Malicious Insider Threat detection
When it comes to protecting sensitive assets, many organizations focus only on defending against outside attacks such as malware or data breaches. In reality, malicious insiders pose as much of a threat to your infrastructure as outsiders do.
Did you know that 53% of organizations confirmed they had fallen victim to an insider attack in the previous 12 months and 27% of organizations say insider attacks have become more frequent? (Source: Cybersecurity Insiders: 2019 Insider Threat Report)
The wide range of use cases included in LogPoint UEBA supports the detection of attacks carried out by outside attackers as well as by insiders residing within the organization, boosting analysts’ overall efficiency.
Mitigate user-based threats to privileged files with File Integrity Monitoring
LogPoint’s FIM application monitors all access attempts to privileged file shares and reports the type of access and the actions performed on the file. Additionally, the original and altered checksums can be compared to confirm that a file’s content actually changed, and not merely that it was opened.
Log sources: FIM
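To make the checksum comparison concrete, here is an added example (not LogPoint’s FIM code) of the core of any file integrity monitor: hash every file under a monitored root to build a baseline, hash again later, and diff the two snapshots. The directory layout and file contents in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not LogPoint code: a minimal file-integrity baseline and
# comparison that reports added, removed and modified files.


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: which files were added, removed, or had their content changed."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in both if baseline[f] != current[f]),
    }


def demo() -> dict:
    """Constructed scenario (hypothetical data): a finance share with three files,
    then one tampered file, one new file and one deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll").mkdir()
        (root / "payroll" / "q1.csv").write_text("alice,5000\nbob,4800\n")
        (root / "payroll" / "q2.csv").write_text("alice,5100\nbob,4800\n")
        (root / "readme.txt").write_text("finance share\n")
        before = build_baseline(root)

        (root / "payroll" / "q1.csv").write_text("alice,9000\nbob,4800\n")  # tampered
        (root / "payroll" / "q3.csv").write_text("alice,5200\n")            # new file
        (root / "readme.txt").unlink()                                       # deleted
        after = build_baseline(root)

        result = compare(before, after)
        # Keep the original and altered checksums of the tampered file, as the
        # FIM text describes, so an analyst can see both values.
        result["checksums"] = {
            "payroll/q1.csv": {"original": before["payroll/q1.csv"],
                               "altered": after["payroll/q1.csv"]},
        }
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A real monitor would persist the baseline somewhere the monitored host cannot write to, and would pair these content diffs with the access events (who opened the file, from where) that the FIM log source provides.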
Detecting Lateral Movement
LogPoint UEBA uses a mix of endpoint, Active Directory, and repository data to scan for suspicious behaviors deviating from the baseline.
- Failed login attempts on disabled accounts
- Unusual activity by day of week or time of day
- Unusual access to servers, file shares, applications or other resources
- An unusually high amount of access to certain resources
- Anomalous application usage and anomalous access patterns to storage
As LogPoint UEBA incorporates NetFlow analytics, new models will be added that scan for an unusually high number of connections from an endpoint, anomalous connections between endpoints, and unusual port scans.
Failed login attempts on disabled accounts
Log sources: Windows Server, UEBA
label=Login label=Fail sub_status_code=0xC0000072 | chart count() by user order by count()
(In Windows Security event 4625, sub-status 0xC0000072 means the account is currently disabled; a burst of such failures for one account is worth investigating because a legitimate user rarely keeps trying a disabled account.)
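The same detection expressed in Python, as an added example that is not LogPoint code: parse normalized key=value events, keep only failed logins whose sub-status is 0xC0000072, and count them per user. The events in `SAMPLE_EVENTS` are constructed for the example; the field names mirror the query above.

```python
import re
from collections import Counter

# Constructed sample events (not real logs), written in a normalized
# key=value form modelled on Windows Security event 4625 ("An account failed
# to log on"). Sub-status 0xC0000072 means the account is disabled;
# 0xC000006A is a wrong password and 0xC0000064 an unknown user name.
SAMPLE_EVENTS = [
    "event_id=4625 label=Login label=Fail user=jdoe status_code=0xC000006D sub_status_code=0xC0000072 source_address=10.0.5.21",
    "event_id=4625 label=Login label=Fail user=jdoe status_code=0xC000006D sub_status_code=0xC0000072 source_address=10.0.5.21",
    "event_id=4625 label=Login label=Fail user=svc_backup status_code=0xC000006D sub_status_code=0xC0000072 source_address=10.0.9.4",
    "event_id=4625 label=Login label=Fail user=mlee status_code=0xC000006D sub_status_code=0xC000006A source_address=10.0.5.30",
    "event_id=4625 label=Login label=Fail user=jdoe status_code=0xC000006D sub_status_code=0xC0000072 source_address=10.0.5.21",
    "event_id=4624 label=Login label=Successful user=mlee source_address=10.0.5.30",
    "event_id=4625 label=Login label=Fail user=rsmith status_code=0xC000006D sub_status_code=0xC0000064 source_address=10.0.5.77",
]

# Tokenizer for key=value pairs; quoted values may contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

DISABLED_ACCOUNT = "0xc0000072"


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; repeated 'label' keys become a set."""
    event = {"labels": set()}
    for key, value in KV.findall(line):
        value = value.strip('"')
        if key == "label":
            event["labels"].add(value)
        else:
            event[key] = value
    return event


def is_failed_login_on_disabled_account(event: dict) -> bool:
    """The filter part of the query: label=Login label=Fail sub_status_code=0xC0000072."""
    return (
        {"Login", "Fail"} <= event["labels"]
        # Windows writes the code in upper-case hex but some collectors lower-case
        # it, so compare case-insensitively rather than on the exact string.
        and event.get("sub_status_code", "").lower() == DISABLED_ACCOUNT
    )


def failed_logins_on_disabled_accounts(lines) -> list:
    """The aggregation part: chart count() by user, highest count first."""
    counts = Counter()
    for line in lines:
        event = parse_event(line)
        if is_failed_login_on_disabled_account(event):
            counts[event["user"]] += 1
    return counts.most_common()


if __name__ == "__main__":
    for user, n in failed_logins_on_disabled_accounts(SAMPLE_EVENTS):
        print(f"{user:<12} {n}")
```

Note that the wrong-password and unknown-user failures are deliberately left out: they are a different signal (password spraying, enumeration) and should feed a separate rule rather than inflate this count.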
Detecting Data staging and exfiltration
Compromised accounts or machines usually try to move data into staging areas from which it can easily be withdrawn from the organization’s network. While preparing the data for removal, attackers use tools such as PsExec or remote desktop tools. In this case, UEBA detects and highlights anomalous staging and lateral movement, including (highly unusual) high-volume intra-workstation data transfers, unusual protocol/port combinations, and unusually high volumes of data access.
High outbound data transfer
Log sources: Firewall, Proxy
sent_datasize=* source_address IN HOMENET -destination_address IN HOMENET | timechart sum(sent_datasize/1000/1000) as OutboundData | search OutboundData>10
(The sum is in megabytes; the query flags every time bucket in which more than 10 MB left HOMENET. Tune the threshold to your own baseline.)
Outbound data transfer by source
Log sources: Firewall, Proxy
source_address IN HOMENET -destination_address IN HOMENET sent_datasize=* | chart sum(sent_datasize/1000/1000) as OutboundData by source_address order by OutboundData desc
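Both outbound-transfer queries above share the same filter (source inside HOMENET, destination outside it, a sent byte count present) and differ only in what they group by. The following added example (not LogPoint code) implements that filter with the standard `ipaddress` module and both aggregations; the firewall records and the HOMENET ranges are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical HOMENET definition for the example; use your own internal ranges.
HOMENET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed firewall records (not real traffic). Each record is one flow:
# minute bucket, source, destination and bytes sent by the source.
SAMPLE_RECORDS = [
    {"ts": "2024-03-01T09:00", "source_address": "10.0.5.21", "destination_address": "203.0.113.10", "sent_datasize": 4_000_000},
    {"ts": "2024-03-01T09:00", "source_address": "10.0.5.21", "destination_address": "203.0.113.10", "sent_datasize": 8_000_000},
    {"ts": "2024-03-01T09:00", "source_address": "10.0.5.30", "destination_address": "10.0.1.5", "sent_datasize": 50_000_000},  # internal, excluded
    {"ts": "2024-03-01T09:01", "source_address": "10.0.9.4", "destination_address": "198.51.100.7", "sent_datasize": 3_000_000},
    {"ts": "2024-03-01T09:01", "source_address": "192.168.1.10", "destination_address": "198.51.100.7", "sent_datasize": 2_500_000},
    {"ts": "2024-03-01T09:02", "source_address": "10.0.5.21", "destination_address": "203.0.113.10", "sent_datasize": 15_000_000},
    {"ts": "2024-03-01T09:02", "source_address": "203.0.113.99", "destination_address": "10.0.5.21", "sent_datasize": 9_000_000},  # inbound, excluded
    {"ts": "2024-03-01T09:03", "source_address": "10.0.9.4", "destination_address": "198.51.100.7", "received_datasize": 7_000_000},  # no sent_datasize
]

BYTES_PER_MB = 1_000_000  # the queries divide by 1000/1000, i.e. decimal megabytes


def is_homenet(ip: str) -> bool:
    """True if the address falls inside any HOMENET range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOMENET)


def outbound_records(records) -> list:
    """sent_datasize=* source_address IN HOMENET -destination_address IN HOMENET"""
    return [
        r for r in records
        if "sent_datasize" in r
        and is_homenet(r["source_address"])
        and not is_homenet(r["destination_address"])
    ]


def outbound_by_source(records) -> list:
    """chart sum(sent_datasize/1000/1000) as OutboundData by source_address order by OutboundData desc"""
    totals = defaultdict(float)
    for r in outbound_records(records):
        totals[r["source_address"]] += r["sent_datasize"] / BYTES_PER_MB
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def outbound_timechart(records, threshold_mb: float = 10.0) -> list:
    """timechart sum(sent_datasize/1000/1000) as OutboundData | search OutboundData>threshold"""
    buckets = defaultdict(float)
    for r in outbound_records(records):
        buckets[r["ts"]] += r["sent_datasize"] / BYTES_PER_MB
    return sorted((ts, mb) for ts, mb in buckets.items() if mb > threshold_mb)


if __name__ == "__main__":
    print("buckets over threshold:", outbound_timechart(SAMPLE_RECORDS))
    print("per source (MB):", outbound_by_source(SAMPLE_RECORDS))
```

The per-source view is the one that answers "which host is staging data", while the timechart answers "when did it leave"; an analyst normally pivots from the second to the first. Internal-to-internal and inbound flows are excluded on purpose, as in the original queries, so intra-network staging must be caught by the lateral-movement rules rather than here.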
Compromise of privileged accounts
LogPoint UEBA identifies privileged accounts and applies machine learning to the rest. It continuously monitors privileged accounts, tracking and scoring activity time, authentication, access, application usage, and data movement. Any account that deviates from its baseline is assigned a risk score, and the score increases if the account keeps behaving anomalously. Meanwhile, LogPoint UEBA analytics visualize the account’s activity and alert the security analyst to validate the incident and take action quickly.
Trend of failed authentication attempts
Log sources: Windows Server
label=Authentication label=Fail | timechart count()
Systems involved in any abnormal behavior can easily be enriched with Threat Intelligence feeds to check for associated indicators of compromise. Furthermore, LogPoint resolves the source of the attack to a geographical location via GeoIP lookup (an approximation at the level of the address’s registered country or city, not a precise position).
Indicators of compromise by geolocation
Log sources: Firewall, Proxy, Threat Intelligence
risk_score=* -source_address IN HOMENET | process ti(source_address) | search et_ip_address=* OR cs_ip_address=* | rename et_ip_address as SourceAddress, cs_ip_address as SourceAddress | process geoip(SourceAddress) as country | chart count() by country, source_address order by count() desc limit 10