ADVANCED ANALYSIS OF USER BEHAVIOR
After providing Customers with the tools to define “who-can-do-what”, let us now see “who-actually-does-what”.
Data theft and other illegal activities are never carried out by a machine alone: they are initiated by humans who, for various reasons, intentionally commit crimes.
It is clear that behind every action – benevolent or malevolent – there is always a human being, an “Identity”.
After years of refining profiles and helping organizations build systems in which Identities can only access the data relevant to their business role, Net Studio now wants to verify that Identities are really doing what they are supposed to do.
To do so, we use UEBA (User and Entity Behavior Analytics), which relies on logs, as a traditional Log Management system does, but is also capable of analyzing behavior by correlating Identities with the actions they perform.
UEBA learns to recognize the everyday habits of each user and, only when a suspicious behavior appears (an activity that is abnormal relative to that user's usual pattern), reports it to the Security Analyst, who can then take the appropriate actions in accordance with predefined policies.
A UEBA system addresses the following items:
Correlation Rules – Traditional SIEM systems allow you to define correlation rules, but it is very difficult to write rules for expected user behavior when you have no idea in advance what that behavior should be.
Alert overload – Logs gather all sorts of information about threats, but their volume makes it very difficult, if not impossible, to identify real threats without the support of other tools that can separate them from false positives.
Credential based attacks – Most of today’s attacks originate from illegal access to credentials.
Correlation-based technology cannot tell whether the user performing an action is really the account owner or whether the identity has been stolen, because it does not know the habits of that user.
Investigations – The selection of events aimed at understanding whether we are under attack can only be done at a high level by a SOC and normally requires a large amount of time.
Visibility – You have to be able to collect ALL the pieces of the puzzle; otherwise you cannot ask Security Analysts to perform a thorough and accurate investigation.
Cloud – Analysis should also extend to cloud-based applications, otherwise you cannot understand threats in applications such as Office 365, Salesforce, Google etc.
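To make the mechanism described above concrete, here is an added example (not Net Studio's product code, and not taken from the original page) of the two ideas the text relies on: learning each Identity's everyday habits from a log, and reporting only the activity that deviates from them, including the stolen-credential case where a known user suddenly acts from a new place and at an unusual hour. The log lines, the field layout (timestamp, user, source IP, country, action, resource), the scoring weights and the alert threshold are all constructed assumptions for illustration.

```python
"""Toy UEBA: learn per-identity habits from an activity log, then score new
activity against that baseline and surface only the anomalies.
Added example; scoring rules and data are hypothetical, not a product's logic."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed training log (fields: timestamp user src_ip country action resource).
TRAINING_LOG = """\
2024-03-04T08:12:03Z alice 10.1.4.22 IT login -
2024-03-04T08:40:11Z alice 10.1.4.22 IT read hr/payroll.xlsx
2024-03-04T09:15:42Z alice 10.1.4.22 IT read hr/headcount.xlsx
2024-03-04T17:02:09Z alice 10.1.4.22 IT logout -
2024-03-05T08:05:50Z alice 10.1.4.22 IT login -
2024-03-05T10:31:27Z alice 10.1.4.22 IT read hr/payroll.xlsx
2024-03-05T16:58:13Z alice 10.1.4.22 IT logout -
2024-03-04T07:55:00Z bob 10.1.7.9 IT login -
2024-03-04T08:20:00Z bob 10.1.7.9 IT read eng/design.pdf
2024-03-04T18:10:00Z bob 10.1.7.9 IT logout -
"""

# Constructed new activity: alice's credentials used at 03:00 from a new country,
# bulk-reading files she never touched (the stolen-identity case); bob behaves normally.
NEW_LOG = """\
2024-03-06T03:04:17Z alice 185.220.101.5 RU login -
2024-03-06T03:05:02Z alice 185.220.101.5 RU read hr/payroll.xlsx
2024-03-06T03:05:30Z alice 185.220.101.5 RU read eng/design.pdf
2024-03-06T03:05:58Z alice 185.220.101.5 RU read eng/roadmap.pptx
2024-03-06T03:06:21Z alice 185.220.101.5 RU read finance/q1.xlsx
2024-03-06T03:06:49Z alice 185.220.101.5 RU read finance/q2.xlsx
2024-03-06T08:01:00Z bob 10.1.7.9 IT login -
2024-03-06T08:30:00Z bob 10.1.7.9 IT read eng/design.pdf
"""

@dataclass
class Event:
    ts: datetime
    user: str
    src_ip: str
    country: str
    action: str
    resource: str

def parse_log(text):
    """Parse the constructed whitespace-separated log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, action, resource = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, ip, country, action, resource))
    return events

@dataclass
class Profile:
    """What 'normal' looks like for one Identity."""
    hours: Counter = field(default_factory=Counter)      # hour-of-day -> count
    ips: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    resources: set = field(default_factory=set)
    daily_reads: Counter = field(default_factory=Counter)  # date -> number of reads

    def mean_daily_reads(self):
        return sum(self.daily_reads.values()) / max(1, len(self.daily_reads))

def learn_baseline(events):
    """Build one Profile per user from historical activity."""
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e.user]
        p.hours[e.ts.hour] += 1
        p.ips.add(e.src_ip)
        p.countries.add(e.country)
        if e.action == "read":
            p.resources.add(e.resource)
            p.daily_reads[e.ts.date()] += 1
    return dict(profiles)

# Hypothetical weights and threshold; a real system would learn or tune these.
WEIGHTS = {"new_country": 3, "new_ip": 1, "unusual_hour": 2,
           "new_resource": 1, "volume_spike": 3}
ALERT_THRESHOLD = 4

def score_event(e, p):
    """Score one event against a profile; returns (score, list of reasons)."""
    reasons = []
    if e.country not in p.countries:
        reasons.append("new_country")
    if e.src_ip not in p.ips:
        reasons.append("new_ip")
    if e.ts.hour not in p.hours:
        reasons.append("unusual_hour")
    if e.action == "read" and e.resource not in p.resources:
        reasons.append("new_resource")
    return sum(WEIGHTS[r] for r in reasons), reasons

def analyze(new_events, profiles):
    """Return {user: (score, reasons)} only for users whose activity crosses the threshold.
    Per-user score = worst single event + a daily read-volume spike check (> 3x baseline)."""
    alerts = {}
    per_user = defaultdict(list)
    for e in new_events:
        per_user[e.user].append(e)
    for user, evs in per_user.items():
        p = profiles.get(user, Profile())   # unknown Identity: everything is new
        total, reasons = 0, set()
        for e in evs:
            s, r = score_event(e, p)
            total = max(total, s)
            reasons.update(r)
        reads_today = Counter(e.ts.date() for e in evs if e.action == "read")
        if reads_today and max(reads_today.values()) > 3 * p.mean_daily_reads():
            total += WEIGHTS["volume_spike"]
            reasons.add("volume_spike")
        if total >= ALERT_THRESHOLD:
            alerts[user] = (total, sorted(reasons))
    return alerts

if __name__ == "__main__":
    baseline = learn_baseline(parse_log(TRAINING_LOG))
    for user, (score, why) in analyze(parse_log(NEW_LOG), baseline).items():
        print(f"ALERT {user}: score={score} reasons={why}")
```

Run stand-alone it reports only alice (new country and source IP, an hour she has never worked, files she has never opened, and a read volume well above her daily average), while bob's identical-to-usual morning produces nothing, which is exactly the "report only what deviates from the habit" behavior the text attributes to UEBA. A correlation rule alone could not have flagged alice, because every individual action (a login, a file read) was something her role permits; it is the deviation from her own baseline that makes it suspicious.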
Technology designed by Net Studio on top of market-leading UEBA systems can extend and complement an IGA (Identity Governance and Administration) system by integrating it with the monitoring of actual IT activity, thereby enhancing both Security and Compliance.