Anas Jwaied, managing director, Middle East & Africa, and Tamer El Refaey, chief cybersecurity strategist, Emerging Markets, Micro Focus, discuss how ArcSight Interset UEBA accelerates threat detection and bolsters security strategies.
Cybersecurity threats come in many forms and are ever-evolving. Businesses often focus so heavily on preventing and mitigating external threats that they overlook the vulnerabilities closer to home: insider threats. Contrary to popular belief, not all insider threats are rogue employees seeking financial gain; sometimes it is the unsuspecting, non-malicious ones that put your systems at risk.
Employees, contractors, partners, and privileged users can all become insider threats. And since not all of them put the organisation at risk maliciously, they are tough to spot.
User and entity behaviour analytics (UEBA) empowers security teams to identify and detect those tough-to-spot threats. It gives organisations a comprehensive way to implement strong IT security, while also helping to detect the users and entities whose activity could lead to a full system compromise.
“Businesses today have countless critical assets to protect such as customer information, intellectual property and critical infrastructure among others,” says Anas Jwaied, managing director, Middle East and Africa, Micro Focus. “Unfortunately, traditional approaches are no longer sufficient in protecting assets. This leaves security teams struggling with fragmented security ecosystems, unreliable analytics and a never-ending barrage of false alarms. Meanwhile, business leaders expect security teams to flawlessly protect against critical threats while also delivering new innovations to enhance the organisation’s security posture.”
ArcSight Interset UEBA gives security leaders a new lens through which they can detect, hunt, investigate, and respond to threats that may be hiding in the enterprise—before data is stolen.
“ArcSight Interset is uniquely positioned to find the threats that matter for enterprises with valuable data to protect, limited security or financial resources and significant attack surface to monitor,” says Jwaied. “By effectively identifying and prioritising cyber threats, ArcSight Interset allows security teams to use their resources more strategically.”
Using unsupervised machine learning, ArcSight Interset UEBA filters huge volumes of threat data and events and prioritises them into a list of high-quality security leads, streamlining and accelerating the work of your security operations centre (SOC). Its unsupervised machine learning models are paired with an intuitive user interface (UI) that lets security leaders simplify and fast-track threat detection and investigation.
“ArcSight Interset UEBA bypasses conventional rules and thresholds and instead assesses the potential risk of a user or entity in your enterprise using scientific mathematical algorithms and autonomous machine learning models,” says Tamer El Refaey, chief cybersecurity strategist, Emerging Markets, Micro Focus. “This approach, combined with ArcSight Interset’s native Big Data architecture, allows your security team to detect threats with speed and at scale.”
Through unsupervised machine learning, ArcSight Interset’s algorithms extract the available entities, including users, machines, IP addresses, servers and printers, from log files. The system then observes events and evaluates each entity’s activity to determine its expected behaviour, a measurement called its ‘unique normal.’
“The UEBA then creates a baseline of these behaviours as new information comes through the analytics process,” explains El Refaey. “Once anomalous or high-risk activities are spotted, the events are evaluated against previously observed behaviour to assess deviations and potential risks.”
“Using an intuitive dashboard, security teams can measure a user’s recorded risk scores over time and view an incident’s context in a clear, actionable, interactive interface, thereby minimising false-positive alerts. This is how ArcSight Interset detects insider threats while enabling security teams to work more quickly and efficiently to mitigate them.”
ArcSight Interset’s risk assessments can be fed into automation, orchestration and alerting solutions to trigger actions, providing faster responses once risks are found.
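To make the baseline-then-deviate idea described above concrete, here is an added example in Python. It is illustrative code written for this article, not ArcSight Interset’s own models or code, and it assumes a constructed log format of `timestamp user host action`. It learns a per-user ‘normal’ from a training window (typical daily event volume, the hosts and hours of day previously seen), then scores a later day by how far each user deviates: a volume spike measured as a z-score, activity from hosts never seen before, and activity at hours never seen before. The weights and the 0–100 cap are arbitrary assumptions chosen for the demonstration.

```python
"""Minimal UEBA-style behavioural baseline and risk scorer.

Added example, not ArcSight Interset code. Log format and weights are assumptions.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample log lines: three baseline days, then a fourth day in which
# 'alice' appears from an unseen host at 02:00 with an unusual burst of reads.
SAMPLE_LOGS = """\
2024-03-01T09:05 alice ws-alice login
2024-03-01T09:30 alice fileserver-1 read
2024-03-01T14:10 alice fileserver-1 read
2024-03-01T08:55 bob ws-bob login
2024-03-01T10:20 bob fileserver-1 read
2024-03-02T09:10 alice ws-alice login
2024-03-02T11:00 alice fileserver-1 read
2024-03-02T15:45 alice fileserver-1 read
2024-03-02T09:02 bob ws-bob login
2024-03-02T13:30 bob fileserver-1 read
2024-03-03T08:58 alice ws-alice login
2024-03-03T10:15 alice fileserver-1 read
2024-03-03T16:00 alice fileserver-1 read
2024-03-03T09:00 bob ws-bob login
2024-03-03T11:10 bob fileserver-1 read
2024-03-04T02:10 alice ws-unknown login
2024-03-04T02:12 alice fileserver-1 read
2024-03-04T02:13 alice fileserver-1 read
2024-03-04T02:14 alice fileserver-1 read
2024-03-04T02:15 alice fileserver-1 read
2024-03-04T02:16 alice fileserver-1 read
2024-03-04T02:17 alice fileserver-1 read
2024-03-04T02:18 alice fileserver-1 read
2024-03-04T09:00 bob ws-bob login
2024-03-04T10:30 bob fileserver-1 read
"""

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T(\d{2}):\d{2} (\S+) (\S+) (\S+)$")


def parse_logs(text):
    """Extract entities (user, host) and time fields from each log line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped rather than crashing the pipeline
        day, hour, user, host, action = m.groups()
        events.append({"day": day, "hour": int(hour), "user": user,
                       "host": host, "action": action})
    return events


def build_baseline(events):
    """Learn each user's 'normal': daily volume stats, known hosts, known hours."""
    daily = defaultdict(lambda: defaultdict(int))
    hosts, hours = defaultdict(set), defaultdict(set)
    for e in events:
        daily[e["user"]][e["day"]] += 1
        hosts[e["user"]].add(e["host"])
        hours[e["user"]].add(e["hour"])
    baseline = {}
    for user, per_day in daily.items():
        counts = list(per_day.values())
        baseline[user] = {"mean": statistics.mean(counts),
                          "std": statistics.pstdev(counts),
                          "hosts": hosts[user], "hours": hours[user]}
    return baseline


def score_day(events, baseline, day):
    """Score one day's events per user against the learned baseline."""
    by_user = defaultdict(list)
    for e in events:
        if e["day"] == day:
            by_user[e["user"]].append(e)
    empty = {"mean": 0.0, "std": 0.0, "hosts": set(), "hours": set()}
    results = {}
    for user, evs in by_user.items():
        b = baseline.get(user, empty)  # a never-seen user has no normal at all
        z = (len(evs) - b["mean"]) / max(b["std"], 1.0)  # floor std to avoid /0
        new_hosts = sorted({e["host"] for e in evs} - b["hosts"])
        off_hours = sum(1 for e in evs if e["hour"] not in b["hours"])
        # Assumed weights: volume spike, unseen host, unseen hour of activity.
        risk = 10 * max(z, 0.0) + 30 * len(new_hosts) + 5 * off_hours
        results[user] = {"z": z, "new_hosts": new_hosts,
                         "off_hours": off_hours, "risk": round(min(risk, 100.0), 1)}
    return results


def run_demo():
    """Train on days before 2024-03-04, then score that day."""
    events = parse_logs(SAMPLE_LOGS)
    training = [e for e in events if e["day"] < "2024-03-04"]
    baseline = build_baseline(training)
    return baseline, score_day(events, baseline, "2024-03-04")


if __name__ == "__main__":
    _, scored = run_demo()
    for user, r in sorted(scored.items(), key=lambda kv: -kv[1]["risk"]):
        print(f"{user:8} risk={r['risk']:5}  z={r['z']:.1f}  "
              f"new_hosts={r['new_hosts']}  off_hours={r['off_hours']}")
```

Run as-is, the scorer ranks alice at the top (unseen host, eight events outside her usual hours, and a volume far above her three-event daily mean) while bob scores zero, which is the ‘high-quality leads first’ ordering the text describes. A real deployment would replace the hand-picked weights with learned models and feed the ranked output to the alerting and orchestration tooling mentioned above; the value of the baseline approach is that no rule had to name 02:00 or `ws-unknown` in advance.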
ArcSight Interset and MITRE ATT&CK
MITRE’s ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a comprehensive matrix of threat tactics and techniques observed in real-world attacks on enterprise networks. The framework is used by threat hunters, red teamers and defenders to classify attacks and assess an organisation’s risk. MITRE ATT&CK plays a pivotal role in ArcSight Interset’s UEBA, providing the detailed information needed to protect organisations effectively against real-world, previously unknown attacks.
“Today, ArcSight Interset’s UEBA covers 75 percent of the tactics and techniques in the ATT&CK framework,” says Jwaied. “Our machine learning models are carefully mapped to ATT&CK’s 219 techniques. It helps us gain a better view of which attack techniques our customers are most vulnerable to, where ArcSight Interset can effectively provide coverage, and how we can leverage our anomaly models to protect businesses against real threats.”
Together, ATT&CK and UEBA can identify the links between unusual activity inside your enterprise and real, actionable security threats.
“ArcSight Interset provides security teams with a holistic view of the risks and vulnerabilities they face. For enterprises with valuable data to protect and critical systems to monitor, ArcSight Interset is well-positioned to find the threats that matter — before it’s too late,” says Jwaied.