USE CASES
How Organizations Are Using Fortscale's User Behavior Analytics Solution to Mitigate Security Threats

Fortscale Overview

Fortscale provides organizations with a proven user behavior analytics (UBA) solution to mitigate security threats from malicious insiders, or from external attackers using compromised credentials, by empowering security teams with unmatched user intelligence and easy-to-use investigation tools. Fortscale helps organizations analyze access, profile user activity, discover threats, and investigate the results in order to operationalize the insights, based on the core set of use cases listed below.

Fortscale has spent years developing and honing the Fortscale Machine Learning Algorithms to model user behavior in enterprise environments. By building a distinct model for each observed user, Fortscale can quickly identify anomalous activity. Fortscale needs very little customer tuning to produce valuable insights and identify malicious activity that would have gone undetected by the customer's current security stack. This is known as the Fortscale User Behavior Analytics (UBA) solution.

FORTSCALE HELPS YOU...
• Detect the malicious insider using their authorized credentials and access rights in an abnormal manner.
• Detect the malicious outsider penetrating the network defenses and stealing company credentials to gain full access to the enterprise.
• Empower your analysts during the incident response cycle.

Use Cases Overview
• Monitor account access.
• Abnormal access activity of users in the network.
• Abnormal remote connectivity of users.
• Access to sensitive resources, and identification of suspicious activity targeted at those resources.
• Network activity of high-privilege accounts, including administrators, executives and service accounts.
• Abnormal amounts of data leaving through users' remote access sessions ("data exfiltration").
• Network multi-hop activity ("lateral movement").
• Rogue users' activity, based on deviation from a given set of privileges.
• Stale accounts: identification of inactive accounts that may pose a security risk to the organization.
• Comparison of users with unique network credentials (high privileges, weak password policy and more).
• Investigation of highly critical applications in customer environments ("Crown Jewel" applications).

Fortscale accomplishes these goals by ingesting, enriching and modeling access and authentication data received from multiple data sources, turning massive amounts of log data into pivotal intelligence and providing near-instantaneous value to security analysts.

Core Data Sources
Fortscale has developed proprietary packages of statistical analysis, behavioral models and risk scoring algorithms for the most common enterprise network applications. While researching the most impactful breaches of the past few years, Fortscale found that a small set of essential data sources provided the information needed to detect the compromised credentials and mitigate the breach. These core data sources include activity sources, such as Windows Security Event logs and Virtual Private Network (VPN) logs, and contextual sources, such as Active Directory and Dynamic Host Configuration Protocol (DHCP) information.

Customer-Specific Data Sources
Fortscale engineered the Fortscale Analytics Engine to extend easily to other sources of access and authentication information. The Fortscale Analytics Engine can ingest, model and score customized or home-grown systems in the environment that run crucial functions and have previously proven difficult to monitor and secure.
Whether the application is a customer service application providing deep access to account information or a development code repository storing the core intellectual property of a company, if the organization is collecting who (user identification), where (source and destination IP addresses), when (time) and what (actions), Fortscale can apply years of analytics expertise to find the insider threat.

Finding the Outsider: Detecting the bad actor penetrating network defenses and gaining privileged access to the network

Detecting Insider Reconnaissance
Access Rate Anomaly
Fortscale detected a compromised user account that a threat actor was using to move about the company's network with unfettered access. The machine learning algorithms first learned normal behavior for all users in the customer environment. One user, let's call him Steve, had normal behavior defined by many different characteristics. One characteristic, rate of actions per hour, was assessed at approximately 40 events (data retrieval requests from the dedicated application) per hour. Fortscale then detected someone else using Steve's account by spotting a large spike in events per hour: Steve's normal 40 events per hour escalated to over 650 events per hour, at one point peaking at 44 events in 3 seconds. A rate like that indicates an automated process running on the system, not a person attempting to access resources. An investigation into the event led to the discovery that Steve's account had been compromised and was being used by an attacker to access numerous records, hunting for data to steal. Because the attacker held a real user's account he could come and go as he pleased, hunting for sensitive data at his leisure. Fortscale found the compromised account and empowered the company to mitigate the breach.

Detecting Lateral Movement
Compromised Credentials
Fortscale can use authentication information to detect anomalies resulting from users' remote access.
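The two checks behind the access-rate case above and the remote-access case this section introduces, written out as an added example (this is not Fortscale's code): a per-hour rate baseline with a short-window burst check, and an "impossible journey" test that computes the implied travel speed between a user's consecutive logins. The event records, the user names (steve, dana, maria), the coordinates and the thresholds are constructed assumptions chosen to mirror the numbers in the text.

```python
"""Two UBA-style anomaly checks run over constructed access/authentication events.

Added example, not Fortscale code. The records, the user names (steve, dana,
maria), the coordinates and the thresholds are assumptions chosen to mirror the
cases in the text: a 40/hour baseline that jumps to 650/hour with a
44-events-in-3-seconds burst, and logins from three countries within 30 seconds.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

T0 = datetime(2015, 6, 1, 8, 0, 0)   # start of the constructed observation window


def build_access_events():
    """Steve's data-retrieval requests as (user, timestamp): 40 per hour for six
    hours (one every 90 s), then an hour with 650 requests that contains a
    machine-speed burst of 44 requests in under 3 s."""
    events = []
    for h in range(6):
        for i in range(40):
            events.append(("steve", T0 + timedelta(hours=h, seconds=90 * i)))
    spike = T0 + timedelta(hours=6)
    for i in range(606):                                   # ~one every 5.9 s
        events.append(("steve", spike + timedelta(seconds=5.9 * i)))
    for i in range(44):                                    # 44 requests in 2.9 s
        events.append(("steve", spike + timedelta(minutes=30, milliseconds=68 * i)))
    return events


def hourly_rate_anomalies(events, user, baseline_hours, k=3.0, min_ratio=3.0):
    """Flag hours whose event count is far above the user's learned hourly rate.
    Baseline = mean/stdev of the first `baseline_hours` hour buckets; an hour is
    anomalous if it exceeds mean + k*stdev AND is at least min_ratio times the
    mean (the ratio guard keeps a flat baseline with stdev 0 from flagging noise)."""
    buckets = Counter(ts.replace(minute=0, second=0, microsecond=0)
                      for u, ts in events if u == user)
    hours = sorted(buckets)
    base = [buckets[h] for h in hours[:baseline_hours]]
    mu, sd = mean(base), pstdev(base)
    return [(h, buckets[h], mu) for h in hours[baseline_hours:]
            if buckets[h] > mu + k * sd and buckets[h] >= min_ratio * mu]


def worst_burst(events, user, window_s=3):
    """Return (window_start, count) for the densest window_s-second span of the
    user's events; dozens of requests in a few seconds is a script, not a person."""
    ts = sorted(t for u, t in events if u == user)
    best, j = (None, 0), 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > timedelta(seconds=window_s):
            j += 1
        if i - j + 1 > best[1]:
            best = (ts[j], i - j + 1)
    return best


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_journeys(logins, max_kmh=1000.0):
    """logins: (user, timestamp, country, (lat, lon)) from VPN or web-app auth
    logs with the source IP geolocated. Consecutive logins by one user whose
    implied ground speed exceeds max_kmh (faster than any airliner) are the
    'impossible journey' that betrays proxies or VPN exits in several countries."""
    by_user = defaultdict(list)
    for u, ts, country, pos in logins:
        by_user[u].append((ts, country, pos))
    flagged = []
    for u, rows in by_user.items():
        rows.sort()
        for (t1, c1, p1), (t2, c2, p2) in zip(rows, rows[1:]):
            km = haversine_km(p1, p2)
            hours = max((t2 - t1).total_seconds(), 1) / 3600   # never divide by 0
            if km / hours > max_kmh:
                flagged.append((u, c1, c2, round(km), round(km / hours)))
    return flagged


# Constructed login sample: dana hits three countries in 27 s; maria's
# New York -> London gap of nine hours is an ordinary flight and must not fire.
LOGINS = [
    ("dana", T0, "US", (40.71, -74.01)),
    ("dana", T0 + timedelta(seconds=12), "DE", (50.11, 8.68)),
    ("dana", T0 + timedelta(seconds=27), "SG", (1.35, 103.82)),
    ("maria", T0, "US", (40.71, -74.01)),
    ("maria", T0 + timedelta(hours=9), "GB", (51.51, -0.13)),
]

if __name__ == "__main__":
    ev = build_access_events()
    print(hourly_rate_anomalies(ev, "steve", baseline_hours=6))
    print(worst_burst(ev, "steve"))
    print(impossible_journeys(LOGINS))
```

The rate check deliberately keeps two thresholds: a standard-deviation test alone would fire on any extra request once a user's baseline is perfectly regular, and a ratio test alone would miss a modest but statistically extreme climb. The travel check uses a speed limit rather than a country change so that a genuine flight is not flagged while a proxy hop across continents in seconds is.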
At one customer site, Fortscale identified a user accessing the network from three different countries across the globe in less than thirty seconds, otherwise known as "the impossible journey". In addition to the impossible journey, the account was also accessing resources the user did not normally access. Investigation into the event led analysts to discover that the credentials had been stolen and an attacker was leveraging numerous proxies in different countries to mask his true IP address. The company was able to disable the account and initiate the incident response cycle before any damage occurred.

Detecting Enterprise Persistence
Monitoring New Account Behavior
Fortscale constantly identifies new users and new machines in an enterprise and generates reports analysts can review to ensure these accounts and machines are valid in the network. On one occasion, Fortscale detected a new user account in the enterprise and began analyzing its activity to build a baseline. The account then sat idle, with no activity, for over three weeks. Then the account began behaving in anomalous ways, both against its individual baseline and in comparison to the peer group the account belonged to. At the user level the account was active at strange hours, accessing different resources and so on; at the organizational level the new account was accessing from a network segment that the other machines in its peer group did not typically access. An investigation by the security team revealed this account had been created by the attacker to establish persistence in the network. The dwell time before activity was likely intended to circumvent detection: many security tools attempt to correlate network events to determine compromise, such as an exploit attempt on a system followed by command and control activity. This attacker waited three weeks before launching an attack, which far surpassed the correlation span of most security tools.
Without Fortscale's User Behavior Analytics this attacker would have maintained complete access to the company's network and moved to the final stage of the attack.

Detecting Lateral Movement
Compromised Service Account
A unique aspect of Fortscale is the ability to provide rich context for the analyst by automatically labeling users and machines based on many observed behaviors, helping analysts to quickly prioritize events for investigation. One such label is "service", which indicates an account whose behavior shows it is running an automated process, like a patch server or vulnerability scanner network account. At one deployment, Fortscale detected a service account operating in a very anomalous manner. First, the account's activity was highly cyclic: every twelve hours it would access multiple systems in the environment. On one occasion, however, it was operating at a time that differed greatly from the normal cycle. In addition, during this anomalous period the account was also attempting to access a system it did not regularly access, and was using password authentication instead of the public key authentication it typically used. Additional analysis determined that the system it accessed was the domain controller, and that the service account had been compromised and was being leveraged by an attacker to get deeper into the environment. Identifying an attacker making his way to the company's domain controller was only possible because of user behavior analytics; all other security controls missed the lateral movement.

Discovering the Insider: Detecting a Malicious Employee or Contractor

Detecting Insider Reconnaissance
Spikes in Accounts Accessed
By monitoring a key access control system in a customer environment, Fortscale detected an employee using their account to access a large number of customer records.
Fortscale not only identified that the access volume was anomalous for the user based on their own history, but also that the number of records accessed far exceeded the normal amount accessed by their peers. An investigation into the event found the employee was searching customer accounts for data of interest to steal. Fortscale prevented this malicious insider from gathering and stealing any more information about the company's customers.

Detecting Employee Misuse
Correlating Data Sources
Fortscale can identify disabled accounts via Active Directory information and hunt for other accounts still in use by the same user in different data sources. At one customer site, Fortscale detected a user accessing the network remotely via VPN. This event by itself was not anomalous, but when analyzed in the broader organizational context Fortscale discovered the user had a disabled Active Directory account. The company had disabled the Active Directory account when the employee was terminated but neglected to disable the VPN account. Because the company was employing Fortscale UBA, the anomalous event was detected before any damage occurred.

Detecting Insider Theft
Data Transfer Behavior
Fortscale learns normal behavior for many characteristics, including the typical amount of data transferred during a remote session. Using this information, Fortscale can easily identify when a user has greatly exceeded their normal threshold. Using this detection method, one user in the environment was identified with a multi-gigabyte data transfer during an active remote session, which greatly surpassed their normal activity. In addition, Fortscale can add contextual data from numerous sources; in this deployment, Human Resources database information was streaming to the Fortscale UBA platform to track users on leave, users about to be terminated, and more.
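As an added example (not Fortscale's code) of the two correlations described in these cases: joining VPN session records against an Active Directory export to find a credential that still works after the directory account was disabled, and baselining each user's outbound volume per remote session, then enriching the outlier with an HR status feed to set its priority. All records, field names, user names and thresholds below are constructed assumptions.

```python
"""Correlating an activity source (VPN session records) with two contextual
sources (an Active Directory export and an HR feed).

Added example, not Fortscale code. Every record, field name and threshold here
is a constructed assumption standing in for a real concentrator log, a real
directory export and a real HR system.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Contextual source 1: Active Directory export (constructed). 'enabled' is the
# ACCOUNTDISABLE bit of userAccountControl folded into a boolean.
AD_ACCOUNTS = {
    "jsmith": {"enabled": True,  "dept": "finance"},
    "bkim":   {"enabled": False, "dept": "sales"},        # terminated, AD disabled
    "rpatel": {"enabled": True,  "dept": "engineering"},
}

# Contextual source 2: HR feed (constructed).
HR_STATUS = {
    "jsmith": "active",
    "bkim":   "terminated",
    "rpatel": "resigned",      # resignation letter submitted the week before
}

# Activity source: VPN session records (constructed) as (user, session_end, bytes_out).
VPN_SESSIONS = [
    ("jsmith", datetime(2015, 6, 1, 18, 5), 120_000_000),
    ("jsmith", datetime(2015, 6, 2, 18, 2), 95_000_000),
    ("jsmith", datetime(2015, 6, 3, 17, 58), 140_000_000),
    ("jsmith", datetime(2015, 6, 4, 18, 10), 110_000_000),
    ("rpatel", datetime(2015, 6, 1, 19, 0), 300_000_000),
    ("rpatel", datetime(2015, 6, 2, 19, 3), 280_000_000),
    ("rpatel", datetime(2015, 6, 3, 19, 5), 310_000_000),
    ("rpatel", datetime(2015, 6, 4, 23, 40), 4_800_000_000),   # multi-GB pull
    ("bkim",   datetime(2015, 6, 4, 2, 15), 20_000_000),       # disabled in AD
]


def orphaned_vpn_logins(sessions, ad):
    """Case 1: VPN sessions by users whose AD account is disabled, or unknown to
    AD entirely. The VPN has its own credential store, so disabling the directory
    account alone does not revoke remote access."""
    return sorted({u for u, _, _ in sessions
                   if not ad.get(u, {}).get("enabled", False)})


def transfer_outliers(sessions, k=5.0, min_history=3):
    """Case 2: sessions whose outbound volume dwarfs the user's own history.
    The baseline is the median and MAD of the user's *other* sessions, so the
    suspicious session cannot inflate its own threshold. Flag when
    bytes > median + k*MAD and bytes > 2*median."""
    by_user = defaultdict(list)
    for u, ts, b in sessions:
        by_user[u].append((ts, b))
    hits = []
    for u, rows in by_user.items():
        if len(rows) < min_history + 1:        # not enough history to baseline
            continue
        for ts, b in rows:
            others = [x for t, x in rows if t != ts]
            med = median(others)
            mad = median(abs(x - med) for x in others) or 0.05 * med
            if b > med + k * mad and b > 2 * med:
                hits.append((u, ts, b, med))
    return hits


def prioritize(outliers, hr):
    """Enrich each exfiltration candidate with HR status: a leaver pushing
    gigabytes out over VPN goes to the top of the analyst's queue."""
    leaving = {"resigned", "terminated", "notice"}
    return [(u, ts, b, "high" if hr.get(u) in leaving else "medium")
            for u, ts, b, _ in outliers]


if __name__ == "__main__":
    print("disabled in AD but still on VPN:", orphaned_vpn_logins(VPN_SESSIONS, AD_ACCOUNTS))
    for row in prioritize(transfer_outliers(VPN_SESSIONS), HR_STATUS):
        print("transfer outlier:", row)
```

A median/MAD baseline is used instead of mean/stdev because a single multi-gigabyte session would otherwise drag the user's own average up far enough to hide itself; leaving the session under test out of its own baseline has the same purpose. The orphaned-credential check also treats a user that AD has never heard of as a hit, since a VPN account with no directory identity behind it is exactly the gap the case describes.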
The user account flagged for data exfiltration belonged to an employee who had submitted a resignation letter the week before, and because this information was in the HR database stream it was also in the Fortscale UBA system. This added context enabled the analyst to prioritize the event properly and initiate the incident response cycle.

Detecting Insider Theft
Resource Access Monitoring
At another customer site, Fortscale identified a malicious insider attempting to take sensitive data by identifying access to a non-standard resource. Fortscale UBA learns which machines users access in the enterprise and hunts for events that break that normal routine. In this case, Fortscale UBA found a user attempting to access a system that had never before been accessed by that user, and the system was in a sensitive production environment. Analysts were alerted to the fact that the resource was a sensitive system because Fortscale automatically enriched the machine information by tagging the resource as "sensitive". An investigation was begun and the theft was mitigated.

Conclusion
The Fortscale User Behavior Analytics solution is highly effective in mitigating insider security threats because it can rapidly detect bad actors, prioritize security alerts, reduce the volume of alerts and streamline alert investigations. Quick identification of an attack without disrupting business is accomplished by analytics fed with data integrated from multiple existing sources. Security teams can be inundated with alerts, so the Fortscale UBA solution prioritizes alerts and reduces alert volume. To streamline alert investigations, data is clearly presented and easily visualized. Fewer steps are needed to go from incident to resolution, saving time and helping prevent serious damage.

See How Fortscale Can Help You Mitigate Security Threats From Bad Actors Operating Inside Your Network
Learn more at www.fortscale.com or contact us at [email protected] to schedule a demo.
Copyright © 2015 Fortscale Security Ltd. All rights reserved. Fortscale is protected by international copyright and intellectual property laws.