To catch malicious insiders and compromised-account actors as early as possible, you can't wait around for a single unambiguous smoking gun to pop up on your SIEM.
You have to actively engage in threat hunting and user behavior analytics. This is where your analytics technology looks at all available activity feeds from your SIEM and elsewhere and builds a baseline of what's “normal” for each endpoint and user. Here's a table of some of the data sources to consider and the individual risk indicators, each of which should be scored on its own.
| Indicator | Source |
|---|---|
| 1. Logons to new or unusual systems<br>2. New or unusual logon session type<br>3. Unusual time of day<br>4. Unusual geolocation<br>5. Unlikely velocity<br>6. Shared account usage<br>7. Privileged account usage | Workstations, servers, databases, applications, cloud apps, VPNs, wireless access points, CASB solutions |
| 8. Unusual program execution<br>9. New program execution | Workstations |
| 10. High volume file access<br>11. Unusual file access patterns<br>12. Cloud-based file sharing uploads | File servers, SharePoint, cloud-based file sharing apps |
| 13. New IP addresses<br>14. Bad reputation addresses<br>15. Unusual DNS queries<br>16. Bandwidth usage<br>17. Unusual or suspicious application usage<br>18. Dark outbound network connections<br>19. Possible command and control connections | Gateway, NIDS, next-gen firewalls |
| 20. Building entry and exits | Badge readers |
| 21. High volume printing activity<br>22. Unusual time period printing | Printers and OS print queues |
| 23. Endpoint indicators of compromise | Endpoint security technology like Bit9+CarbonBlack |
| 24. Sensitive table access | Database audit logs or solutions like Imperva |
| 25. Compare sensitive data movement combined with other risk indicators | Data Loss Prevention |
Obviously, none of these indicators are new or unique. You might already have a number of them popping up on your SIEM dashboard right now. But your analysts never have time to chase down each anomaly individually.
You need to be able to look across all this data, correlate it by user and serialize the events into sessions. Then create an additive, aggregate risk score for each user. Finally, surface those users to an analyst and visually present all the context you have about each one: organizational, identity and tactical data such as the user's job title, department and manager, so that the analyst can instantly consider the user's behavior in the context of their role in the organization. Allow the analyst to compare that user's behavior against the “normal” baseline for all users in his or her peer group.
If you can see all of the user's activity from disparate systems represented as a coherent session, it's much easier and faster to make an accurate judgement about whether the cluster of anomalies is nefarious or innocent.
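The sessionize-score-rank pipeline described above, as an added illustration that is not part of the original page or of any vendor's product. The events, per-user baselines, peer threshold and point values are all constructed for the example; a real deployment would learn the baselines from weeks of history and tune the weights.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data) normalized from several sources:
# (user, timestamp, system, logon country, files touched)
EVENTS = [
    ("alice", "2024-03-04T09:02:00", "WS-ALICE", "US", 3),
    ("alice", "2024-03-04T09:40:00", "FS01", "US", 12),
    ("alice", "2024-03-06T02:15:00", "VPN-GW", "RO", 0),
    ("alice", "2024-03-06T02:30:00", "FS-HR", "RO", 900),
    ("bob", "2024-03-04T10:00:00", "WS-BOB", "US", 5),
]
# Per-user baseline learned from earlier "normal" activity (constructed values).
BASELINE = {
    "alice": {"hosts": {"WS-ALICE", "FS01"}, "geos": {"US"}, "hours": range(7, 20), "files": 50},
    "bob": {"hosts": {"WS-BOB"}, "geos": {"US"}, "hours": range(7, 20), "files": 40},
}
PEER_FILES = 100  # constructed peer-group baseline for files touched per session

def sessionize(events, gap=timedelta(hours=4)):
    """Group each user's events, in time order, into sessions split by idle gaps > gap."""
    sessions = defaultdict(list)  # user -> list of sessions (each a list of events)
    for user, ts, host, geo, files in sorted(events, key=lambda e: e[1]):
        ev = {"dt": datetime.fromisoformat(ts), "host": host, "geo": geo, "files": files}
        runs = sessions[user]
        if runs and ev["dt"] - runs[-1][-1]["dt"] <= gap:
            runs[-1].append(ev)
        else:
            runs.append([ev])
    return sessions

def score_session(user, evs):
    """Additive score over a few of the page's indicators; returns (points, reasons)."""
    b, reasons = BASELINE[user], []
    new_hosts = {e["host"] for e in evs} - b["hosts"]
    if new_hosts:  # 1. logons to new or unusual systems
        reasons.append((20, f"new systems {sorted(new_hosts)}"))
    if any(e["dt"].hour not in b["hours"] for e in evs):  # 3. unusual time of day
        reasons.append((10, "off-hours activity"))
    new_geos = {e["geo"] for e in evs} - b["geos"]
    if new_geos:  # 4. unusual geolocation
        reasons.append((25, f"new geolocation {sorted(new_geos)}"))
    files = sum(e["files"] for e in evs)
    if files > b["files"]:  # 10. high-volume file access vs. the user's own baseline
        reasons.append((15, f"{files} files vs baseline {b['files']}"))
    if files > PEER_FILES:  # ...and vs. the peer-group baseline
        reasons.append((15, f"{files} files vs peer baseline {PEER_FILES}"))
    return sum(p for p, _ in reasons), [r for _, r in reasons]

def rank_users(events):  # aggregate per user so the riskiest users surface first
    totals = {u: sum(score_session(u, s)[0] for s in runs) for u, runs in sessionize(events).items()}
    return sorted(totals.items(), key=lambda kv: -kv[1])
```

Alice's second session trips four indicators at once and scores 85, while her first session and Bob's score 0; none of the individual anomalies would have justified an alert on its own.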
In this real training for free ™ event we will dive into user behavior analytics and show you how those 25 indicators and others can be combined to accomplish this. We'll talk about what you can do on your own and with most SIEMs. I'll look at how to enrich event data with identity information from AD and HR. Exabeam is my sponsor and I'll also briefly show you Exabeam's behavior based security intelligence solution that consumes data from your SIEM and other security products and combines it with information extracted from your directory and HR systems.
Threat hunting is the applied, proactive methodology that I think we've been missing in SOC operations. And user behavior analytics is the technology that focuses on the actor and combines
- dynamic event streams
- static identity information
- baselines for the individual and peer groups
Don't miss this real training for free ™ event. Please register now.