Understanding Forcepoint UEBA’s new Entity Timeline

Forcepoint UEBA's new Entity Timeline is already starting to provide tremendous value for identifying anomalous and risky user activity. The Entity Timeline was created by our designers, data scientists, and engineers in close collaboration with customers and prospects who have struggled with other timeline visualizations on large data sets and were looking for a better approach to easily and effectively understanding analytic results on user activity over time.  From a technical perspective, the purpose of the Entity Timeline is to show results for a single entity in a 24-hour period and to highlight what that entity was doing that caused him or her to score in a particular way for a given use case or analytic scenario. From a user value perspective, we are fundamentally changing the way security analysts can consume and interact with a UEBA platform to efficiently understand risk, investigate the risk presented, and then take action based on the findings.

I want to highlight some of the unique capabilities of the Entity Timeline in the Forcepoint UEBA product and why this approach is fundamentally different:

• Ability to Rapidly Pivot Timeline Between Risk Scenarios. Forcepoint UEBA analyzes user activity across a variety of risk scenarios – Data Exfiltration, Misconduct Behavior, Compromised User, to name a few. The new Entity Timeline allows systems user to easily pivot between risk scenarios for a given entity and see the corresponding user activity contributing to their scenarios and overall risk calculations. We know that a single risk score for an entity does not accurately reflect the complexity of human behavior. Enabling an analyst to pivot between risk scenarios aligns more closely with actual entity activity that could present risk. The Entity Timeline is truly at the forefront of Forcepoint's Human Point approach to security.
• Intuitive Drilldown from Scenario Risk Scores to Contributing Activity. Our design and data science teams worked in close collaboration with end users to ensure that we are providing the optimal views into all levels of analytic results and underlying data to enable system users to quickly make decisions. Enabling an analyst to efficiently triage and investigate anomalous activity at multiple levels of analysis – from aggregation of user activity over time to individual events identify as risky or anomalous – is also fundamental to Forcepoint UEBA's overall approach to workflow.
• Ability to Handle and Visualize Diverse Datasets. Many timeline visualizations look great in a demo environment but quickly breakdown in real-world, production deployments where the volume, variety and velocity of data can be messy. A core tenant in the design and development of the Forcepoint UEBA Entity Timeline is the ability to provide actionable results in any deployment – without binding customers to strict rules around data volume, variety and velocity. Since its inception, our platform has been differentiated by the ability to handle a variety of data types – structured and unstructured – and we continue to build this core differentiator into every new feature.
• Transparency and Understandability of Analytic Results. When it comes to analyzing human-generated data and producing risk calculations, we firmly believe analytic results must be explainable. A black box approach to identifying anomalous and risky user behavior makes remediation challenging. The Forcepoint UEBA Entity Timeline introduces numerous concepts to help system users understand the analytic results they are viewing – from our new approach to concisely summarizing event information to explaining analytic results for each period of the timeline. We want to ensure analysts not only have a holistic picture of entity activity but also an understandable set of results.

These are a few of the unique capabilities that we are introducing on the Forcepoint UEBA's new Entity Timeline. For more on how these capabilities can help you, visit our Forcepoint UEBA to schedule a demo.