Empow adds native UEBA functionality to its SIEM

Empow announced it has added native User/Entity Behavior Analytics (UEBA) functionality to its SIEM. With this capability, the empow SIEM now provides detection and response to threats across the entire cyber kill chain.

“User and account activity logs are important inputs for detecting attacks by malicious insiders or external intruders who have successfully compromised user account credentials,” said empow Founder and Chief Technology Officer Avi Chesla.

“So UEBA is mainly useful in the middle and late phases of the cyber kill chain, but not in the earlier stages of the attack. Unusual user behavior is one indicator of an attack, but not the only indicator, and by itself not necessarily sufficient for making a clear actionable decision. empow has developed a complete system that uses artificial intelligence, natural language processing and machine learning – as well as behavioral analytics – digesting security logs, network-flows logs, as well as user and account activity logs, to automatically detect and respond to malicious activity across all phases of the attack life cycle, accurately.”

To gain the benefits of UEBA, organizations have had a choice between integrating standalone UEBA products into their existing SIEM infrastructures, or adding attack detection capabilities (such as those typical of existing SIEMs) to their UEBA products.

Neither of these approaches is effective because rule-based detection systems cannot keep up with the ever-changing threat landscape and miss attacks. These solutions also do not provide automatic response (investigation or mitigation) capabilities.

Empow has developed a new kind of SIEM that uses artificial intelligence, along with machine learning and multiple types of analytics, including behavioral, to detect and respond to attacks.

In the empow solution, UEBA is built into the SIEM at a native level, and the system takes unusual user, entity and account behavior into consideration – along with a number of other factors and indicators – when identifying and validating attacks. This maximizes the effectiveness of the UEBA functionality and improves overall attack detection accuracy.

empow’s native UEBA capabilities deliver several benefits to security teams, including:

• Improved results with no additional investments or tools. UEBA is native to the empow SIEM and broadens the scope of detection and investigation. Customers benefit from optimized response to attacks – without the need to invest additional time, budget or resources.
• Works with existing data sources. empow does not duplicate data and does not force log infrastructure on customers. Instead, it works with existing open source or commercial log infrastructure, such as Elastic and other solutions.
• A wider security scope, still with no rules. empow requires no correlation rules across the entire security and network infrastructure. While some UEBA-based SIEM vendors will claim they do not require rules, that is only true for UEBA data sources. For empow, it is true for all data sources.

“Empow makes our entire security operation better,” said Dannie Combs, senior vice president and chief information security officer for Donnelly Financial Solutions.

“It integrates seamlessly with our existing infrastructure and data sources, detects and stops threats in real time without rules, and drives far greater ROI from our existing security tools. And now, we can add UEBA functionality with no additional product investment or integration work, because it is native to the system. If you drew up the ideal SIEM, this would be it.”

The inclusion of UEBA includes:

• Data ingestion from log and data sources, either directly from the security infrastructure or indirectly (via intermediate log storage and management systems), without requiring the development of parsers for new data sources.
• AI-driven classification of security events, which leverages natural language processing (NLP) on both machine- and human-readable threat intelligence from internal and external sources, to understand the intent behind each event.
• Auto-correlation using cause-and-effect analytics to validate and prioritize attacks, and reveal the complete “attack story” – without requiring static correlation rules.
• Adaptive orchestration using the capabilities of the existing security infrastructure to investigate and mitigate (block) attacks, without requiring scripts.

“My advice to security teams is that if you haven’t already looked at a SIEM-based orchestration tool using inference and NLP for contextual understanding to improve mitigation, then add this task to your list,” writes Edward Amoroso, CEO of TAG Cyber, an advanced cyber security advisory, training and consulting firm focused on enterprise and government CISOs. “And, you would be wise to give the empow team a call.”