USER BEHAVIOR ANALYTICS RULES
Monitor User Behavior to Discover Compromised Identities
THE CHALLENGE
User identities are the key to resources throughout the company, which makes them a primary target for attackers. Determined attackers may be able to avoid detection and obtain user account credentials, which they can then use for lateral movement and data access.
THE APPROACH
CYB3R-X User Behavior Analytics continuously observes and profiles user activity in order to establish a valid behavioral baseline and spot unusual activity that could signal account compromise.
USER BEHAVIORAL BASELINE
To establish a baseline, CYB3R-X uses real-time user activity monitoring, which covers the number of hosts each user connects to, their location, frequency, internal and external network traffic, accessed data files, and processes run.
REAL-TIME ACTIVITY CONTEXT
Continuous correlation of user behaviors with the events of other entities, such as endpoints, files, and external network locations, provides rich context for determining associated risk in real time.
ENHANCE ACCURACY WITH USER VERIFICATION
Move to Proactive Login Monitoring
Use internal knowledge of users’ responsibilities, groups, geolocations, and working hours to identify patterns of access to SaaS and on-premises resources that may suggest user account compromise.
Examples include first-time logins to resources, logins outside of working hours, and logins to several workstations in a short period of time.
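The three login patterns named above (first-time login, off-hours login, several hosts in a short period) can be expressed as simple rules over a login stream. The sketch below is an added illustration, not CYB3R-X code; the thresholds, working hours, user names, host names and events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds and profile data; tune to your environment.
WINDOW = timedelta(minutes=10)   # what counts as a "short period of time"
MAX_HOSTS = 3                    # distinct hosts inside WINDOW that trigger an alert
WORK_HOURS = {"alice": (8, 18), "bob": (9, 17)}   # local start/end hour

def detect(events, baseline):
    """events: time-ordered (iso_timestamp, user, host) tuples.
    baseline: {user: set of hosts seen during the learning period}.
    Returns a list of (iso_timestamp, user, host, rule) alerts."""
    seen = defaultdict(set, {u: set(h) for u, h in baseline.items()})
    recent = defaultdict(deque)          # user -> deque of (time, host)
    alerts = []
    for ts, user, host in events:
        t = datetime.fromisoformat(ts)
        # Rule 1: first login to this resource for this user.
        if host not in seen[user]:
            alerts.append((ts, user, host, "first_time_login"))
            seen[user].add(host)         # alert once, then treat as known
        # Rule 2: login outside working hours. Users with no hours on
        # file get (0, 0), so every login of theirs counts as off-hours.
        start, end = WORK_HOURS.get(user, (0, 0))
        if not (start <= t.hour < end):
            alerts.append((ts, user, host, "off_hours_login"))
        # Rule 3: too many distinct hosts inside the sliding window.
        q = recent[user]
        q.append((t, host))
        while t - q[0][0] > WINDOW:      # drop logins older than WINDOW
            q.popleft()
        if len({h for _, h in q}) >= MAX_HOSTS:
            alerts.append((ts, user, host, "multiple_hosts_short_window"))
    return alerts

# Constructed sample data, not taken from any real environment.
BASELINE = {"alice": {"alice-laptop", "wiki"}, "bob": {"bob-desktop"}}
EVENTS = [
    ("2024-03-04T09:02:00", "alice", "alice-laptop"),
    ("2024-03-04T09:05:00", "alice", "finance-db"),
    ("2024-03-04T09:07:00", "alice", "wiki"),
    ("2024-03-04T14:00:00", "alice", "wiki"),
    ("2024-03-04T23:40:00", "bob", "bob-desktop"),
]

if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```

Each rule fires independently, so one login can raise more than one alert; a production system would score and correlate these rather than alert on each in isolation.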
USER BEHAVIOR ANALYTICS: COMMON SCENARIOS
All of the activities that users initiate are tracked in real time, including the hosts that they log into, the number of hosts, their location, frequency, internal and external network connectivity, data files opened, processes completed, and much more.
ANOMALOUS LOGIN
User is logged in to his laptop and logs in to a sensitive database.
MULTIPLE CONCURRENT CONNECTIONS
User is logged in to multiple resources within a short timeframe.
NEW VPN CONNECTION
User remotely logs in to a file server via VPN for the first time.
OFF HOURS SAAS LOGIN
User who typically works on an on-prem desktop logs in remotely to the organization’s Dropbox.