Reduce Security Blind Spots with Interset UEBA and ArcSight Correlation

Join Interset and Micro Focus at Black Hat 2019 to learn how to strengthen threat detection.

In three weeks, the Interset team will join security professionals from around the world at Black Hat 2019 in Las Vegas, Nevada. We are especially eager to showcase how Interset's user and entity behavioral analytics (UEBA) supports a unified, meaningful security operations (SecOps) strategy, and to address a question that has come up often since Interset joined the Micro Focus family: what Interset paired with Micro Focus ArcSight makes possible.

ArcSight Enterprise Security Manager (ESM) is a powerful next-gen security information and event management (SIEM) solution with an 18-year-strong foundation of market leadership. With ArcSight, security operations center (SOC) teams have the most powerful real-time correlation engine available today, which means that instead of sifting through thousands of events, security administrators can identify threats following known attack patterns quickly and efficiently.

Cyber threats evolve continuously, and many cannot be identified from a single event, which makes multi-condition correlation rules a cornerstone of threat detection. Complicating matters further, the events that make up one attack can span hours, days, or weeks and a wide range of distinct data sources. Also important to a well-designed and well-deployed SIEM are “foundational” rules: rules whose firing does not by itself warrant an investigation, but which, combined with additional variables, produce an alert worth triaging.

Interset UEBA applies unsupervised machine learning to large volumes of event data to establish a “unique normal” for each entity in your enterprise, such as users and hosts. This means defining what is normal for one employee versus another, since they may have different working habits and privileges. These baselines make it possible to detect unknown and often hard-to-find threats, such as malicious software and insider threats (whether malicious or simply negligent).

Consider a scenario that we’ve seen one too many times in recent news headlines. Sandra has been unhappy at her job at Company ABC and has decided to offer her resignation. She plans to start a new position at a competitor firm soon. Over the final three weeks of her employment, Sandra decides to steal intellectual property from Company ABC for the benefit of her new employer. During this time, Sandra might:

  • Send emails to her personal email account
  • Access databases and shares that contain high-value information
  • Transfer sensitive data to a USB drive
  • Access Google Drive or Box drives
  • Use desktop archiving tools

ArcSight’s correlation engine can ingest and correlate the event data for each of the behaviors described above and generate alerts worthy of triage based on defined policy rules, including rules that identify employees who are leaving the company or who belong on a watch list as a potential security risk. In this scenario, Interset UEBA would already have established a baseline of what is “normal” for Sandra. For example, how often does she download files from a specific shared drive, and how many files does she usually download from it? Interset would then discern behavior that does not match Sandra’s typical patterns and flag her as a risky user. Specifically, Interset would be able to detect:

  • Rare email destination or size
  • Unusual amount of data taken from a shared drive
  • Unusual amount of data written to a USB
  • Unusual amount of data uploaded to Google Drive
  • Rare use of ‘zip.exe’

In this way, UEBA complements ArcSight’s correlation with analytical functionality that is hard to reproduce with rules alone. In Sandra’s case, the three-week duration of the anomalous behavior and its spread across multiple data sources are difficult to capture with rules alone, because a rule would have to maintain state for every user across that whole window. UEBA powered by unsupervised machine learning instead gives the correlation engine an additional variable, the per-user anomaly score, which lets a SOC analyst zero in on Sandra before looking at employees who also triggered the rules but did not stray outside what is normal for them individually. Conversely, policy and business rules (who has resigned, who is on a watch list) are not something UEBA can learn from a baseline, yet they are important factors in overall risk. In this example, the watch list of departing employees is a critical data point that sharpens the accuracy of UEBA.
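To make the division of labor concrete, here is a small added example (not Interset or ArcSight code) that scores the share-download part of Sandra’s scenario the way the paragraph above describes: a per-user baseline learned from a window of daily totals, an upward-only anomaly score, a fixed-threshold rule of the kind a SIEM would run on its own, and an HR watch list applied as policy context. The log format, the 300 MB threshold, the “10 risk points per sigma” weighting and the watch-list multiplier are all assumptions chosen for illustration; the sample data is constructed. Dave, a heavy but consistent user, trips the static rule every day yet scores low because the volume is normal for him; Priya has resigned but behaves normally and scores zero, because the policy rule boosts a behavioral signal rather than creating one.

```python
"""Per-entity baselining combined with a policy rule.

Added illustration, not Interset or ArcSight code. Field names, thresholds
and weights below are assumptions; the event data is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (day, user, megabytes pulled from the file share that day).
# Days 1-14 are the learning window; day 15 is the day being scored.
# Sandra normally pulls ~20 MB/day, Dave (data engineer) ~600 MB/day, Priya ~10 MB/day.
SHARE_EVENTS = (
    [(d, "sandra", mb) for d, mb in enumerate(
        [20, 22, 18, 21, 19, 20, 23, 17, 20, 21, 19, 22, 18, 20], 1)]
    + [(15, "sandra", 450)]          # her last-weeks exfiltration
    + [(d, "dave", mb) for d, mb in enumerate(
        [600, 620, 580, 610, 590, 605, 615, 595, 600, 610, 585, 620, 590, 580], 1)]
    + [(15, "dave", 620)]            # big, but normal for Dave
    + [(d, "priya", mb) for d, mb in enumerate(
        [10, 11, 9, 10, 10, 11, 9, 10, 10, 11, 9, 10, 10, 10], 1)]
    + [(15, "priya", 10)]            # resigned, but behaving normally
)

# Policy input from HR or the correlation engine: employees who have resigned.
WATCH_LIST = {"sandra", "priya"}

STATIC_THRESHOLD_MB = 300      # a fixed rule a SIEM could run without any baseline
BASELINE_DAYS = range(1, 15)   # learning window used to compute "unique normal"
Z_PER_POINT = 10               # assumed weighting: 1 sigma above baseline = 10 risk points
WATCH_LIST_MULTIPLIER = 1.5    # policy context boosts, but never creates, a risk score


def daily_totals(events):
    """Roll events up to {user: {day: MB}}; several events on one day are summed."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, mb in events:
        totals[user][day] += mb
    return totals


def baseline(user_days, days=BASELINE_DAYS):
    """Per-entity baseline: mean and population std dev over the learning window.
    Days with no activity count as zero so a quiet user's model stays quiet."""
    values = [user_days.get(d, 0) for d in days]
    return mean(values), pstdev(values)


def anomaly_z(value, mu, sigma):
    """Upward-only z-score: exfiltration shows up as more data than usual, never less.
    A perfectly flat baseline (sigma == 0) makes any increase maximally anomalous."""
    if value <= mu:
        return 0.0
    if sigma == 0:
        return float("inf")
    return (value - mu) / sigma


def static_rule_fires(value, threshold=STATIC_THRESHOLD_MB):
    """The rule-only view: did today's volume cross the fixed threshold?"""
    return value > threshold


def risk_score(user, value, mu, sigma, watch_list=WATCH_LIST):
    """Combine the behavioral anomaly with the policy rule into a 0..100 score."""
    behavioural = min(100.0, anomaly_z(value, mu, sigma) * Z_PER_POINT)
    if user in watch_list:
        behavioural *= WATCH_LIST_MULTIPLIER
    return min(100.0, behavioural)


def score_day(events, day, watch_list=WATCH_LIST):
    """Return [(user, risk, z, static_rule_fired)] sorted by descending risk."""
    rows = []
    for user, user_days in daily_totals(events).items():
        mu, sigma = baseline(user_days)
        value = user_days.get(day, 0)
        rows.append((user,
                     risk_score(user, value, mu, sigma, watch_list),
                     anomaly_z(value, mu, sigma),
                     static_rule_fires(value)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for user, risk, z, fired in score_day(SHARE_EVENTS, 15):
        print(f"{user:7s} risk={risk:5.1f} z={z:7.1f} "
              f"static_rule={'FIRED' if fired else '-'}")
```

Running it ranks Sandra first at the maximum score (her 450 MB is hundreds of standard deviations above her own baseline), Dave second with a low score despite tripping the static rule, and Priya last at zero. In a real deployment the same pattern would be applied to each of the other signals in the list above (email destinations and sizes, USB writes, cloud uploads, archiver executions) and the per-signal scores fed to the correlation engine as additional variables.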

Of course, this is just one use case where combining UEBA’s unsupervised machine learning with the policy, business, and operational rules of a powerful correlation engine creates a unique solution for threat detection. A strong SecOps strategy, and with it a proactive security posture, requires a holistic approach that covers many bases. At Black Hat, we’ll be talking with attendees about how UEBA and ArcSight together can energize your threat detection. Make sure to stop by booth #974 to speak with me (or any of our security and data science experts) to learn more.

If you’re unable to make it to the show, feel free to reach out to us to schedule a call to discuss your organization’s security needs.