Interest in user and entity behavioral analytics, or UEBA as recently coined by Gartner, has risen dramatically over the past 12 months, and for valid reasons.
Attackers use increasingly sophisticated approaches to bypass traditional defense mechanisms. Companies are constantly looking for better solutions to protect their users and valuable assets, but many solutions cannot keep up with the pace of a rapidly evolving threat landscape. UEBA represents a shift in focus toward detecting abnormalities in user activity by first establishing what is “normal” within the environment.
At Proficio, we work closely with our customers to create models of normal behavior specific to their environments. This approach provides the necessary foundation for UEBA within an organization, enabling us to develop use cases that detect anomalous behavior and alert customers to suspicious events.
Here we outline five use cases that explain how we implement behavioral analytics for our customers:
1. Predicting Insider Threats based on when an employee is considering leaving an organization
Our forensics investigations show an employee is five times more likely to commit theft of data during their last 30 days of employment with a company than at any other time. If you can predict when an employee is considering leaving the organization and correlate their activity with other behavioral anomalies, you can often detect the events leading up to a data breach.
When a user exhibits a pattern of behavior that includes visiting popular job sites such as LinkedIn, Indeed, Dice, or Monster, they are flagged as a person who may be about to leave the company. The user is placed on a watch list for 30 days, and continued tracking of browsing habits reinforces this placement if the user keeps visiting job sites. Watch-list membership is then correlated with other activity such as suspicious data access, emails, or data transfers. Based on a priority formula, correlated events are escalated to a security or HR analyst for further investigation. On its own, a visit to a job site is a weak signal (recruiters and HR staff visit them daily); the value comes from the correlation. In this scenario, we use information from the customer’s web filter product, which ties web requests to an authenticated user session (not merely a source IP) and provides web categorization logging, in addition to other security log data sources.
2. Sending confidential information to personal storage
Building on the first use case, if a user is already on the aforementioned watch list for potentially leaving an organization and begins connecting to popular sites associated with personal storage, an alert can immediately be provided to the customer. Examples of these personal storage sites include Google Drive, Dropbox, Box, and iCloud. Because many organizations use these same services under a corporate tenant, the category should be scoped to personal accounts where the web filter can distinguish them, or the alert will fire on sanctioned use. In this approach, we again use information from the customer’s web filter that ties web requests to a user together with its web categorization logging.
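The watch-list logic behind use cases 1 and 2, as an added example written for this page rather than Proficio’s own implementation: a user who visits a job-site category is placed on a 30-day watch list that each further visit renews, and a personal-storage visit while the entry is still active produces an alert carrying the job-site hit count as a cheap priority input. The log format, the category names and the hit-count scoring are assumptions; real web filters label categories differently, and the text’s priority formula also folds in data-access and e-mail anomalies that this example does not model. The sample log is constructed, not captured from any product.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Assumed category names; the mapping to a real web filter's labels is per customer.
JOB_SITE_CATEGORIES = {"job-search"}
PERSONAL_STORAGE_CATEGORIES = {"personal-storage"}
WATCH_DAYS = 30  # watch-list lifetime from the text, renewed on each job-site visit

# Constructed sample web-filter log, not captured from any real product.
# Format: timestamp|authenticated user|host|category, in chronological order.
SAMPLE_LOG = """\
2024-03-01T09:12:00|alice|www.linkedin.com|job-search
2024-03-01T09:40:00|bob|www.github.com|technology
2024-03-02T11:05:00|alice|www.indeed.com|job-search
2024-03-03T14:22:00|alice|drive.google.com|personal-storage
2024-03-20T08:30:00|bob|www.dropbox.com|personal-storage
2024-04-15T10:00:00|alice|www.dropbox.com|personal-storage
"""

Alert = namedtuple("Alert", "time user host job_site_hits")


def parse_line(line):
    ts, user, host, category = line.split("|")
    return datetime.fromisoformat(ts), user, host, category


def analyze(log_text, watch_days=WATCH_DAYS):
    """Return personal-storage alerts for users on the active watch list.

    watch maps user -> (expiry, job-site visits in the current watch period).
    Each job-site visit pushes the expiry out by another watch_days, so a user
    who keeps looking stays listed; a lapsed entry starts a fresh count.
    """
    watch = {}
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, host, category = parse_line(line)
        if category in JOB_SITE_CATEGORIES:
            expiry, hits = watch.get(user, (None, 0))
            if expiry is not None and expiry < ts:
                hits = 0  # previous watch period has lapsed
            watch[user] = (ts + timedelta(days=watch_days), hits + 1)
        elif category in PERSONAL_STORAGE_CATEGORIES:
            entry = watch.get(user)
            if entry is not None and ts <= entry[0]:
                # hit count serves as an assumed priority input for the analyst
                alerts.append(Alert(ts, user, host, entry[1]))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.time:%Y-%m-%d} {a.user} -> {a.host} "
              f"(job-site visits: {a.job_site_hits})")
```

Run against the sample, only alice’s Google Drive visit on 3 March alerts: bob was never on the list, and alice’s Dropbox visit in April falls after her entry expired on 1 April, which is the 30-day window doing its job.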
3. Predicting Insider Threat based on employee behavior communicating with a competitor
Employees communicating with, and possibly leaking information to, a competitor is a real concern for all organizations. If an employee’s email to one or more competitors rises above a moving-average baseline of their normal volume, we flag the user for suspicious behavior. We can also analyze the subjects of the emails sent and their attachments. In this approach we work closely with our customers to identify their key competitors. We use email logs that tie subject lines, attachments, sender and recipient data into security events to send accurate alerts to our customers.
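A moving-average baseline for competitor email, as an added example written for this page and not Proficio’s code: for each sender-day, the mean and standard deviation of that sender’s competitor-bound email count over the previous days form the baseline, and a day that exceeds the mean by a chosen number of standard deviations (with an absolute floor so that one email from a normally quiet user never alerts) is flagged. The competitor domain, the window length, the sigma multiplier, the floor and the log format are assumptions; the sample log is constructed.

```python
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Assumption: the customer supplies the competitor domains; this one is made up.
COMPETITOR_DOMAINS = {"rivalcorp.example"}
WINDOW_DAYS = 5   # days of history behind the moving average (assumed)
SIGMA = 3.0       # standard deviations above the mean that count as a spike
MIN_COUNT = 3     # absolute floor so a quiet user's first email never alerts

# Constructed sample email log, not taken from any real mail system.
# Format: date|sender|recipient|subject
SAMPLE_LOG = """\
2024-03-01|alice@corp.example|jane@rivalcorp.example|Catching up
2024-03-02|alice@corp.example|jane@rivalcorp.example|Re: Catching up
2024-03-03|alice@corp.example|jane@rivalcorp.example|Lunch?
2024-03-03|alice@corp.example|ops@partner.example|Q2 schedule
2024-03-04|alice@corp.example|jane@rivalcorp.example|Re: Lunch?
2024-03-05|alice@corp.example|jane@rivalcorp.example|Conference
2024-03-06|alice@corp.example|jane@rivalcorp.example|Roadmap
2024-03-06|alice@corp.example|jane@rivalcorp.example|Pricing sheet
2024-03-06|alice@corp.example|jane@rivalcorp.example|Customer list
2024-03-06|alice@corp.example|jane@rivalcorp.example|Re: Customer list
2024-03-06|alice@corp.example|hr@rivalcorp.example|Offer letter
2024-03-06|bob@corp.example|jane@rivalcorp.example|Hello
"""


def is_competitor(address):
    return address.rsplit("@", 1)[-1].lower() in COMPETITOR_DOMAINS


def daily_counts(log_text):
    """(sender, day) -> number of emails to competitor domains on that day."""
    counts = defaultdict(int)
    for line in log_text.strip().splitlines():
        day, sender, recipient, _subject = line.split("|", 3)
        if is_competitor(recipient):
            counts[(sender, date.fromisoformat(day))] += 1
    return counts


def find_spikes(log_text, window=WINDOW_DAYS, sigma=SIGMA, min_count=MIN_COUNT):
    """Flag sender-days whose competitor email count exceeds the moving baseline.

    The baseline is the mean over the previous `window` days, with days that had
    no competitor email counted as zero; the tolerance is `sigma` standard
    deviations of that same history.
    """
    counts = daily_counts(log_text)
    spikes = []
    for (sender, day), count in sorted(counts.items(), key=lambda kv: kv[0][1]):
        history = [counts.get((sender, day - timedelta(days=i)), 0)
                   for i in range(1, window + 1)]
        baseline = statistics.mean(history)
        threshold = baseline + sigma * statistics.pstdev(history)
        if count >= min_count and count > threshold:
            spikes.append((day, sender, count, round(baseline, 2)))
    return spikes


if __name__ == "__main__":
    for day, sender, count, baseline in find_spikes(SAMPLE_LOG):
        print(f"{day} {sender}: {count} competitor emails (baseline {baseline}/day)")
```

Alice’s one-a-day pattern builds a baseline of 1.0 with zero variance, so her five emails on 6 March are flagged; bob’s single email the same day stays under the floor. A zero standard deviation is common for low-volume senders, which is why the absolute floor matters as much as the sigma multiplier.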
4. Suspicious logins identified by activity from unusual geolocations
We have multiple methods of detecting logins from suspicious locations. For example, we create a watch list of geolocations where the client does not do business. If an authentication (user login) event is received with an IP that resolves to one of those geolocations, we immediately alert our customer. GeoIP resolution is approximate: mobile carriers, cloud egress points and VPN exit nodes can place a user far from where they physically are, so the alert should carry the resolved location for the analyst to verify.
Another method we employ for detecting logins from suspicious locations begins with tracking users by the geolocation of each authentication event. If the user logs in from the same geolocation four times, this geolocation becomes the user’s “home” geolocation. If the user then authenticates from a different geolocation, we send an alert to the customer. Exceptions can be made for users who travel frequently, such as sales staff or consultants.
We can also raise an Indicator of Credential Abuse by correlating a person authenticating from two geographic locations within a timeframe that would not allow for the physical travel between them. An example of this geolocation correlation is a user authenticating to a local workstation in the New York office in the morning and then authenticating to the VPN from an address that resolves to China in the afternoon (a badge-reader event from a distant office can be correlated the same way).
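The three geolocation rules above in one pass over authentication events, as an added example written for this page rather than Proficio’s implementation: a static country watch list, a learned home location after four logins (with an exemption set for frequent travellers), and impossible travel computed from the great-circle distance between consecutive logins divided by the time between them. The no-business country, the exempt user, the 900 km/h speed cut-off and the event format are assumptions, and the latitude/longitude values are assumed to have been resolved from the source IP by a GeoIP lookup before this stage. The events are constructed.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Assumptions: countries where the customer does no business, users exempt
# from the home-location rule, and the speed above which travel is impossible.
NO_BUSINESS_COUNTRIES = {"KP"}
FREQUENT_TRAVELLERS = {"carol"}
HOME_AFTER_LOGINS = 4       # from the text
MAX_SPEED_KMH = 900.0       # a little below airliner cruise speed

# Constructed authentication events; lat/lon assumed to come from GeoIP.
# (timestamp UTC, user, source, city, country, lat, lon)
SAMPLE_EVENTS = [
    ("2024-03-04T13:00:00", "alice", "workstation", "New York", "US", 40.71, -74.01),
    ("2024-03-05T13:00:00", "alice", "workstation", "New York", "US", 40.71, -74.01),
    ("2024-03-06T13:00:00", "alice", "workstation", "New York", "US", 40.71, -74.01),
    ("2024-03-07T13:00:00", "alice", "workstation", "New York", "US", 40.71, -74.01),
    ("2024-03-07T19:00:00", "alice", "vpn", "Beijing", "CN", 39.90, 116.40),
    ("2024-03-07T14:00:00", "bob", "vpn", "Pyongyang", "KP", 39.02, 125.75),
    ("2024-03-01T09:00:00", "carol", "vpn", "London", "GB", 51.51, -0.13),
    ("2024-03-02T09:00:00", "carol", "vpn", "London", "GB", 51.51, -0.13),
    ("2024-03-03T09:00:00", "carol", "vpn", "London", "GB", 51.51, -0.13),
    ("2024-03-04T09:00:00", "carol", "vpn", "London", "GB", 51.51, -0.13),
    ("2024-03-06T09:00:00", "carol", "vpn", "Paris", "FR", 48.86, 2.35),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi, dlambda = phi2 - phi1, math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def analyze(events):
    """Return (rule, user, timestamp, detail) tuples for the three rules."""
    alerts = []
    visits = defaultdict(Counter)   # user -> how often each city was seen
    home = {}                       # user -> city fixed after HOME_AFTER_LOGINS
    last = {}                       # user -> previous event for the travel check
    for ev in sorted(events, key=lambda e: (e[1], e[0])):  # per user, by time
        ts_text, user, source, city, country, lat, lon = ev
        ts = datetime.fromisoformat(ts_text)
        # 1. static watch list of countries the customer does not do business in
        if country in NO_BUSINESS_COUNTRIES:
            alerts.append(("no_business_country", user, ts, f"{city}, {country}"))
        # 2. learned home location; frequent travellers are exempt
        if user not in FREQUENT_TRAVELLERS:
            if user in home and city != home[user]:
                alerts.append(("away_from_home", user, ts,
                               f"{city} (home {home[user]})"))
            else:
                visits[user][city] += 1
                if visits[user][city] == HOME_AFTER_LOGINS:
                    home[user] = city
        # 3. impossible travel relative to the previous authentication
        prev = last.get(user)
        if prev is not None:
            p_ts, p_city, p_lat, p_lon = prev
            hours = (ts - p_ts).total_seconds() / 3600
            km = haversine_km(p_lat, p_lon, lat, lon)
            if km > 1.0 and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                alerts.append(("impossible_travel", user, ts,
                               f"{p_city} -> {city}: {km:.0f} km in {hours:.1f} h"))
        last[user] = (ts, city, lat, lon)
    return alerts


if __name__ == "__main__":
    for rule, user, ts, detail in analyze(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M} {rule:20} {user:6} {detail}")
```

Alice’s fourth New York login fixes her home; the Beijing VPN login six hours later trips both the home rule and impossible travel (roughly 11,000 km in 6 hours). Bob trips only the country watch list. Carol’s Paris login after four London logins produces nothing because she is exempt and 340 km in two days is perfectly possible.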
5. Unusual DNS queries
For this use case, we analyze DNS logs and identify queries whose second-level domain labels contain highly unusual letter combinations, that is, labels with high character entropy. This enables us to categorize domain requests as suspicious. DNS requests with a high amount of entropy could potentially be crafted by a domain generation algorithm (DGA), a component of various malware families that enables communication with command and control servers.
A potentially compromised system can be identified through DNS request tracking. For example, if four suspicious DNS requests are made by the same machine, each with unusual letter combinations, an alert can be sent to the customer indicating that the machine is suspected of being compromised and engaging in command and control activity. Here, we analyze the DNS logs, including the record type requested, the domain, and the system performing the request, to detect anomalies. Entropy alone is not sufficient: long legitimate names from CDNs and cloud storage can score as high as a DGA name, so the per-machine count and an allowlist of well-known domains are what keep the false-positive rate manageable.
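The DNS entropy check and the per-machine count described above, as an added example written for this page and not Proficio’s code: the second-level label is extracted from each query name, its Shannon entropy in bits per character is computed, and a label that is both long enough and above an entropy threshold marks the query as suspicious; a client with four or more suspicious queries is reported. The 3.5-bit threshold, the 10-character minimum and the log format are assumptions, and taking the second-to-last label as the registrable domain is a simplification (names under suffixes like co.uk need the Public Suffix List). The log is constructed.

```python
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 3.5   # bits per character; an assumed cut-off, tune per environment
MIN_LABEL_LENGTH = 10     # short labels cannot reach high entropy and are mostly legitimate
ALERT_AFTER = 4           # suspicious queries from one machine, as in the text

# Constructed DNS query log, not from any real resolver.
# Format: timestamp|client|query name|record type
SAMPLE_DNS_LOG = """\
2024-03-07T10:00:01|10.0.0.5|xkq7v2m9wz3ptr.net|A
2024-03-07T10:00:02|10.0.0.5|q8zjv4xkm2wn0r.com|A
2024-03-07T10:00:02|10.0.0.7|www.google.com|A
2024-03-07T10:00:03|10.0.0.5|hzpq9k3mwx7vlt.org|A
2024-03-07T10:00:04|10.0.0.7|d1abc.cloudfront.net|A
2024-03-07T10:00:05|10.0.0.7|stackoverflow.com|A
2024-03-07T10:00:06|10.0.0.5|bm4kzqx8rw2vjp.info|TXT
2024-03-07T10:00:07|10.0.0.7|mail.microsoft.com|MX
"""


def second_level_label(qname):
    """Label directly under the TLD, e.g. 'google' for www.google.com.

    Simplification: treats the last label as the whole public suffix, so names
    under 'co.uk' and similar would need the Public Suffix List to get right.
    """
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else None


def shannon_entropy(text):
    """Bits per character of the text's character distribution."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_suspicious(qname):
    label = second_level_label(qname)
    return (label is not None and len(label) >= MIN_LABEL_LENGTH
            and shannon_entropy(label) >= ENTROPY_THRESHOLD)


def suspected_hosts(log_text, alert_after=ALERT_AFTER):
    """client -> list of (query name, record type) for clients over the threshold."""
    per_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        _ts, client, qname, qtype = line.split("|")
        if is_suspicious(qname):
            per_client[client].append((qname, qtype))
    return {c: q for c, q in per_client.items() if len(q) >= alert_after}


if __name__ == "__main__":
    for client, queries in suspected_hosts(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(queries)} suspicious queries")
        for qname, qtype in queries:
            print(f"  {qname} ({qtype}, {shannon_entropy(second_level_label(qname)):.2f} bits)")
```

Only 10.0.0.5 is reported. Note that stackoverflow.com also passes the entropy test (13 letters, about 3.55 bits per character), which is exactly the false positive the per-machine count absorbs: 10.0.0.7 has one suspicious query and stays below the alert line. In production that name would also sit on an allowlist of popular domains, and the TXT query from 10.0.0.5 is worth surfacing separately, since C2 over DNS often uses record types an ordinary client rarely requests.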
The story doesn’t end here. Our highly specialized security analysts and engineers work closely with our customers to offer them additional behavioral analytics use cases. It is also worth pointing out that normal behavior varies among both users and environments, which is why at Proficio we build custom behavioral analytics use cases specific to each customer environment.
To learn about how we can help you better secure your network, contact Proficio today.