How does User and Entity Behavior Analysis (UEBA) help monitor endpoint security? How does it represent a critical bridge between the SIEM and the endpoint protection platform?
UEBA is an essential component of modern SIEM solutions and enterprise-level cybersecurity. Samir Jain, Senior Product Manager of Security Analytics at SIEM provider LogRhythm, shared a relevant definition of UEBA in an interview with Solutions Review: “[It] provides visibility into user behavior to prevent company information from being stolen or corrupted by insiders and trusted entities and by malicious third parties posing as insiders.”
Behaviors indicating suspicious activity can vary and often include:
- Abnormal connect/disconnect time
- Files accessed by unauthorized employees
- Unusual use of emails
- Poor work performance
- Expressions of dissatisfaction
As a result, UEBA can monitor internal threats as well as external actors controlling user accounts. Thus, the link between UEBA and identity management is obvious; both provide an ongoing monitoring component beyond the login portal.
However, this does not address the connection between UEBA and endpoint security monitoring. The answer lies in one of the letters that make up UEBA: entity.
UEBA, endpoint security monitoring and device identity
UEBA monitors not only users but also the devices they operate and use to browse and interact with the network. This matters in several ways:
- Attackers can, and often do, plant malware on a device without the user noticing. This can include cryptojacking software and ransomware payloads that lie dormant until they gain access to more central databases.
- Devices can be turned into bots without the user’s knowledge, allowing attackers to issue commands to them at any time and take control of them.
- Attackers can steal or compromise devices and use them to log in. Since many authentication schemes treat a known device as a trust signal, a stolen device can be a key way to avoid detection.
Checking for signs of these kinds of subversive attacks involves looking for suspicious behavior on every device as it connects and interacts with the network. With UEBA combined with endpoint security monitoring, you can find these behaviors faster and mitigate more attacks.
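As an added illustration (not code from the article or from any vendor's product) of two of the behaviors above, the sketch below builds a per-user baseline of usual logon/logoff hours and known devices, then scores new events for an abnormal connect time or an unseen device. All event tuples, user names and device IDs are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (user, device, ISO timestamp, action); not real log data.
BASELINE_EVENTS = [
    ("alice", "LAPTOP-A1", "2024-03-04T08:55:00", "logon"),
    ("alice", "LAPTOP-A1", "2024-03-04T17:30:00", "logoff"),
    ("alice", "LAPTOP-A1", "2024-03-05T09:05:00", "logon"),
    ("alice", "LAPTOP-A1", "2024-03-05T17:45:00", "logoff"),
    ("bob",   "LAPTOP-B7", "2024-03-04T07:40:00", "logon"),
    ("bob",   "LAPTOP-B7", "2024-03-04T16:10:00", "logoff"),
    ("bob",   "LAPTOP-B7", "2024-03-05T07:50:00", "logon"),
    ("bob",   "LAPTOP-B7", "2024-03-05T16:05:00", "logoff"),
]

NEW_EVENTS = [
    ("alice", "LAPTOP-A1", "2024-03-06T09:00:00", "logon"),   # normal
    ("alice", "LAPTOP-ZZ", "2024-03-06T09:10:00", "logon"),   # device never seen for alice
    ("bob",   "LAPTOP-B7", "2024-03-06T02:15:00", "logon"),   # 02:15 logon, far outside baseline
    ("bob",   "LAPTOP-B7", "2024-03-06T16:00:00", "logoff"),  # normal
]

def build_baseline(events, slack_hours=1):
    """Per (user, action): usual hour window widened by slack; per user: known devices."""
    hours = defaultdict(list)
    devices = defaultdict(set)
    for user, device, ts, action in events:
        hours[(user, action)].append(datetime.fromisoformat(ts).hour)
        devices[user].add(device)
    windows = {k: (min(v) - slack_hours, max(v) + slack_hours) for k, v in hours.items()}
    return windows, devices

def score_events(events, baseline):
    """Return (user, device, ts, reasons) for every event that deviates from the baseline."""
    windows, devices = baseline
    alerts = []
    for user, device, ts, action in events:
        reasons = []
        hour = datetime.fromisoformat(ts).hour
        lo, hi = windows.get((user, action), (0, 23))   # no history: accept any hour
        if not lo <= hour <= hi:
            reasons.append(f"{action} at hour {hour:02d} outside usual {lo:02d}-{hi:02d}")
        if device not in devices.get(user, set()):       # no history: every device is new
            reasons.append(f"unseen device {device}")
        if reasons:
            alerts.append((user, device, ts, reasons))
    return alerts

if __name__ == "__main__":
    for alert in score_events(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

A real UEBA engine replaces the fixed hour window with a statistical baseline and correlates these device signals with identity data, but the shape of the check is the same.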
To learn more, see the SIEM Buyer’s Guide and the Endpoint Security Buyer’s Guide.