Security Vision UEBA automatically builds baseline models of normal behaviour for infrastructure entities (users, accounts, devices, processes, etc.), analyses raw data streams (network traffic, proxy server logs, mail servers, Windows/Linux servers and workstations, etc.), identifies deviations from those baselines and provides flexible tools for their analysis, investigation and response. The most significant updates are:
Anomaly Detection
Anomaly Detection extends the ability to detect anomalies in corporate infrastructure by applying a large number of different Machine Learning models and techniques, stacking the results of individual models, and aggregating the resulting events into incidents for further investigation.
ML models
The new version of Security Vision UEBA significantly expands the set of ML models used. The following models are applied:
- supervised models, pre-trained on datasets of real attacks and malicious activity (DDoS, botnets, C&C, etc.), that identify similar patterns in the Customer's data;
- unsupervised models for finding anomalies in network traffic and in events from hosts, including neural networks (RNNs among them);
- models for detecting processes that mimic legitimate ones;
- and others.
It is important to note that processing of all models is performed on the Customer's infrastructure without the need to send any data ‘to the cloud’. Due to optimisations of the architecture and the models themselves, infrastructure requirements are minimised and do not require specialised equipment.
The product allows flexible configuration of all parameters of ML models via UI, as well as adding your own models.
Minimisation of false-positive alarms
Special emphasis is placed on orchestration of ML models and minimisation of false-positive (FP) alarms. Mechanisms have been developed to automatically monitor models and disable those that produce a large number of FP alarms. Security Vision UEBA also automatically and regularly retrains models on the Customer's data so that they adapt to the infrastructure, its data flows and their changes. Supervised models are retrained as well: the bundled datasets of typical attacks and malicious activity are automatically merged with, and scaled to, the Customer's infrastructure data obtained from the processed events. Automatic model tuning is implemented: Security Vision UEBA selects hyper-parameters during training to achieve the best results and minimise the number of FPs.
Statistical methods automatically accumulate statistics on newly seen parameters as well as volumetric, frequency and count indicators for hosts, processes, command lines, named pipes and many other characteristics, separately for each monitored object. This also significantly reduces the level of FP triggers, and the user can flexibly adjust weights and add or modify rules through the UI.
Correlation rules
The basic set of correlation rules included in the out-of-the-box solution has been expanded. Security Vision experts have developed unique correlation rules that find suspicious activity in network traffic and proxy server streams, as well as suspicious events on hosts. These alerts are combined with the events of the statistics and ML engines, which ultimately yields a more complete picture of a suspicious object's actions. Each match of a correlation rule carries its own weight (depending on its criticality); that weight is summed with the weights of events from the other sources of observation, and if the total exceeds the threshold value an incident is created.
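The weighted aggregation described above, and the FP-driven model disabling from the previous section, can be illustrated with a small scoring engine. The following is an added example written for this page, not Security Vision's own code: the object names, rule and model names, weights, the incident threshold and the FP-ratio limit are all constructed for the demo, and the choice to reset an object's score once an incident is raised is an assumption of this example.

```python
"""Per-object weighted alert aggregation with a noisy-model circuit breaker.

Added example, not vendor code. Alerts from three observation sources
(correlation rules, statistical baselines, ML models) each carry a weight;
weights are summed per monitored object and an incident is created when the
running total crosses a threshold. Separately, analyst feedback marks alerts
as false positives, and a model whose FP ratio gets too high is disabled.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    obj: str       # monitored object (host, account, ...)
    source: str    # "correlation", "statistics" or "ml"
    name: str      # rule or model that fired
    weight: float  # criticality weight configured for that rule/model


@dataclass
class ModelHealth:
    """Tracks how often a rule/model fired and how often it was wrong."""
    fired: int = 0
    false_positives: int = 0
    enabled: bool = True


class Aggregator:
    def __init__(self, threshold=10.0, fp_ratio_limit=0.8, min_samples=5):
        self.threshold = threshold          # constructed incident threshold
        self.fp_ratio_limit = fp_ratio_limit  # disable above this FP share
        self.min_samples = min_samples      # don't judge a model too early
        self.scores = defaultdict(float)
        self.contributions = defaultdict(list)
        self.health = defaultdict(ModelHealth)
        self.incidents = []

    def ingest(self, alert):
        """Add an alert's weight to its object; return an incident if the
        threshold is crossed, otherwise None. Alerts from disabled models
        are dropped without affecting the score."""
        health = self.health[alert.name]
        if not health.enabled:
            return None
        health.fired += 1
        self.scores[alert.obj] += alert.weight
        self.contributions[alert.obj].append(alert)
        if self.scores[alert.obj] >= self.threshold:
            incident = {
                "object": alert.obj,
                "score": self.scores[alert.obj],
                "alerts": list(self.contributions[alert.obj]),
            }
            self.incidents.append(incident)
            # Assumption of this example: start a fresh window after an incident.
            self.scores[alert.obj] = 0.0
            self.contributions[alert.obj] = []
            return incident
        return None

    def mark_false_positive(self, name):
        """Analyst feedback: one alert from `name` was a false positive.
        Disable the model once it has enough samples and its FP share is
        above the configured limit."""
        health = self.health[name]
        health.false_positives += 1
        if (health.fired >= self.min_samples
                and health.false_positives / health.fired > self.fp_ratio_limit):
            health.enabled = False

    def disabled_models(self):
        return sorted(n for n, h in self.health.items() if not h.enabled)


def run_demo():
    """Feed constructed alerts through the aggregator and return the state."""
    agg = Aggregator()
    # Constructed alerts: ws-042 gets hits from all three engines, ws-017 only one.
    for a in [
        Alert("ws-042", "correlation", "suspicious_proxy_uri", 4.0),
        Alert("ws-017", "statistics", "rare_command_line", 3.0),
        Alert("ws-042", "statistics", "rare_command_line", 3.0),
        Alert("ws-042", "ml", "rnn_traffic_anomaly", 5.0),  # total 12 >= 10
    ]:
        agg.ingest(a)
    # A noisy model fires five times on srv-1; the analyst rejects every hit.
    for _ in range(5):
        agg.ingest(Alert("srv-1", "ml", "noisy_model", 1.0))
    for _ in range(5):
        agg.mark_false_positive("noisy_model")
    # Sixth hit arrives after the model was disabled: ignored, score unchanged.
    agg.ingest(Alert("srv-1", "ml", "noisy_model", 1.0))
    return {
        "incidents": agg.incidents,
        "scores": dict(agg.scores),
        "disabled": agg.disabled_models(),
    }


if __name__ == "__main__":
    print(run_demo())
```

In the demo, only `ws-042` reaches the threshold (4 + 3 + 5 = 12), `ws-017` stays at 3, and `noisy_model` is switched off after five out of five hits are marked as false positives, so its sixth alert does not move `srv-1` above 5. A production engine would additionally expire contributions over time; that is deliberately left out here.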
Security Vision UEBA also has a full-fledged correlation rule editor built in, with which rules of any depth and complexity can be created and customised through the product UI.
Display of objects and alarms
The display of all objects and alarms has been redesigned to provide more complete and convenient functionality for analysing and investigating incidents: graphs of object links, automatic enrichment with data from external and internal services, drill-down into each linked object, the original events for an object with their source and all attributes, event dynamics over time, etc. Security Vision UEBA has built-in actions for basic response to received incidents (e.g. via NGFW, active lists, etc.) and for forwarding incidents to SOAR and SIEM systems.
Using the product's API, it is possible to retrieve alarms per object, as well as the suspicious events and alerts behind each object (for example, to enrich incidents in a SOAR with this information).
Extension of capabilities
The Security Vision UEBA product is implemented on the Security Vision 5 platform, which allows Customers to expand its capabilities: creating new monitored objects (including their cards, common views, processing workflows and response scenarios), adjusting or extending the processing of detected alarms, creating new integrations, and adjusting or creating dashboards and reports - all entirely through the graphical constructors embedded in the product UI.