Title slide with picture · 2017-09-07 · Internal Users are Now the Weakest Link –A determined...
HPE ArcSight User Behavior Analytics
Manuel Gonzalez, HPE SW Enterprise Security, Sales Engineer
HPE Protect Roadshow 2016, May 19, 2016
Content
SIEM vs Analytics
User Behavior Analytics (UBA) Overview
How HPE ArcSight UBA Does It
Demo
Q&A
Threat landscape
SIEM and Analytics: Conflict or Complementary?
Multiple types of solutions are emerging
[Figure: SIEM (known patterns, automation, real-time; collect, logging, correlate, search) alongside analytics and hunt tools (unknown threats, historical, visual discovery, human investigation; predict, visualize), spanning network, user, application and data.]
The Yin and Yang of SIEM and Analytics
Internal Users are Now the Weakest Link
– A determined attacker will get in
– In 98% of all breaches investigated, evidence of the attacker's activity was available and contained in security log files (Verizon Data Breach Report)
– 83% of all data loss was via legitimate credentials (Verizon Data Breach Report, 100% Mandiant)
– The need for User Analytics. Gartner: “by 2018 over 25% of breaches will be detected by UBA technologies”
The Challenge: How to Detect and React Quickly
Security challenge: expanding data & scope; many credentials for each user
Attack vector: rogue users; compromised accounts
HPE User Behavior Analytics Explained
[Figure: UBA takes Identity, Activity (Events & Applications) and Access as inputs; it learns normal and identifies the weird through Active Monitoring of Events, Abnormal Behavior Detection, Risk Scoring & Prioritization and Contextual Visual Investigation.]
Step 1: Calling out the abnormal behavior based on identity & behavior context
[Figure: Identity context and Behavior context feed Detecting the abnormal, then Risk scoring & prioritization and Visualization; user information is held encrypted, with a decrypted view for investigation.]
– Learn what normal looks like, then watch for deviations
– Detection types: Peer outlier, Event rarity, Amount spike, Frequency spike
Step 2: Define “normal” for that user and those like him
Profile each user’s normal behavior in each application and log source…
I. Transaction Rates and Frequency
II. Transaction Types and Processes
III. Transaction Amounts (GB, $$)
IV. Sources of transactions (normal hosts, locations, IPs)
Over variable time increments…
I. Totals hourly/daily/weekly/monthly
II. Day of the week
III. Detect quick and low & slow attacks
And for others like him…
I. Peers: Job function, location, manager, etc.
Step 3a: Detecting not “normal” for that user
[Figure: Behavior profiles drive Behavioral analysis (Frequency spike, Event rarity, Amount spike) and Peer group profiles drive Peer analysis (Peer group comparison); each finding is marked +1 and rolled up into Suspicious activities & transactions, Suspicious account usage and Suspicious system usage.]
Step 3b: detecting “not normal” by comparing to peers
Peer group analysis
– Logically group users based on roles and responsibilities
– Detect anomalous behavior of a user compared to peers
Outlier classification
– Statistical calculation of peer cohesiveness
– Risk associated with outliers increases with peer cohesiveness (low risk to high risk)
[Figure: example profile for Jane Doe (Division: SECURITIES OPS; JobKey: 30003509; Dept.: INVESTMENT MGMT; Manager: J.Smith; Title: SECOND VP) with peer cohesiveness values 97%, 92%, 80%, 60% and 75%.]
Step 4: Identify highest risk users through risk scoring and prioritization
Static risk (Criticality)
• Based on risk assessments
• Critical assets, applications such as mainframes and resources
• High risk access permissions and user groups
Dynamic risk (Derived)
• Based on the degree of outlierness such as:
  • Policy violation
  • Suspicious behavior
  • Peer comparison
Identity risk (Risk boosters)
• Employee type such as contractor and 3rd party vendor
• Flight risk and exit users
• Bad performance reviews, demotion – HR data
Result: highest risk users, preserving privacy through encryption
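The scoring logic of Steps 2 to 4, as an added worked example (not HPE ArcSight UBA code): it learns each user's daily baseline from constructed activity totals, flags frequency spikes, event rarity and peer outliers, then adds static criticality and identity boosters. The user names, department, thresholds (z = 3 for spikes, 2x the peer mean) and the +1 per finding are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed daily activity totals (user, dept, day, event_type, count); names and counts are made up.
HISTORY = (
    [("jdoe", "INVESTMENT MGMT", d, "file_download", c)
     for d, c in enumerate([20, 22, 19, 21, 18, 23, 20])]
    + [("jdoe", "INVESTMENT MGMT", d, "login", 2) for d in range(7)]
    + [("asmith", "INVESTMENT MGMT", d, "file_download", c)
       for d, c in enumerate([25, 24, 26, 23, 25, 24, 26])]
    + [("bwong", "INVESTMENT MGMT", d, "file_download", c)
       for d, c in enumerate([18, 20, 19, 21, 20, 19, 18])]
)

def build_profiles(history):
    """Step 2: learn 'normal' as each user's per-event-type daily totals."""
    profiles = defaultdict(lambda: defaultdict(list))
    dept = {}
    for user, department, _day, etype, count in history:
        profiles[user][etype].append(count)
        dept[user] = department
    return profiles, dept

def frequency_spike(samples, today, z=3.0):
    """Step 3a: today's count exceeds the user's own mean + z * stdev (assumed z)."""
    sd = pstdev(samples) or 1.0          # flat history: fall back to 1 event
    return today > mean(samples) + z * sd

def event_rarity(profile, etype):
    """Step 3a: an event type this user has never produced before."""
    return etype not in profile

def peer_outlier(profiles, dept, user, etype, today, factor=2.0):
    """Step 3b: today's count vs. the typical daily mean of same-dept peers."""
    peers = [u for u in profiles
             if u != user and dept[u] == dept[user] and etype in profiles[u]]
    if not peers:                        # no peer baseline: cannot judge
        return False
    return today > factor * mean(mean(profiles[u][etype]) for u in peers)

def score_user(profiles, dept, user, today, static_risk=0, boosters=()):
    """Step 4: static criticality + dynamic outlierness (+1 per finding) + boosters."""
    prof, dynamic = profiles[user], 0
    for etype, count in today.items():
        if event_rarity(prof, etype):
            dynamic += 1
        elif frequency_spike(prof[etype], count):
            dynamic += 1
        if peer_outlier(profiles, dept, user, etype, count):
            dynamic += 1
    return static_risk + dynamic + len(boosters)
```

A day of 120 downloads plus a never-seen event type for a contractor on a critical system scores far above that user's ordinary day, which is what the prioritization step sorts on.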
Step 5: Investigate highest risk users via Link Analysis
– Graphical interface to perform link analysis
– Ability to drill down and investigate events and people of interest & cross-entity association
HPE UBA Integration with ArcSight
[Figure: six-step integration flow between HPE UBA, ESM, Logger, Identity & Access and Connectors, using CEF Connectors and an Integration Command.]
Demo – HPE UBA Frequency Spikes
What value does UBA bring to our customers?
– 5-1 ROI impact
– Prioritization of high risk users
– Investigation efficiency & visualization
– Faster event resolution
– Find the malicious user
Questions?
Thank You!