LogRhythm - User behavior analytics
Uploaded by executive-leaders-network. Category: Technology.
Transcript of LogRhythm - User behavior analytics
‹#› | Company Confidential
Discover hidden threats with User Behaviour Analytics (UBA)
Andrew Hollister, Technical Director, EMEA
User Behavior Analytics (UBA)
Detect and respond to:
1. Insider Threats: before data is stolen or fraud is perpetrated
2. Compromised Accounts: before more systems are compromised and data is stolen
3. Privileged Account Abuse: before sensitive data is accessed or operations are impacted
[Diagram: Users and Entities]
1. Insider Threats
Challenges:
1. Trusted users
2. Access to data
3. Users may be persuaded, coerced or bribed
Insider Threats
Problem / Solution:
Suspicious Movement: Detect abnormal behavior & access requests
Access to Sensitive Materials: Monitor sensitive directories & files
Data Exfiltration: Detect information movement
[Attack lifecycle diagram, stages: Reconnaissance & Planning, Initial Compromise, Command & Control, Lateral Movement, Target Attainment (Exfiltration, Corruption, Disruption)]
2. Compromised Accounts
Challenges:
1. Who is the user?
2. What is normal?
3. What did the real user do?
Compromised Accounts
Problem / Solution:
Spear-Phishing Emails: Detect emails with suspicious addresses or attachments
Abnormal Behavior: Detect abnormal account behavior
Compromised Hosts: Identify malware process startup
Lateral Movement & Brute Force: Detect account sweeps and repeated authentication attempts
Access to Sensitive Materials: Monitor sensitive files, directories and applications
Data Exfiltration: Detect information movement
[Attack lifecycle diagram, stages: Reconnaissance & Planning, Initial Compromise, Command & Control, Lateral Movement, Target Attainment (Exfiltration, Corruption, Disruption)]
3. Privileged Account Abuse
Challenges:
1. Highly trusted user
2. Highly privileged user
3. Knowledge and means
Privileged Account Abuse
Problem / Solution:
Credential Misuse: Detect inappropriate use of admin credentials
Suspicious Administrator Behavior: Identify anomalous behavior like excessive file activity
Temporary Account Creation: Monitor and detect account creation, access, and deletion
Privilege Escalation: Monitor when admins add privileges to their account
Access to Sensitive Materials: Monitor sensitive files, directories and applications
[Attack lifecycle diagram, stages: Reconnaissance & Planning, Initial Compromise, Command & Control, Lateral Movement, Target Attainment (Exfiltration, Corruption, Disruption)]
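The slides name the detections but not how they are evaluated. The following is an added example, not LogRhythm's code or anything from the deck, showing rule-based checks for three of them run over a constructed audit trail: account sweeps and repeated authentication attempts (from the Compromised Accounts slide), and temporary account creation and self-granted privilege escalation (from the Privileged Account Abuse slide). The pipe-delimited log format, the event names, the sample records, the thresholds and the helper names are all assumptions made for the example; only the Windows group names in PRIVILEGED_GROUPS are real.

```python
"""Rule-based checks for detections named on the slides: account sweeps and
brute-force authentication, temporary account lifecycle, and an admin adding
privileges to their own account. Example code added to this transcript, not
LogRhythm's implementation; log format, event names and records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp|event|subject|target|source_ip|detail
# ("subject" is the account performing the action, "-" when not applicable).
SAMPLE_LOG = """\
2024-03-01T09:00:01|logon_failed|-|alice|10.0.0.5|
2024-03-01T09:00:02|logon_failed|-|bob|10.0.0.5|
2024-03-01T09:00:03|logon_failed|-|carol|10.0.0.5|
2024-03-01T09:00:04|logon_failed|-|dave|10.0.0.5|
2024-03-01T09:00:05|logon_failed|-|erin|10.0.0.5|
2024-03-01T09:00:06|logon_failed|-|frank|10.0.0.5|
2024-03-01T09:10:00|logon_failed|-|alice|10.0.0.9|
2024-03-01T09:10:01|logon_failed|-|alice|10.0.0.9|
2024-03-01T09:10:02|logon_failed|-|alice|10.0.0.9|
2024-03-01T09:10:03|logon_failed|-|alice|10.0.0.9|
2024-03-01T09:10:04|logon_failed|-|alice|10.0.0.9|
2024-03-01T09:10:05|logon_failed|-|alice|10.0.0.9|
2024-03-01T09:10:06|logon_success|-|alice|10.0.0.9|
2024-03-01T10:00:00|account_created|admin1|tmp-user|10.0.0.20|
2024-03-01T10:05:00|logon_success|-|tmp-user|10.0.0.21|
2024-03-01T10:40:00|account_deleted|admin1|tmp-user|10.0.0.20|
2024-03-01T11:00:00|group_member_added|admin2|bob|10.0.0.30|Domain Admins
2024-03-01T11:01:00|group_member_added|admin2|admin2|10.0.0.30|Domain Admins
"""

# Real built-in Windows group names, used as the "privileged" set for the example.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def parse(log_text):
    """Turn the constructed log into a time-ordered list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, subject, target, ip, detail = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "subject": subject, "target": target, "ip": ip, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def detect_auth_abuse(events, window=timedelta(minutes=5), sweep_accounts=5, brute_attempts=6):
    """Account sweep: one source fails against many distinct accounts inside the window.
    Brute force: one source fails repeatedly against one account; the alert also records
    whether that source later logged on successfully to the same account."""
    failures = defaultdict(list)
    successes = {(e["ip"], e["target"]) for e in events if e["event"] == "logon_success"}
    for e in events:
        if e["event"] == "logon_failed":
            failures[e["ip"]].append((e["ts"], e["target"]))
    alerts = []
    for ip, attempts in failures.items():
        for i, (start, _) in enumerate(attempts):
            targets = [t for ts, t in attempts[i:] if ts - start <= window]
            distinct = set(targets)
            if len(distinct) >= sweep_accounts:
                alerts.append(("account_sweep", ip, len(distinct)))
                break
            if len(targets) >= brute_attempts and len(distinct) == 1:
                alerts.append(("brute_force", ip, targets[0], (ip, targets[0]) in successes))
                break
    return alerts


def detect_temporary_accounts(events, max_lifetime=timedelta(hours=24)):
    """Account created, optionally used, and deleted again within max_lifetime."""
    created, used, alerts = {}, set(), []
    for e in events:
        if e["event"] == "account_created":
            created[e["target"]] = (e["ts"], e["subject"])
        elif e["event"] == "logon_success" and e["target"] in created:
            used.add(e["target"])
        elif e["event"] == "account_deleted" and e["target"] in created:
            t0, creator = created.pop(e["target"])
            if e["ts"] - t0 <= max_lifetime:
                alerts.append(("temporary_account", e["target"], creator, e["target"] in used))
    return alerts


def detect_self_escalation(events):
    """An admin adding their own account to a privileged group."""
    return [("self_privilege_escalation", e["subject"], e["detail"])
            for e in events
            if e["event"] == "group_member_added"
            and e["subject"] == e["target"] and e["detail"] in PRIVILEGED_GROUPS]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in detect_auth_abuse(evs) + detect_temporary_accounts(evs) + detect_self_escalation(evs):
        print(alert)
```

The sweep and brute-force rules share one sliding window per source address and stop at the first hit so a single burst raises a single alert; the brute-force alert carries a flag for a subsequent successful logon, which is the case that turns a noisy event into a likely compromised account. The temporary-account rule keys on the target account across create, use and delete events, so the creator is reported even when the logon itself carries no subject.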
Holistic Behavior Analysis
[Diagram: attribute categories feeding Holistic Threat Detection]
User: Identity, Access, Privilege
Network: Connection, Direction, Content, Volume
Endpoint: Process, Access, File Activity
Application: Access, Transactions, Errors, Behavior
External Context: Threat Intelligence, IP Reputation, Geolocation
Internal Context: Business Value, Asset Classification, Risk Rating, Vulnerability
Holistic Threat Detection
Behavior is recognized at the intersection of multiple attributes, not on a single attribute; UBA is one of those attributes.
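To make the "intersection of multiple attributes" point concrete, the following added example (not LogRhythm's scoring engine and not from the deck) learns what is normal for one user from a constructed history, flags each attribute category from the diagram separately, and only produces a score when at least two categories deviate together, weighted by the asset classification from the internal-context category. The user history, the weights, the threshold, the threat-intelligence list and all function names are assumptions made for the example.

```python
"""Multi-attribute behaviour scoring: a baseline per user, one deviation flag per
attribute category, and a score only when several categories deviate at once.
Example code added to this transcript, not LogRhythm's scoring; history, weights,
thresholds and the threat-intelligence list are constructed."""
from statistics import mean, pstdev

# Constructed history for one user: (hour_of_day, country, asset_class, bytes_out)
HISTORY = {
    "alice": [(9, "GB", "internal", 2_000_000), (10, "GB", "internal", 1_500_000),
              (14, "GB", "internal", 2_500_000), (16, "GB", "internal", 1_800_000),
              (11, "GB", "confidential", 300_000)],
}
# Internal context: business value / asset classification weights (constructed).
ASSET_WEIGHT = {"public": 0.5, "internal": 1.0, "confidential": 2.0, "restricted": 3.0}
# External context: a constructed threat-intelligence list of bad source addresses.
BAD_IPS = {"198.51.100.7"}


def baseline(records):
    """What is 'normal' for this user, learned from history."""
    hours = [r[0] for r in records]
    volumes = [r[3] for r in records]
    return {"hours": (min(hours), max(hours)),
            "countries": {r[1] for r in records},
            "assets": {r[2] for r in records},
            "vol_mean": mean(volumes),
            "vol_sd": pstdev(volumes) or 1.0}


def attribute_signals(event, base, bad_ips=BAD_IPS):
    """One flag per attribute category from the slide: 1 when the event deviates."""
    hour, country, asset, bytes_out, ip = event
    return {
        "user_time": int(not base["hours"][0] <= hour <= base["hours"][1]),
        "geolocation": int(country not in base["countries"]),
        "ip_reputation": int(ip in bad_ips),
        "asset_access": int(asset not in base["assets"]),
        "network_volume": int(bytes_out > base["vol_mean"] + 3 * base["vol_sd"]),
    }


def risk_score(event, base, min_attributes=2):
    """Score only when at least min_attributes categories deviate together;
    a single anomalous attribute is treated as noise, not as behaviour."""
    signals = attribute_signals(event, base)
    hits = sum(signals.values())
    if hits < min_attributes:
        return 0.0, signals
    return hits * ASSET_WEIGHT[event[2]], signals


if __name__ == "__main__":
    base = baseline(HISTORY["alice"])
    # Events are (hour, country, asset_class, bytes_out, source_ip), constructed.
    for label, ev in [("off-hours only", (3, "GB", "internal", 1_000_000, "10.0.0.1")),
                      ("big transfer only", (10, "GB", "confidential", 4_000_000, "10.0.0.1")),
                      ("new asset + big transfer", (10, "GB", "restricted", 4_000_000, "10.0.0.1")),
                      ("everything at once", (3, "RO", "restricted", 50_000_000, "198.51.100.7"))]:
        print(label, risk_score(ev, base))
```

Run stand-alone, the first two events score zero even though each is anomalous on one attribute (time of day, transfer volume); the third scores once two categories agree, and the score grows both with the number of corroborating categories and with the classification of the asset touched. The volume threshold is mean plus three standard deviations of the user's own history, so "what is normal" is per user rather than global.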
Thank You