Large Government Agency

Introducing UEBA baselines with ArcSight Intelligence

This organization reviewed their security requirements and looked for a platform to incorporate running advanced and customized correlations on their security events. The security team already leveraged ESM and Logger to analyze over 15,000 events per second (EPS). They added additional features to this solid program foundation as custom use cases were uncovered. The Security Analyst explains: “We have a wide variety of data sources: active directory, VPNs, firewalls, web proxies, IPS, Windows data, etc. Visibility into our user and entity behaviors is key for us. We also wanted to connect this directly with our incident response processes so that clear action can be taken as soon as an issue is identified.”

Building baselines in User and Entity Behavior Analytics (UEBA) establishes current user behavior and assigns a risk score to any deviations to determine if they are within an acceptable range. Having enjoyed the benefits of ArcSight, the team was excited to be introduced to Intelligence, designed to differentiate between unusual behavior and real threats by using mathematical probability and unsupervised machine learning to more accurately identify the most suspicious entities.

Increased visibility and MITRE ATT&CK alignment

Introducing the ArcSight suite solution gives the organization the granularity required. It also enables them to ingest Incidences of Concern (IoC) data from all relevant data sources and has aligned them to the MITRE ATT&CK framework. This knowledge base is used as a foundation for the development of specific threat models and methodologies.

We plan to further expand and build our SecOps program with ArcSight to mature our threat hunting abilities.