UEBA and Evolved SIEM – Foundations of the Intelligent SOC

Jun 28, 2018 | by Karl Klaessig

What is an Evolved SIEM?
An evolved SIEM is much more than logs, packets and threat intelligence collection and correlation. It is a platform delivering insights into what threats reside in your network, where they have been, who was impacted and what resources are at risk, and, ultimately, it helps guide analysts to confidently make the right decisions in threat management and resolution – just like our driverless car must be accurate with its route, speed, stops and maneuvering around other vehicles. An evolved SIEM accelerates threat detection and response by providing visibility across endpoints, network, cloud and virtual environments, combining business context with automation and machine learning capabilities to detect, investigate and respond to today’s complex threats.

Today’s SIEMs are expected to natively include or closely integrate User and Entity Behavioral Analytics (UEBA) to complement the SIEM platform. With our autonomous vehicle analogy in mind, the users on your network are the cars on the highway – you need to know where they are right now as well as what their normal driving behaviors are in order to respond safely on your car’s journey.

While user directories and identity management offer insights into user and role usage, UEBA provides analytics highlighting patterns of unusual behavior, ideally before theft, disruption, or compromise occurs. UEBA delivers analytics that complement the baselining and rule-based analytics capabilities within SIEM solutions, noting that SIEM solution vendors offer varying levels of native and integrated support for UEBA solutions.

It all starts with visibility, but what does that mean? Would you ride in an autonomous vehicle if you knew it did not know where other cars were located while in motion? Not likely! UEBA provides that deep visibility to SIEM solutions – knowing what users are doing on your network, just as you expect the autonomous car to know what other drivers are doing and where they are going. Leveraging UEBA’s specialized analytics in a SIEM achieves advanced detection with deep insights for your threat hunting, risk escalation and investigation processes. As with an autonomous vehicle, knowing when and where there is a threat (which cars are on the road and which drivers are most dangerous) is 80% of the battle! This powerful combination arms analysts with the user and entity insights needed to stay ahead of threats and respond to each incident promptly and confidently.

What Does It Mean?
How critical is this visibility into user and entity behavior and status? Let’s ask the question again: would you ride in an autonomous vehicle if you knew it did not know where other cars were located while in motion? This is akin to asking your users to share data on the network with no idea who is sharing it, what is being shared, when, or how secure it is! Dynamic visibility into other drivers on the road, speed limits, signs and stop lights, plus insight into the habits of the cars around you, is what makes an autonomous vehicle possible and secure. Sounds like securing the networks we share data and communications over, doesn’t it? Security analysts need that same visibility – to understand the risks and potential threats to the network and ultimately protect our critical information and overall business. SIEM solutions are much like traffic cameras on the roadways: they give you a great picture of typical road traffic and, by reviewing driver habits on previously recorded video, insight into what happened today and who was involved. Those are great insights for investigating an accident, but what if you could also add a correlation of data showing all the destinations, routes and times that each car on the road has driven for the past 60 days, as well as each driver’s current vision and health, their vehicle’s maintenance history and so on? Now you have a complete picture of which cars and drivers around you are a risk, as well as when and where they become a potential threat to your safety. That is a strong framework for providing a secure driverless experience. Your network is no different: SIEM and UEBA deliver this depth of user and entity network behavior so your analysts can respond quickly and precisely to potential threats and always know where the dangerous drivers/users are located and what they are up to.
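As an added illustration (not code from this post or from any vendor product), here is a minimal version of the baselining idea described above in Python: it builds a per-user profile of hosts and login hours from a constructed history window standing in for the 60 days, then scores today’s login lines against that profile. The log format, the weights and the escalation threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample login events in a syslog-like format (not real data).
# The first block stands in for the 60-day baseline window, the second for today.
BASELINE_LOG = """\
2018-04-02T08:12:00 user=alice host=fin-app01 action=login
2018-04-02T17:40:00 user=alice host=fin-app01 action=login
2018-04-03T09:05:00 user=alice host=fin-db01 action=login
2018-04-03T08:55:00 user=bob host=hr-web01 action=login
"""
TODAY_LOG = """\
2018-06-28T09:10:00 user=alice host=fin-app01 action=login
2018-06-28T03:15:00 user=alice host=dc01 action=login
2018-06-28T11:00:00 user=mallory host=fin-db01 action=login
"""
LINE = re.compile(r"^(\d{4}-\d\d-\d\d)T(\d\d):\d\d:\d\d user=(\S+) host=(\S+) action=login$")

def parse(log):
    """Yield (user, host, hour) per login line; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(3), m.group(4), int(m.group(2))

def build_baseline(log):
    """Per-user profile of the hosts and login hours seen in the baseline window."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, hour in parse(log):
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(hour)
    return profile

def score_event(profile, user, host, hour):
    """Risk score plus reasons: unknown user, new host and off-baseline hour add weight."""
    p = profile.get(user)
    if p is None:
        return 100, ["no baseline for user"]
    checks = [(40, f"first login to {host}", host not in p["hosts"]),
              (30, f"hour {hour:02d} outside baseline", hour not in p["hours"])]
    fired = [(weight, why) for weight, why, hit in checks if hit]
    return sum(w for w, _ in fired), [why for _, why in fired]

def find_anomalies(baseline_log, new_log, threshold=50):
    """(user, host, score, reasons) for events at or above the escalation threshold."""
    profile = build_baseline(baseline_log)
    scored = ((u, h, *score_event(profile, u, h, hr)) for u, h, hr in parse(new_log))
    return [hit for hit in scored if hit[2] >= threshold]
```

A real UEBA engine also weighs how thin a user’s baseline is: a profile built from a handful of events, like bob’s above, produces low-confidence scores and should be treated as such during triage.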

