CloudAI for User and Entity Based Analytics (UEBA)

Earlier this month, LogRhythm proudly released LogRhythm CloudAI—the most recent chapter in our User and Entity Behavior Analytics (UEBA) story.

LogRhythm CloudAI uses machine learning to apply behavioral analytics to user behavior. By modeling user behavior to uncover security relevant anomalous activity, it can detect previously unknown attacks across your security environment.

In conjunction with LogRhythm’s AI Engine, CloudAI provides analytics in depth, enabling broad coverage across the entire spectrum of attacks.

Analytics in depth requires employing the right algorithms and approaches to surface the appropriate level of visibility at the right time. 

From known threats using known methods (e.g., DDoS and drive-by attacks) to more evasive attacks using unfamiliar methods (e.g., insider threats and zero-day malware), CloudAI and AI Engine employ behavioral and scenario-based analytics to broaden your UEBA capabilities. CloudAI can uncover previously unknown user-based threats your team didn’t even know it should be looking for.

The Importance of UEBA

I’d like to start with an analogy that illustrates why employing behavioral, as well as scenario-based analytics, is important.

Consider an image of a forest taken with a six-megapixel camera. Among the trees, one appears to have a nest in its branches. You may wonder if there are birds in the nest. With the six-megapixel image, what you can see is limited. You might be able to make out birds in the nest, you might not. Now, think of seeing the same image but taken with a 50-megapixel camera. In this image, it’s extremely clear there are birds in the nest.

There are a growing number of ever-evolving threats that are becoming more and more difficult to see clearly. As a result, higher-fidelity analytics are required. With a rapidly expanding attack surface, organizations across industry segments are placing an increasing importance on their ability to discover and remediate advanced attacks and user-based threats, quickly and effectively.

Presently, 25 percent of data breaches involve an insider threat*, yet an alarming number of companies aren’t poised to detect—let alone respond to—insider threats. Employing UEBA with analytics in depth can help your organization more effectively manage insider threats, compromised accounts, administrator abuse, and other user-based threats. UEBA makes it increasingly easier to identify potentially dangerous threats that would otherwise go unnoticed.

LogRhythm CloudAI for UEBA

In his recent blog, Journey to the AI-Enabled SOC: Genesis, our co-founder and CTO, Chris Petersen, shared LogRhythm’s belief that artificial intelligence “will transform threat detection and workflows within the SOC over the next decade.” Over that decade, LogRhythm CloudAI will contribute greatly to our pursuit of the AI-enabled SOC. But what can it do for you right now?

First, CloudAI for UEBA offers best-in-class analytics fueled by the quality and richness of the data we curate from the enterprise environment. Moreover, the solution lies within our Threat Lifecycle Management (TLM) framework, meaning any information from CloudAI can be quickly and seamlessly input into a case.

Second, LogRhythm TrueIdentity™ consolidates a user’s multiple account types and identifiers into a single identity, ensuring deeper visibility into a user’s activity and providing greater analytics accuracy.

/

Figure 1. LogRhythm TrueIdentity

Third, cloud delivery, tuneless analytics, and CloudAI’s self-evolving artificial intelligence and machine learning algorithms become smarter over time so your team can utilize insights with rapid time-to-value.

As part of our NextGen SIEM Platform, CloudAI reinforces LogRhythm’s Threat Lifecycle Management capabilities with automated, advanced user-based threat detection and accelerated qualification and incident investigation—all with powerful visualizations.

/

Figure 2. LogRhythm CloudAI UEBA Dashboard

Behavioral and Scenario-Based Analytics for UEBA

As a behavioral analytics engine, CloudAI uses both supervised and unsupervised machine learning and applies artificial intelligence against environmental data to detect previously hidden threats. By detecting anomalous user activity, it identifies unusual patterns that don’t conform to expected or previously learned user behavior. As its data set grows, CloudAI develops a profile baseline for each user and more readily detects outliers in live user data relative to that same user’s historical data.

LogRhythm’s scenario-based analytics for UEBA automatically analyzes broad sets of environmental data to uncover threatening user activity in real time. This aligns machine analytics and various analytical techniques to specific scenarios along the Cyber Attack Lifecycle (also known as the Cyber Kill Chain). Aligning analytics with the Cyber Attack Lifecycle better informs risk prioritization and minimizes false positives by adjusting for context, allowing your security teams to spend more time investigating more significant alerts.

/

Figure 3: Cyber Attack Lifecycle

When combined, LogRhythm’s behavioral analytics and scenario-based analytics for UEBA provide broader coverage across the attack spectrum. They efficiently deliver analytics in depth to best protect your organization from malicious, compromised, and accidental user-based threats.

By applying advanced artificial intelligence and machine learning against high-fidelity data, CloudAI can more effectively surface potential threats, quantifiable by the mean time to detect (MTTD) measurements built into the LogRhythm platform.

Interested in learning more? To see LogRhythm CloudAI in action, request a demo.

Verizon DBIR, 2017 http://www.verizonenterprise.com/verizon-insights-lab/dbir/