
Security Vision UEBA

Product
The name of the base system (platform): Security Vision Specialized platform for automating information security processes
Developers: GC Intelligent Security (Security Vision Brand)
Date of the premiere of the system: 2023/04/28
Last Release Date: 2024/04/03
Technology: Information Security - Information Leakage Prevention, Information Security - Fraud Detection System, Information Security - Security Information and Event Management (SIEM)


2024

Security Vision UEBA Overview

Security Vision UEBA automatically builds normal behavior profiles for users, devices and systems by analyzing a variety of data, including network traffic, application logs and system events. The system detects deviations from the established norms with machine learning algorithms and combines the results of several models, which increases detection accuracy and reduces the number of false positives.

Security Vision UEBA with Anomaly Detection

On April 4, 2024, Security Vision announced the release of an updated version of the Security Vision UEBA product.


According to the company, Security Vision UEBA automatically builds typical behavior models for infrastructure objects (users, accounts, devices, processes, etc.) by analyzing raw data flows (network traffic, logs from proxy and mail servers, Windows/Linux servers and workstations, etc.), detects deviations from them and provides flexible tools for analysis, investigation and response. The most significant updates include the following:

Anomaly Detection

Anomaly Detection expands the ability to detect anomalies in the corporate infrastructure by applying a large number of different models and methods of Machine Learning, stacking the results of individual models and combining the resulting events into incidents for further investigation.

ML models

The updated version of Security Vision UEBA has expanded the set of ML models used. The following models apply:

  • supervised models that recognize the patterns of real attacks (trained on various attacks and malicious activities: DDoS, botnets, C&C, etc.),
  • unsupervised models that search for anomalies in network traffic and host events, including neural networks (RNNs among them),
  • models for detecting process masquerading, etc.

All models run on the customer's infrastructure; no data has to be sent "to the cloud." The architecture and the models themselves are optimized so that infrastructure requirements are minimal and no specialized hardware is needed. All ML model parameters can be tuned through the UI, and custom models can be added.

Minimizing false positives

Particular emphasis is placed on orchestrating the ML models and minimizing false-positive (FP) triggers. Mechanisms have been developed to monitor model behavior automatically and to disable a model that produces a large number of FPs. Security Vision UEBA also retrains the models automatically and regularly on the customer's data so that they adapt to the infrastructure, its data flows and changes in the data. Supervised models are retrained as well: the datasets of typical attacks and malicious activities they use are automatically combined with, and projected onto, data about the customer's infrastructure obtained from processed events. Model parameters are selected automatically: during training Security Vision UEBA chooses the hyperparameters itself to achieve the best detection result with the fewest FPs.

Statistical methods automatically accumulate statistics on parameters and on volume, frequency and count indicators for hosts, processes, command lines, named pipes and many other characteristics, kept separately for each observation object. This also significantly reduces the FP rate, and the user can flexibly adjust weights through the UI and add or modify rules.
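As an added illustration of the per-object statistical profiling described above (this is example code written for this page, not Security Vision's implementation): each (object, metric) pair keeps its own running mean and standard deviation (Welford's online algorithm), a verdict is only issued once enough history has been seen, and a value further than k standard deviations from the profile is reported. The warm-up period, the spread floor and the decision not to feed anomalies back into the profile are the FP-reducing choices a practitioner would want; the metric name, hosts and daily volumes below are constructed sample data.

```python
from dataclasses import dataclass, field
from math import sqrt


@dataclass
class RunningStats:
    """Welford's online mean/variance for one metric of one observation object."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def stddev(self) -> float:
        return sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


@dataclass
class Baseline:
    """Per-(object, metric) behavior profile with a z-score deviation check."""
    min_samples: int = 7          # warm-up: no verdicts until enough history exists
    k_sigma: float = 3.0          # deviation threshold in standard deviations
    stats: dict = field(default_factory=dict)

    def observe(self, obj: str, metric: str, value: float):
        st = self.stats.setdefault((obj, metric), RunningStats())
        verdict = None
        if st.n >= self.min_samples:
            # Floor the spread at 5% of the mean so a nearly flat history does not
            # turn every small fluctuation into a "3-sigma" anomaly.
            sd = max(st.stddev, 0.05 * abs(st.mean), 1e-9)
            z = (value - st.mean) / sd
            if abs(z) > self.k_sigma:
                verdict = {"object": obj, "metric": metric, "value": value,
                           "baseline": round(st.mean, 3), "z": round(z, 1)}
        if verdict is None:
            # Only normal observations feed the profile, so one spike cannot
            # widen the baseline and hide the next spike.
            st.update(value)
        return verdict


# Constructed sample: daily outbound volume in GB per host (hypothetical, not real telemetry).
SAMPLE = [
    ("srv-db-01", "out_gb", v) for v in (1.0, 1.2, 1.1, 1.3, 0.9, 1.1, 1.2, 1.0, 9.5, 1.1)
] + [
    ("ws-ivanov", "out_gb", v) for v in (0.2, 0.3, 0.2, 4.0)   # spike during warm-up: no verdict
]


def run_demo(sample=SAMPLE) -> list:
    """Feed the sample through one Baseline and return the verdicts it produced."""
    base = Baseline()
    return [v for obj, metric, val in sample if (v := base.observe(obj, metric, val))]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Only the 9.5 GB day on srv-db-01 is reported; the 4.0 GB spike on ws-ivanov is swallowed because that host has fewer than min_samples observations, which is exactly the kind of trade-off a configurable weight or threshold in the UI would let an analyst tune.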

Correlation rules

The basic set of correlation rules shipped with the boxed solution has been expanded. Security Vision experts have developed correlation rules that find suspicious actions in network traffic and proxy server flows and identify suspicious events on hosts. These alerts are combined with the triggers of the statistics and ML engines, which gives a more complete picture of a suspicious object's actions: each correlation rule trigger carries its own weight (depending on criticality), the weights are summed with those of events from the other observation sources, and when the total exceeds the threshold an incident can be created.

Security Vision UEBA also includes a full-fledged correlation rule editor with which rules of any depth and complexity can be configured through the product UI.

Displaying Objects and Detections

The display of all objects and detections has been redesigned to give more complete and convenient functionality for analyzing and investigating the resulting incidents: object link graphs, automatic enrichment with data from external and internal services, drill-down into each linked object, the original events for an object with their source and all attributes, the dynamics of event arrival, etc. Security Vision UEBA has built-in actions for basic response to incidents (for example, via NGFW, active lists, etc.) and for sending incidents to SOAR and SIEM systems.

Through the product API you can retrieve samples per object and receive the suspicious events and alerts for each object (for example, to enrich incidents in SOAR with this information).

Extensibility

Security Vision UEBA is implemented on the Security Vision 5 platform, which lets users extend it: create new observation objects (including their cards, general views, processing workflows and response scenarios), adjust or extend the handling of identified detections, build new integrations, and adjust or create dashboards and reports, all entirely through the graphical designers built into the product UI.

Compatibility with NGFW "Continent 4"

The Continent 4 next-generation firewall (NGFW) from Security Code and the Security Vision products Threat Intelligence Platform (TIP), User and Entity Behavior Analysis (UEBA), Security Orchestration, Automation and Response (SOAR) and Next Generation SOAR (NG SOAR) passed comprehensive testing that confirmed their compatibility. Security Vision announced this on March 21, 2024.

2023: Security Vision UEBA on Security Vision 5 platform

On April 28, 2023, Security Vision announced the release of updated versions of UEBA and Anomaly Detection products on the Security Vision 5 platform.


According to the company, Security Vision UEBA automatically builds typical behavior models of infrastructure objects (users, accounts, devices, processes, etc.) and finds deviations from them by analyzing raw data flows: network traffic and logs from proxy servers, mail servers, Windows/Linux servers and workstations.

Security Vision Anomaly Detection expands the ability to detect anomalies in the corporate infrastructure by applying a large number of different models and methods of Machine Learning, stacking the results of individual models and combining the resulting events into incidents for further investigation.

The most significant Security Vision UEBA capabilities:

Integration with DataSources

Security Vision UEBA provides customized connectors for obtaining, normalizing and analyzing raw data from all popular SIEM systems (MaxPatrol SIEM, RuSIEM, NEURODAT SIEM, KUMA SIEM, Pangeo RADAR, ArcSight, Splunk, QRadar, etc.), can receive events in universal formats (CEF, LEEF, etc.), and has connectors to NGFW and network devices (Cisco, Check Point, Palo Alto, Juniper, etc.), proxy servers (Squid, Blue Coat) and data lakes (Kafka, Elasticsearch), as well as collecting logs directly from Windows/Linux servers and workstations.

Integration designers built into the platform allow additional integrations with any other data sources to be implemented quickly in no-code mode over a large number of protocols, and include a graphical designer for normalizing the received data.
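The CEF format mentioned above is one of the "universal" inputs such a product has to normalize before any profiling can start. The parser below is an added example for this page, not Security Vision's connector code: it splits the seven pipe-delimited header fields while honoring the `\|` and `\\` escapes, parses the space-separated `key=value` extension (values may contain spaces, and `\=` is an escaped equals sign), and then maps the result onto a flat record keyed by the observation object. The vendor, product, signature ID and the `to_observation` field names are constructed for the example.

```python
import re

HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
# A key starts at the beginning of the extension or after whitespace; an escaped
# "\=" inside a value does not match because the backslash breaks the pattern.
_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


def _split_header(line: str):
    """Return the seven header fields (escapes resolved) and the raw extension string."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # "\|" -> "|", "\\" -> "\"
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < len(HEADER):
        raise ValueError("malformed CEF header: fewer than 7 fields")
    return fields, line[i:]


def _parse_extension(ext: str) -> dict:
    """Parse key=value pairs; a value runs until the next ' key=' token."""
    ext, out = ext.strip(), {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = (raw.replace("\\=", "=").replace("\\n", "\n")
                              .replace("\\r", "\r").replace("\\\\", "\\"))
    return out


def parse_cef(line: str) -> dict:
    """Parse one CEF line into header fields plus an 'ext' dict of extension keys."""
    fields, ext = _split_header(line)
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = dict(zip(HEADER, fields))
    event["cef_version"] = fields[0][len("CEF:"):]
    sev = event["severity"]
    event["severity"] = int(sev) if sev.isdigit() else sev
    event["ext"] = _parse_extension(ext)
    return event


def to_observation(event: dict) -> dict:
    """Map a parsed event onto a constructed flat schema keyed by the observation object."""
    ext = event["ext"]
    return {
        "object": ext.get("suser") or ext.get("src"),   # prefer the account, else the source host
        "peer": ext.get("dst"),
        "port": int(ext["dpt"]) if ext.get("dpt", "").isdigit() else None,
        "action": ext.get("act"),
        "severity": event["severity"],
        "signature": f'{event["device_vendor"]}/{event["device_product"]}:{event["signature_id"]}',
    }


# Constructed sample line (hypothetical vendor and signature, not a real product's output).
SAMPLE_LINE = ("CEF:0|ExampleVendor|ExampleNGFW|4.1|1001|Outbound DNS to external resolver \\| rule 7|5|"
               "src=10.1.2.3 dst=8.8.8.8 dpt=53 proto=UDP suser=ivanov "
               "cs1Label=policy cs1=deny\\=all msg=DNS query to external resolver act=block")

if __name__ == "__main__":
    print(to_observation(parse_cef(SAMPLE_LINE)))
```

Two details are worth checking against any real feed: some senders do not escape `|` in the name field, which shifts every later header field by one, and some put unescaped `key=value` text inside `msg`, which this (and most) extension parsers will split on. A normalizer should reject or quarantine such lines rather than silently profiling the wrong object.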

Customizable Rules and Analytics Engine

Several dozen built-in rules are available for statistical analysis of various parameters of user, account, host and process activity, as well as traffic volume indicators, number of connections, etc. The product lets you flexibly extend and customize the analysis rules and configure whether each is active, its score and the threshold at which it influences the creation of the final incident.

A full-fledged correlation rule engine is also built into the platform, with which rules of any depth and complexity can be configured. Sigma rules and typical correlation rules, for example, are included in the product delivery.

Incidents and response

All detected deviations are automatically grouped by the triggering object. When the configured thresholds are exceeded, the system generates an incident that contains all detailed information about the incident object, related objects and all detected anomalous events.
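The weighted scoring model that both the 2024 correlation-rules update and the incident paragraph above describe (per-rule weights, summed across the correlation, statistics and ML engines for one object, incident on threshold) is shown below as an added example written for this page, not as Security Vision's own logic. It also applies the two FP controls the page mentions elsewhere: deduplication of identical triggers and a whitelist of exceptions. The rule names, weights, hosts, threshold and window size are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trigger:
    ts: int        # epoch seconds
    obj: str       # observation object: host, account, process ...
    engine: str    # "correlation", "stats" or "ml"
    rule: str
    weight: int    # criticality weight assigned to this rule


def build_incidents(triggers, threshold=100, window=3600, whitelist=frozenset()):
    """Sum rule weights per object inside a sliding time window; open an incident at threshold."""
    seen, uniq = set(), []
    for t in sorted(triggers, key=lambda t: t.ts):
        if (t.obj, t.rule) in whitelist:           # configured exception for this object/rule
            continue
        key = (t.ts, t.obj, t.engine, t.rule)
        if key in seen:                             # deduplicate repeated identical triggers
            continue
        seen.add(key)
        uniq.append(t)

    per_obj = defaultdict(list)
    for t in uniq:
        per_obj[t.obj].append(t)

    incidents = []
    for obj, items in per_obj.items():
        active = []                                 # triggers inside the current window
        for t in items:
            active = [a for a in active if t.ts - a.ts <= window] + [t]
            score = sum(a.weight for a in active)
            if score >= threshold:
                incidents.append({"object": obj, "score": score,
                                  "first_ts": active[0].ts, "last_ts": t.ts,
                                  "triggers": [(a.engine, a.rule) for a in active]})
                active = []                         # start a fresh window after an incident
    return incidents


# Constructed sample triggers (hypothetical rule names and weights).
SAMPLE = [
    Trigger(0,    "srv-app-02",    "correlation", "proxy_rare_user_agent", 30),
    Trigger(600,  "srv-app-02",    "stats",       "outbound_gb_zscore",    40),
    Trigger(600,  "srv-app-02",    "stats",       "outbound_gb_zscore",    40),   # duplicate
    Trigger(1200, "srv-app-02",    "ml",          "beaconing_candidate",   50),
    Trigger(0,    "ws-petrov",     "correlation", "proxy_rare_user_agent", 30),
    Trigger(5000, "ws-petrov",     "stats",       "outbound_gb_zscore",    40),   # outside window
    Trigger(100,  "srv-backup-01", "correlation", "smb_mass_read",         90),   # whitelisted
    Trigger(200,  "srv-backup-01", "stats",       "outbound_gb_zscore",    40),
]
WHITELIST = frozenset({("srv-backup-01", "smb_mass_read")})   # backup server reads SMB by design


def run_demo() -> list:
    return build_incidents(SAMPLE, whitelist=WHITELIST)


if __name__ == "__main__":
    for inc in run_demo():
        print(inc)
```

Only srv-app-02 crosses the threshold: three distinct engines contributed 30 + 40 + 50 inside one hour, the duplicate statistics trigger was not counted twice, ws-petrov's two triggers fell outside the window, and the backup server's whitelisted rule never entered the sum.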

Automated incident-handling actions are configured in the product: sending to IRP/SOAR systems, sending to SIEM, adding to a SIEM Active List, adding to NGFW block lists, blocking in the directory service, etc. The user can adjust which actions are performed, run them automatically or manually, and control their visibility on the incident card. Incident alerts are managed in the same way.

The system automatically creates separate objects for all associated incident attributes (devices, accounts, etc.). For each object, the collection and enrichment of additional data from the customer's infrastructure or from external analytical services is automatically launched. The data collection and enrichment process is controlled by the system settings.

To work with identified incidents and related objects, the product implements built-in workflows that manage the incident lifecycle, enrichment, and allow you to perform actions. The workflow designer built into the platform allows users to customize the required response process and configure interaction with external systems.

The platform has the flexibility to create and configure additional actions to respond, collect and enrich both the incident received and all associated customer infrastructure or external systems.

Visualization and Reporting

In the incident card, all identified events on the object are displayed in the form of Timeline in compliance with the chronology of their occurrence. A large number of links to related objects (devices, accounts, processes, etc.) allows you to switch to their cards for additional data and analysis.

Additionally, all related objects and attributes are displayed as a graph that allows you to build links between incident objects and quickly switch to detailed information on them. The user can add additional actions to the graph to respond, enrich with data, or build additional links.

General views and dashboards show summary information on all identified objects, ranked by the calculated score. Drill-down shows the details of each analysis group.

For each object, the system can export reports containing all detailed information about the identified detections and violating objects. Summary reports for a period can be exported manually or received on a schedule through various channels: by e-mail, Telegram, etc.

The reporting and dashboard designer built into the platform allows users to independently customize the required reporting and visualization of data in no-code mode without using any external products and tools.

The most significant features of Security Vision Anomaly Detection:

  • In addition to all the capabilities above, the user receives a large number of pre-configured and trained machine learning models that extend detection of anomalous and suspicious actions in the corporate infrastructure that correlation rules and standard security controls do not catch.
  • The product uses various ML techniques: models trained on datasets of botnet activity, malware, DDoS attacks, etc.; unsupervised models that automatically approximate activity and detect deviations in various combinations of parameters; neural networks that take into account the sequence of events and their relationships, etc. The resulting detections are automatically processed, grouped into event sets and deduplicated.
  • The models used in the product are automatically and regularly retrained on customer data, adapting to the infrastructure, network, technical and user activity. Both manual and automatic selection of model parameters is used to improve the quality of detections.
  • The product has built-in whitelists for configuring exceptions. Models also take false-positive detections into account during subsequent retraining.