July 5, 2023
You can make UEBA technology work right out of the box – but custom configuration is needed to unlock its real value.
User and Entity Behavior Analytics (UEBA) technology is a valuable addition to any security tech stack. UEBA-derived insights allow security teams to detect attacks that signature- and rule-based technologies often miss.
Compromised credentials and malicious insiders are good examples. Static, rules-based SIEM correlation is poorly suited to detecting them because its rules key on whether a credential is valid, not on whether the way that credential is being used is consistent with the account's normal behavior.
In most cases, these systems automatically extend trust to authenticated, authorized users even when they do suspicious things, like encrypting mission-critical files and directories. UEBA addresses that gap by monitoring the activity of authenticated, authorized users and assets for signs of compromise.
But how do UEBA solutions know how to triage alerts effectively? Why do they prioritize some activities over others?
The answers to these questions will help security leaders optimize UEBA implementation in ways that directly address the risks unique to their organizations.
How Default UEBA Configurations Work
UEBA platforms identify suspicious behavior by building a baseline of normal activity for each user and asset, then assigning risk points when observed activity deviates from that baseline. The further a user, server, or application strays from its routine, the higher the accumulated risk score and the more severe the resulting alert.
In a default plug-and-play configuration, that baseline is simply whatever activity happened to be occurring on the network during the learning window after deployment. The model doesn't "know" anything about the organization's risk profile, security processes, or which of those observed activities were actually acceptable.
Sophisticated UEBA solutions use machine learning models that continue to adapt over time. In practice, that means raising alerts and learning from whether analysts close them as false positives or confirm them as real attacks.
It also means that any compromise already under way before UEBA is deployed can be baked into the baseline and treated as normal from that moment forward. If you deploy UEBA in the middle of a "low and slow" intrusion, the attacker's off-hours logins, privilege escalation, and lateral movement become part of the learned routine and stop generating risk points.
Security leaders who prioritize getting UEBA up and running as quickly as possible may therefore normalize malicious behavior in ways that undermine the technology's most valuable feature. If the platform in question doesn't expose how its risk scoring actually works, those bad assumptions can persist unnoticed throughout the organization's security posture.
Custom Configurations Enhance UEBA Performance from Day One
When an organization takes time to measure its exposure to real-world security risks, it earns the ability to address those risks more effectively using UEBA technology. Custom rules and playbooks are a vital part of this process.
UEBA platforms like Exabeam can layer custom rules on top of their learned models of user and asset behavior. These custom rules allow the system to suppress known false positives, meaningfully prioritize high-severity alerts, and take the organization's unique security architecture into account.
For example, consider an organization with users who travel frequently and log on remotely. Custom UEBA configuration allows the security team to monitor high-risk activities from day one, without waiting for the model to learn on its own that those activities are high-risk. That might mean alerting on VPN usage, server locations, and other characteristics that violate the company's specific remote work policies.
Those policies are unique to the organization itself. They aren’t going to be part of any default UEBA configuration. Custom rules enable the organization to align its UEBA-powered detection platform with its own assessed security risks.
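The two ideas above, a learned baseline that can be contaminated by activity present during the learning window and a custom policy rule that fires from day one regardless of what was learned, are easiest to see side by side in code. The following is an added illustration written for this article; it is not Exabeam's or Castra's scoring logic. The event fields, the risk weights, the learning window, the allowed VPN countries and the sample events (including the placeholder country code "ZZ") are all constructed assumptions.

```python
"""Toy UEBA scorer: a learned per-user baseline plus a day-one policy rule.

Added example, not vendor code. Field names, weights, and the sample
events below are assumptions made for illustration only.
"""
from collections import defaultdict

# Constructed sample events (not real logs): one week of normal activity
# for alice. Fields: user, hour of day (UTC), source country, target host,
# and whether the session came in over the VPN.
CLEAN_EVENTS = [
    {"user": "alice", "hour": 9,  "country": "US", "target": "ws-alice", "vpn": False},
    {"user": "alice", "hour": 11, "country": "US", "target": "mail01",   "vpn": False},
    {"user": "alice", "hour": 14, "country": "US", "target": "ws-alice", "vpn": False},
    {"user": "alice", "hour": 16, "country": "GB", "target": "mail01",   "vpn": True},
]

# Constructed activity by someone holding alice's credentials during a
# "low and slow" intrusion ("ZZ" is a placeholder, not a real country).
INTRUSION_EVENTS = [
    {"user": "alice", "hour": 3, "country": "ZZ", "target": "fileserv", "vpn": True},
    {"user": "alice", "hour": 3, "country": "ZZ", "target": "dc01",     "vpn": True},
]

# A later event by the same attacker, scored after UEBA goes live.
PROBE_EVENT = {"user": "alice", "hour": 3, "country": "ZZ", "target": "dc01", "vpn": True}

# Assumed risk points for each kind of deviation from the learned baseline.
WEIGHTS = {"new_country": 30, "off_hours": 20, "new_target": 25}

# Assumed remote-work policy: VPN sessions are only allowed from these countries.
ALLOWED_VPN_COUNTRIES = {"US", "GB"}
POLICY_POINTS = 50


def build_baseline(events):
    """Learn, per user, the hours, countries and target hosts seen in the window."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set(), "targets": set()})
    for e in events:
        b = baseline[e["user"]]
        b["hours"].add(e["hour"])
        b["countries"].add(e["country"])
        b["targets"].add(e["target"])
    return baseline


def learned_score(event, baseline):
    """Risk points for deviations from the learned baseline (no policy knowledge)."""
    b = baseline.get(event["user"])  # .get() does not create a default entry
    if b is None:  # never-seen user: treat every attribute as a deviation
        return sum(WEIGHTS.values()), ["unknown_user"]
    points, reasons = 0, []
    if event["country"] not in b["countries"]:
        points += WEIGHTS["new_country"]; reasons.append("new_country")
    if event["hour"] not in b["hours"]:
        points += WEIGHTS["off_hours"]; reasons.append("off_hours")
    if event["target"] not in b["targets"]:
        points += WEIGHTS["new_target"]; reasons.append("new_target")
    return points, reasons


def policy_score(event):
    """Day-one custom rule: fires on policy violations whatever the baseline says."""
    if event["vpn"] and event["country"] not in ALLOWED_VPN_COUNTRIES:
        return POLICY_POINTS, ["vpn_country_not_allowed"]
    return 0, []


def score(event, baseline):
    """Total risk points and the reasons that contributed them."""
    lp, lr = learned_score(event, baseline)
    pp, pr = policy_score(event)
    return lp + pp, lr + pr


def compare_baselines(probe):
    """Score one event against a clean baseline and one learned mid-intrusion."""
    clean = build_baseline(CLEAN_EVENTS)
    contaminated = build_baseline(CLEAN_EVENTS + INTRUSION_EVENTS)
    return {"clean": score(probe, clean), "contaminated": score(probe, contaminated)}


if __name__ == "__main__":
    for label, result in compare_baselines(PROBE_EVENT).items():
        print(f"{label:13s} baseline -> {result[0]:3d} points, reasons={result[1]}")
```

Against the clean baseline the probe event collects points for an unseen country, an off-hours login and a never-before-seen target host, plus the policy hit. Against the baseline learned while the intrusion was already in progress, every learned deviation disappears and only the custom VPN rule still fires; that one rule is the difference between an alert and silence.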
Custom playbooks offer many of the same benefits. Although there are broad similarities in the ways individual organizations remediate active cyberattacks, no two organizations are perfectly alike. Custom configurations provide improved visibility and allow security professionals to detect, address, and mitigate risk more effectively than default deployments.
How Castra Uses Custom Rules to Improve Risk Management
Castra has spent years developing more than 1,800 unique custom rules for Exabeam. These rules are templates that take unique characteristics of the organization’s security posture into account, allowing analysts to quickly build a robust foundation for improving risk management using UEBA technology.
These are not plug-and-play rules. Custom rules like the ICMP Unequal rule must be tuned by an expert who can set the threshold that separates normal from suspicious activity in that particular environment.
Security leaders who entrust Castra with the development and implementation of these rules gain visibility into processes that their security tech stack would otherwise overlook. Every organization can maximize the benefit of UEBA technology with Castra product experts leading the way.