Today’s cyberattackers are masters of disguise — working hard to make their malicious activities look like normal processes. They use legitimate tools, communicate with command-and-control servers through public services, and mask the launch of malicious code as regular user actions. This kind of activity is almost invisible to traditional security solutions; however, certain anomalies can be uncovered by analyzing the behavior of specific users, service accounts, or other entities. This is the core concept behind a threat detection method called UEBA, short for “user and entity behavior analytics”. And this is exactly what we’ve implemented in the latest version of our SIEM system — Kaspersky Unified Monitoring and Analysis Platform.
How UEBA works within an SIEM system
By definition, UEBA is a cybersecurity technology that identifies threats by analyzing the behavior of users, devices, applications, and other objects in an information system. While in principle this technology can be used with any security solution, we believe it’s most effective when integrated in an SIEM platform. By using machine learning to establish a normal baseline for a user or object’s behavior (whether it’s a computer, service, or another entity), an SIEM system equipped with UEBA detection rules can analyze deviations from typical behavior. This allows for the timely detection of APTs, targeted attacks, and insider threats.
This is why we’ve equipped our SIEM system with a UEBA rule package — designed specifically to detect anomalies in authentication processes, network activity, and the execution of processes on Windows-based workstations and servers. This makes our system smarter at finding novel attacks that are difficult to spot with regular correlation rules, signatures, or indicators of compromise. Every rule in the UEBA package is based on profiling the behavior of users and objects. The rules fall into two main categories:
- Statistical rules, which use the interquartile range to identify anomalies based on current behavior data.
- Rules that detect deviations from normal behavior, which is determined by analyzing an account or object’s past activity.
When a deviation from a historical norm or statistical expectation is found, the system generates an alert and increases the risk score of the relevant object (user or host). (Read this article to learn more about how our SIEM solution uses AI for risk scoring.)
Structure of the UEBA rule package
For this rule package, we focused on the areas where UEBA technology works best — such as account protection, network activity monitoring, and secure authentication. Our UEBA rule package currently features the following sections:
Authentication and permission control
These rules detect unusual login methods, sudden spikes in authentication errors, accounts being added to local groups on different computers, and authentication attempts outside normal business hours. Each of these deviations is flagged, and increases the user’s risk score.
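As an added illustration of the two rule categories described earlier, applied to the authentication checks in this section (example code written for this article, not part of the product), the following Python runs a Tukey-style interquartile fence over constructed logon events to catch a spike in failures, and uses the hours of day learned from past successful logons as the baseline for off-hours detection. The event data, the 1.5×IQR multiplier, the learning cutoff and the score weight are all assumptions.

```python
"""Added example: the post's two rule categories applied to constructed Windows logon events."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data, not real telemetry: (user, ISO-8601 timestamp, logon succeeded?).
EVENTS = []
for day, fails in enumerate([1, 2, 1, 2, 1, 1], start=1):   # one or two mistyped passwords a day
    EVENTS += [("alice", f"2024-05-0{day}T09:00:00", False)] * fails
EVENTS += [("alice", "2024-05-07T02:00:00", False)] * 25     # burst of 25 failures at 02:00
for day in range(1, 8):                                       # learning period: office-hours logons
    for hour in (8, 9, 13, 17):
        EVENTS.append(("alice", f"2024-05-0{day}T{hour:02d}:05:00", True))
EVENTS += [("alice", "2024-05-09T03:10:00", True),           # hour of day never seen before
           ("alice", "2024-05-09T09:02:00", True)]            # hour of day that matches the baseline

def iqr_upper_fence(values, k=1.5):
    """Tukey fence: Q1 and Q3 are the medians of the lower and upper halves of the sorted data."""
    s = sorted(values)
    mid = len(s) // 2
    q1, q3 = median(s[:mid]), median(s[mid + len(s) % 2:])
    return q3 + k * (q3 - q1)

def failure_spikes(events, user):
    """Statistical rule: hourly buckets whose failed-logon count lies above the IQR fence."""
    per_hour = defaultdict(int)
    for u, ts, ok in events:
        if u == user and not ok:
            per_hour[ts[:13]] += 1                  # bucket key "YYYY-MM-DDTHH"
    fence = iqr_upper_fence(per_hour.values())      # hours with zero failures are not bucketed here
    return sorted(h for h, n in per_hour.items() if n > fence)

def off_hours_logons(events, user, learn_until):
    """Baseline rule: successful logons at an hour of day absent from the user's learned profile."""
    mine = [(ts, datetime.fromisoformat(ts)) for u, ts, ok in events if u == user and ok]
    baseline = {when.hour for ts, when in mine if ts[:10] <= learn_until}
    return [ts for ts, when in mine if ts[:10] > learn_until and when.hour not in baseline]

def risk_score(events, user, learn_until, weight=10):
    """Every anomaly raises the entity's score, as the post describes for users and hosts."""
    hits = len(failure_spikes(events, user)) + len(off_hours_logons(events, user, learn_until))
    return hits * weight

if __name__ == "__main__":
    print(failure_spikes(EVENTS, "alice"), off_hours_logons(EVENTS, "alice", "2024-05-07"))
    print("risk score for alice:", risk_score(EVENTS, "alice", "2024-05-07"))
```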
DNS profiling
These rules analyze the DNS queries made by computers on the corporate network. They collect historical data to identify anomalies such as queries for unknown record types, excessively long domain names, unusual zones, or atypical query frequencies, and they also monitor the volume of data returned via DNS. Any such deviation is treated as a potential threat and increases the host’s risk score.
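The following Python is an added example, not the product's rule code, of how a host's DNS profile can be learned from past queries and then checked for the deviations listed in this section. The query log, the COMMON_TYPES set, the last-two-labels zone heuristic and the 2×, 4× and 5× thresholds are all assumptions.

```python
"""Added example: per-host DNS profiling in the style of the post's DNS section, on constructed queries."""
from collections import Counter

COMMON_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}

# Constructed query log, not real traffic: (host, "HH:MM", query name, record type, answer bytes).
LEARN = [
    ("ws01", "09:00", "mail.example.com", "A", 60),
    ("ws01", "09:00", "www.example.com", "AAAA", 72),
    ("ws01", "09:01", "cdn.example.net", "A", 64),
    ("ws01", "09:03", "login.example.com", "A", 60),
    ("ws01", "09:03", "_ldap._tcp.corp.example.com", "SRV", 110),
]
LIVE = [("ws01", "10:00", "www.example.com", "A", 60)]                                   # ordinary query
LIVE += [("ws01", "10:02", "0123456789abcdef" * 3 + ".files.example.org", "NULL", 900)]  # odd in four ways
LIVE += [("ws01", "10:05", f"x{i}.example.com", "A", 60) for i in range(40)]             # 40 queries in a minute

def zone(qname):  # registered zone approximated as the last two labels (a public-suffix list is more precise)
    return ".".join(qname.split(".")[-2:])

def build_profile(log, host):
    """Learning phase: which record types, zones, name lengths, answer sizes and rates are normal for the host."""
    rows = [r for r in log if r[0] == host]
    per_min = Counter(minute for _, minute, *_ in rows)
    return {
        "types": {qtype for *_, qtype, _ in rows},
        "zones": {zone(qname) for _, _, qname, *_ in rows},
        "max_len": max(len(qname) for _, _, qname, *_ in rows),
        "max_bytes": max(nbytes for *_, nbytes in rows),
        "max_per_min": max(per_min.values()),
    }

def score_queries(log, host, profile, burst_factor=5):
    """Detection phase: each deviation from the learned profile becomes a finding (reason first)."""
    rows = [r for r in log if r[0] == host]
    findings = []
    for _, minute, qname, qtype, nbytes in rows:
        if qtype not in COMMON_TYPES and qtype not in profile["types"]:
            findings.append(("unknown_type", qname, qtype))
        if len(qname) > 2 * profile["max_len"]:
            findings.append(("long_name", qname, len(qname)))
        if zone(qname) not in profile["zones"]:
            findings.append(("new_zone", qname, zone(qname)))
        if nbytes > 4 * profile["max_bytes"]:
            findings.append(("large_answer", qname, nbytes))
    for minute, n in Counter(minute for _, minute, *_ in rows).items():
        if n > burst_factor * profile["max_per_min"]:
            findings.append(("query_burst", minute, n))
    return findings
```

Running `score_queries(LIVE, "ws01", build_profile(LEARN, "ws01"))` yields five findings: four for the single odd query and one for the burst, while the ordinary query produces none.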
Network activity profiling
These rules track connections between computers within the network and to external resources. They flag first-time connections to new ports, contacts with previously unknown hosts, unusual volumes of outgoing traffic, and access to management services. Every action that deviates from normal behavior generates an alert and raises the risk score.
Process profiling
This section monitors programs launched from Windows system folders. If a new executable runs for the first time from the System32 or SysWOW64 directories on a specific computer, it’s flagged as an anomaly. This raises the risk score for the user who initiated the process.
PowerShell profiling
This section tracks the source of PowerShell script executions. If a script runs for the first time from a non-standard directory — one that isn’t Program Files, Windows, or another common location — the action is marked as suspicious and increases the user’s risk score.
VPN monitoring
This flags a variety of events as risky — including logins from countries not previously associated with the user’s profile, geographically impossible travel, unusual traffic volumes over a VPN, VPN client changes, and multiple failed login attempts. Each of these events results in a higher risk score for the user’s account.
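Two of the VPN checks above, a country never before associated with the user and geographically impossible travel, as an added example written for this article rather than the product's own logic; the logon records, the learning cutoff, the 900 km/h limit and the haversine distance are assumptions.

```python
"""Added example: new-country and impossible-travel checks on constructed VPN logons."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed VPN logon records, not real data: (user, ISO-8601 timestamp, country, latitude, longitude).
LOGINS = [
    ("bob", "2024-05-06T08:00:00", "DE", 52.52, 13.40),   # Berlin
    ("bob", "2024-05-06T18:30:00", "DE", 48.14, 11.58),   # Munich, 10.5 h later
    ("bob", "2024-05-07T07:45:00", "DE", 52.52, 13.40),   # Berlin
    ("bob", "2024-05-07T09:10:00", "SG", 1.35, 103.82),   # Singapore, only 85 min later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def new_country(logins, user, learn_until):
    """Baseline rule: a logon from a country not seen for this user during the learning period."""
    mine = [(ts, c) for u, ts, c, *_ in logins if u == user]
    known = {c for ts, c in mine if ts[:10] <= learn_until}
    return [(ts, c) for ts, c in mine if ts[:10] > learn_until and c not in known]

def impossible_travel(logins, user, max_kmh=900):
    """Flag consecutive logons whose implied speed exceeds what a commercial flight could achieve."""
    rows = sorted(r for r in logins if r[0] == user)          # ISO timestamps sort chronologically
    flagged = []
    for (_, t1, _, la1, lo1), (_, t2, _, la2, lo2) in zip(rows, rows[1:]):
        hours = (datetime.fromisoformat(t2) - datetime.fromisoformat(t1)).total_seconds() / 3600
        km = haversine_km(la1, lo1, la2, lo2)
        if km > max_kmh * max(hours, 0):                      # hours == 0 with km > 0 is also impossible
            flagged.append((t1, t2, round(km), round(km / hours) if hours else None))
    return flagged

if __name__ == "__main__":
    print(new_country(LOGINS, "bob", "2024-05-06"))
    print(impossible_travel(LOGINS, "bob"))
```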
Using these UEBA rules helps us detect sophisticated attacks and reduce false positives by analyzing behavioral context. This significantly improves the accuracy of our analysis and lowers the workload of security analysts. Using UEBA and AI to assign a risk score to an object shortens each analyst’s response time by allowing them to prioritize incidents more accurately. Combined with the automatic creation of typical behavioral baselines, this significantly boosts the overall efficiency of security teams: it frees them from routine tasks and provides richer, more accurate behavioral context for threat detection and response.
We’re constantly improving the usability of our SIEM system. Stay tuned for updates to the Kaspersky Unified Monitoring and Analysis Platform on its official product page.