FCSS_ADA_AR-6.7 FortiSIEM Baseline and UEBA

FortiSIEM Baseline and UEBA Detailed Explanation

This section covers two powerful features in FortiSIEM: Baselines and UEBA (User and Entity Behavior Analytics). These tools help detect security incidents by analyzing normal behavior patterns and flagging deviations.

Baseline

Definition:

• A baseline is like a "normal behavior template" for your system.
• It represents how your network, users, and devices usually behave under normal circumstances, such as:
  • Typical traffic levels.
  • Standard resource usage (CPU, memory, etc.).
  • Usual user activity, such as login times and file access patterns.

Purpose of a Baseline:

1. Identify Deviations:

   • Once you have a baseline, any activity that looks significantly different (e.g., a sudden traffic spike) can be flagged as a potential issue.
   • Example: If your network usually sees 100 MB of data transfer per hour but suddenly handles 1 GB, it could indicate a data breach.

2. Detect Advanced Persistent Threats (APTs):

   • APTs are stealthy attacks that unfold over time and avoid triggering simple rules.
   • By tracking small deviations from the baseline, you can spot APTs early.

Steps to Build a Baseline:

1. Collect Data:

   • Monitor your system during normal operations.
   • Gather data from logs, network traffic, resource usage, and user activity.

2. Establish the Baseline:

   • Use the collected data to create a statistical model of typical system behavior.
   • This might involve tracking:
     • Average login attempts per user per day.
     • Normal bandwidth usage for specific devices.

3. Continuously Update:

   • Systems change over time (e.g., new employees, updated software).
   • Continuously adjust the baseline to reflect these changes, ensuring it stays accurate.

4. Define Thresholds:

   • Set limits for acceptable deviations.
   • Example: If a user typically downloads 50 files a day, flag them if they suddenly download 500 files.

UEBA (User and Entity Behavior Analytics)

Functionality:

• UEBA analyzes the behavior of users (humans) and entities (devices, applications) to detect suspicious activity.
• It uses machine learning to understand what "normal behavior" looks like and automatically flags unusual patterns.

Key Capabilities of UEBA:

1. Behavioral Pattern Learning:

   • Tracks and learns the regular behavior of users and devices based on historical data.
   • Example: UEBA might notice that an employee usually logs in between 9 AM and 5 PM. If they log in at 2 AM, it could raise an alert.

2. Anomaly Detection:

   • Identifies unusual activities that deviate from learned patterns.
   • Example: If a server suddenly sends data to an unknown IP address, UEBA can flag this as abnormal.

3. Risk Scoring:

   • Assigns a risk score to anomalous behavior based on its severity.
   • Example:
     • Logging in from an unusual location might score low risk.
     • Transferring sensitive files after the unusual login might escalate the score to high risk.

UEBA Configuration Steps:

1. Enable UEBA Features:

   • Make sure UEBA is turned on in FortiSIEM.
   • Connect proper data sources, such as user activity logs and device traffic logs.

2. Define Thresholds:

   • Decide what level of deviation should trigger an alert.
   • Example: A user accessing 10 times their usual number of files could trigger an anomaly.

3. Adjust Models Dynamically:

   • Baseline and behavior models should be updated regularly to reflect changes in the environment, such as:
     • A new team member joining.
     • A system upgrade that changes normal traffic patterns.

Analogy for Simpler Understanding

Think of baselines and UEBA like tracking someone’s daily routine:

• Baseline:
  You notice your friend always leaves for work at 8 AM, stops for coffee at 8:15, and arrives at the office by 9 AM. If one day they’re at the coffee shop at 3 AM, you’d think, “That’s unusual.”

• UEBA:
  If your friend also starts visiting an unknown place after the coffee shop and their phone sends messages to unknown numbers, UEBA assigns a risk score and flags this behavior as suspicious.

How They Work Together

1. Baseline sets the foundation by defining "normal behavior."
2. UEBA builds on this by analyzing ongoing activities and detecting abnormalities.
3. Together, they provide a proactive way to detect security incidents, even those that traditional rules might miss.

Summary

1. Baseline:

   • Tracks normal system behavior to detect deviations.
   • Helps spot sudden changes and subtle threats like APTs.

2. UEBA:

   • Analyzes user and device activities using machine learning.
   • Identifies anomalies, assigns risk scores, and prioritizes responses.

3. Steps to Success:

   • Collect accurate data.
   • Continuously update baselines and UEBA models.
   • Define clear thresholds for identifying risky behavior.

FortiSIEM Baseline and UEBA (Additional Content)

1. False Positives vs. False Negatives in FortiSIEM Baseline and UEBA

False Positives (Incorrectly Flagged Anomalies)

• Definition: A false positive occurs when FortiSIEM’s UEBA or baseline detection incorrectly identifies normal behavior as suspicious.
• Common Causes:
  • New Employee Behavior: A newly hired employee may have different login times and access patterns, which UEBA may misclassify as suspicious.
  • System Updates and Maintenance Activities: Large data transfers during backups or patch updates may trigger anomaly detection.
  • Overly Sensitive Thresholds: If a baseline is too strict (e.g., "raise an alert if a user accesses more than 10 files per day"), normal workload variations can trigger false positives.

