HP ArcSight User Behavior Analytics


Insider Threat: HP ArcSight User Behavior Analytics. Application Misuse, Sensitive Data Access. Hakan Durgut, ArcSight Specialist, Nordics/Baltics

The insider threat challenge

IT security focus is on the external cyber threats: advanced persistent threats, research and infiltration, denial-of-service attacks, web hacking. (Diagram: from their ecosystem the attacker discovers and captures; from our enterprise the data is exfiltrated.)

However, this might be just the tip of the iceberg.

Your VP of Sales just resigned and took a position at your biggest competitor. Did you remember to examine his Salesforce.com activity to see whether he downloaded your entire customer database and purchase history? And if you did, and found the obvious, how would it help?

And it is not just about sales. All of these have happened:
- Research scientist stealing design secrets: Yonggang "Gary" Min stole thousands of design documents from DuPont after signing up with a competitor and before giving notice.
- Soldier leaking hundreds of thousands of classified documents: PFC Bradley Manning (U.S. Army) leaked them to WikiLeaks.
- Marketing executive taking blueprints with him: Ross Klein stole Starwood's W lifestyle hotel brand blueprint information when defecting to Hilton.

The challenge: the security landscape is evolving and organizations must react.
- In recent breaches (Sony, NSA, Target) a user was always involved or exploited.
- Threats are evolving and becoming more complex.
- Attacks are carried out with legitimate access; organizations lack the context to tell when an account is used legitimately and when it is not.
- Data and scope are expanding.
- It is a challenge to find and retain security analytics teams.

Insider threat is a complex challenge:
- Inherent trust in employees
- Abuse of granted privileges
- No hack to detect

Introducing HP ArcSight User Behavior Analytics

HP ArcSight vision: multi-vector cyber defense across Network, Data, User and Application.

HP ArcSight platform (diagram):
- Use cases: risk and impact based
- Sources: internal and external security intelligence
- Automation: productivity multiplier
- Analytics = discovery; SIEM = active monitoring
- Analytics modules: Network Analytics, User Behavior Analytics, Application Analytics, Data Analytics
- World's premier correlation engine: powerful and flexible; use case library and Marketplace

Introducing HP User Behavior Analytics: user intelligence, delivered.
Data sources: database queries, users and roles, USB, files saved, events, directories, accounts, VPN logins, files accessed, emails sent, applications, screen prints, web surfing, hosted apps.
Capabilities:
- Identify misuse of credentials
- Detect anomalous behavior versus peers
- Recognize risky users and resources
- Perform user-focused investigation

What threats is HP User Behavior Analytics targeting?
Insider threat (misuse of legitimate credentials): trusted entities (employees, contractors, partners) having (high-risk) access to internal data, who misuse access and credentials, know the value of the data, and are aware of internal security controls. UBA identifies emerging threats via anomalous behavior versus peers.
Advanced persistent threat: sophisticated attackers operating inside the network, fast-morphing, resident and resilient, having compromised valid accounts, who target high-privileged access and confidential information. UBA identifies complex threats via anomalous behavior versus the historical record and syndication of network, user and perimeter data.

Insider threats, and threats masquerading as insiders, pose new challenges and drive the need for new capabilities:
- Identity context
- Behavior context
- Ability to detect the abnormal
- Risk scoring and prioritization
- Visualization and investigation

Insider threat detection techniques (diagram): peer analysis (peer group profiles, peer group comparison) and behavior analysis (behavior profiles, frequency spike, amount spike, event rarity) each add +1 to a risk score, and together surface suspicious activities and transactions, suspicious account usage and suspicious system usage.

Key techniques and approach:
#1 Entity correlation and enrichment >> Context
#2 Behavior and peer group profiling >> The normal
#3 Anomaly detection >> The abnormal
#4 Classify, score and visualize, investigate >> Actionable

A couple of examples of behavior- and peer-based detection, each walked through the four steps above.

Example A: unusual activity (suspicious database access)
1) Entity correlation and enrichment: poor HR review, upcoming termination; database username to identity correlation; multiple user names to identity correlation.
2) Behavior and peer profiling: user profile of frequency and time of DB access; user/peer profile of common database commands; user/peer profile of normal volume of database files accessed and removed.
3) Anomaly detection: behavior: monthly increase in DB access; peer: anomalous DB command (clear logs, wire transfer, select *); anomalous DB access activity.
4) Classify, score and visualize, investigate: toxic combination, amplify risk score; trace user activity on separate systems and accounts.

Example B: inappropriate activity (anomalous peer-based high-privileged account (HPA) activity)
1) Entity correlation and enrichment: high-privileged account to identity correlation; user name to identity correlation.
2) Behavior and peer profiling: user profile of normal privileged account activities; peer profile of normal privileged account activities.
3) Anomaly detection: peer: anomalous high-privileged account entitlement and commands.
4) Classify, score and visualize, investigate: prioritize privileged account violations, three-strike rules, multiple indicators; visualize user association with privileged accounts.

Example C: unusual transaction (never-before-seen IP address)
1) Entity correlation and enrichment: IP address to user mapping; user IP to threat intelligence feeds.
2) Behavior and peer profiling: user profile of normal IP addresses accessed; user profile of normal VPN geo-locations and times.
3) Anomaly detection: behavior: never-before-seen IP address, VPN geo-location.
4) Classify, score and visualize, investigate: investigate compromised account, IP associated with other users; identify activities associated with the account after compromise.
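Steps 1 and 4 of Example A (resolving several account names to one identity, enriching with HR and threat-intelligence context, then amplifying the score for a toxic combination and applying a three-strike rule) can be shown end to end on a handful of log records. The following is an added example written for this page; it is not HP ArcSight UBA code. The alias directory, HR feed, threat-intel list, events, weights and the 1.5x amplification factor are all constructed for illustration.

```python
"""Entity correlation, enrichment and toxic-combination risk scoring.

Added example, not HP ArcSight UBA code. The alias directory, HR feed,
threat-intel list, event log, weights and 1.5x amplification are all
constructed for illustration.
"""
from collections import defaultdict

# Constructed identity directory: every alias (AD user, DB login,
# privileged account) resolves to one person.
ALIASES = {
    "john.doe": "EMP-1001", "jdoe_db": "EMP-1001", "ora_admin07": "EMP-1001",
    "alice.smith": "EMP-1002", "asmith_db": "EMP-1002",
}
PRIVILEGED_ACCOUNTS = {"ora_admin07"}

# Constructed HR enrichment feed and threat-intelligence IP list.
HR_CONTEXT = {
    "EMP-1001": {"upcoming_termination": True, "poor_review": True},
    "EMP-1002": {"upcoming_termination": False, "poor_review": False},
}
BAD_IPS = {"203.0.113.9"}

# Constructed events: (log source, account, source IP, action).
EVENTS = [
    ("vpn", "john.doe", "203.0.113.9", "login"),
    ("db", "jdoe_db", "10.12.132.1", "SELECT * FROM customers"),
    ("db", "ora_admin07", "10.12.132.1", "DELETE FROM audit_log"),
    ("db", "asmith_db", "10.12.132.5", "SELECT id FROM orders WHERE id = 42"),
]

# Hypothetical indicator weights; a toxic combination (HR flag plus a
# data-access indicator) multiplies the total instead of adding to it.
WEIGHTS = {"threat_intel_ip": 20, "bulk_select": 15, "log_clearing": 25,
           "privileged_use": 10, "hr_flag": 10}
DATA_ACCESS = {"bulk_select", "log_clearing"}
TOXIC_MULTIPLIER = 1.5
STRIKES = 3  # "three strike" rule: this many distinct indicators marks priority


def resolve_identity(account):
    """Step 1: account name -> identity (unknown accounts stay visible, not dropped)."""
    return ALIASES.get(account, "UNKNOWN:" + account)


def classify_db_action(sql):
    """Tag database commands the peer profile would call anomalous."""
    s = " ".join(sql.upper().split())
    if s.startswith("SELECT * FROM"):
        return "bulk_select"
    if s.startswith("DELETE FROM AUDIT") or s.startswith("TRUNCATE"):
        return "log_clearing"
    return None


def correlate(events):
    """Fold raw events from several sources into one indicator set per identity."""
    indicators = defaultdict(set, {ident: set() for ident in HR_CONTEXT})
    for source, account, ip, action in events:
        ident = resolve_identity(account)
        if ip in BAD_IPS:
            indicators[ident].add("threat_intel_ip")
        if account in PRIVILEGED_ACCOUNTS:
            indicators[ident].add("privileged_use")
        kind = classify_db_action(action) if source == "db" else None
        if kind:
            indicators[ident].add(kind)
    for ident, hr in HR_CONTEXT.items():
        if hr["upcoming_termination"] or hr["poor_review"]:
            indicators[ident].add("hr_flag")
    return dict(indicators)


def score(indicator_set):
    """Step 4: weighted sum, amplified when HR context and data access combine."""
    total = sum(WEIGHTS[i] for i in indicator_set)
    if "hr_flag" in indicator_set and indicator_set & DATA_ACCESS:
        total *= TOXIC_MULTIPLIER
    return round(total)


def rank(events):
    """Identities ordered by risk: (score, identity, priority, sorted indicators)."""
    rows = [(score(inds), ident, len(inds) >= STRIKES, sorted(inds))
            for ident, inds in correlate(events).items()]
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    for row in rank(EVENTS):
        print(row)
```

The point of resolving aliases first is that none of the individual records is alarming on its own: a VPN login, a bulk query and an audit-log delete arrive from three different account names and three different log sources. Only after they fold into one identity, and the HR feed adds upcoming termination, does the multiplier and the strike count push that identity to the top of the queue.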

Behavior anomaly detection, frequency spike example:
1. Establish a behavior baseline using historical data.
2. Detect anomalous behavior compared to the baseline profile.
(Diagram: the user behavior profile is built over time slices: daily, weekly, monthly, day of the week, time of day, holidays, weekend; it tracks activity frequency, transaction amounts, network sources and threats. Sample suspicious activity record: user john.doe, 10/10/2014 12:03:20, IP address 10.12.132.1, activity "Reset password".)
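The two steps above, with the peer-group comparison from the detection-techniques slide, as an added example that is not part of the original deck and not HP ArcSight UBA code. The event log (four weeks of database queries by three hypothetical peers, then a 40-query day for john.doe), the time slices, and the threshold of three standard deviations with a one-query floor are all constructed for illustration.

```python
"""Behavior-baseline frequency-spike detection with peer comparison.

Added example, not HP ArcSight UBA code. Event log, user names and the
thresholds (k = 3 standard deviations, 1-query floor) are constructed.
"""
import statistics
from collections import defaultdict
from datetime import date, datetime, timedelta


def time_slice(ts):
    """Profile slice a timestamp falls in: (day type, hours band)."""
    day = "weekend" if ts.weekday() >= 5 else "weekday"
    hours = "business" if 8 <= ts.hour < 18 else "off-hours"
    return (day, hours)


def build_events():
    """Constructed sample: four weeks of database queries by three peers
    (weekdays: 5/4/6 per day, weekends: 1), then a 40-query day for john.doe."""
    events = []
    start = datetime(2014, 9, 8)  # a Monday
    rates = {"john.doe": 5, "alice.smith": 4, "bob.lee": 6}
    for d in range(28):
        day = start + timedelta(days=d)
        for user, n in rates.items():
            for i in range(n if day.weekday() < 5 else 1):
                events.append((day.replace(hour=9 + i), user, "db_query"))
    spike_day = datetime(2014, 10, 10)  # a Friday
    for i in range(40):
        events.append((spike_day.replace(hour=9 + i % 8), "john.doe", "db_query"))
    return events


def daily_counts(events):
    """{(user, slice): {date: number of events on that date}}"""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, _ in events:
        counts[(user, time_slice(ts))][ts.date()] += 1
    return counts


def baseline(counts, user, slc, before):
    """Step 1: mean and population stdev of daily counts strictly before `before`."""
    hist = [c for d, c in counts.get((user, slc), {}).items() if d < before]
    if not hist:
        return 0.0, 0.0, 0
    return statistics.mean(hist), statistics.pstdev(hist), len(hist)


def detect(events, user, peers, eval_day, k=3.0, floor=1.0):
    """Step 2: flag a frequency spike versus the user's own baseline and versus peers.

    eval_day is an ISO date string; the business-hours slice of that day is scored."""
    when = date.fromisoformat(eval_day)
    slc = time_slice(datetime(when.year, when.month, when.day, 9))
    counts = daily_counts(events)
    observed = counts.get((user, slc), {}).get(when, 0)
    mean, sd, days = baseline(counts, user, slc, when)
    peer_means = [baseline(counts, p, slc, when)[0] for p in peers]
    pm, psd = statistics.mean(peer_means), statistics.pstdev(peer_means)
    return {
        "observed": observed,
        "baseline_mean": mean, "baseline_days": days,
        "behavior_spike": observed > mean + k * max(sd, floor),
        "peer_mean": pm,
        "peer_spike": observed > pm + k * max(psd, floor),
    }


if __name__ == "__main__":
    print(detect(build_events(), "john.doe", ["alice.smith", "bob.lee"], "2014-10-10"))
```

Two details matter in practice. The baseline excludes the day being scored, otherwise a sustained spike pulls its own mean upward and hides itself; and the stdev floor stops a user with a perfectly regular history (stdev 0) from being flagged for a single extra query. Slicing by day type and hours band is what keeps a normal Monday morning from being compared against a Sunday night.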

Event rarity (never seen before): detects suspicious accounts, transactions and IP addresses/host names observed on a system for the first time. Assigns a confidence factor, in the form of a risk score, based on the aging factor of the system, its activities and its accounts. (Diagram: monitoring of a system begins in January; a new account, new activity or new network address first seen on the 10th of each following month, through August, carries a risk score that climbs from 0% toward 100% as the system's observed history ages.)
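The aging idea from the diagram, as an added example that is not HP ArcSight UBA code: a "first time seen" finding is only as trustworthy as the history behind it, so the same new network address is nearly noise in the first weeks of monitoring and a full-score alert once the system has been watched long enough. The log format, the 180-day learning period and the linear ramp are assumptions made for the example.

```python
"""Event rarity ("never seen before") scoring with an aging-based confidence factor.

Added example, not HP ArcSight UBA code. The log format, the 180-day
learning period and the linear ramp are assumptions for illustration.
"""
from datetime import date

RAMP_DAYS = 180  # hypothetical learning period; risk reaches 100% after this

# Constructed log lines: "YYYY-MM-DD system account activity src_ip".
SAMPLE_LOG = """
2015-01-10 ora1 ora_admin07 login 10.12.132.1
2015-02-10 ora1 ora_admin07 login 10.12.132.1
2015-03-10 ora1 ora_admin07 export_table 10.12.132.1
2015-05-10 ora1 jdoe_db login 10.12.132.1
2015-08-10 ora1 ora_admin07 login 203.0.113.9
""".strip().splitlines()


class RarityTracker:
    """Remembers, per system, every account, activity and network address seen."""

    def __init__(self, monitoring_start, ramp_days=RAMP_DAYS):
        self.start = date.fromisoformat(monitoring_start)
        self.ramp = ramp_days
        # kind -> {(system, value): date first seen}
        self.seen = {"account": {}, "activity": {}, "nw_address": {}}

    def confidence(self, when):
        """Aging factor: fraction of the learning period elapsed, clamped to [0, 1]."""
        age_days = (when - self.start).days
        return max(0.0, min(1.0, age_days / self.ramp))

    def observe(self, line):
        """Ingest one log line; return a finding for each attribute new to this system."""
        day, system, account, activity, ip = line.split()
        when = date.fromisoformat(day)
        risk = round(100 * self.confidence(when))
        findings = []
        for kind, value in (("account", account), ("activity", activity), ("nw_address", ip)):
            key = (system, value)
            if key not in self.seen[kind]:
                self.seen[kind][key] = when  # remembered, so it never fires again
                findings.append({"date": day, "system": system, "kind": kind,
                                 "value": value, "risk": risk})
        return findings


def replay(lines, monitoring_start="2015-01-01"):
    """Run the tracker over a log; findings come back in log order."""
    tracker = RarityTracker(monitoring_start)
    findings = []
    for line in lines:
        findings.extend(tracker.observe(line))
    return findings


if __name__ == "__main__":
    for f in replay(SAMPLE_LOG):
        print(f)
```

On the sample log the three attributes seen on 10 January all score 5, because nine days of history cannot say much about what is normal; the export_table activity in March scores 38, the jdoe_db account in May 72, and the new address 203.0.113.9 in August, past the learning period, 100. The February line produces nothing because every attribute on it has been seen before. A real deployment would age each kind separately (an account table fills up faster than the set of client addresses) and reset the clock when a system is rebuilt.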

Thank you! For more information: http://www.hp.com/enterprisesecurity