Title slide with picture · 2017-09-07 · Internal Users are Now the Weakest Link –A determined...

HPE ArcSight User Behavior Analytics Manuel Gonzalez HPE SW Enterprise Security Sales Engineer HPE Protect Roadshow 2016 May 19, 2016

Page 1:

HPE ArcSight User Behavior Analytics

Manuel Gonzalez, HPE SW Enterprise Security Sales Engineer

HPE Protect Roadshow 2016, May 19, 2016

Page 2:

Content

SIEM vs Analytics

User Behavior Analytics (UBA) Overview

How HPE ArcSight UBA Does It

Demo

Q&A

Threat landscape

Page 3:

SIEM and Analytics: Conflict or Complementary?

Page 4:

Multiple types of solutions are emerging

[Figure: a map of solution types laid out along three axes: known patterns vs. unknown threats, automation vs. human investigation, and real-time vs. historical. Solution types placed on the map: Analytics, Hunt Tools, Visual Discovery, SIEM, Search.]

Page 5:

The Yin and Yang of SIEM and Analytics

[Figure: the capabilities Predict, Visualize, Search, Collect, Logging and Correlate split between Analytics and SIEM, applied across the Network, User, Application and Data layers.]

Page 6:

Internal Users are Now the Weakest Link

– A determined attacker will get in

– In 98% of all breaches investigated, evidence of the attacker's activity was available and contained in security log files (Verizon Data Breach Report)

– 83% of all data loss was via legitimate credentials (Verizon Data Breach Report; 100% according to Mandiant)

– The need for user analytics, per Gartner: “by 2018 over 25% of breaches will be detected by UBA technologies”

Page 7:

The Challenge: How to Detect and React Quickly

Security challenge
– Expanding data & scope
– Many credentials for each user

Attack vector
– Rogue users
– Compromised accounts

Page 8:

HPE User Behavior Analytics Explained

[Figure: UBA takes Identity, Activity (events & applications) and Access as inputs; its job is to learn normal and identify weird.]

– Risk scoring & prioritization
– Abnormal behavior detection
– Active monitoring of events
– Contextual visual investigation

Page 9:

Step 1: Calling out the abnormal behavior based on identity & behavior context

[Figure: identity context and behavior context feed detection of the abnormal, followed by risk scoring & prioritization and visualization. The figure also labels encrypted user information and decrypted user information.]

Behavior context:
– Peer outlier
– Event rarity
– Amount spike
– Frequency spike

Page 10:

Step 2: Define “normal” for that user and those like him

Learn what normal looks like; watch for deviations.

Profile each user’s normal behavior in each application and log source…
I. Transaction rates and frequency
II. Transaction types and processes
III. Transaction amounts (GB, $$)
IV. Sources of transactions (normal hosts, locations, IPs)

Over variable time increments…
I. Totals hourly/daily/weekly/monthly
II. Day of the week
III. Detect quick and low & slow attacks

And for others like him…
I. Peers: job function, location, manager, etc.

Page 11:

Step 3a: Detecting not “normal” for that user

[Figure: behavior profiles feed behavioral analysis (frequency spike, event rarity, amount spike); peer group profiles feed peer analysis (peer group comparison). Each triggered indicator is marked +1 towards the user's score.]

Outputs:
– Suspicious activities & transactions
– Suspicious account usage
– Suspicious system usage

Page 12:

Step 3b: detecting “not normal” by comparing to peers

Peer group analysis
– Logically group users based on roles and responsibilities
– Detect anomalous behavior of a user compared to peers
– Statistical calculation of peer cohesiveness
– Risk associated with outliers increases with peer cohesiveness

Outlier classification: ranges from low risk to high risk

Example user profile shown on the slide: Jane Doe – Division: SECURITIES OPS; JobKey: 30003509; Dept.: INVESTMENT MGMT; Manager: J.Smith; Title: SECOND VP

Cohesiveness values shown for her peer groupings: 97%, 92%, 80%, 60%, 75%

Page 13:

Step 4: Identify highest risk users through risk scoring and prioritization

Static risk (Criticality)
• Based on risk assessments
• Critical assets, applications such as mainframes and resources
• High risk access permissions and user groups

Dynamic risk (Derived)
• Based on the degree of outlierness such as:
  • Policy violation
  • Suspicious behavior
  • Peer comparison

Identity risk (Risk boosters)
• Employee type such as contractor and 3rd party vendor
• Flight risk and exit users
• Bad performance reviews, demotion – HR data

Output: highest risk users

Preserving privacy through encryption
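Steps 2 to 4 above, carried through end to end in Python as an added example. This is illustrative code written for this transcript, not HPE ArcSight UBA's implementation. The users, departments, baseline volumes and application sets are constructed sample data; the 3-sigma spike threshold, the contractor risk booster, the "+1 per indicator" dynamic score and the cohesiveness formula (1 minus the coefficient of variation of the peers' values, clipped to [0, 1]) are all assumptions. It shows why a per-user profile matters (a backup operator's heavy transfers are normal for him), why a peer outlier from a tight group scores higher than one from a scattered group, and how static, dynamic and identity risk combine into a ranked list.

```python
"""Toy UBA pipeline: profile normal, detect deviations, score and rank risk.

Constructed illustration, not HPE ArcSight UBA code. Every threshold, weight,
the cohesiveness formula and the sample users are assumptions.
"""
from statistics import mean, pstdev

# Constructed sample data: daily outbound transfer volume (GB) per user over a
# 7-day baseline, the applications each user normally touches, and the
# identity context (department = peer group, employee type, static criticality).
BASELINE_GB = {
    "jdoe":   [1.0, 1.2, 0.9, 1.1, 1.0, 1.3, 0.8],
    "asmith": [1.1, 0.9, 1.0, 1.2, 1.1, 1.0, 0.9],
    "bjones": [0.8, 1.0, 1.1, 0.9, 1.2, 1.0, 1.0],
    "dlee":   [1.0, 0.9, 0.8, 1.1, 1.0, 0.9, 1.2],
    "cwu":    [5.0, 4.0, 6.0, 5.5, 4.5, 5.0, 6.5],  # backup operator: heavy but normal
}
BASELINE_APPS = {
    "jdoe": {"portfolio", "email"}, "asmith": {"portfolio", "email"},
    "bjones": {"portfolio", "email"}, "dlee": {"portfolio"},
    "cwu": {"backup-console", "sftp"},
}
DEPT = {"jdoe": "INVESTMENT MGMT", "asmith": "INVESTMENT MGMT",
        "bjones": "INVESTMENT MGMT", "dlee": "INVESTMENT MGMT", "cwu": "IT OPS"}
CONTRACTOR = {"jdoe": True, "asmith": False, "bjones": False, "dlee": False, "cwu": False}
STATIC_RISK = {"jdoe": 2, "asmith": 2, "bjones": 1, "dlee": 1, "cwu": 3}  # assumed criticality

# Constructed "today": jdoe moves 9 GB and uses sftp for the first time.
TODAY_GB = {"jdoe": 9.0, "asmith": 1.0, "bjones": 1.1, "dlee": 0.9, "cwu": 5.5}
TODAY_APPS = {"jdoe": {"portfolio", "email", "sftp"}, "asmith": {"email"},
              "bjones": {"portfolio"}, "dlee": {"portfolio"}, "cwu": {"backup-console"}}

Z_THRESHOLD = 3.0       # assumption: more than 3 standard deviations counts as a spike
SIGMA_FLOOR = 0.1       # assumption: avoids dividing by ~0 on very flat baselines
CONTRACTOR_BOOST = 1.5  # assumption: identity risk booster for 3rd-party staff


def zscore(value, values):
    """Standard score of value against a reference sample."""
    return (value - mean(values)) / max(pstdev(values), SIGMA_FLOOR)


def amount_spike(user, today_gb=TODAY_GB):
    """Steps 2/3a: today's amount versus the user's own profiled baseline."""
    return zscore(today_gb[user], BASELINE_GB[user]) > Z_THRESHOLD


def event_rarity(user, today_apps=TODAY_APPS):
    """Step 3a: applications the user never used during the baseline window."""
    return today_apps[user] - BASELINE_APPS[user]


def peer_cohesiveness(values):
    """Step 3b: 1 - coefficient of variation, clipped to [0, 1] (assumed formula).
    A tight peer group scores near 1, a scattered one near 0."""
    if len(values) < 2 or mean(values) == 0:
        return 0.0
    return max(0.0, 1.0 - pstdev(values) / mean(values))


def peer_outlier(user, today_gb=TODAY_GB):
    """Step 3b: risk contribution for deviating from same-department peers today.
    Returns 0.0 when there are fewer than two peers (nobody to be an outlier of)
    or no deviation; otherwise the cohesiveness weight, so outliers from tight
    groups score higher than outliers from scattered ones."""
    peers = [today_gb[u] for u in today_gb if u != user and DEPT[u] == DEPT[user]]
    if len(peers) < 2 or zscore(today_gb[user], peers) <= Z_THRESHOLD:
        return 0.0
    return peer_cohesiveness(peers)


def risk_score(user):
    """Step 4: static criticality + dynamic indicators, boosted by identity context.
    Returns (score, dict of triggered indicators) so an analyst can see the why."""
    indicators = {}
    if amount_spike(user):
        indicators["amount_spike"] = 1.0
    if event_rarity(user):
        indicators["event_rarity"] = 1.0
    peer = peer_outlier(user)
    if peer:
        indicators["peer_outlier"] = peer
    dynamic = sum(indicators.values())
    booster = CONTRACTOR_BOOST if CONTRACTOR[user] else 1.0
    return STATIC_RISK[user] + dynamic * booster, indicators


def rank_users():
    """Step 4 output: users ordered from highest to lowest risk score."""
    scores = {u: risk_score(u)[0] for u in TODAY_GB}
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    for u in rank_users():
        score, why = risk_score(u)
        print(f"{u:8s} risk={score:5.2f} {why}")
```

Running it ranks jdoe first (amount spike, first-time sftp use, and a peer outlier in a cohesive group, all boosted by contractor status), while cwu's 5.5 GB day is scored only on his static criticality because it sits inside his own baseline and he has no peers to be compared against.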

Page 14:

Step 5: Investigate highest risk users via Link Analysis

– Graphical interface to perform link analysis
– Ability to drill down and investigate events and people of interest & cross-entity association

Page 15:

HPE UBA Integration with ArcSight

[Figure: integration flow numbered 1–6 between HP UBA, ESM, Identity & Access sources, Logger and Connectors, with two CEF Connectors and an Integration Command.]

Page 16:

Demo – HPE UBA Frequency Spikes

Page 17:

Page 18:

What value does UBA bring to our customers?

– 5-1 ROI impact
– Prioritization of high risk users
– Investigation efficiency & visualization
– Faster event resolution
– Find the malicious user

Page 19:

Questions?

Page 20:

Thank you!