False Negatives (Missed Threats)

• Definition: A false negative occurs when FortiSIEM fails to detect an actual security threat because it does not deviate enough from the established baseline.
• Common Causes:
  • Slow and Low Attacks: Attackers may exfiltrate data in small increments over time, staying within normal behavioral thresholds.
  • Account Takeover with Legitimate Credentials: If an attacker gains access to valid credentials and behaves similarly to the legitimate user, UEBA may not flag the activity.
  • Lack of Contextual Awareness: If UEBA operates in isolation without correlating different security signals (e.g., combining endpoint activity with login anomalies), it may fail to detect multi-stage attacks.

Optimization Strategies

1. Correlation Analysis in FortiSIEM

• Instead of relying solely on baselines, FortiSIEM can correlate multiple factors before raising an alert.
• Example:
  • A failed login attempt from an unusual location alone may not trigger an alert.
  • However, multiple failed logins, followed by successful access and large file transfers, could indicate an account takeover attempt.
• By correlating events across different security layers, FortiSIEM can reduce false positives while improving detection accuracy.

2. Dynamic Risk Score Thresholds

• Static risk scores may fail to adapt to organizational changes or new attack techniques.
• Solution: Implement dynamic risk scoring:
  • If a user's behavior slowly shifts over time (e.g., changing working hours), FortiSIEM should adjust baselines automatically instead of flagging it as an anomaly.
  • UEBA can analyze multiple user behaviors together to avoid false positives caused by single-event anomalies.

2. Role of Baseline and UEBA in a Security Operations Center (SOC)

How SOC Teams Utilize Baseline and UEBA

• Prioritization of Threats

  • UEBA helps SOC teams focus on high-risk security incidents by assigning risk scores to user activities.
  • Instead of investigating every login attempt manually, analysts can prioritize the most critical alerts, such as:
    • Anomalous login patterns combined with unusual data access.
    • A privileged user suddenly executing commands they have never used before.

• Reducing Alert Fatigue with Baselines

  • Challenge: SOC analysts receive a high volume of security alerts, many of which are low-priority.
  • Solution: Use baseline deviations to filter out low-risk events.
    • Example:
      • A user logging in from a new IP is a low-risk anomaly.
      • A user logging in from a new IP and immediately downloading hundreds of files is a high-risk anomaly that SOC should prioritize.

• Fine-Tuning Incident Response Strategies

  • Baseline deviations can be used to create adaptive alert policies:
    • If a user’s access pattern changes gradually over time, FortiSIEM can increase the alert threshold, avoiding unnecessary alarms.
    • If a system suddenly deviates significantly from its baseline behavior, it can trigger immediate response actions.

• Automated Threat Hunting

  • Instead of waiting for alerts, SOC teams can proactively investigate trends in behavioral analytics.
  • Example:
    • If multiple employees suddenly start accessing financial data they don’t normally interact with, this could indicate internal reconnaissance.

3. How FortiSIEM Integrates with Other Fortinet Products

FortiGate + FortiSIEM: Network Security Integration

• Why It’s Important:
  • FortiGate is Fortinet’s Next-Generation Firewall (NGFW), capable of detecting and blocking malicious traffic.
  • FortiSIEM can correlate firewall logs with UEBA insights to detect more sophisticated threats.
• Integration Benefits:
  • FortiSIEM can detect policy violations in firewall logs (e.g., unauthorized access attempts to restricted servers).
  • If FortiSIEM detects an anomaly via UEBA, it can trigger FortiGate to block a suspicious IP or segment network traffic.

FortiAnalyzer + FortiSIEM: Advanced Log Analysis

• Why It’s Important:
  • FortiAnalyzer is designed for centralized log storage, compliance reporting, and forensic investigation.
  • FortiSIEM can leverage FortiAnalyzer’s long-term log storage to improve historical behavioral analysis.
• Integration Benefits:
  • Retrospective Threat Analysis: FortiSIEM can analyze historical logs from FortiAnalyzer to detect long-term attack campaigns.
  • Compliance Reporting: Security teams can automate regulatory reports by integrating FortiSIEM’s behavior analytics with FortiAnalyzer’s audit logs.

FortiEDR + FortiSIEM: Endpoint Security & UEBA

• Why It’s Important:
  • FortiEDR provides real-time endpoint protection against fileless malware, ransomware, and advanced persistent threats (APTs).
  • FortiSIEM’s UEBA module can analyze endpoint behavior patterns to detect anomalies in user activity.
• Integration Benefits:
  • Endpoint-Centric Behavior Analytics:
    • If FortiEDR detects an endpoint executing suspicious PowerShell commands, FortiSIEM’s UEBA can correlate this with abnormal user logins.
    • This combination improves the detection of compromised accounts.
  • Automated Response via FortiSOAR:
    • If an endpoint exhibits high-risk behavior, FortiSIEM can trigger FortiSOAR to isolate the compromised device automatically.

Conclusion

1. False Positives & False Negatives

• False positives can be reduced using correlation analysis and risk score adjustments.
• False negatives can be minimized by integrating UEBA with network and endpoint data.

2. Baseline & UEBA in SOC Operations

• SOC teams rely on UEBA-generated high-risk alerts to prioritize investigations.
• Baselines help filter out non-critical events, reducing alert fatigue.

3. FortiSIEM’s Integration with Fortinet Products

• FortiGate enhances network security visibility.
• FortiAnalyzer provides long-term forensic insights.
• FortiEDR strengthens endpoint behavior analysis.