Preempt Blog

The latest insights and advice to keep your company protected from insider threats and breaches

How to Get Quick Time to Value with UEBA / Behavioral Firewalls [Part 4 – Blog Series]

This is part 4 of an ongoing series of posts that answer “A Closer Look Inside UEBA: Top 5 FAQs.”  In our last post in the series, we talked about the benefits of UEBA solutions. This week let’s take a look at the question that is on the mind of every budget-minded and busy security professional:UEBA/Behavior Firewall Quick Time Value

How quickly can I be up and running with advanced UEBA and how quickly will it provide value or ROI?

In today’s security environment, these are perhaps the most important questions. Even though many organizations have dedicated more budget to find ways to better secure their organization, the reality is that regardless of how much more budget they have, the large majority of security teams are overwhelmed. Taking on a new project may not be feasible if the time involved in implementation is too lengthy or complicated. With security now a board-level discussion, showing quick value is an important part of the equation.

The great news about advanced UEBA is that it doesn’t need to be a science project. It can be very straight forward and easy to implement and an organization can get a very quick time to value. Preempt customers see measurable value in less than a week.

Getting Started

UEBA has been around for a while and different solutions have different deployment methods. There are different integrations and data preparation tasks required to realize the best results from a machine learning perspective while monitoring user behavior. In some cases preparing data and creating rules in advance of a traditional UEBA deployment can be a time consuming and arduous task which can greatly impact time to value before the product has even been deployed.

Today’s advanced UEBA solutions that are doing both detection and prevention can be installed rather quickly and don’t have the data preparation requirements of traditional UEBA. And by quickly, we’re talking about a few hours for the vast majority of enterprises.

How is a Behavioral Firewall Installed?

Behavioral Firewalls are deployed on the network. They are typically deployed as a proxy in front of the domain controllers throughout the network with single centralized management. This allows for easy deployment in remote locations as well for further scalability and coverage.

For those hesitant to deploy in-line when getting started, a Behavioral Firewall can also deploy in passive sniffer mode and reconfigured for proxy mode at a later date. There is an advantage of the prevention-side in that it can also leverage response mechanisms such as Multi-Factor Authentication (like Duo, RSA, etc.), real-time blocking, and isolation capabilities based on enterprise policies. For those enterprises without the security personnel to respond to every threat, this is a great way to get very far, very quickly without disrupting the business process.

The Behavioral Firewall can also integrate with other data sources, like SIEM, threat intelligence, etc to further enrich behavioral analysis but they are not requirements. For smaller enterprises without a SIEM, this is a key advantage.

Once deployed, it takes about 2-3 weeks to learn the behavior of all of the users, entities, and servers throughout your network and establish a baseline. As we discussed in the third part of this blog series on “the Benefits of UEBA,” Behavioral Firewalls have the ability to automatically respond to threats based on a variety of risk factors. The specific responses are based on customized policies. Out-of-the-box policies based on security best practices will deliver value on day one.

Each organization may want to add or adjust policies based upon its organization and environment in order to further enable the business. Customizing policies is very straight-forward and the advantage of a Behavioral Firewall is that over time, the policy automatically adapts on a per user-basis to automatically integrate their changing behavior (like change in role, projects, location, etc.).

Quick Time to Value

Once the Behavioral Firewall has done a behavioral baseline of all of the users and entities, organizations will see a very quick time to value. Here are a few areas that deliver a big bang for the buck.

Immediate Identification of Risks

Once the Behavioral Firewall has completed its learning of users and entities it provides visibility into many areas that an organization can quickly and proactively improve in order to reduce their attack surface and overall risk. It can identify stale accounts, users with weak passwords, detailed insights into privileged user accounts, and more. Information that took weeks to gather is now available in real-time.

Reduced False Positives

The automated responses of a Behavioral Firewall can significantly reduce the number of false positives that a security team wastes time following upon. By verifying identity and allowing legitimate transactions to occur, enterprises keep the business process moving and that data can then be fed back into the behavioral analysis so that it can continue to adjust baselines and keep the security team aware of only the most important incidents for investigation.

Speed up Investigations

Easy to use dashboards help security analysts make quick sense of the data and have deep visibility into what users are doing which can help speed up larger investigations. One enterprise deploying Behavioral Firewalls found they were able to gather all relevant breach information in a matter of minutes as opposed to hours.

These are just a few of the ways enterprises are gaining quick value with advanced UEBA / Behavioral Firewall solutions. Another significant area not to be missed is around the operational efficiency benefits that security teams gain by having a Behavioral Firewall. For overloaded security teams, this can make a big difference on a daily basis.  In the final blog of this series we dive into this area in more detail as well as answer the question:

What does it take to manage advanced UEBA and how can it make my security team more efficient and not more overwhelmed?”



Topics: Behavioral Firewall, CISO, ueba,

Posted by Preempt on November 4, 2016 8:10 AM


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More


What State-Sponsored Attacks Can Teach Us About Conditional Access

People often think that state-sponsored attacks from groups like Lazarus...

Read More


A Simplified Approach to Network Segmentation

Network segmentation has long been one of the most valuable tools for protecting ...

Read More


10 Things You Need to Know About Kerberos

As our research team continues to find vulnerabilities in Microsoft that bypass all major

Read More


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More