
Practical knowledge 丨 Application of behavior judgment/identification technology in security defense


Using a range of technical means to detect security threats is an important part of building a security protection system. As new technologies such as big data and artificial intelligence continue to develop and mature, the security threats facing every industry have become complex and diverse, and the security situation is serious. How to detect anomalies and threats efficiently and issue early warnings to security personnel in real time is the direction in which security technology is developing.


At a time when information security technology is constantly innovating, behavior judgment/identification is one of its important development directions.

What is behavioral judgment/identification

Behavior judgment/identification combines the data output of the product's UBA model, slow-leak detection and correlation analysis with traceability and evidence-collection capabilities in order to comprehensively identify abnormal user behavior and classify it.

Characteristics and value of behavioral judgment/identification

User and Entity Behavior Analytics (UEBA) associates user activities with related entity information such as the applications and terminals the user touches, and then defines the legitimate, normal behavior of individuals and groups by building relationships between personas and groups.

During detection, the roles of personas are analyzed along three dimensions: group versus group, group versus individual, and individual versus individual. Groups and individuals whose behavior is far from the legitimate, normal baseline are identified, so that both abnormal users (compromised accounts) and abnormal user behavior (illegitimate actions) are detected. This serves to detect business fraud, sensitive data leakage, malicious insiders, targeted attacks and other advanced threats; combined with traceability and evidence-collection capabilities, it comprehensively identifies abnormal user behavior and classifies it.

Behavior judgment/discrimination model application scenarios

At a bank, a departing internal employee took sensitive documents with them, causing the bank great losses.

Behavior judgment/discrimination helped the bank detect the employee's unusual activity through analysis: logging in to the environment and moving laterally to obtain higher-level access. All of the activity had one focus, access to private data or high-value assets, accompanied by a large amount of copying.

Application examples


Analytics solutions that support behavior judgment/discrimination help customers detect anomalous behavior and security threats. Once deployed, the system compares an employee's real-time behavior with the baseline it has established, determines whether there is a deviation, and classifies the deviation as abnormal behavior or a security threat.

Behavior judgment/identification covers the following cases:

The number of non-company mailboxes and the number of emails an employee sends exceed the user's historical outgoing-email range many times over, and the range deviates from the baseline;

The sensitivity level of the emails an employee sends exceeds the user's historical email sensitivity level many times over and deviates from the baseline;

When copying files with peripherals such as USB sticks, an employee performs unauthorized external operations many times, and the number of external operations deviates from the baseline;

The recipients of many of the employee's emails are not contacts commonly used by the department, and the number of such recipients deviates from the baseline;

The number of files an employee copies to peripherals exceeds their history many times over, and the number of copies deviates from the baseline;

The number and range of documents an employee prints exceed their history many times over, and the number of prints deviates from the baseline;
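The peer-group comparison described under UEBA above and the baseline-deviation cases listed here share one mechanism: a per-user baseline is learned from a history window, the current day's activity is compared with it, and the deviation is checked again against the user's department. The following is an added illustration of that mechanism and is not the product's own code; the daily counts, the three action types (outgoing external mail, USB copies, print jobs), the five-day baseline window and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily activity counts: (user, department, day, action, count).
# Days 1-5 form the baseline window; day 6 is the day under evaluation.
def _days(user, dept, per_day):
    """per_day: one (ext_mail, usb_copy, print) tuple per day (constructed data)."""
    rows = []
    for day, (m, u, p) in enumerate(per_day, start=1):
        rows += [(user, dept, day, "ext_mail", m),
                 (user, dept, day, "usb_copy", u),
                 (user, dept, day, "print", p)]
    return rows

EVENTS = (
    _days("alice", "finance", [(2, 0, 3), (1, 0, 4), (2, 1, 3), (3, 0, 2), (2, 0, 3), (2, 0, 3)])
    + _days("bob", "finance", [(1, 1, 2), (2, 0, 2), (1, 0, 3), (2, 1, 2), (1, 0, 2), (9, 6, 14)])
    + _days("carol", "finance", [(3, 0, 5), (2, 1, 4), (3, 0, 5), (2, 0, 4), (3, 1, 5), (3, 0, 5)])
)


def split_history(events, baseline_days):
    """Separate baseline-window counts (per user and action) from the day under evaluation."""
    history = defaultdict(list)   # (user, action) -> counts over the baseline days
    current = {}                  # (user, action) -> count on the evaluated day
    for user, _dept, day, action, count in events:
        if day in baseline_days:
            history[(user, action)].append(count)
        else:
            current[(user, action)] = count
    return history, current


def detect(events, baseline_days=range(1, 6), sigma=3.0, ratio=3.0):
    """Flag (user, action) pairs whose current count deviates from the user's own
    baseline (above mean + sigma*stddev AND at least ratio times the mean) and also
    stands out against the department peer group (at least ratio times the peer mean).
    Requiring both checks keeps a naturally busy user from being flagged for
    behaviour that is normal for their department."""
    history, current = split_history(events, baseline_days)
    dept_of = {user: dept for user, dept, *_ in events}

    # Peer baseline: all baseline counts of the same department and action pooled together.
    peer = defaultdict(list)
    for (user, action), counts in history.items():
        peer[(dept_of[user], action)].extend(counts)

    findings = []
    for (user, action), cur in current.items():
        hist = history[(user, action)]
        mu, sd = mean(hist), pstdev(hist)
        # max(mu, 1.0) prevents a zero baseline from making any single event an alert.
        own_threshold = max(mu + sigma * sd, ratio * max(mu, 1.0))
        peer_mu = mean(peer[(dept_of[user], action)])
        if cur > own_threshold and cur > ratio * max(peer_mu, 1.0):
            findings.append({
                "user": user,
                "action": action,
                "current": cur,
                "user_baseline_mean": round(mu, 2),
                "peer_baseline_mean": round(peer_mu, 2),
            })
    return findings


def rank_users(findings):
    """Aggregate per-action findings into a 'high-risk users' list, most deviations first."""
    per_user = defaultdict(int)
    for f in findings:
        per_user[f["user"]] += 1
    return sorted(per_user.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print(rank_users(detect(EVENTS)))
```

With the constructed data, only bob's day-6 activity (a spike in external mail, USB copies and print jobs at once) is flagged; alice and carol stay within both their own baseline and the department's. The two-stage check is the important design choice: a deviation from the user's own history alone produces alerts for anyone whose role has simply changed, while the peer comparison alone misses a user who was always quieter than the group and then jumps to the group's level.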


By forecasting trends in employee behavior, we can clearly see which employee behavior is abnormal. Drilling into a user's details shows all of that user's behavior and actions together with the user's forecast curve, and correlation analysis lets us trace the user's behavior trajectory and learn more about what happened.

By modeling behavior judgment and identification methods, companies can trigger "high-risk user and asset" alerts from a behavior-driven perspective, while linking the related events together to fully understand the causes and consequences of an anomaly.