- and entity-based threats. Effective UEBA solutions perform full-spectrum analytic techniques — supported by technology — that help you achieve visibility across the Spectrum of Attacks. Because of the sheer volume of user and host activity and the need to recognize known threat scenarios and behavioral changes, you need technology to perform the initial assessments and identify activities that have security relevance.

To achieve this comprehensive visibility, you need multiple and complementary analytic approaches. Scenario-based analytics help your organization identify known–known attacks — the left side of the Spectrum of Attacks. Behavior-based analytics help to identify unknown attacks (e.g., zero-day attacks) via profiling and anomaly detection — the right side of the spectrum. A combination of these two approaches can help you detect threats across the entire spectrum, including those that fall in the middle. By applying full-spectrum analytics, you can efficiently pinpoint the threats facing your organization.

Scenario-Based Analytics

Because many attacks follow a predictable sequence or pattern of activity, effective UEBA solutions apply scenario-based analytics against broad sets of environmental data to surface critical threats in real time. Scenario-based analytics recognize established TTPs and apply diverse techniques, including advanced statistical analysis (rate and trend analysis), to recognize known scenarios as they occur. This set of analytics addresses the left side of the Spectrum of Attacks and typically identifies known, less sophisticated attacks (i.e., those targeting accidental and careless users). When combined with vendor-provided IOCs, you can use your current understanding of threats to automatically surface inbound attacks via actionable alarms.

A UEBA solution aligns analytics to identify activities within the Cyberattack Lifecycle, and more importantly, progression across this lifecycle. UEBA also helps you better understand the risk of each threat and the procedural steps to mitigate it. In addition, UEBA helps you minimize false positives and guides your team to focus on critical alerts by performing profiling and anomaly detection using a range of analytical approaches.

Behavior-Based Analytics

In addition to scenario-based analytics, behavior-based analytics strengthen UEBA capabilities through anomaly detection. Behavior-based analytics use supervised and unsupervised machine learning (ML) to surface anomalous behavior. This technique addresses the right side of the attack spectrum — where more sophisticated, unknown–unknown attacks occur (e.g., against victimized and malicious users). Key techniques include:

• Behavioral Profiling: Recognizes changes in user behavior by detecting and characterizing deviations from baselined activity.

• Peer Group Analysis: Recognizes outliers in the behavior of a group of users by comparing users to their peers.

ML helps analysts focus on problems that require intuition and creativity, and helps your security operations team scale as threats evolve. To enable rapid adoption, your UEBA solution should primarily operate with unsupervised machine learning, growing smarter through the raw analysis of new data. To grow even wiser and to determine true threats, you should also use supervised machine learning.

When threats target your network, they usually follow a predictable path to achieve their goal. Understanding this process, called the Cyberattack Lifecycle, is critical for rapid detection and response. The end goal of an attack is exfiltration, corruption, and disruption.

Figure 4: The Cyberattack Lifecycle. Stages: Reconnaissance, Initial Compromise, Command & Control, Lateral Movement, Target Attainment, Exfiltration/Corruption/Disruption.

In unsupervised learning, the tuneless algorithm has all the information and context it needs to fully understand the training data provided to it, so it can learn on its own.

In supervised learning, the algorithm benefits from additional information and organizational context, either within the training data or provided separately, for the machine to get smarter. Supervised learning is often necessary for data sets with benign anomalies, especially if the intent of using machine learning is to predict future anomalies that aren’t benign.

Link Scenario- and Behavior-Based Analytics to Detect User-Based Threats Across the Full Spectrum

While scenario- and behavior-based analytics each provide independent value, there is greater value in using them as complementary approaches. Scenario-based analytics detect known threats in real time, while behavior-based analytics flag potentially threatening anomalies in user behavior. By implementing both approaches, you can achieve complete coverage across the Spectrum of Attacks, allowing you to monitor and minimize the risk associated with all types of users. Combining these techniques enables corroboration beyond deterministic or non-deterministic analytics alone.

As we have seen in the exploration of user types and use cases, attack lifecycle progression may utilize known and unknown attacks. Corroborating known and unknown attacks together provides greater visibility into the full attack: its priority, its scope, and its root cause. If each activity is seen in isolation, the priority may not be fully realized, allowing attacks to go unnoticed for longer periods of time. Corroborating across analytic techniques ultimately expedites investigation and allows for task automation. This enhanced corroboration improves your likelihood of detecting true threats and reduces the generation of false positives.
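The pipeline described across Prepare Your Data, Tie to an Identity, and the scenario- and behavior-based analytics sections, as an added illustration that is not LogRhythm’s code or a description of its products: constructed Windows Security and Office 365 records are classified into a vendor-agnostic schema, the AD “DOMAIN/user” and “user@domain” identifiers are collapsed into one identity, a deterministic rule flags concurrent logons from two locations, a behavioral profile flags logon hours outside the baseline, and the two findings are corroborated into one risk score. The identity directory, the IP-to-location table, the event records, and the score weights are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Vendor codes -> vendor-agnostic classification (the paper's "Event ID 4624 = successful log-on" example).
WINDOWS_CLASS = {4624: "auth_success", 4625: "auth_failure"}
O365_CLASS = {"UserLoggedIn": "auth_success", "UserLoginFailed": "auth_failure"}
# Constructed identity directory: AD "DOMAIN/user" and Office 365 "user@domain" identifiers map to one person.
IDENTITY_DIRECTORY = {"CORP/jdoe": "Jane Doe", "jdoe@corp.example": "Jane Doe",
                      "CORP/rroe": "Rick Roe", "rroe@corp.example": "Rick Roe"}
# Constructed IP-to-location table standing in for a geolocation enrichment feed.
GEO_LOOKUP = {"10.0.0.5": "HQ", "203.0.113.9": "Region-A", "198.51.100.7": "Region-B"}


def normalize(raw):
    """Parse, classify and enrich one raw record; None if the schema cannot place it."""
    if raw.get("source") == "windows":
        cls = WINDOWS_CLASS.get(raw["EventID"])
        account = f"{raw['TargetDomainName']}/{raw['TargetUserName']}"
        ts, ip = raw["TimeCreated"], raw["IpAddress"]
    elif raw.get("source") == "o365":
        cls = O365_CLASS.get(raw["Operation"])
        account, ts, ip = raw["UserId"], raw["CreationTime"], raw["ClientIP"]
    else:
        return None  # unknown source: drop rather than mis-characterize
    if cls is None:
        return None  # known source, unclassified code
    return {
        "time": datetime.fromisoformat(ts),
        "class": cls,
        # Tie to an identity: different account identifiers collapse into one profile.
        "identity": IDENTITY_DIRECTORY.get(account, f"unknown:{account}"),
        "location": GEO_LOOKUP.get(ip, "unknown"),
    }


def concurrent_locations(events, window=timedelta(minutes=30)):
    """Scenario-based rule: one identity logs on from two locations within `window`."""
    by_identity = defaultdict(list)
    for e in events:
        if e["class"] == "auth_success":
            by_identity[e["identity"]].append(e)
    flagged = set()
    for identity, evs in by_identity.items():
        evs.sort(key=lambda ev: ev["time"])
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["time"] - first["time"] > window:
                    break
                if later["location"] != first["location"]:
                    flagged.add(identity)
    return flagged


def unusual_hours(events, history):
    """Behavior-based rule: a logon at an hour absent from the identity's baseline."""
    baseline = defaultdict(set)  # behavioral profile: hours each identity normally logs on
    for e in history:
        if e["class"] == "auth_success":
            baseline[e["identity"]].add(e["time"].hour)
    return {e["identity"] for e in events if e["class"] == "auth_success"
            and e["identity"] in baseline and e["time"].hour not in baseline[e["identity"]]}


def risk_scores(events, history):
    """Corroborate: scenario hit alone 40, behavior hit alone 30, both 100 (constructed weights)."""
    scenario = concurrent_locations(events)
    behavior = unusual_hours(events, history)
    return {i: 100 if i in scenario and i in behavior else 40 if i in scenario else 30
            for i in scenario | behavior}


def analyze(raw_history, raw_events):
    """Full pipeline: normalize -> identity -> analytics -> corroborated risk scores."""
    history = [e for e in map(normalize, raw_history) if e]
    events = [e for e in map(normalize, raw_events) if e]
    return risk_scores(events, history)


def win_event(event_id, user, ip, ts):
    """Constructed Windows Security log record using the log's native field names."""
    return {"source": "windows", "EventID": event_id, "TargetDomainName": "CORP",
            "TargetUserName": user, "IpAddress": ip, "TimeCreated": ts}


def o365_event(operation, user, ip, ts):
    """Constructed Office 365 audit record using the log's native field names."""
    return {"source": "o365", "Operation": operation, "UserId": user, "ClientIP": ip, "CreationTime": ts}


# Constructed baseline: three days of Jane at HQ (08:00, 09:00, 17:00) and Rick via Office 365 (09:00, 10:00).
HISTORY_RAW = (
    [win_event(4624, "jdoe", "10.0.0.5", f"2018-06-0{d}T{h:02d}:15:00") for d in (1, 2, 3) for h in (8, 9, 17)]
    + [o365_event("UserLoggedIn", "rroe@corp.example", "203.0.113.9", f"2018-06-0{d}T{h:02d}:05:00")
       for d in (1, 2, 3) for h in (9, 10)]
)
# Constructed records for the day under analysis; analyze(HISTORY_RAW, TODAY_RAW) -> {'Jane Doe': 40, 'Rick Roe': 100}
TODAY_RAW = [
    win_event(4624, "jdoe", "10.0.0.5", "2018-06-04T09:02:00"),
    o365_event("UserLoggedIn", "jdoe@corp.example", "203.0.113.9", "2018-06-04T09:10:00"),
    win_event(4625, "rroe", "198.51.100.7", "2018-06-04T02:29:00"),  # failure: classified, ignored by both rules
    win_event(4624, "rroe", "198.51.100.7", "2018-06-04T02:30:00"),
    o365_event("UserLoggedIn", "rroe@corp.example", "10.0.0.5", "2018-06-04T02:45:00"),
    {"source": "vpn", "msg": "unparsed"},  # no schema for this source: dropped by normalize()
]
```

Jane trips only the deterministic rule (her 09:00 logon hour is normal), while Rick trips both and is scored highest, which is the corroboration across techniques the text describes.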


Effectively Responding to User-Based Threats

Once you discover suspicious activity indicative of a true threat, there’s more work to do. Your UEBA solution shouldn’t just alert you to something concerning; an effective solution should help you further qualify, investigate, and neutralize the threat, and then assist in recovery.

After flagging a potential threat, a UEBA solution helps you qualify and investigate through search analytics. Purpose-built dashboards and data visualizations enable you to explore and assess data associated to a specific identity or event. These visualization tools should be highly configurable to offer custom views of your datasets. Forensic search capabilities should allow you to conduct unstructured and structured queries during your response.

UEBA solutions that provide embedded security orchestration, automation, and response (SOAR) accelerate threat qualification and investigation to expedite mitigation. Case management and incident management workflows support the standardization of key processes and let multi-tier SOC teams work seamlessly together. Automated actions accelerate response with triggered investigatory steps and countermeasures, while playbooks make the most of security resources using collaboration, guided workflows, and best practices.

Consolidate and Establish Identities to Improve Your AnalysisLogRhythm understands identity. LogRhythm TrueIdentity™ consolidates a user’s disparate account types and identifiers — Active Directory work email, personal email, badge PIN, etc. — into a single identity. LogRhythm’s TrueHost™ feature combines multiple host identifiers into a single profile. By achieving comprehensive visibility into the activity of specific users and hosts, you benefit from greater security and operational context to power effective analysis.

Detect Known and Unknown Threats with Scenario- and Behavior-Based Analytics

LogRhythm enables the detection and prioritization of threats across the Spectrum of Attacks through an array of analytics techniques. LogRhythm AI Engine applies scenario-based analytics in real time, leveraging diverse techniques (e.g., correlation, pattern matching, and statistical analysis) to detect threats. AI Engine automatically corroborates and links related alarms, identifies threat progression along the stages of the Cyberattack Lifecycle, and elevates risk scoring as appropriate.

LogRhythm CloudAI identifies potential threats with behavior-based machine learning, complementing AI Engine’s application of field-proven threat models. It detects and characterizes shifts in how users interact with the IT environment and identifies behavior that deviates significantly from dynamically established peer groups. CloudAI forwards its anomaly-based observations to AI Engine, enabling enhanced corroboration and improving the accuracy of threat detection and prioritization.
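How the two analytic families can be linked, as an added example that is not LogRhythm’s AI Engine or CloudAI code: a behavior-based check scores today’s activity against the user’s own baseline and against a pooled peer-group baseline, a scenario-based layer contributes deterministic rule hits, and the risk score is elevated when both agree. The daily counts, peer groups, rule names and weights are all constructed sample data.

```python
"""Added example, not LogRhythm's code: a minimal full-spectrum scoring loop
that links behavior-based peer-group deviation (the kind of observation the
text says CloudAI forwards) with scenario-based rule hits (the kind AI Engine
applies) and elevates the risk score when both agree. All counts, peer
groups and rule hits are constructed sample data."""
import statistics

# Constructed daily counts of files pulled from a file share per user over a
# ten-day baseline window, and today's count.
BASELINE = {
    "jdoe":   [12, 10, 15, 11, 13, 9, 14, 12, 10, 11],
    "asmith": [8, 9, 7, 10, 8, 9, 11, 8, 10, 9],
    "bwong":  [20, 18, 22, 19, 21, 20, 23, 18, 20, 19],
    "clee":   [5, 6, 4, 7, 5, 6, 5, 4, 6, 5],
}
TODAY = {"jdoe": 340, "asmith": 9, "bwong": 24, "clee": 5}

# Constructed peer groups (in practice derived from directory attributes or
# clustered dynamically from observed behavior).
PEER_GROUPS = {"finance": ["jdoe", "asmith"], "engineering": ["bwong", "clee"]}

# Constructed scenario-based (deterministic) rule hits for today.
SCENARIO_HITS = {
    "jdoe": ["logon_outside_business_hours", "usb_mass_storage_mounted"],
    "asmith": ["logon_outside_business_hours"],
}


def zscore(value, history):
    """Standard score of value against a history; 0 when the history is flat."""
    sd = statistics.pstdev(history)
    return (value - statistics.mean(history)) / sd if sd else 0.0


def self_zscore(user):
    """How far today's count sits from the user's own baseline."""
    return zscore(TODAY[user], BASELINE[user])


def peer_zscore(user):
    """How far today's count sits from the pooled baseline of the user's peers."""
    group = next(g for g, members in PEER_GROUPS.items() if user in members)
    pooled = [c for member in PEER_GROUPS[group] for c in BASELINE[member]]
    return zscore(TODAY[user], pooled)


def score_user(user, z_threshold=3.0):
    """Combine both analytic families into one risk score (0-100)."""
    anomalies = []
    if self_zscore(user) >= z_threshold:
        anomalies.append("deviates_from_own_baseline")
    if peer_zscore(user) >= z_threshold:
        anomalies.append("deviates_from_peer_group")
    hits = SCENARIO_HITS.get(user, [])
    score = 20 * len(anomalies) + 15 * len(hits)
    # Corroboration: when a behavioral anomaly and a scenario hit coincide,
    # elevate the score above what either family would give on its own.
    if anomalies and hits:
        score += 30
    return {"user": user, "risk": min(score, 100),
            "anomalies": anomalies, "scenarios": hits}


def rank_users():
    """Score every known user and return them highest risk first."""
    return sorted((score_user(u) for u in TODAY), key=lambda r: -r["risk"])


if __name__ == "__main__":
    for rec in rank_users():
        print(rec)
```

Two details matter for a practitioner. The peer baseline is pooled across the group so a user whose own history is thin still gets compared against something; and a modest uptick (bwong’s 24 against a baseline around 20) stays below the z-score threshold, which is the behavior you want from a detector meant to surface significant deviations rather than daily noise.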

To further protect your SOC and organization, LogRhythm Labs — a dedicated team within LogRhythm — develops security research, threat intelligence, and threat scenarios, delivered through the Current Active Threats (CAT) module, LogRhythm’s IOC-based detection content.

LogRhythm also helps you detect phishing attacks with its Phishing Intelligence Engine (PIE). PIE determines the risk level of emails by analyzing subject lines, sender addresses, recipients, message body, links, and attachments. It automatically responds to threats by quarantining suspicious emails, blocking senders, and recursively searching for clicks.

Streamline Your Security Operations Team

LogRhythm accelerates your response to user-based threats with embedded SOAR capabilities, providing automation-enabled workflows that speed threat qualification, investigation, and remediation. Integrated playbooks streamline and standardize the work of multi-tier security operations teams, improving their effectiveness and efficiency. For less experienced analysts, playbooks provide repeatable procedures to expedite onboarding and rapidly develop necessary skill sets. LogRhythm’s SmartResponse™ framework further accelerates response through automated, approval-driven, or manually triggered investigatory steps and countermeasures.


According to Gartner, SOAR is a security operations analytics and reporting platform that utilizes machine-readable and stateful security data to provide reporting, analysis and management capabilities to support operational security teams. It applies decision-making logic and context to provide formalized workflows and enable informed remediation prioritization.

[Figure 5: The Spectrum of Attacks and Effective Responses. Source: Skybox Security. The figure arranges attack types along the spectrum from Known-Known through Known-Unknown to Unknown-Unknown: Brute-force, Commodity malware, Spear phishing, Rootkit, Session hijacking, Zero-day, Insider threat, Custom malware. It pairs the spectrum with two effective responses: real-time threat detection via scenario-based analytics, and anomaly detection via behavioral profiling.]


The Power of LogRhythm UEBA

It’s important to implement a comprehensive UEBA solution that helps you quickly detect, respond to, and remediate user-based threats across the full Spectrum of Attacks. LogRhythm’s UEBA solution lets you identify, qualify, investigate, and remediate threats that might otherwise go unnoticed. It empowers your analysts to monitor user behavior, applying both scenario- and behavior-based analytics to achieve visibility across the full spectrum of threats.

Identify, Investigate, and Prioritize Threats with LogRhythm’s Machine Data Intelligence Fabric

A clean, consistent, and predictable data set is critical to perform accurate analytics. LogRhythm’s Machine Data Intelligence (MDI) Fabric enables you to accurately identify and prioritize true threats and anomalies by helping you make sense of your organization’s log and machine data.

LogRhythm’s MDI Fabric processes your logs into over 100 searchable fields. With out-of-the-box support for twice as many data sources as competing solutions, it accelerates time-to-value and decreases the burden on your analysts. To glean more information from your logs and to provide additional context, MDI Fabric also enriches your data. Specifically, TrueGeo™ uses IP geolocation to determine the origin and destination of activity and TrueTime™ normalizes timestamps across time zones. Additionally, a three-tier classification taxonomy automatically deciphers your data into actionable and vendor-agnostic information that enables rapid use case implementation.

LogRhythm also enables secure investigation with embedded incident response capabilities, case management, and collaborative workflows to ensure qualified threats are vetted. LogRhythm uses case dashboards and a secure evidence locker to centralize forensic data, giving you greater visibility into active investigations and threats. Finally, risk-based event determination assigns a risk score to each log message based on configurable parameters to help you determine which threats merit investigation.
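The processing pipeline the two preceding paragraphs describe (parse into a consistent schema, normalize timestamps across time zones, enrich with geolocation, classify, then score each message from configurable parameters), shown as an added example that is not LogRhythm’s MDI Fabric, TrueTime or TrueGeo code. Both log formats, the geo table, the feed time zone, the event-ID classification map and the risk weights are constructed assumptions for the example; the Windows Security event IDs 4624, 4625 and 4672 are real, everything else is sample data.

```python
"""Added example, not LogRhythm's code: process two constructed log formats
into one consistent, searchable schema; normalize timestamps to UTC; enrich
each record with a (constructed) geo lookup; classify it; and assign a risk
score from configurable parameters. Every log line, the geo table and the
risk weights are constructed sample data."""
import re
from datetime import datetime, timedelta, timezone

# Constructed raw logs: two sshd syslog lines with an explicit UTC offset and
# two Windows Security events exported as CSV in local time without offset.
RAW_LOGS = [
    "2018-06-01T23:40:12-06:00 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "2018-06-01T23:40:15-06:00 bastion sshd[2211]: Accepted password for jdoe from 203.0.113.7 port 51022 ssh2",
    "06/01/2018 22:41:03,DC01,4624,jdoe,198.51.100.23,Logon",
    "06/01/2018 22:41:09,DC01,4672,jdoe,198.51.100.23,Special privileges assigned",
]

# Assumed time zone of the Windows feed, needed because its lines carry no offset.
WINDOWS_FEED_TZ = timezone(timedelta(hours=-5))
# Constructed geo table keyed by /24 prefix (placeholder for a real geolocation DB).
GEO = {"203.0.113": "ZZ", "198.51.100": "US"}
# Configurable scoring parameters (all constructed).
BASE_RISK = {("authentication", "failure"): 30,
             ("authentication", "success"): 10,
             ("privilege", "success"): 40}
HIGH_RISK_COUNTRIES = {"ZZ"}
PRIVILEGED_ACCOUNTS = {"root"}
# Windows Security event IDs mapped onto the common classification taxonomy.
WINDOWS_EVENT_CLASS = {"4624": ("authentication", "success"),
                       "4625": ("authentication", "failure"),
                       "4672": ("privilege", "success")}

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"\w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


def to_utc(dt):
    """Render an aware datetime as a UTC timestamp string (the TrueTime step)."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    outcome = "success" if m["result"] == "Accepted" else "failure"
    return {"ts_utc": to_utc(datetime.fromisoformat(m["ts"])),
            "host": m["host"], "user": m["user"], "src_ip": m["ip"],
            "classification": "authentication", "outcome": outcome}


def parse_windows_csv(line):
    parts = line.split(",")
    if len(parts) != 6 or parts[2] not in WINDOWS_EVENT_CLASS:
        return None
    local = datetime.strptime(parts[0], "%m/%d/%Y %H:%M:%S").replace(tzinfo=WINDOWS_FEED_TZ)
    classification, outcome = WINDOWS_EVENT_CLASS[parts[2]]
    return {"ts_utc": to_utc(local), "host": parts[1], "user": parts[3],
            "src_ip": parts[4], "classification": classification, "outcome": outcome}


def enrich_and_score(rec):
    """Add geo context (the TrueGeo step) and a configurable risk score."""
    rec["country"] = GEO.get(rec["src_ip"].rsplit(".", 1)[0], "unknown")
    risk = BASE_RISK.get((rec["classification"], rec["outcome"]), 0)
    if rec["country"] in HIGH_RISK_COUNTRIES:
        risk += 20
    if rec["user"] in PRIVILEGED_ACCOUNTS:
        risk += 20
    rec["risk"] = min(risk, 100)
    return rec


def normalize_all(lines):
    """Try each parser on every line; lines no parser understands are dropped."""
    records = []
    for line in lines:
        for parser in (parse_sshd, parse_windows_csv):
            rec = parser(line)
            if rec:
                records.append(enrich_and_score(rec))
                break
    return records


if __name__ == "__main__":
    for rec in sorted(normalize_all(RAW_LOGS), key=lambda r: -r["risk"]):
        print(rec)
```

Once both feeds share one schema, the sshd failure and the domain controller’s logon can be compared on the same UTC clock and the same field names, which is what lets a single rule or a single search cover both. Note the time-zone assumption on the Windows feed: a source that logs local time without an offset has to be told its zone, otherwise events that happened seconds apart end up hours apart after normalization.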


Access Data with Analytics as a Service

To get the most out of a UEBA solution, you need to use analytics as a service, or analytics software and operations that are delivered through web-based technology. LogRhythm UEBA arms your analysts with powerful data to detect emerging and active user-based threats based on observed activities and changes in user behavior. With analytics as a service, you have access to real-world data using ML algorithms to model user behavior and uncover security-relevant activity that might pose problems in your environment. Analytics as a service also accelerates your time to detect and respond to threats, minimizing your potential damage.

Focus on User Activity and Behavior with UEBA

It’s more important than ever to protect your organization from the increasingly sophisticated and numerous threats intent on doing you harm. To win this battle, you need to focus on your users and understand the different types of users and the degrees of risk that they introduce to your organization. The most effective way to accomplish this is by analyzing rich user data through the power of UEBA. It’s the only way to detect and respond to the most pressing user-based threats across the entire Spectrum of Attacks.

UEBA uncovers threats to which you were previously blind. Scenario- and behavior-based analytics provide essential visibility into your users and their activity, giving you the tools to protect your organization and reduce risk.

Effective UEBA solutions can help your team:

• Process machine data into a consistent, security-relevant schema

• Obtain a true view of actual users — not just disparate accounts

• Detect and prioritize known and unknown user-based threats

• Accelerate the qualification and investigation of potential threats

• Streamline response through security operations workflows and automation

Analytics as a service provides the following advantages:

• Rapid implementation and streamlined administration

• Scalable compute resources to apply advanced analytical techniques

• Greater access to analyst feedback for ML training

• Faster detection and response through smarter analytics

About LogRhythm

LogRhythm is a world leader in NextGen SIEM, empowering organizations on six continents to successfully reduce risk by rapidly detecting, responding to, and neutralizing damaging cyberthreats. The LogRhythm NextGen SIEM Platform combines user and entity behavior analytics (UEBA), network traffic and behavior analytics (NTBA), and security orchestration, automation, and response (SOAR) in a single end-to-end solution. LogRhythm’s Threat Lifecycle Management (TLM) workflow serves as the foundation for the AI-enabled security operations center (SOC), helping customers measurably secure their cloud, physical, and virtual infrastructures for both IT and OT environments. Built for security professionals by security professionals, the LogRhythm NextGen SIEM Platform has won many accolades, including being positioned as a Leader in Gartner’s SIEM Magic Quadrant.

www.logrhythm.com

Glossary

Artificial Intelligence (AI): AI is the science of enabling a computer to automate something a human would do that requires intelligence, analysis, and decision making.

Behavior-Based Analytics: This type of analytics uses supervised and unsupervised machine learning (ML) to surface anomalous behavior.

Cyberattack Lifecycle: When a threat breaches a network, it starts with an initial intrusion and ends with a final attack execution. This process is known as the Cyberattack Lifecycle (also referred to as the Cyber Kill Chain). Phases of the Cyberattack Lifecycle include Reconnaissance, Initial Compromise, Command and Control, Lateral Movement, Target Attainment, and Exfiltration/Corruption.

Full-Spectrum Analytics: These analytics detect threats along the known-unknown spectrum using a complement of scenario-based (i.e., deterministic) and behavior-based (i.e., non-deterministic) techniques.

Insider Threat: This type of threat comes from people within an organization, whether intentionally malicious or not, who have access to data, privileged systems, or information.

Machine Data Intelligence (MDI) Fabric: This LogRhythm technology processes and enriches all inbound data to deliver a consistent, clean, and predictable dataset for accurate analytics.

Machine Learning (ML): Machine learning is the science of enabling computers to act without being explicitly programmed to do so. It applies statistics and algorithms at scale on large amounts of data. One of the goals for ML is to achieve artificial intelligence.

Mean Time to Detect (MTTD): This is the average time it takes to recognize a security or operationally relevant event.

Mean Time to Respond (MTTR): This is the average time it takes to respond to and ultimately resolve an identified incident.

Pass-the-Hash (aka Pass-the-Token) Attacks: In this attack, the attacker forwards an intercepted password hash to obtain account access.

Principle of Least Privilege (PoLP): This is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work.

Scenario-Based Analytics: This type of analytics recognizes established TTPs with diverse techniques, including advanced statistical analysis (rate and trend analysis), to identify known scenarios.

Security Operations Center (SOC): This team handles security issues on an organizational and technical level, particularly the detection of and response to threats and incidents.

Security Orchestration, Automation, and Response (SOAR): SOAR functionality provides security operations workflows and automation capabilities to standardize and streamline threat qualification, investigation, and remediation processes.

Structured Data: Structured data is highly organized information that, when stored in a relational database, is readily searchable by simple search engine algorithms or other search functions.

Supervised Learning: This process occurs when the machine learning algorithm requires more details and organizational context — in the training data or provided separately — for the machine to learn.

Unstructured Data: This type of data lacks a predefined data model or is not organized in a predefined manner.

Unsupervised Learning: In unsupervised learning, the machine learning algorithm requires no tuning. It has all the information and context it needs to fully understand the training data and learn on its own.

User and Entity Behavior Analytics (UEBA): UEBA is a collection of technical capabilities that enable profiling and advanced anomaly detection on user activity through diverse and complementary analytical methods. By applying multiple analytical methods against user data, UEBA detects and prioritizes potential threats across the full spectrum of known and unknown threats.

To learn more about LogRhythm’s UEBA solutions, check out our UEBA demo:

https://logrhythm.com/defend-against-insider-threats-with-ueba-demo/

©2018 LogRhythm Inc. | WP1062_2018


Contact us:

TOLL FREE 1-866-384-0713

FAX (303) 413-8791

EMAIL [email protected]

Worldwide HQ, 4780 Pearl East Circle, Boulder CO, 80301