Published by Shannon Doyle. Modified over 9 years ago.
Slide 1: User Behavior Intelligence Fundamentals: Behaviors, Characteristics, and Facts
Ken Paiboon, 214.274.3436, ken@exabeam.com
CONFIDENTIAL
Slide 2: The Anthem Data Breach
Excerpts from the breach notification:
- “…Attackers gained unauthorized access…”
- “…Information accessed may have included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, addresses, employment information, including income data…”
- “…Believe it happened over the course of several weeks beginning in early December 2014…”
- “…contacted the FBI / retained Mandiant…”
- “I personally apologize to each of you.”
Slide 3: What do these letters really tell us?
- We’re not completely sure WHEN, HOW, or for HOW LONG we’ve been breached
- We weren’t able to detect the data breach until well after the fact
- A DBA witnessed his own credentials being used to execute the queries
- An attacker obtained credentials that allowed unauthorized access
- Due to either technology or personnel limitations, we were not able to figure out what happened, so we asked Mandiant in to manually piece together the story of what happened
Slide 4: The Pervasive Data Breach Problem
- 224: average number of days the attacker was resident (Mandiant report 2014)
- 100% of breaches involved stolen credentials (Mandiant report 2013)
- 100% of the time, evidence of the attack was in log data
- 59,746: alerts generated over the 8-month attack at Neiman Marcus, 1% of all suspicious alerts (news accounts)
Slide 5: What do these numbers tell us?
1. We have to know what to look for
2. We get too many alerts
3. We don’t get the full picture
Slide 6: We are focused on the attack chain phases…
Annotations on the attack chain diagram: “Where most of our detection effort and money goes” and “Some detection effort and money goes here (DLP)”.
Source: FireEye Mandiant APT1 report (Feb 2013)
Slide 7: …instead of what enables each phase: possible credential use
Attack chain phases: Initial Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission. Credential use is possible across all of these phases.
Time scale: the initial phases take hours, the middle phases weeks or months, and the final phase hours.
Source: FireEye Mandiant APT1 report (Feb 2013)
Slide 8: User Behavior Intelligence is the missing layer of detection after perimeter defenses
Employees use credentials to access IT systems to create business value. Attackers use credentials to access systems to steal the business value employees create. Attackers and employees have divergent goals resulting in different behaviors and access characteristics.
Slide 9: Defining a UBI Solution
User Behavior Intelligence solutions:
- Learn and remember normal credential access behaviors and characteristics, and score what’s anomalous
- Provide information about what’s normal user behavior as context
- Assemble the data into user sessions (log-on to log-off)
- Keep “state” on the user across identity and internet address switches
- Attribute security alerts to the credential (user) that was in use on the system when the alert occurred
- Create efficiencies in security operations
- Fit into CDM capabilities: Security Related Behavior; Manage Accounts for People and Services (Phase 2)
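The session-assembly and “state” bullets above, carried through as an added Python example (not Exabeam’s code or anything from the presentation): raw events are stitched into one log-on to log-off session, and activity after an identity switch or a VPN address change stays attributed to the credential that logged on. The event shape, field names and sample values are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    ts: str
    kind: str        # logon | access | switch_user | ip_change | logoff
    user: str        # identity named on the log line
    ip: str          # source address on the log line
    detail: str = "" # target host, new identity, or new address

@dataclass
class Session:
    owner: str                                   # credential that logged on
    end: str = ""                                # set at logoff
    identities: set = field(default_factory=set) # owner plus switched-to identities
    ips: set = field(default_factory=set)        # every address the session used
    events: list = field(default_factory=list)   # events[0] is the logon

def build_sessions(events):
    """Stitch events into sessions; later activity stays attributed to the logon credential."""
    sessions, active = [], {}  # active: (identity, ip) -> open Session
    for ev in events:
        if ev.kind == "logon":
            s = Session(ev.user, identities={ev.user}, ips={ev.ip}, events=[ev])
            sessions.append(s)
            active[(ev.user, ev.ip)] = s
            continue
        s = active.get((ev.user, ev.ip))
        if s is None:
            continue  # orphan activity; a real engine would flag it, not drop it
        s.events.append(ev)
        if ev.kind == "switch_user":   # su / RunAs to another account
            s.identities.add(ev.detail)
            active[(ev.detail, ev.ip)] = s
        elif ev.kind == "ip_change":   # VPN re-assigns the client address
            s.ips.add(ev.detail)
            for ident in s.identities:
                active[(ident, ev.detail)] = s
        elif ev.kind == "logoff" and ev.user == s.owner:
            s.end = ev.ts
            for key in [k for k, v in active.items() if v is s]:
                del active[key]
    return sessions
SAMPLE = [  # constructed: VPN logon, address change, switch to a service account
    Event("08:29", "logon", "jerry", "10.8.0.5", "vpn"),
    Event("08:45", "ip_change", "jerry", "10.8.0.5", "10.8.0.9"),
    Event("09:15", "switch_user", "jerry", "10.8.0.9", "svc_backup"),
    Event("09:20", "access", "svc_backup", "10.8.0.9", "db-02"),
    Event("10:30", "logoff", "jerry", "10.8.0.9", "vpn"),
]
```

The db-02 access performed as svc_backup ends up in jerry’s session, which is what lets an alert on that server be attributed to the credential actually in use.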
Slide 10: Undetected Attack: South Carolina IRS
Timeline:
- 13 August: spear phishing
- 27 August: VPN in with stolen credentials
- 29 August to 11 September: server and application recon
- 12 September: file data theft
- 13-14 September: exfiltration
At various stages of this attack, important anomalies went unnoticed:
- VPN access off hours
- VPN access from new device
- Unusual access to servers
- Crawling of sensitive servers
- Copy of large DB backups
Slide 11: Undetected Attack: South Carolina IRS (continued)
Same timeline (13 August spear phishing; 27 August VPN in with stolen credentials; 29 August to 11 September server and application recon; 12 September file data theft; 13-14 September exfiltration). This build lists the unnoticed anomalies as:
- VPN access from new device
- VPN access from outside US
- Unusual access to servers
- Crawling of sensitive servers
- Copy of large DB backups
Slide 14: Using behavior modeling to determine – Is it anomalous?
The system automatically asks access context questions at three levels: the user, the user’s peer group, and the organization, with custom algorithms applied. For the VPN access example, the attributes asked about are ISP and GEO (at user, peer group and organization level), IP address, VPN login time, source device (“from device”), destination realm (“to realm”) and destination server (“to server”).
Slide 15: Understanding Normal as Context is Critical
- SIEMs are not engineered to surface abnormal from normal
- Important for a learning engine:
  - To learn or not to learn – that is the question
  - Accounting for divergent behavior, to a point
  - Knowing when to say, “I can’t make a determination.”
  - Data distribution and amounts
Slide 16: Example of a Proven UBI Approach
Inputs: IT, security and machine data from log management, plus ERP, CMDB, HRMS, ITMS and Active Directory, together with research and community insights.
User Behavior Intelligence pipeline: Extract & Enrich → Session Tracking → Behavior Analysis → Risk Engine.
Outputs: Risk Scoring, Incident Ranking, Attack Detection (example SCORE 75).
Slide 17: Solving the IRS Example Using UBI
Activity timeline with each context question, its answer and the risk points applied:
8:29AM
- Has Jerry connected during the weekend? NO, +10
- Has Jerry used this device to connect to the VPN in the past? NO, +10
- Has Jerry previously entered network from abroad? YES, -5
- Has Jerry previously entered network from Romania? NO, +20
- Risk score = 35
9:15AM
- Has Jerry connected to this server in the past? (x4) NO, +40
- Has Jerry’s file share contained sensitive information? (x2) YES, +10
- Has Jerry’s peer group accessed this server in the past? NO, +5
- Risk score = 90
10:30AM
- Has Jerry crawled file shares? NO, +5
- Risk score = 95
Risk tracking: final SCORE 95
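The slide’s risk tracking, carried through as an added Python example (not Exabeam’s risk engine or code from the presentation): the per-question points are the slide’s; the profile of what is “normal” for Jerry, the event shapes, and the server and share names are constructed assumptions. The running totals come out at 35, 90 and 95, matching the slide’s final SCORE 95.

```python
PROFILE = {  # constructed baseline for "Jerry": what a learning engine remembers as normal
    "home_country": "US",
    "countries": {"US", "GB"},        # has entered from abroad (GB) before
    "weekend_logons": 0,
    "vpn_devices": {"JERRY-LAPTOP"},
    "servers": set(),                 # never connected to the servers below
    "peer_servers": {"fs-hr-01"},     # what his peer group normally touches
    "sensitive_shares": {"payroll", "m-and-a"},
    "crawled_shares": False,
}
SESSION = [  # constructed session events, in the order of the slide's timeline
    {"ts": "8:29AM", "type": "vpn_logon", "weekend": True, "device": "UNKNOWN-PC", "country": "RO"},
    {"ts": "9:15AM", "type": "server_access", "servers": ["db-01", "db-02", "db-03", "db-04"],
     "shares": ["payroll", "m-and-a"]},
    {"ts": "10:30AM", "type": "share_crawl"},
]

def ask(question, answer, if_no=0, if_yes=0):
    """One context question; points depend on whether the behavior was seen before."""
    return (question, "YES" if answer else "NO", if_yes if answer else if_no)

def questions_for(p, ev):
    """Ask the slide's questions about one event against the learned profile."""
    q = []
    if ev["type"] == "vpn_logon":
        if ev["weekend"]:
            q.append(ask("Connected during the weekend before?", p["weekend_logons"] > 0, if_no=10))
        q.append(ask("Used this device for VPN before?", ev["device"] in p["vpn_devices"], if_no=10))
        if ev["country"] != p["home_country"]:
            abroad = bool(p["countries"] - {p["home_country"]})
            q.append(ask("Entered network from abroad before?", abroad, if_no=20, if_yes=-5))
            q.append(ask(f"Entered from {ev['country']} before?", ev["country"] in p["countries"], if_no=20))
    elif ev["type"] == "server_access":
        for s in ev["servers"]:
            q.append(ask(f"Connected to {s} before?", s in p["servers"], if_no=10))
        for sh in ev["shares"]:
            q.append(ask(f"Has {sh} held sensitive data?", sh in p["sensitive_shares"], if_yes=5))
        peers = any(s in p["peer_servers"] for s in ev["servers"])
        q.append(ask("Peer group accessed these servers before?", peers, if_no=5))
    elif ev["type"] == "share_crawl":
        q.append(ask("Crawled file shares before?", p["crawled_shares"], if_no=5))
    return q

def score_session(profile, events):
    """Return ([(ts, question, answer, points, running_total)], final_score)."""
    total, timeline = 0, []
    for ev in events:
        for question, answer, points in questions_for(profile, ev):
            total += points
            timeline.append((ev["ts"], question, answer, points, total))
    return timeline, total
```

Every row of the returned timeline carries the question and its answer, which is what makes the score transparent to an analyst rather than a bare number.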
Slide 18: UBI Summary
- Focuses the security team on what attackers want and use: credentials
- Extracts additional value from existing SIEM and log management data repositories
- Learns and remembers ‘normal’ user behaviors for individuals and peer groups
- Prioritizes security risks based on transparent scoring of user activity outliers and business role context
- Security events seen in context reduce false positives
- Scales to hundreds of thousands of users
- Detects cyber attacks and insider threats in real time
Slide 19: Q&A. Thank You!