User Threat Detection—There’s a Module for That

End-user behavior can be difficult to baseline and monitor. Users often click on suspect links, open unknown attachments, and unknowingly expose the organization to risk.

Where traditional analytics and perimeter defenses fall short, LogRhythm’s User and Entity Behavior Analytics (UEBA) capabilities add a layer of security that enables rapid detection of dangerous user activity.

Continuous Improvements

While customers have had access to the User Threat Detection Module for years, LogRhythm Labs has recently released an updated version of the module. This module serves as a cornerstone of our holistic threat analytics suite—focusing on user-borne threats.

We relied on our own experience in offensive security, incident response, and the product itself, as well as knowledge from various internal business units, to revamp the module. We focused on improving ease of use and enabling rapid deployment by keeping things clear and straightforward. Ultimately, the updates will help our customers detect and respond to real-world incidents even more quickly.

User Threat Detection Module Enhancements at a Glance

Consolidated Rules and Cyber Attack Classification

We’ve combined many of the advanced correlation rules to reduce the amount of tuning and configuration required by security teams deploying the module.

In addition, we mapped rules to the Cyber Attack Lifecycle to aid in quick event classification and to help customers reduce the time to detect and respond to high-priority events. Customers can now enable Progression rules, which use AIE Feedback (AI Engine rules that consume the alarms raised by other AI Engine rules as their input) to automatically recognize a user or entity moving from one lifecycle stage to the next. Once progression is detected, LogRhythm immediately raises a high-priority alarm, highlighting the concerning event or series of events.
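As an added illustration (not LogRhythm’s code and not the module’s actual rule logic), the following Python sketch shows the idea behind a progression rule: upstream AI Engine alarms, each mapped to a lifecycle stage, are fed back in, grouped by user, and a high-priority alarm is raised when one user advances through two or more stages in order within a time window. The stage names and their order, the 24-hour window, the strict stage ordering, and the sample alarms are all assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ordering of Cyber Attack Lifecycle stages for this illustration.
LIFECYCLE = [
    "Recon",
    "Initial Compromise",
    "Command and Control",
    "Lateral Movement",
    "Target Attainment",
    "Exfiltration",
]
STAGE_INDEX = {stage: i for i, stage in enumerate(LIFECYCLE)}

# Constructed upstream alarms, shaped the way a feedback rule might see them.
# These are made up for the example; they are not real LogRhythm alarm output.
SAMPLE_ALARMS = [
    {"ts": "2016-05-01T09:02:11", "user": "jdoe",   "rule": "Phishing Link Clicked",           "stage": "Initial Compromise"},
    {"ts": "2016-05-01T09:15:40", "user": "jdoe",   "rule": "Beaconing to Rare Domain",        "stage": "Command and Control"},
    {"ts": "2016-05-01T09:41:03", "user": "jdoe",   "rule": "Abnormal Auth to Multiple Hosts", "stage": "Lateral Movement"},
    # asmith: later stage observed first, then an earlier one; not a progression.
    {"ts": "2016-05-01T10:05:00", "user": "asmith", "rule": "Beaconing to Rare Domain",        "stage": "Command and Control"},
    {"ts": "2016-05-01T11:30:00", "user": "asmith", "rule": "Phishing Link Clicked",           "stage": "Initial Compromise"},
    # bwong: two stages in order, but two days apart (outside the default window).
    {"ts": "2016-05-03T08:00:00", "user": "bwong",  "rule": "Phishing Link Clicked",           "stage": "Initial Compromise"},
    {"ts": "2016-05-05T08:00:00", "user": "bwong",  "rule": "Beaconing to Rare Domain",        "stage": "Command and Control"},
]


def detect_progression(alarms, window=timedelta(hours=24), min_stages=2):
    """Return one high-priority progression alarm per user whose upstream alarms
    advance through at least `min_stages` lifecycle stages, in lifecycle order,
    with every alarm in the chain falling within `window` of the chain's start."""
    by_user = defaultdict(list)
    for a in alarms:
        ts = datetime.fromisoformat(a["ts"])
        by_user[a["user"]].append((ts, STAGE_INDEX[a["stage"]], a["rule"]))

    results = []
    for user, events in by_user.items():
        events.sort()  # chronological; ties broken by stage then rule name
        best = []
        # Try each alarm as a possible chain start and greedily extend it with
        # later alarms whose stage is strictly further along the lifecycle.
        for i, (start_ts, stage, rule) in enumerate(events):
            chain = [(start_ts, stage, rule)]
            for ts2, stage2, rule2 in events[i + 1:]:
                if ts2 - start_ts > window:
                    break
                if stage2 > chain[-1][1]:
                    chain.append((ts2, stage2, rule2))
            if len(chain) > len(best):
                best = chain
        if len(best) >= min_stages:
            results.append({
                "user": user,
                "priority": "high",
                "stages": [LIFECYCLE[s] for _, s, _ in best],
                "rules": [r for _, _, r in best],
                "first": best[0][0].isoformat(),
                "last": best[-1][0].isoformat(),
            })
    return results


if __name__ == "__main__":
    for alarm in detect_progression(SAMPLE_ALARMS):
        print(alarm)
```

With the sample data only `jdoe` produces a progression alarm: `asmith` triggered two stages in the wrong order and `bwong` took too long between stages. Whether out-of-order or slow-moving activity should still alarm is a tuning decision; widening `window` or relaxing the strict ordering trades fewer missed attacks for more noise, which is exactly the kind of choice the module’s User Guide is meant to help with.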

Improved Documentation

Both the Deployment Guide and the User Guide have been updated to reflect the module changes. We’ve also streamlined and simplified the technical documentation to make it more useful to customers.

The Deployment Guide is a user-friendly, one-time setup guide to get customers up and running quickly. The User Guide is a good starting point for a SecOps playbook and also includes tuning and response guidance. Both updated guides can be found on the support portal.

Refined Settings and Other Changes

To help customers sort through alarm noise, the risk-based prioritization (RBP) and false positive probability (FPP) values of all the pre-built AI Engine rules have been refined. Furthermore, as customers tune their AI Engine rules, they can now manually lower a rule’s FPP value, which automatically raises the rule’s final RBP value. In other words, as confidence that a rule’s alarms are true positives increases, the RBP value rises with it, so likely incidents stand out more clearly.

LogRhythm Labs is committed to continuously working to improve the efficacy of our modules and adapt to the latest attacker tactics, techniques, and procedures. Our goal is to empower our customers to evolve their security operations as the threat landscape does.

In addition to this module update, also keep an eye out for further updates to our Network Threat Detection, Endpoint Threat Detection, and Core Threat Detection modules in the near future.

More from Matt Willems