KHOI | Blog

What are SIEM and UEBA?

Wed, Oct 18, 2023 · 6 min read
Table of contents

Week 5 of my CodePath's Intermediate Cybersecurity course!

Security Information & Event Management (SIEM)

SIEM tools use rules and statistical correlations to turn log entries and events from security systems into actionable information.

  • Detect threats in real time
  • Manage incident response
  • Forensic investigation on past security incidents
  • Prepare audits for compliance purposes

SIEM combines 2 functions:

  • SIM — security information management.
  • SEM — security event management.

→ Makes SIEM more well-rounded and an ubiquitous tool for any Security Operation Center (SOC).

Some SIEM tools include: Splunk Enterprise Security, Datadog Security Monitoring, Fortinet FortiSIEM, etc.

In short, SIEM is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations. — Microsoft

Next-gen SIEM capabilitites

Next-gen SIEM utilizes User and entity behavior analytics (UEBA) to go beyond rules and correlations, leveraging AI and deep learning techniques to look at patterns of human behavior.

  • Security orchestration and automation response (SOAR): Next-gen SIEMs integrate with enterprise systems and automate incident response. Eg: SIEM detects an alert for ransomware → SIEM performs containment steps automatically on affected systems before attackers encrypt the data → simultaneously creating communications or other notifications.

  • Complex threat identification: Correlation rules can’t capture many complex attacks, because they lack context, or can’t respond to new types of incidents. With automatic behavioral profiling, SIEMs detect behavior that suggests a threat.

  • Detection without rules or signatures: Many threats can’t be captured with manually-defined rules or known attack signatures. SIEMs use machine learning to detect incidents without pre-existing definitions.

  • Lateral movement: SIEMs analyze data from across the network and multiple system resources to detect lateral movements — attackers move across network, IP addresses, etc.

  • Entity behavior analysis: Critical assets on the network — servers, medical equipments, etc. — have unique behavioral patterns. SIEMs learn these patterns and automatically discover anomalies suggesting a threat.

User and entity behavior analytics (UEBA)

UEBA provides information on the behavior of users and other entities in the corporate network — malicious insider, compromised user, etc.

3 pillars of UEBA

Analytics: detects anomalies using a variety of analytics approaches — machine learning, statistical modeling, etc.

Data sources: ingest data from a general data repository such as a data lake or data warehouse, or through a SIEM. Can be from:

  • Business context
  • HR and user context
  • External threat intelligence
  • Events and logs
  • Network flows and packets

Insider threats

Negligent insider: An employee with privileged access to IT systems unintentionally puts their org at risk because they don’t follow the procedures.

Malicious Insider: employee intends to perform a cyber attack against the org.

Compromised insider: infiltrate an org and compromise a privileged user account.

UEBA and SIEM comparison image

Source: Varonis