Large Government Agency

ArcSight suite provides full visibility for faster threat response through User and Entity Behavior Analytics


Outcomes

  • Faster threat response with fully incorporated incident response processes and procedures
  • Alignment with MITRE ATT&CK framework matures threat hunting ability
  • Ingest IoC data from all relevant data sources

Challenge

Add UEBA capabilities to an already solid security program in order to gain more visibility into individual user behaviors.

Details

Introducing UEBA baselines with ArcSight Intelligence

This organization reviewed its security requirements and looked for a platform that could run advanced, customized correlations on its security events. The security team already used ESM and Logger to analyze over 15,000 events per second (EPS), and added features to this foundation as custom use cases were uncovered. The Security Analyst explains: “We have a wide variety of data sources: Active Directory, VPNs, firewalls, web proxies, IPS, Windows data, etc. Visibility into our user and entity behaviors is key for us. We also wanted to connect this directly with our incident response processes so that clear action can be taken as soon as an issue is identified.”

Building baselines in User and Entity Behavior Analytics (UEBA) establishes current user behavior and assigns a risk score to any deviations to determine if they are within an acceptable range. Having enjoyed the benefits of ArcSight, the team was excited to be introduced to Intelligence, designed to differentiate between unusual behavior and real threats by using mathematical probability and unsupervised machine learning to more accurately identify the most suspicious entities.
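The baseline-and-deviation idea in the paragraph above, as an added example in plain Python (not ArcSight Intelligence's own code or algorithm; the product is described as using probability and unsupervised machine learning, whereas this toy uses a robust statistic). It assumes a hypothetical scoring rule: for each user and feature, the baseline is the median of the user's daily values over a history window, the spread is the median absolute deviation (MAD, floored so a perfectly regular history never divides by zero), and a new day's deviation in MAD units is mapped onto a 0 to 100 risk score. The history and the "today" observations are constructed sample data, and `MAD_FLOOR`, `SCORE_PER_MAD` and `RISK_THRESHOLD` are assumed tuning values.

```python
"""Toy UEBA baseline and deviation scoring over constructed daily login data.

Added example, not ArcSight's or the agency's code. Scoring rule is assumed:
median baseline, floored-MAD spread, deviation in MAD units -> 0-100 risk.
"""
from statistics import median
from typing import Dict, List, Tuple

FEATURES = ("logins", "hosts")   # daily login count, distinct hosts touched
MAD_FLOOR = 1.0                  # assumed minimum spread, in feature units
SCORE_PER_MAD = 20               # assumed: 5 MADs of deviation saturates at 100
RISK_THRESHOLD = 70              # assumed cut-off for the "acceptable range"

# Constructed 14-day history per user: one (logins, hosts) pair per day.
HISTORY: Dict[str, List[Tuple[int, int]]] = {
    "alice": [(9, 2), (10, 3), (11, 2), (10, 2), (9, 3), (12, 2), (10, 3),
              (11, 2), (9, 2), (10, 3), (12, 2), (11, 2), (10, 3), (10, 2)],
    "bob":   [(4, 1), (3, 1), (5, 1), (4, 1), (4, 1), (3, 1), (5, 1),
              (4, 1), (4, 1), (3, 1), (4, 1), (5, 1), (4, 1), (4, 1)],
}

# Constructed observations for the day being scored; "dave" has no history.
TODAY: Dict[str, Tuple[int, int]] = {"alice": (11, 3), "bob": (40, 9), "dave": (2, 1)}

Baseline = Dict[str, Tuple[float, float]]   # feature -> (median, floored MAD)


def build_baselines(history: Dict[str, List[Tuple[int, int]]]) -> Dict[str, Baseline]:
    """Learn (median, floored MAD) per feature for every user in the history."""
    baselines: Dict[str, Baseline] = {}
    for user, days in history.items():
        per_feature: Baseline = {}
        for i, name in enumerate(FEATURES):
            values = [day[i] for day in days]
            med = median(values)
            mad = median([abs(v - med) for v in values])
            # Floor the spread: a user whose history never varies would
            # otherwise turn any change at all into an infinite deviation.
            per_feature[name] = (med, max(mad, MAD_FLOOR))
        baselines[user] = per_feature
    return baselines


def risk_score(baseline: Baseline, observed: Tuple[int, int]) -> Tuple[int, str]:
    """Score one day's (logins, hosts) against a user's baseline.

    Returns (score, feature): the 0-100 score of the most deviant feature and
    its name. Taking the maximum rather than the mean keeps one strongly
    anomalous feature from being diluted by the others looking normal.
    """
    worst_score, worst_feature = 0, FEATURES[0]
    for i, name in enumerate(FEATURES):
        med, spread = baseline[name]
        deviation = abs(observed[i] - med) / spread        # in MAD units
        score = min(100, round(deviation * SCORE_PER_MAD))
        if score > worst_score:
            worst_score, worst_feature = score, name
    return worst_score, worst_feature


def score_day(baselines: Dict[str, Baseline],
              observations: Dict[str, Tuple[int, int]],
              threshold: int = RISK_THRESHOLD) -> Dict[str, dict]:
    """Score every observed user; a user with no baseline is surfaced as such
    instead of being silently compared against nothing."""
    results: Dict[str, dict] = {}
    for user, observed in observations.items():
        if user not in baselines:
            results[user] = {"score": None, "flagged": True, "reason": "no baseline"}
            continue
        score, feature = risk_score(baselines[user], observed)
        flagged = score >= threshold
        results[user] = {
            "score": score,
            "flagged": flagged,
            "reason": f"{feature} deviates from baseline" if flagged else "within acceptable range",
        }
    return results


if __name__ == "__main__":
    for user, result in score_day(build_baselines(HISTORY), TODAY).items():
        print(f"{user:6} score={result['score']!s:>4} flagged={result['flagged']} ({result['reason']})")
```

Two choices matter more than the arithmetic. The spread is floored, so a user with a perfectly regular history still needs a real change before being flagged, rather than any change at all; and a user absent from the history is reported as "no baseline" and left for an analyst, since scoring such a user against nothing would silently produce either a meaningless zero or a meaningless alert.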

Increased visibility and MITRE ATT&CK alignment

Introducing the ArcSight suite gives the organization the granularity it required. It also enables the team to ingest Incidences of Concern (IoC) data from all relevant data sources and to align that data with the MITRE ATT&CK framework. This knowledge base serves as the foundation for developing specific threat models and methodologies.

“We plan to further expand and build our SecOps program with ArcSight to mature our threat hunting abilities.”

Security Analyst, Large Government Agency
