USE CASES
How Organizations Are Using
Fortscale’s User Behavior Analytics
Solution to Mitigate Security Threats
Fortscale Overview
Fortscale provides organizations with a proven user behavior
analytics (UBA) solution to mitigate security threats from
malicious insiders or external attackers using compromised
credentials by empowering security teams with unmatched
user intelligence and easy-to-use investigation tools.
Fortscale has spent years developing and honing the Fortscale
Machine Learning Algorithms to model user behavior in
enterprise environments. By building distinct models for
each observed user, Fortscale can quickly and easily identify
anomalous activity. Fortscale needs very little customer tuning
in order to quickly produce valuable insights and identify
malicious activity that would have gone undetected using the
current security stack in the customer environment. This is
known as the Fortscale User Behavior Analytics (UBA) solution.
Fortscale accomplishes these goals by ingesting, enriching
and modeling access and authentication data received from
multiple data sources, turning massive amounts of log data
into pivotal intelligence and providing near-instantaneous
value to security analysts.
FORTSCALE HELPS YOU...
• Detect the malicious insider using their authorized
credentials and access rights in an abnormal manner.
• Detect the malicious outsider penetrating the
network defenses and stealing company
credentials to gain full access to the enterprise.
• Empower your analyst during the incident
response cycle.
Use Cases Overview
Fortscale helps organizations Analyze access, Profile user
activity, Discover threats, and Investigate the results in order
to operationalize the insights based on the following core set
of use cases:
• Monitor account access.
• Abnormal access activity of users in the network.
• Abnormal remote connectivity of users.
• Access to sensitive resources and identification
of suspicious activity targeted at those resources.
• High privileged accounts network activity,
including administrators, executives and
service accounts.
• Abnormal amounts of data being leaked through users’ remote access sessions (“data exfiltration”).
• Network multi-hop activity (“lateral movement”).
• Rogue users’ activity based on deviation from a given set of privileges.
• Stale accounts – Identification of inactive accounts that may pose a security risk to the organization.
• Compare users with unique network credentials (high privileges, weak password policy and more).
• Investigate highly critical applications in customer environments (“Crown Jewel” applications).
Core Data Sources
Fortscale has developed proprietary packages of statistical
analysis, behavioral models, and risk scoring algorithms for
the most common enterprise network applications. While
researching the most impactful breaches of the past few
years, Fortscale learned these essential data sources provided
the needed information to detect the compromised credentials and mitigate the breach. These core data sources
include activity sources like Windows Security Event logs and
Virtual Private Network (VPN) logs and contextual sources
like Active Directory and Dynamic Host Configuration Protocol (DHCP) information.
Customer-Specific Data Sources
Fortscale engineered the Fortscale Analytics Engine to easily
extend to other sources of access and authentication information. The Fortscale Analytics Engine can ingest, model
and score customized or home-grown systems in the environment that run crucial functions and have previously proven
difficult to monitor and secure. Whether the application is
a customer service application providing deep access to
account information or a development code repository
storing the core intellectual property of a company, if
the organization is collecting who (user identification),
where (source and destination IP addresses), when (time),
and what (actions), Fortscale can apply years of analytics
expertise to find the insider threat.
Finding the Outsider: Detecting the bad actor penetrating network
defenses and gaining privileged access to the network
Detecting Insider Reconnaissance: Access Rate Anomaly
Fortscale detected a compromised user account a threat
actor was using to move about the company’s network
with unfettered access. The machine learning algorithms
first learned normal behavior for all users in the customer
environment. One user, let’s call him Steve, had normal
behavior defined by many different characteristics. One
characteristic, rate of actions per hour, was assessed to be
approximately 40 events (data retrieval requests from the
dedicated application) per hour. Fortscale then detected
someone else using Steve’s account by detecting a large
spike in events per hour. Steve’s normal 40 events per hour
escalated to over 650 events per hour; at one point peaking
at 44 events in 3 seconds. This type of behavior indicates an
automated process running on the system, not a user attempting
to access resources.
An investigation into the event led to the discovery that
Steve’s account had been compromised and was being used
by an attacker to access numerous records, hunting for data
to steal. Because the attacker had a real user’s account he
could come and go as he pleased, hunting for sensitive data
to steal at his leisure. Fortscale found the insider threat and
empowered the company to mitigate the breach.
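The detection described in this use case, a per-user hourly event-rate baseline plus a burst check for machine-speed activity, can be reproduced over plain timestamped access records. The following is an added example and is not Fortscale's code; the log it analyzes is generated inline to match the numbers above (40 events per hour normally, over 650 in the anomalous hour, 44 events within 3 seconds), and the threshold rule and the training cut-off are assumptions.

```python
"""Access-rate anomaly detection over per-user event timestamps.

Added example, not Fortscale's code. It models the two signals the
use case describes: an hourly event rate far above the user's learned
baseline, and a short burst (many events within a few seconds) that
points to an automated process rather than a person at a keyboard.
The log is constructed inline; the thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Everything before this instant is used to learn baselines (assumption)
TRAINING_END = datetime(2015, 3, 7)


def build_sample_log():
    """Constructed data: five working days of user 'steve' issuing one
    request every 90 s (40 per hour, 09:00-17:00), then one hour on the
    following Monday with ~650 requests including 44 within 3 seconds.
    Returns (timestamp, user) tuples sorted by time."""
    events = []
    start = datetime(2015, 3, 2, 9, 0, 0)
    for day in range(5):
        t = start + timedelta(days=day)
        end = t + timedelta(hours=8)
        while t < end:
            events.append((t, "steve"))
            t += timedelta(seconds=90)
    # Anomalous hour: a request every 5.9 s gives roughly 610 events ...
    hour_start = start + timedelta(days=7, hours=2)
    hour_end = hour_start + timedelta(hours=1)
    t = hour_start
    while t < hour_end:
        events.append((t, "steve"))
        t += timedelta(seconds=5.9)
    # ... plus a 3-second burst of 44 events halfway through the hour
    burst_at = hour_start + timedelta(minutes=30)
    for i in range(44):
        events.append((burst_at + timedelta(seconds=3 * i / 44), "steve"))
    events.sort()
    return events


def hourly_counts(events):
    """Number of events per (user, clock hour)."""
    counts = Counter()
    for ts, user in events:
        counts[(user, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return counts


def learn_baselines(events, training_end=TRAINING_END):
    """Per-user mean and population stdev of events per *active* hour
    (hours with no activity are not observations of the user's rate)."""
    per_user = defaultdict(list)
    for (user, hour), n in hourly_counts(events).items():
        if hour < training_end:
            per_user[user].append(n)
    return {u: (mean(ns), pstdev(ns)) for u, ns in per_user.items()}


def rate_anomalies(events, baselines, sigma=3.0):
    """Hours whose count exceeds mean + sigma * spread for that user.
    A Poisson-style floor (sqrt(mean)) keeps the threshold usable when
    the baseline is perfectly regular and the stdev is zero."""
    flagged = []
    for (user, hour), n in sorted(hourly_counts(events).items()):
        if user not in baselines:
            continue
        mu, sd = baselines[user]
        threshold = mu + sigma * max(sd, mu ** 0.5)
        if n > threshold:
            flagged.append((user, hour, n, round(threshold, 1)))
    return flagged


def max_burst_size(events, user, window_seconds=3):
    """Largest number of the user's events inside any sliding window."""
    ts = [t for t, u in events if u == user]
    window = timedelta(seconds=window_seconds)
    best = j = 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


if __name__ == "__main__":
    log = build_sample_log()
    baselines = learn_baselines(log)
    for user, hour, n, thr in rate_anomalies(log, baselines):
        print(f"{user} {hour:%Y-%m-%d %H:00}: {n} events/hour (threshold {thr})")
    print("largest 3-second burst:", max_burst_size(log, "steve"))
```

Baselines are learned only from hours in which the user was active, so overnight silence does not drag the mean down; the burst check is kept separate from the hourly rate because a scripted retrieval can stay under an hourly threshold while still being unmistakably non-human inside a few seconds.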
Detecting Lateral Movement: Compromised Credentials
Fortscale can use authentication information to detect anomalies resulting from users’ remote access. At one customer
site, Fortscale identified a user accessing the network from
three different countries across the globe in less than thirty
seconds, otherwise known as “the impossible journey”.
In addition to the impossible journey, the account was also
accessing resources the user did not normally access. Investigation into the event led analysts to discover the credentials
had been stolen and an attacker was leveraging numerous
proxies in different countries to mask his true IP address.
The company was able to disable the account and initiate the
incident response cycle before any damage occurred.
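The "impossible journey" check above reduces to geolocating consecutive VPN logins per user and asking whether the implied travel speed is physically plausible. The code below is an added example, not Fortscale's; its GeoIP table is a constructed stand-in for a real geolocation database (documentation IP ranges, rounded city coordinates), the VPN log is constructed, and the 1000 km/h ceiling is an assumption.

```python
"""Impossible-journey detection over VPN connection records.

Added example, not Fortscale's code. For each user it takes consecutive
logins, geolocates the source IPs, and flags any pair that would require
travelling faster than a plausible speed; it also counts distinct
countries seen inside a short window. The GeoIP table and log are
constructed stand-ins (documentation IP ranges, rounded coordinates).
"""
import math
from collections import defaultdict
from datetime import datetime

# Constructed lookup standing in for a GeoIP database
GEO = {
    "203.0.113.7": ("Australia", -33.87, 151.21),    # Sydney
    "198.51.100.22": ("Brazil", -23.55, -46.63),     # Sao Paulo
    "192.0.2.45": ("Germany", 52.52, 13.41),         # Berlin
    "192.0.2.80": ("Germany", 48.14, 11.58),         # Munich
}

# Constructed VPN log: "<timestamp> <user> <source ip> <event>"
VPN_LOG = """\
2015-04-01T08:00:00 jdoe 192.0.2.45 CONNECT
2015-04-01T12:30:00 jdoe 192.0.2.80 CONNECT
2015-04-01T22:10:00 asmith 203.0.113.7 CONNECT
2015-04-01T22:10:12 asmith 198.51.100.22 CONNECT
2015-04-01T22:10:25 asmith 192.0.2.45 CONNECT
2015-04-01T22:11:00 asmith 192.0.2.45 DISCONNECT
"""

MAX_KMH = 1000.0  # assumed upper bound for legitimate travel (airliner speed)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_vpn_log(text):
    """Connection events as (timestamp, user, ip), sorted by time."""
    records = []
    for line in text.splitlines():
        ts, user, ip, event = line.split()
        if event == "CONNECT":
            records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, ip))
    return sorted(records)


def impossible_journeys(records, max_kmh=MAX_KMH, geo=GEO):
    """Consecutive logins per user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec[1]].append(rec)
    hits = []
    for user, recs in by_user.items():
        for (t1, _, ip1), (t2, _, ip2) in zip(recs, recs[1:]):
            if ip1 not in geo or ip2 not in geo:
                continue  # unknown location: do not guess, leave for enrichment
            c1, lat1, lon1 = geo[ip1]
            c2, lat2, lon2 = geo[ip2]
            km = haversine_km(lat1, lon1, lat2, lon2)
            # floor the gap at one second so two logins in the same second
            # from the same place do not divide by zero
            seconds = max((t2 - t1).total_seconds(), 1.0)
            kmh = km / (seconds / 3600)
            if kmh > max_kmh:
                hits.append({"user": user, "from": c1, "to": c2, "km": round(km),
                             "seconds": int(seconds), "kmh": round(kmh)})
    return hits


def countries_within(records, window_seconds=30, geo=GEO):
    """Per user, the largest number of distinct countries seen in any window."""
    by_user = defaultdict(list)
    for t, user, ip in records:
        if ip in geo:
            by_user[user].append((t, geo[ip][0]))
    result = {}
    for user, seq in by_user.items():
        best = 0
        for i, (t0, _) in enumerate(seq):
            seen = {c for t, c in seq[i:] if (t - t0).total_seconds() <= window_seconds}
            best = max(best, len(seen))
        result[user] = best
    return result


if __name__ == "__main__":
    recs = parse_vpn_log(VPN_LOG)
    for hit in impossible_journeys(recs):
        print(hit)
    print(countries_within(recs))
```

The Berlin-to-Munich pair for jdoe (about 500 km in four and a half hours) stays under the ceiling, while asmith's three logins from three countries within 25 seconds produce two impossible hops; the second function gives the "three countries in under thirty seconds" view directly.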
Detecting Enterprise Persistence: Monitoring New Account Behavior
Fortscale constantly identifies new users and new machines
in an enterprise and generates reports analysts can review
to ensure these accounts and machines are valid in the
network. On one occasion, Fortscale detected a new user
account in the enterprise and began analyzing activity to
build a baseline. The account then sat idle, with no activity,
for over three weeks. Then, the system began behaving in
anomalous ways, both against the individual baseline and
in comparison to the peer group the account belonged to. At the
user level the account was accessing at strange hours, accessing
different resources, etc., and at the organizational level the new
account was accessing from a segment of the network that
other machines in the peer group typically accessed.
An investigation by the security team revealed this account
was created by the attacker to establish persistence in the
network. The idle period was likely intended to circumvent detection. Many security tools will attempt to correlate
network events to determine compromise, like an exploit
attempt on a system followed by some command and control
activity. This attacker waited three weeks before launching
an attack, which far surpassed the correlation span of most
security tools. Without Fortscale’s User Behavior Analytics
this attacker would have maintained complete access to the
company’s network and moved to the final stage of attack.
Detecting Lateral Movement: Compromised Service Account
A unique aspect of Fortscale is the ability to provide rich
context for the analyst by automatically labeling users and
machines based on many observed behaviors, helping analysts
to quickly prioritize events for investigation. One account label
applied is “service”, which marks an account whose behavior indicates it is running an automated process, like a patch
server or vulnerability scanner network account.
At one deployment, Fortscale detected a service account
operating in a very anomalous manner. First, the machine
had a very cyclic nature to its activity: every twelve hours
it would access multiple systems in the environment.
However, on one occasion it was operating at a time that
greatly differed from the normal cycle. In addition, during
this anomalous time the account was also attempting to
access a system it did not regularly access and was using
password authentication instead of the typically used public
key authentication. Additional analysis determined the
system it accessed was the domain controller and the service
account was actually compromised and being leveraged by an
attacker to get deeper into the environment. The identification of an attacker making his way to the company’s domain
controller was only possible because of user behavior analytics. All other security controls missed the lateral attack.
Discovering the Insider: Detecting a Malicious Employee or
Contractor
Detecting Insider Reconnaissance: Spikes in Accounts Accessed
By monitoring a key access control system in a customer
environment, Fortscale detected an employee using their
account to access a large number of customer records.
Fortscale not only identified that the access amount was
anomalous for the user based on their past history, but also
identified the number of records accessed far exceeded the
normal amount accessed by his peers.
An investigation into the event found the employee was
searching for data of interest in customer accounts to steal.
Fortscale prevented this malicious insider from gathering
and stealing any more information from the company’s customers.
Detecting Employee Misuse: Correlating Data Sources
Fortscale can identify disabled accounts via Active Directory
information and hunt for other accounts in use by that user in
different data sources. At one customer site, Fortscale detected a user accessing the network remotely via VPN. This event
by itself was not anomalous, but when analyzed using the
broader organizational context Fortscale discovered the user
had a disabled Active Directory account. Unfortunately, the
company had disabled his Active Directory account when the
employee was terminated but neglected to disable his VPN
account. Luckily, the company was employing Fortscale UBA
and detected the anomalous event before any damage occurred.
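The correlation in this use case is a join between two sources that rarely share an identity format: an Active Directory export, where a disabled account carries the ACCOUNTDISABLE bit in userAccountControl, and a VPN log, where the same person may appear as DOMAIN\user, user@domain or in upper case. The following is an added example and is not Fortscale's code; the AD export and VPN log are constructed, and the identity-normalization rule is an assumption about what a given concentrator logs.

```python
"""Correlating Active Directory account state with VPN logins.

Added example, not Fortscale's code. It reads a constructed AD export,
treats any account with the ACCOUNTDISABLE bit set in userAccountControl
as disabled, normalizes the identity forms a VPN concentrator may log
(DOMAIN\\user, user@domain, mixed case) and reports logins by disabled
accounts. All data below is constructed.
"""
import csv
import io

ACCOUNTDISABLE = 0x0002  # userAccountControl flag: the account is disabled

# Constructed AD export: 512 = normal account, 514 = normal + disabled,
# 66050 = normal + disabled + password never expires
AD_EXPORT = """\
sAMAccountName,userAccountControl
jdoe,512
bwayne,514
ckent,66050
"""

# Constructed VPN log: "<timestamp> <identity as logged> <source ip> <event>"
VPN_LOG = """\
2015-05-04T07:58:12 CORP\\jdoe 203.0.113.9 CONNECT
2015-05-04T23:41:03 bwayne@corp.example 198.51.100.3 CONNECT
2015-05-05T01:05:44 CKENT 192.0.2.17 CONNECT
2015-05-05T01:40:10 CKENT 192.0.2.17 DISCONNECT
"""


def normalize_identity(ident):
    """Reduce 'CORP\\jdoe', 'jdoe@corp.example' or 'JDOE' to 'jdoe'."""
    ident = ident.rsplit("\\", 1)[-1]   # drop a DOMAIN\ prefix
    ident = ident.split("@", 1)[0]      # drop a @realm suffix
    return ident.lower()


def disabled_accounts(ad_csv):
    """sAMAccountNames (lower-cased) whose userAccountControl has the
    disabled bit set."""
    disabled = set()
    for row in csv.DictReader(io.StringIO(ad_csv)):
        if int(row["userAccountControl"]) & ACCOUNTDISABLE:
            disabled.add(row["sAMAccountName"].lower())
    return disabled


def logins_by_disabled_accounts(vpn_log, disabled):
    """VPN CONNECT events whose normalized identity is a disabled account."""
    hits = []
    for line in vpn_log.splitlines():
        ts, ident, ip, event = line.split()
        user = normalize_identity(ident)
        if event == "CONNECT" and user in disabled:
            hits.append((ts, user, ip))
    return hits


if __name__ == "__main__":
    disabled = disabled_accounts(AD_EXPORT)
    for ts, user, ip in logins_by_disabled_accounts(VPN_LOG, disabled):
        print(f"{ts} VPN login by disabled AD account {user} from {ip}")
```

Testing the bit rather than comparing the whole value matters because a disabled account can carry other flags at the same time (the 66050 row above), so an equality check against 514 would miss it.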
Detecting Insider Theft: Data Transfer Behavior
Fortscale learns normal behavior for many characteristics,
including the typical data transferred during a remote
session. Using this information, Fortscale can easily identify
when a user has greatly exceeded his normal threshold.
Using this method, Fortscale identified one user
in the environment with a multi-gigabyte data transfer during
an active remote session, which greatly surpassed his normal
activity. In addition, Fortscale can add contextual data from
numerous sources, and in this deployment Human Resource
database information was streaming to the Fortscale UBA
platform to track users on leave, those about to terminate,
and more. The user account flagged for data exfiltration was
one that had submitted a resignation letter the week prior,
and this information was in the HR database stream thus
it was in the Fortscale UBA system. This added context
enabled the analyst to prioritize the event properly and
initiate the incident response cycle.
Detecting Insider Theft: Resource Access Monitoring
At another customer site, Fortscale identified a malicious
insider attempting to take sensitive data by identifying
access from a non-standard resource. Fortscale UBA learns
which machines users access in the enterprise and hunts
for events that break that normal routine. In this case,
Fortscale UBA found a user attempting to access a system
that was never before accessed by that user, and the system
was in a sensitive production environment. Analysts were
alerted to the fact that the resource was a sensitive system
because Fortscale automatically enriched the machine
information by tagging the resource as “sensitive”.
An investigation was begun and the theft was mitigated.
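Two of the use cases above share one mechanism: learn what an account normally touches and how, then score an event by how many learned features it breaks. The compromised service account (off-cycle timing, a never-before-accessed host that turned out to be the domain controller, password instead of public-key authentication) and the insider reaching a first-seen system tagged "sensitive" are both instances of it. The code below is an added example, not Fortscale's; it profiles a service account from sshd-style accept records, which are constructed here along with the host names, the tag table and the scoring weights.

```python
"""Profiling a service account from sshd accept records and scoring
deviations: off-cycle timing, a first-seen target host (with sensitivity
tag enrichment) and a change of authentication method.

Added example, not Fortscale's code. Log lines, host names, the tag
table and the scoring weights are all constructed assumptions.
"""
import re
from collections import Counter, defaultdict

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hour>\d\d):\d\d:\d\d (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)

# Constructed enrichment: hosts an analyst would want called out
HOST_TAGS = {"dc01": "domain controller", "hr-db1": "sensitive"}

# Constructed training period: a patch account that fans out every
# twelve hours (02:00 and 14:00) with public-key authentication
TRAINING_LOG = "\n".join(
    f"Mar  {d} {h}:00:{s:02d} {host} sshd[{pid}]: Accepted publickey "
    f"for svc_patch from 10.0.5.20 port 41{pid} ssh2"
    for d in (3, 4, 5)
    for h in ("02", "14")
    for s, host, pid in ((1, "appsrv1", 10), (4, "appsrv2", 11), (7, "appsrv3", 12))
)

# Constructed events to score: one routine run, one that breaks the pattern
NEW_EVENTS = """\
Mar  6 02:00:02 appsrv1 sshd[210]: Accepted publickey for svc_patch from 10.0.5.20 port 41210 ssh2
Mar  6 20:37:41 dc01 sshd[977]: Accepted password for svc_patch from 10.0.5.20 port 50211 ssh2
"""


def parse(text):
    """Yield dicts for lines that are sshd 'Accepted' records."""
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            d = m.groupdict()
            d["hour"] = int(d["hour"])
            yield d


def learn_profiles(events):
    """Per user: hour-of-day histogram, target hosts, auth methods."""
    profiles = defaultdict(lambda: {"hours": Counter(), "hosts": set(), "methods": set()})
    for e in events:
        p = profiles[e["user"]]
        p["hours"][e["hour"]] += 1
        p["hosts"].add(e["host"])
        p["methods"].add(e["method"])
    return profiles


def score_event(e, profile, tags=HOST_TAGS):
    """One point per deviating feature, plus one if a first-seen host
    carries a tag. Returns (score, reasons)."""
    reasons = []
    hours = profile["hours"]
    # tolerate one hour of drift either side of a learned active hour
    if not any(hours[(e["hour"] + d) % 24] for d in (-1, 0, 1)):
        reasons.append(f"off-cycle hour {e['hour']:02d}:00")
    if e["host"] not in profile["hosts"]:
        reasons.append(f"first access to {e['host']}")
        if e["host"] in tags:
            reasons.append(f"{e['host']} is tagged '{tags[e['host']]}'")
    if e["method"] not in profile["methods"]:
        reasons.append(f"auth method changed to {e['method']}")
    return len(reasons), reasons


def detect(training_text, new_text):
    """Score each new event against its account's learned profile."""
    profiles = learn_profiles(parse(training_text))
    findings = []
    for e in parse(new_text):
        if e["user"] not in profiles:
            continue  # a never-seen account belongs in a new-account report
        score, reasons = score_event(e, profiles[e["user"]])
        if score:
            findings.append((e["user"], e["host"], score, reasons))
    return findings


if __name__ == "__main__":
    for user, host, score, reasons in detect(TRAINING_LOG, NEW_EVENTS):
        print(f"{user} -> {host}: score {score}")
        for r in reasons:
            print("   ", r)
```

The routine 02:00 run scores zero and is never surfaced, while the 20:37 password login to dc01 breaks all three learned features and picks up the tag, which is what lets an analyst rank it above the day's other anomalies without reading every raw line.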
Conclusion
The Fortscale User Behavior Analytics solution is highly
effective in mitigating insider security threats since it can
rapidly detect bad actors, prioritize security alerts, reduce the
volume of alerts and streamline alert investigations. Quick
identification of an attack without disrupting business is
accomplished by superior analytics that are fed by data that
is integrated from multiple existing sources. Security teams
can be inundated with alerts, so the Fortscale UBA solution
prioritizes alerts and reduces alert volume. To streamline
alert investigations, data is clearly presented and easily
visualized. Fewer steps are needed to go from incident to
resolution, saving time and helping prevent serious damage.
See How Fortscale Can Help You
Mitigate Security Threats From Bad
Actors Operating Inside Your Network
Learn more at www.fortscale.com
or contact us at [email protected]
to schedule a demo.
Copyright © 2015 Fortscale Security Ltd. All rights reserved. Fortscale is protected by international copyright and intellectual property laws.