XDR, EDR, XSOAR, SIEM, UEBA Flashcards
What does UEBA stand for?
User and Entity Behavior Analysis
What is UEBA?
security analytics approach that focuses on detecting and analyzing abnormal or suspicious behavior exhibited by users and entities within an organization’s network or system
What does UEBA combine to establish baseline behavior patterns of users and entities (devices, applications, servers, …) within an organization’s environment?
- machine learning
- statistical analysis
- behavioral modeling
What is the benefit of combining UEBA with SIEM?
organizations can correlate behavioral anomalies with other security events and log data, providing a more comprehensive view of potential threats
What are the three parts of UEBA?
- use cases - establishes what the normal behavior is
- data sources - defines what to capture and what to watch for
- analytics - machine learning and AI compare the normal behavior to the current behavior of the entities in order to catch anything suspicious
What does SOAR stand for?
Security Orchestration, Automation, and Response
What is SOAR?
framework that combines security orchestration, security automation, and incident response into a unified approach
What is the goal of SOAR?
improve the efficiency and effectiveness of security operations by automating repetitive tasks, orchestrating security processes, and enabling faster incident response and remediation
What tasks are included in security automation in terms of SOAR? (8)
Stop and think
- Threat Intelligence Gathering and Enrichment - automatically collecting and aggregating threat intelligence from various sources
- Alert Triage and Prioritization - analyzing and filtering security alerts to identify false positives and prioritize real threats
- Incident Response and Remediation - executing predefined response procedures for common types of incidents
- Workflow and Process Automation - automating routine tasks and workflows to streamline security operations
- Vulnerability Management - automatically applying security policies across the network
- Phishing Response - automating the analysis and response to reported phishing emails
- Threat Hunting - automating the search for indicators of compromise or suspicious activities within the network
- Case Management - automatically generating incident reports and maintaining case logs
In terms of purpose and focus, what are the differences between SIEM and SOAR?
- SIEM systems
  - primarily designed to collect, correlate, and analyze security event logs and data from various sources
  - real-time monitoring, threat detection, and incident response capabilities
- SOAR platforms
  - focus on automating and orchestrating security processes, including incident response, vulnerability management, and security operations
What does EDR stand for?
Endpoint Detection and Response (EDR)
What’s the goal of EDR?
detect abuses that are potentially more advanced than what can be detected by traditional antivirus or HIDSs, while optimizing the response time of incident response, discarding false positives, implementing blocking for advanced threats, and protecting against multiple threats occurring simultaneously and via various threat vectors
What’s Managed Detection and Response (MDR)?
cybersecurity service model in which an external company or Managed Security Service Provider (MSSP) is responsible for monitoring an organization’s IT environment, detecting security threats and incidents, and responding to them on behalf of the organization
What’s EDR?
- evolution of traditional antimalware products
- seeks to detect, record, evaluate, and respond to suspicious activities and events, which may be caused by problematic software or by valid and invalid users
- natural extension of continuous monitoring, focusing on both the endpoint device itself and network communications reaching the local interface
- some EDR solutions employ an on-device analysis engine whereas others report events back to a central analysis server or to a cloud solution
What are common features of EDR solutions?
- auditing a device for common vulnerabilities
- proactively monitoring a device for suspicious activity such as unauthorized logins, brute-force attacks, or privilege escalations
- visualizing complex data and events into neat and trendy graphs
- recording a device’s normal operating behaviour to help with detecting anomalies
What are the two basic log source types that SIEM handles?
- Host-Centric Log Sources
- Network-Centric Log Sources
What are the key features provided by SIEM?
- correlation between events from different log sources
- provide visibility on both Host-centric and Network-centric activities
- search through the logs
- real-time log ingestion
- alerting against abnormal activities
- protection against the latest threats through early detection
- hunt for threats that are not detected by the rules in place
What are the different ways that SIEMs handle log ingestion from clients?
- Agent / Forwarder
  - lightweight tool called an agent that gets installed on the endpoint
  - configured to capture all the important logs and send them to the SIEM server
- Direct Event Log Collection
  - using Windows native event forwarding
- Syslog
  - collects data from various systems like web servers, databases, etc., which send real-time data to the centralized destination
- Manual Upload
  - users can ingest offline data for quick analysis
- Port-Forwarding
  - the SIEM listens on a certain port, and the endpoints forward the data to the SIEM instance on the listening port
What are the responsibilities of SOC analysts?
- monitoring and investigating
- identifying false positives
- tuning rules which are causing the noise or false positives
- reporting and compliance
- identifying blind spots in the network visibility and covering them
How does SIEM look for unwanted behavior or suspicious patterns within the logs?
with the help of the conditions set in the rules by the analysts
What are correlation rules in SIEM?
logical expressions set to be triggered under certain conditions
- if a user gets 5 failed login attempts in 10 seconds, raise an alert for Multiple Failed Login Attempts
- if a login is successful after multiple failed login attempts, raise an alert for Successful Login After Multiple Failed Login Attempts
What are some of the actions that are performed after an analysis in SIEM?
- Alert is False Alarm
  - may require tuning the rule to avoid similar false positives from occurring again
- Alert is True Positive
  - perform further investigation
  - contact the asset owner to inquire about the activity
- Suspicious Activity Is Confirmed
  - isolate the infected host
  - block the suspicious IP
What are some of the most common and popular SOAR solutions?
- Splunk Phantom
- IBM Security Resilient
- Palo Alto Networks Cortex XSOAR
- Rapid7 InsightConnect
- Siemplify (now part of Google Cloud)
What is a playbook in SOAR?
a set of predefined procedures and workflows designed to automate and orchestrate the response to cybersecurity incidents