Codenotary has announced that it will be extending its immudb technology to store Security Operations Center (SOC) and Security Information and Event Management (SIEM) data with cryptographic verification.
immudb is a decentralized database that uses cryptographic techniques to ensure the integrity and immutability of data. It allows users to store and retrieve data with confidence, knowing that it has not been tampered with. The extension of immudb to SOC and SIEM data will allow organizations to store this critical data in a secure and tamper-proof manner.
Moshe Bar, CEO of Codenotary, the primary contributor to the open source immudb project, said: “It’s important to store logs and events data and know that it can be trusted in six months, one year, or even five years from now, which is essential in the event of a security issue discovery and then audit and forensic analysis to go back in time to understand what happened and when.
From our experience, it’s not uncommon to have enterprise SOC platforms tracking 100,000 events per second or more.”
SOC and SIEM data are crucial for organizations to detect and respond to security threats and incidents. These systems generate vast amounts of data that must be collected, analyzed, and stored in a secure manner. By using immudb to store this data, organizations can have confidence that the data has not been altered or manipulated in any way.
The cryptographic verification provided by immudb is an important security feature for SOC and SIEM data. It allows organizations to verify the authenticity of the data and ensure that it has not been tampered with. This is especially important in the case of incident response, where it is crucial to have accurate and reliable data in order to effectively respond to a security threat.
The use of immudb for SOC and SIEM data also has the added benefit of decentralization. Decentralization means that the data is not stored in a single location, but rather is distributed across a network of nodes. This makes it much more difficult for an attacker to compromise the data, as they would have to attack multiple nodes in order to have any chance of success.
Overall, the extension of immudb to SOC and SIEM data is a significant development for organizations looking to secure their critical data. By using immudb, organizations can store their data with confidence, knowing that it is secure and tamper-proof. This is an important step towards improving the security and reliability of SOC and SIEM systems and will help organizations to better protect themselves against cyber threats.
Delinea released the most recent version of its high-speed vault for DevOps and DevSecOps teams, DevOps Secrets Vault. In an effort to speed up development and increase visibility, the newest Mac computers are now supported for development and automation for improved secret management usability.
Jason Michell, SVP of Engineering at Delinea, said: “The exponential growth of machine identities as applications are modernized and architected as micro-services continues to place organizations at increased risk. Delinea’s ongoing focus on making security seamless for developers is reflected in these recent enhancements, enabling them to use DevOps Secrets Vault to dynamically insert credentials in their code, in line with security best practices.”
For developers using Macs, the release adds support for the M1 chip: developers writing code on the most recent Macs can now use the command line interface (CLI) and the DSV Engine (an agent supporting dynamic database secrets) of DevOps Secrets Vault. Building on its focus on seamless usability, Delinea continues to remove the friction that frequently arises when securing sensitive secrets and credentials, particularly in fast-moving DevOps environments.
Friction for DevOps teams is steadily being reduced. Continuous usability and flexibility improvements are made to both the CLI and the graphical interface, enabling developers to work without interruption in their preferred interface with their preferred tools, and helping businesses lower the risk of credentials being compromised.
New features have been added to both interfaces, including improved support for Security Information and Event Management (SIEM) functionality, an approved Ansible plugin for use with Ansible Automation Hub, and additional authentication methods.
Cyber security measures are rapidly becoming obsolete, and more proficient attackers are now able to circumvent the perimeter defenses used by the majority of organizations. Not long ago, an organization with firewalls, gateways, and other intrusion prevention systems was considered safe. Today’s threat landscape is more complicated than ever, and with rising cyberattacks and data theft the need for better-secured technology is pressing. Traditional ways of keeping corporate systems safe are no longer enough: web gateways, firewalls, intrusion prevention tools, and encrypted connection systems such as VPNs no longer keep organizations safe from intrusion. Sometimes attackers will gain access to systems; when they do, it is crucial to identify them immediately.
The primary focus of User Behavior Analytics (UBA) was data security and fraud detection. UBA, however, needed to mature to deal with the most prominent security threats, and as a result it moved away from pure fraud detection and broadened its scope. The rise of chaos engineering and the evolution of DevSecOps have highlighted the importance of tracking and monitoring all devices connected to a system, as well as monitoring their access controls. Understanding what each entity on an access control list (ACL) represents, including the implicit identities built into a Windows environment, and specifically the difference between the “Everyone” group and “Authenticated Users,” is critical today.
UBA transformed into UEBA
UBA is changed to UEBA, which stands for “User and Entity Behavior Analytics.” According to experts, the “E” in UEBA recognizes that profiles of things other than users are often used to find threats more accurately, in part by comparing the behavior of these other things to the behavior of users. In other words, UEBA software considers user activity as well as controlled and unmanaged endpoints, applications (including cloud-based, mobile, and on-premises apps), networks, and external threats. Using UEBA, you protect against external threats that penetrate the perimeter and existing insider threats, securing your data from the inside out. The value of UEBA is that it prevents hackers or insiders from accessing critical systems. It can spot when this has happened and alert you about the risk.
UBA vs. UEBA
UEBA systems do much more than keep track of what users do. They also keep track of what happens with devices, applications, servers, and data. This technology doesn’t just look at how users behave; it also looks at how entities behave.
UEBA goes a step further, produces more data, and offers more sophisticated reporting options than the original UBA systems.
Traditional UBA and UEBA technologies serve the same purpose, but UEBA systems use more advanced analytics techniques. While UBA was built to track insider threats, UEBA uses machine learning to look for a wider range of anomalous activity linked to more kinds of threats, including advanced threats, even though normal network activity can make such activity hard to see. Enterprises often pair UEBA with Security Information and Event Management (SIEM) technologies to better analyze the data they collect.
UEBA is the right choice!
UEBA can decrease your susceptibility to popular cyberattacks such as phishing, whaling, social engineering, Distributed Denial of Service (DDoS) attacks, malware, and ransomware. UEBA will notify you immediately if any of these assaults are successful.
UEBA tools and processes, instead of replacing earlier monitoring systems, are used to complement them and enhance your company’s overall security posture.
UEBA collects different kinds of data, such as user roles and titles, access, accounts and permissions, user activity, location, and security alerts. This information can be gathered from both the past and the present. The analysis looks at the resources used, the length of sessions, connectivity, and peers’ behavior to compare unusual behavior. It also updates itself when changes are made to the data, such as when permissions or promotions are added.
UEBA and UBA systems do not flag everything out of the ordinary as dangerous. Instead, they weigh the impact of the behavior. Behavior that consumes few resources is given a “minimal impact” rating, while behavior touching sensitive information, such as information that can identify a specific person, receives a higher impact score. While the UBA system automatically limits or makes it harder to authenticate the user whose behavior is out of the ordinary, the impact score lets security teams decide what to focus on first.
The pros and cons of UEBA are:
Need for UEBA!
Behavior analysis systems help marketing teams analyze and predict customer buying patterns. Current user behavior analytics tools have more advanced profiling and monitoring capabilities than SIEM systems. They are used to establish what is normal for the organization and its users and to detect when something isn’t normal. UBA uses big data and machine learning algorithms to analyze these changes in near real time.
Applying user behavior analytics to just one user might not help find malicious activity, but running it at scale can help an organization find malware and other potential cybersecurity threats such as data exfiltration, insider threats, and compromised endpoints.
SIEM systems are the focal point of the IT environment that security analysts are defending. SIEM systems centralize the collecting of security data from all relevant data sources, storing a wealth of information that may be utilized to obtain insight into real-time events and processes.
SIEM (Security Information and Event Management) is a monitoring and analytical system for security and auditing. SIEM technology combines log data, security alerts, and events into a single platform for real-time security monitoring analysis. SIEM is becoming a mainstream security technique because of the recent increase in cyber-attacks, as well as the tighter security requirements that enterprises are forced to follow.
As noted above, SIEM is a security solution that helps enterprises identify potential security threats and vulnerabilities before they disrupt company operations. It detects anomalous user behavior and uses artificial intelligence to automate many of the manual processes associated with threat detection and incident response, and it has become a standard in today’s Security Operation Centers (SOCs) for security and compliance management use cases.
According to InfosecurityOutlook, SIEM has evolved over time into more than the log management systems that came before it. Thanks to AI and machine learning, SIEM now enables advanced user and entity behavior analytics (UEBA). It is a powerful data orchestration solution for dealing with constantly changing risks, as well as regulatory compliance and reporting.
SIEM software gathers log and event data from applications, devices, networks, infrastructure, and systems to do analysis and provide a comprehensive perspective of an organization’s information technology (IT).
The following are some of the key components of the SIEM solution:
• Open and scalable architecture: Ability to consolidate data from multiple systems, including on-premises, cloud, and mobile, into a single entity.
• Real-time visualization tools: Tools that assist security teams in visualizing linked security events to appropriately depict threat incidents.
• Big Storage: Capability to collect and manage massive, complicated data sets for indexing and organized and unstructured search.
• User and entity behavior analytics (UEBA): A solution for tracking behavioral changes in user data and detecting anomalies when patterns deviate from “normal.”
• SOAR (security orchestration, automation, and response): Technology that automates routine, manual analyst operations throughout the incident response workflow to boost operational efficiency.
These solutions can be installed on-premises or in the cloud. SIEM applies rules and statistical correlations to all data in real time to produce actionable information during forensic investigations. The technology evaluates all data and categorizes threat behavior by risk level to help security teams promptly identify malicious actors and mitigate cyber-attacks.
SIEM is being implemented by organisations to protect their environments and to comply with an increasing number of compliance types. The next logical step once a company has accepted the necessity for SIEM is to design the technological implementation.
UEBA technologies use analytics to construct standard profiles and behaviours for users and entities (servers, routers) across an enterprise over a period of time. This is referred to as “baselining”. Activity that differs from these baselines is flagged as suspicious by the UEBA technology, and analytics applied to these anomalies help in the discovery of possible risks and security incidents.
When buying a UEBA solution, the following points must be considered:
Data Sources – The UEBA solution must support various data sources.
A SIEM is a data gathering point for a wide range of security data from users’ directories, logs, and other security solutions. Over other data sources, SIEM information has the advantage of being readily available to put into a security solution.
Endpoint data is collected by a smaller number of security vendors; most collect it directly from an existing endpoint agent or from a SIEM. Endpoint data reveals user behaviour related to application, network, and cloud activity, which makes it an important data source.
Two more data sources are critical for security analysis, notably the log data from major enterprise software such as SAP and Oracle. Gathering this information provides more insight into cyberattacks on organizational operations and financial information.
Machine Learning and Behavioral Analysis
A security analytics solution’s purpose is to swiftly detect threats across the company, particularly those that are often undetected by conventional methods. Behavioural analytics establishes a distinct baseline for each entity in the company; entities include users and accounts, machines, applications, data, and other digital assets, and observed activity is linked to them. As entities engage in anomalous activities, probabilistic approaches measure how irregular an occurrence is by computing an appropriate risk score. Machine learning algorithms therefore play a key role in identifying cyber threats: they define the baseline for behaviour and perform the behavioural analysis. Hence, companies should look for UEBA vendors with highly efficient and accurate machine learning algorithms.
Incident Response and Investigations
In incident response, the purpose of UEBA is to clearly identify and present a threat, together with possible responses to the incident. UEBA gives a security team actionable information about the issue so that it can be contained before data is compromised. Firms should therefore look for vendors who present incident information with high-quality detail and visual graphs, and should assess what investigation and incident response options each vendor provides.
Ease of Use
Complex user interfaces have hampered security products in the past. Most fail to show comprehensively where the biggest risk is and what the nature of that risk is. Typically, a tool’s dashboard displays change over time and some events, such as a potentially dangerous IP address or malware fingerprint, and these tools require rigorous training to master. Hence, companies should look for a UEBA solution with a user-friendly interface and customization options.
Performance and Scalability
The UEBA solution should be scalable. Security analysis covers all of the firm’s endpoints across different sources, including customers and vendors, which results in billions of processes per month and heavy storage use. The UEBA solution must be designed to cope with this scale. In addition, it must be able to scale up and down quickly and handle data in real time as business requirements change.
Use Cases
The major use case for UEBA solutions is the identification of multiple types of threats, accomplished through analysis of correlated user and other entity behaviour. Examples include monitoring for unauthorized data access, suspicious privileged user behaviour, and generally improving detection processes. However, non-IT and non-security data sources are frequently required, as with analytics models that detect fraud; these models learn from use-case-based data, so better use cases increase threat detection accuracy. Companies should therefore look for UEBA solutions with rich, high-quality use cases and analytical models.
Cost and Support
It’s important to look into the type of assistance a particular vendor offers. Comprehensive technical support is often an optional extra that can dramatically increase implementation expenses. Because UEBA products have an end-of-life policy, after which the vendor no longer supports them, the cost and number of software upgrades must also be considered. The cost of UEBA varies with the features, the power of the analytics, and the size and capabilities of the network. What is the maximum amount a company is willing to spend? Is the business concerned about ROI? The second step after selecting a UEBA product is to implement and support it. To be effective, UEBA must be administered by dedicated trained staff or added to the responsibilities of professional staff. There are disparities in cost and in the level of service assistance.
LogPoint, a worldwide cybersecurity innovator, has announced the acquisition of SecBI, a disruptor in automated cyber threat detection and response based in Tel Aviv. LogPoint’s capabilities will be enhanced by the addition of playbook-based automation that improves cyber threat detection and response. SecBI’s universal SOAR and XDR platform will integrate seamlessly with LogPoint, supporting the company’s objective to transform clients’ cyber resiliency through innovation by simplifying the complex work of security operations.
“Combining SecBI with LogPoint SIEM and UEBA will immediately drive tremendous value to our current and future customers. As organizations large and small face the most critical cyber threats, security teams need solutions that will help them be more effective and efficient in protecting their organization. This integration will allow customers to quickly launch automated notifications and security remediations using our full-native SOAR capabilities. This is a major step forward in delivering our XDR-enabled operations platform giving our partners and customers one of the most innovative, intuitive, and proven solutions available,” said Jesper Zerlang, LogPoint CEO.
LogPoint will continue to move toward overcoming the complex cybersecurity concerns that SOCs confront today with the quick integration of SecBI SOAR and XDR technology. Clients will be able to remove false positives and automate incident response as a result of the acquisition. These comprehensive, complementary platforms will work together to automate repetitive tasks, coordinate threat remediation workflows, and autonomously analyze, prioritize, and execute playbooks, allowing analysts to focus on genuine threats and better secure enterprises.
“We are excited to join LogPoint and integrate seamlessly to further extend the company’s foundational cybersecurity solution. With the inclusion of the SecBI technology, LogPoint takes automation to the next level to address the challenges organizations and cybersecurity analysts are facing in responding rapidly to an exponentially rising number of incidents,” said Gilad Peleg, SecBI CEO.
“The combination of LogPoint technology with SecBI XDR and SOAR, creates an end-to-end cybersecurity powerhouse that has exactly the right combination of technology, human capital, and growth potential. Merging Israeli cybersecurity expertise into the international LogPoint organization entails a huge potential for customers across the globe. We look forward to working with Jesper and his team to build a category leader,” said Yoav Tzruya, General Partner at Jerusalem Venture Partners.
The term UEBA was introduced by the research firm Gartner. UEBA solutions combine the following three factors:
• Use cases: UEBA solutions give information on how employees, clients, and other entities in the organization’s network behave. They perform activities such as anomaly identification, alerting, and tracking. In contrast to traditional single-use-case specialized tools, UEBA tools are applicable to multiple use cases.
• Data: UEBA collects real-time event data in structured and unstructured form from user and entity activities, either directly or through an existing IT repository. This enriched data must be machine-readable.
• Analytics: UEBA solutions use analytics for user-focused data exploration and visualization, applying machine learning (ML) and statistical models that compare users’ and entities’ activities against their baseline profiles to detect anomalies.
UEBA Solution Benefits – UEBA Solutions consider both internal and external threats of an organization when creating new policies and rules. When the attack pattern is unknown (zero-day attack), or if the attack enters laterally by changing credentials, IP addresses in an enterprise, traditional security tools struggle to identify a compromised insider. UEBA solutions can detect these attacks because attackers force compromised users or entities to behave differently than defined rules or baseline.
In most cases, UEBA solutions are delivered as a cloud-based service, on-premises, or sometimes both. UEBA vendors often require companies to install appliances for network traffic monitoring. The vendor’s approach and design should be flexible enough to meet the organization’s current and future needs. It takes a month or more to create baselines, profiles, and classes of users and entities.
UEBA solutions prioritize alerts by determining which users show anomalous behaviour compared with known baselines. A single slightly unusual incident does not trigger a security alarm; the system needs several indicators of suspicious behaviour before it alerts. This reduces the number of alerts, saves the investigating team’s time, and lets security analysts find real security issues more quickly.
UEBA’s application in IoT: UEBA can play a vital role in managing the security risk of the Internet of Things (IoT). Businesses deploy huge numbers of internet-connected devices, often with few security measures in place. Attackers can compromise IoT devices and use them to steal information or to launch attacks on other companies, such as DDoS attacks, causing significant financial losses. UEBA can monitor a large number of connected devices for an enterprise, create baselines for similar devices, and detect when a device deviates from its normal behavior.
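The baselining, impact weighting and multi-indicator alerting described across this article (standard profiles per entity, a higher score for sensitive assets, and no alarm on a single slightly unusual event) can be shown end to end in a small model. The code below is an added illustration and not any vendor's UEBA product: per-user baselines are built from constructed historical sessions (usual hours, usual hosts, outbound byte volume), each new session is scored by counting the indicators it trips, the score is doubled for hosts marked as sensitive, and an alert fires only when the weighted score reaches a threshold. The field names, the three indicators, the z-score cutoff of 3 and the threshold of 3.0 are assumptions chosen for the example.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    hour: int          # local hour of day (0-23) the session started
    host: str          # host the user connected to
    bytes_out: int     # bytes sent out during the session
    sensitive: bool    # host holds regulated or high-impact data (assumed label)


class Baseline:
    """Normal profile for one entity, learned from its past sessions."""

    def __init__(self, sessions):
        self.hours = {s.hour for s in sessions}
        self.hosts = {s.host for s in sessions}
        volumes = [s.bytes_out for s in sessions]
        self.mean = statistics.mean(volumes)
        # pstdev is 0.0 for a single observation; avoid a divide-by-zero.
        self.stdev = statistics.pstdev(volumes) or 1.0


def build_baselines(history):
    per_user = defaultdict(list)
    for s in history:
        per_user[s.user].append(s)
    return {user: Baseline(sessions) for user, sessions in per_user.items()}


def score(session, baseline):
    """Return (indicators tripped, weighted risk score)."""
    indicators = []
    if session.hour not in baseline.hours:
        indicators.append("unusual_hour")
    if session.host not in baseline.hosts:
        indicators.append("new_host")
    z = (session.bytes_out - baseline.mean) / baseline.stdev
    if z > 3.0:
        indicators.append("volume_spike")
    weight = 2.0 if session.sensitive else 1.0  # impact weighting
    return indicators, len(indicators) * weight


ALERT_THRESHOLD = 3.0  # assumed: one ordinary anomaly alone never alerts


def evaluate(sessions, baselines):
    """Return a list of (user, indicators, risk) that crossed the threshold."""
    alerts = []
    for s in sessions:
        baseline = baselines.get(s.user)
        if baseline is None:
            # No profile at all is itself worth an analyst's attention.
            alerts.append((s.user, ["unknown_entity"], ALERT_THRESHOLD))
            continue
        indicators, risk = score(s, baseline)
        if risk >= ALERT_THRESHOLD:
            alerts.append((s.user, indicators, risk))
    return alerts


# Constructed training history (not real data): alice works 9-17 on two hosts,
# bob mostly reads the wiki with small transfers.
HISTORY = [
    Session("alice", 9, "fileshare", 52000, False),
    Session("alice", 10, "crm", 61000, False),
    Session("alice", 14, "fileshare", 58000, False),
    Session("alice", 16, "crm", 64000, False),
    Session("alice", 11, "fileshare", 55000, False),
    Session("alice", 17, "crm", 60000, False),
    Session("bob", 9, "wiki", 20000, False),
    Session("bob", 13, "wiki", 22000, False),
    Session("bob", 15, "crm", 21000, False),
    Session("bob", 10, "wiki", 19000, False),
]

# Constructed sessions to evaluate.
NEW_SESSIONS = [
    Session("alice", 10, "fileshare", 59000, False),   # normal
    Session("alice", 3, "fileshare", 60000, False),    # one odd hour: no alert
    Session("alice", 3, "hr-db", 400000, True),        # three indicators, sensitive
    Session("bob", 22, "printserver", 21000, False),   # two indicators, low impact
    Session("bob", 22, "hr-db", 21000, True),          # same two, sensitive host
    Session("mallory", 12, "wiki", 1000, False),       # no baseline exists
]


if __name__ == "__main__":
    for alert in evaluate(NEW_SESSIONS, build_baselines(HISTORY)):
        print(alert)
```

Running it yields three alerts: alice's off-hours bulk read from a new sensitive host, bob's off-hours visit to the sensitive host, and the unknown account. Bob's identical behaviour against a low-impact host and alice's single odd-hour login stay below the threshold, which is the noise reduction the article describes.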
Advanced analytics in UEBA solutions: data integration lets UEBA solutions compare data from various sources. UEBA solutions apply statistical models, with the help of machine learning, to data gathered from those sources in order to build deep behavioural profiles and identify sensitive changes in a user’s activity. The use of unstructured data for unsupervised learning is a major advantage. Data presentation is used to present findings to security analysts in a comprehensible way.
Use cases: the uniqueness of its use cases separates a UEBA solution from other tools. UEBA solutions build use cases for domains such as malicious insiders, incident prioritization, compromised insiders, identity and privileged access management, data exfiltration, and more. These pre-defined use cases are available with one click from cloud storage, which enables quick deployment.