User behavior analytics (UBA). If it’s not the hottest buzzword in the InfoSec world today, it’s definitely challenging for the top spot. Identifying a security threat, either external or internal, based on activities that vary from a normal pattern is all the rage, and without question, can be a valuable tool in the battle against security threats. Why is John accessing that file share repeatedly this week and copying so many documents? He rarely visits that server, and never copies 30 files at a time. Why is Sally attempting to access the finance share? She works in Marketing. That seems strange.
Although it smacks of Big Brother, it’s critical to monitor employee behavior and highlight anomalous conduct if rogue insiders are to be stopped. And, since 95% of external attacks harvest stolen credentials (2015 Verizon Data Breach Investigations Report), identifying abnormal authentication events using those stolen credentials is key to detecting an attack in progress.
And a key piece of information when assessing activity is the location of the authentication. It might not surprise anyone that Mike is logging on from his home on Saturday afternoon, as he’s a bit of a workaholic and works frequently on weekends. But Kim is a nine-to-fiver, and it’s highly unusual for her to be copying files to her home computer at 10pm Saturday night. Even more alarming is Tim’s Tuesday night login from Belarus. Tim lives in Hoboken and doesn’t travel.
The problem is that determining the IP address from which an authentication originated is very difficult to accomplish using native Windows logs. One STEALTHbits customer put it this way: “Trying to find the IP address of a change is very challenging, because you need to search mountains of event 4624 logs. This event is so noisy that it is hopeless.” It’s not impossible, but it’s pretty close. Collecting and analyzing native Windows logs from all endpoint laptops and other devices is a gargantuan task, and doing so in anything approaching real time is borderline fantasy. And let’s face it, timing matters here. That Hank in Accounting – who lives in New Jersey – is logging in from Ukraine is something you need to know now, not 6 months from now when the company’s sensitive data is long gone and the forensic analysis is completed.
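The two points above (the source location and time of an authentication are what make Kim’s and Tim’s logons stand out, and event 4624 is the place that information lives in native logs) can be demonstrated with a small baselining script. The following is an added example, not code from this post or from any STEALTHbits product. It assumes a handful of constructed 4624 records using the event’s own EventData field names (TargetUserName, IpAddress, WorkstationName, LogonType), an assumed internal address space of 10.0.0.0/8 and 192.168.0.0/16, and the simplification that a user’s baseline is just the set of source addresses and hours of day already seen for them. It builds that baseline per user and then flags later logons from a never-seen external address, at an hour the user has never logged on, or on a weekend for a weekday-only user. Restricting the address check to logon types 3 and 10 is what keeps the noisy console logons (which carry no usable IpAddress) from polluting the baseline.

```python
"""Baseline per-user logon sources and hours from Windows Security event 4624
records, then flag logons that deviate. Example code; all records are
constructed and the internal ranges are assumed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed internal address space for this example.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# 4624 logon types whose IpAddress field carries the client's address:
# 3 = network, 10 = RemoteInteractive (RDP). Console logons (type 2)
# usually log "-" and are treated as an unknown source below.
REMOTE_LOGON_TYPES = {3, 10}

# Constructed 4624 records:
# (TimeCreated, TargetUserName, IpAddress, WorkstationName, LogonType)
BASELINE_4624 = [
    ("2015-06-01T09:02:11", "kim", "10.1.4.23", "KIM-LAPTOP", 3),
    ("2015-06-02T08:55:40", "kim", "10.1.4.23", "KIM-LAPTOP", 3),
    ("2015-06-03T17:10:05", "kim", "10.1.4.23", "KIM-LAPTOP", 3),
    ("2015-06-02T10:00:00", "mike", "10.1.4.50", "MIKE-LAPTOP", 3),
    ("2015-06-06T14:30:00", "mike", "203.0.113.8", "MIKE-HOME", 10),  # Saturday
    ("2015-06-13T15:12:47", "mike", "203.0.113.8", "MIKE-HOME", 10),  # Saturday
    ("2015-06-01T09:00:00", "tim", "10.1.7.9", "TIM-PC", 3),
    ("2015-06-04T09:05:00", "tim", "10.1.7.9", "TIM-PC", 3),
    ("2015-06-05T11:00:00", "svc_backup", "-", "FS01", 2),  # console, no IP
]
NEW_4624 = [
    ("2015-06-20T15:00:00", "mike", "203.0.113.8", "MIKE-HOME", 10),  # Sat, usual for Mike
    ("2015-06-20T22:05:00", "kim", "198.51.100.77", "KIM-HOME", 10),  # Sat 10pm, new external
    ("2015-06-23T23:40:00", "tim", "192.0.2.201", "WIN7-TEST", 3),    # Tue night, never-seen
    ("2015-06-22T09:01:00", "tim", "10.1.7.9", "TIM-PC", 3),          # normal
]


def is_internal(ip):
    """True/False for a routable source; None when 4624 carries no usable address."""
    try:
        addr = ip_address(ip)
    except ValueError:  # "-" placeholder written by console logons
        return None
    if addr.is_loopback:
        return None
    return any(addr in net for net in INTERNAL_NETWORKS)


def build_baseline(events):
    """Per user: source addresses seen, hours of day seen, and whether any
    logon fell on a weekend. A real baseline would cover weeks of data."""
    base = defaultdict(lambda: {"ips": set(), "hours": set(), "weekend": False})
    for ts, user, ip, _ws, ltype in events:
        when = datetime.fromisoformat(ts)
        entry = base[user]
        if ltype in REMOTE_LOGON_TYPES and is_internal(ip) is not None:
            entry["ips"].add(ip)
        entry["hours"].add(when.hour)
        if when.weekday() >= 5:
            entry["weekend"] = True
    return base


def score_event(baseline, event):
    """Return the list of reasons a logon deviates from the user's baseline."""
    ts, user, ip, _ws, ltype = event
    when = datetime.fromisoformat(ts)
    entry = baseline.get(user)
    if entry is None:
        return ["no baseline for user"]
    reasons = []
    if ltype in REMOTE_LOGON_TYPES:
        internal = is_internal(ip)
        if internal is not None and ip not in entry["ips"]:
            kind = "internal" if internal else "external"
            reasons.append(f"new {kind} source {ip}")
    if when.weekday() >= 5 and not entry["weekend"]:
        reasons.append("weekend logon for a weekday-only user")
    if when.hour not in entry["hours"]:
        reasons.append(f"logon at hour {when.hour:02d} outside observed hours")
    return reasons


def find_anomalies(baseline, events):
    """(user, time, reasons) for every event that deviates from the baseline."""
    flagged = []
    for event in events:
        reasons = score_event(baseline, event)
        if reasons:
            flagged.append((event[1], event[0], reasons))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_4624)
    for user, ts, reasons in find_anomalies(baseline, NEW_4624):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

Run as-is, the script flags Kim’s Saturday-night logon from a new external address and Tim’s Tuesday-night logon from a source never seen for him, while Mike’s Saturday logon from his usual home address passes because it matches his baseline. Feeding it real 4624 data still means collecting those events from every domain controller and endpoint first, which is exactly the volume problem the customer quote describes; the point of the example is the correlation logic, not a replacement for collection.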
Our customer offered this insight in the context of an endorsement of our StealthINTERCEPT product, which provides real-time threat detection and alerting completely independent of native logs. Rather than gathering logs like virtually every product available today, StealthINTERCEPT monitors all authentication traffic in and out of Active Directory, correlates that information using built-in attack analytics and generates alerts when suspicious behavior is identified. Among the data it collects is the IP address of every Active Directory change or authentication, so StealthINTERCEPT not only avoids the colossal task of collecting and combing through oceans of log data, it also captures information that would otherwise require a comprehensive native log aggregation (collecting logs from every workstation and other endpoint), which is impractical and, in larger enterprises, a virtual impossibility.
But don’t take my word for it. The second part of the customer quote referenced previously: “So I highly recommend flaunting StealthINTERCEPT’s ability to record IP address, especially for cyber security discussions.”