Friday, September 29, 2017
User behavior related work
User behavior related work
Many enterprises already recognized the importance of protecting against various threats that anti viruses cant predict but also the high probability of inside-out threats that pass undetected. Event if a threat is detected, most organizations arent equipped to respond effectively. Because of that, different user behavior based security software has been built and usually named under a general term User and entity behavior analytics (UEBA) software. It can be defined as: "Analysis of the behaviors of organizations employees, outsiders connected to their networks (such as third party contractors) and flagging security vulnerabilities across organizations assets that hold sensitive data.".
The difference between UEBA and the rest of the similar security software is that it usually can quickly identify a threat or an exploitable asset and then take action to remediate security risks across the entire infrastructure. Here Ill list a few examples of some software for different purposes that offer such features.
SentinelOne
Software that can be deployed across Windows, OS X and Linux endpoints along with Linux Ubuntu management server. They offer:
- monitoring kernel and user space (files, processes, system calls, memory, registry, network etc.). More details can be found in their technical brief.
- rapidly eliminating threat by killing malicious processes, rolling back manipulated files, disconnecting compromised devices,
- real-time attack forensic analysis.
Platform that seems to be supporting Windows OS only. They offer:
- monitoring following data sources: VPN, FW, IPS/IDS, web proxy, email logs,� packets, DNS logs, Active Directory logs, �DHCP logs,
- detecting privilege escalation, credential violations, internal reconnaissance, lateral movement, abnormal access to high value resources, command and control, exfiltration,
- alerts classified by severity and attack stage.
Platform that supports Windows & NAS, Exchange, Active Directory, SharePoint, UNIX/Linux, Office 365. Mostly offers detecting security gaps and insider threats by tracking changes to important configuration files, access to sensitive files, malware, privilege escalations, access denied events and more. Also includes:
- monitoring files and emails,
- full visibility on permissions (folder, mailbox, sharepoint),
- real-time alerts and comprehensive auditing.
Platform contains their own implementation of syslog-ng log management solution but doesnt offer much information about the data sources. Their technical documentation can be found here, and the features they offer include:
- analyzing biometric information (typing style or typical mouse movements),
- automatic notifications based on top suspicious activities.
This solution helps in protecting online banking sites against account takeover, fraudulent transactions, and can detect end user devices infected with high risk malware. It includes:
- analyzing biometric information (subtle mouse movements and clicks),
- possible integration with mobile devices for analysis of malware infections, root and jailbroken information, accurate geolocation and Wi-Fi security status.
- protection of web browser sessions to prevent tampering of customer transactions,
- prevention of phishing attacks, malware infections and removal of existing malware,
- protection against phishing of login credentials and payment card data.
This threat analytics platform offers insight into endpoints, applications, devices and users. Its benefits are:
- identifying and predicting malicious insiders and comprised accounts
- detecting and blocking fraud by proactively alerting on anomalous behaviors,
- real-time contextual view of attacks and detailed reports
download file now
