USER BEHAVIOR ANALYTICS RULES

Monitor User Behavior to Discover Compromised Identities

THE CHALLENGE

User identities are the key to resources throughout the company, which makes them a primary target for attackers. Determined attackers may be able to avoid detection and obtain user account credentials, which they can then use for lateral movement and data access.

THE APPROACH

CYB3R-X User Behavior Analytics continuously observes and profiles user activity in order to establish a valid behavioral baseline and spot unusual activity that could signal account compromise.

USER BEHAVIORAL BASELINE

To establish a baseline, CYB3R-X monitors user activity in real time, including the number of hosts users connect to, their location, frequency, internal and external network traffic, accessed data files, and processes run.

REAL-TIME ACTIVITY CONTEXT

Continuous correlation of user behaviors with the events of other entities, such as endpoints, files, and external network locations, provides rich context for determining associated risk in real time.

ENHANCE ACCURACY WITH USER VERIFICATION

Move to Proactive Login Monitoring

Use internal knowledge of users’ responsibilities, groups, geolocations, and working hours to identify patterns of access to SaaS and on-premise resources that may suggest user account compromise.

Examples include first-time logins to resources, logins outside of working hours, and logins to several workstations in a short period of time.
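The login patterns named above can be written as rules over authentication events. The following Python is an added example, not CYB3R-X code; the event fields, the working hours (08:00 to 18:00 on weekdays), the 10-minute window, the three-host threshold, and the sample users and hosts are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (not from the page): tune per organization.
WORK_START, WORK_END = 8, 18          # local working hours, [start, end)
BURST_WINDOW = timedelta(minutes=10)  # "short period of time"
BURST_HOSTS = 3                       # distinct hosts within the window

def detect(events, baseline):
    """events: iterable of (iso_timestamp, user, host), sorted by time.
    baseline: dict user -> set of hosts seen during the learning period.
    Returns a list of (timestamp, user, host, rule) alerts."""
    seen = defaultdict(set, {u: set(h) for u, h in baseline.items()})
    recent = defaultdict(deque)       # user -> deque of (time, host)
    alerts = []
    for ts, user, host in events:
        t = datetime.fromisoformat(ts)
        if host not in seen[user]:
            alerts.append((ts, user, host, "first_time_login"))
            seen[user].add(host)      # alert once, then learn the host
        if t.weekday() >= 5 or not WORK_START <= t.hour < WORK_END:
            alerts.append((ts, user, host, "off_hours_login"))
        q = recent[user]
        q.append((t, host))
        while t - q[0][0] > BURST_WINDOW:   # drop logins older than the window
            q.popleft()
        if len({h for _, h in q}) >= BURST_HOSTS:
            alerts.append((ts, user, host, "multi_host_burst"))
            q.clear()                 # avoid re-alerting on the same burst
    return alerts

# Constructed sample data (hypothetical users and hosts).
BASELINE = {"alice": {"ws-01", "fs-01"}, "bob": {"ws-02"}}
EVENTS = [
    ("2024-03-04T09:05:00", "alice", "ws-01"),   # Monday, normal login
    ("2024-03-04T09:10:00", "bob", "ws-02"),     # normal login
    ("2024-03-04T14:00:00", "bob", "ws-07"),     # new host
    ("2024-03-04T14:03:00", "bob", "ws-08"),     # new host
    ("2024-03-04T14:06:00", "bob", "ws-09"),     # third host in 6 minutes
    ("2024-03-05T02:30:00", "alice", "fs-01"),   # known host, 02:30
]

if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(*alert)
```

Because a stolen credential often trips more than one rule at once (here, three first-time logins plus the burst), correlating alerts per user gives a stronger signal than any single rule.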

USER BEHAVIOR ANALYTICS: COMMON SCENARIOS

All of the activities that users initiate are tracked in real time, including the hosts that they log into, the number of hosts, their location, frequency, internal and external network connectivity, data files opened, processes completed, and much more.

ANOMALOUS LOGIN

User is logged in to his laptop and logs in to a sensitive database.

MULTIPLE CONCURRENT CONNECTIONS

User is logged in to multiple resources within a short timeframe.

NEW VPN CONNECTION

User remotely logs in to a file server via VPN for the first time.

OFF HOURS SAAS LOGIN

User who typically works on an on-prem desktop logs in remotely to the organization’s Dropbox.