Why Security Monitoring & UEBA?

Rushil Choksi
5 min readJul 24, 2022

--

Source: IBM

Monitoring of data has become a crucial component of an organization’s overall security demands, as it helps analyze the inflow traffic and identify threat vectors as possessed to the company’s assets and intellectual property. Security monitoring tools help in ongoing system security for the processed data and tracking 24*7 global intelligence feeds for new threats that could be possessed to an organization. Threats possessed by an external entity to an organization could be highly critical and may result in the loss of millions of dollars of assets. Through the help of this article, I primarily aim to highlight the current technology trends in the concerned domain and discuss the advantages and downsides of implementing a robust Security Operations Center (SOC).

Background

Contemplating the current security information and event management (SIEM) has evolved a long way since its foundation. It has allowed organizations to effectively deal with cyber threats and data breaches that otherwise would have resulted in millions to the company. Concerning the current approach to security monitoring, various components have been integrated into the same in recent years for access to more granular event logs, some of which are listed below.

  • Aggregating data collected from various input sources.
  • Building insightful analytics to the collected data post-processing of the same.
  • Defining event rules and triggers as to when an action is to be performed.
  • Integration of incident detection and response software allows immediate dealing with the events.
  • Real-time alert notifications for detection of suspicious activities via SMS or email.
  • Threat resolution tools allow immediate remediation or mitigation from various open-source platforms to identify and resolve attacks in real-time.
  • Deployment of user and entity behaviour analysis tools encompasses the ability to use machine learning algorithms to develop a model for all users and classify events as an anomaly.

Above stated integrations have proven to be highly resilient against active cyber-attacks and even early warnings, which are likely to become a prevalent threat shortly, such as the Spring4Shell vulnerability.

Log Management

A SIEM solution’s primary motive is collecting and storing data and providing logs for all events executed upon the target system, allowing a healthy security posture for the organization. Several methods have evolved in recent times on the types of logs that are available to the security team, some of which can be described as follows:

  • Perimeter-based logs: these types of logs allow one to control what traffic can be sent and received across the network; some of the devices that provide such perimeter-based logs are IPS/IDS, firewalls, and VPNs.
  • System event logs: the operating system maintains these types of logs and varies accordingly.
  • Network endpoint logs: these types of logs allows monitoring of the inbound and outbound traffic on a network generated from the endpoints such as laptops, smartphones, workstations, etc.
  • Application-level logs: these types of logs allow one to monitor the usage of applications and how often the resources are being requested from a specific user.
  • Proxy server logs: these types are similar to networking logs, however, provide additional details regarding the proxies being used to send the request further, which isn’t available for the network endpoint logs.

Incident Management

This part of a SIEM solution deals with responding to threats as a part of active scanning implemented in real-time to protect sensitive and PII from attackers with malicious intent. Primarily, there are two major threat vectors; external and insider threats. Furthermore, the tasks as followed by an incident management tool/software are to detect, analyze, and respond to an anomaly or the incident using various techniques that aid in reducing the detection and the resolution time required for the same; continuously improving on the performance segment of the same — deliver best results.

Threat Intelligence

Threat intelligence primarily deals with analyzing vectors that could lead to potential damage and gaining contextual knowledge regarding the said domain to keep the security systems up-to-date with the trends. Threat feeds are usually managed and maintained by open-source platforms and even third-party vendors that allow security admins to quickly track down the source of the attack and swiftly respond to the same to mitigate a sophisticated level of attack.

User Entity & Behavior Analytics

UEBA software uses specialized machine learning algorithms to compute a user’s behaviour based on current and previous records, formulate a model relevant to the same, and detect anomalies in the future that do not match with the captured data. In addition, these technologies have highly evolved in determining the risk metrics if a specific type of behaviour is flagged as abnormal by the algorithm, which, based on the risk score, is evaluated for further inspection.

Various features of a UEBA application can be deployed; depending on the requirements of the organization in responding to threats, some of which include fine-tuning the model to scan and detect insider attacks, privilege exploitation, policy violations, accounts compromised, and attacks such as a dictionary or brute force over a sign in field. Triggering an alert requires confirmation from multiple sources for the behaviour to be classified as an anomaly; furthermore, it uses a reinforcement-based learning model, which allows it to grow more efficiently as more and more data is being processed for anomaly detection.

However, there are various downsides to implementing a user behaviour analysis software on-premise, some of which are as described:

  • Reliability: a perfect machine learning model with an accuracy of 100% never exists that correctly identifies anomalies unless in case of over-fitting. The model trained to detect such behaviour may not always be true to its prediction, which is still one of the factors organizations refuse to deploy.
  • Algorithm transparency: organizations that deploy UEBA solutions may not have a clear vision of how a specific type of behaviour is classified as abnormal, which could be why the same is not favoured.
  • Accessibility: organizations that deploy UEBA solutions may not have a clear vision of how a specific type of behaviour is classified as abnormal, which could be why the same is not favoured.

Concluding remarks

The security monitoring solutions give organizations an edge over detecting, analyzing, and responding to cyber threats on a large scale; with the additional implementation of UEBA software, the process becomes seamless and does not disrupt the business and let it run in its continuity. Several approaches have been evolved and perfected over the years to implement a secure and robust monitoring system that prevents attacks from being executed. However, with the evolution of these modern-day technologies, there are limitations and dependencies to implementing such a monitoring and incident response tool; cost is a significant factor.

On the other hand, vendors are developing cost-efficient versions of their solutions offering limited features but still being able to detect, analyze and respond to threats. Thus, a future prospective organization looking forward to diving into the subject can note the gaps faced in the industry and propose solutions that could decrease the same allowing more organizations to protect their assets and intellectual property.

--

--

Rushil Choksi

Security Architect Intern @ Sony • Researcher @ ISI • DevSecOps • Cyber Security Enthusiast