Copyright © 2017 Forcepoint. | 1
Kaan Kayan
Sales Engineer
Forcepoint UEBA: User & Entity Behavior Analytics
TODAY’S REALITY: THE ZERO-PERIMETER WORLD
1. Significantly increased attack surface
2. Lack of Visibility: You cannot secure what you cannot see
3. Disjointed Security Policy: From one perimeter to defend to many
4. Siloed Intelligence & limited visibility to risk: Unable to make informed decisions for the entire business
5. Ineffective Enforcement: Unable to make informed decisions for the entire business
6. Compliance: Things just got a lot more complicated
THE HUMAN POINT IS ABOUT UNDERSTANDING the rhythm of your people AND the flow of your data
BENEFIT FROM THE HUMAN POINT
Visibility: Identify your data and users everywhere your people work
Control: One policy to manage data movement & access across ALL distributed systems
Risk: Consolidated view of risk that considers user actions & value of the data in addition to machine logs
Enforcement: Risk adaptive protection to act on change in human risk to critical data in real time
Compliance: Effectively enforce compliance no matter where your data resides
THE FORCEPOINT SOLUTION FOR DATA AND USERS
Forcepoint DLP: Identify and control flow of data
Cloud, Endpoint, Network, Discovery
Secure regulated data
Protect intellectual property
Forcepoint Insider Threat: Endpoint-based deep visibility and analysis of user behavior
User risk scoring
Baseline & deviations
Machine logs + user actions
Correlate user across systems
Detailed monitoring that respects user privacy
Forcepoint UEBA: Risk analytics platform for broad view of user activity and risk scoring
Context of behavior – not just anomalies
Communications + logs + machine data + HR info
Out of box analytics + flexibility to adapt to new threats
UEBA: TRUSTED INSIDERS VS. COMPROMISED USERS & ASSETS
Customer challenge: Centralized, correlated visibility to user activity (cloud apps, devices, user communications, HR data)
Customer challenge: Cyber threats target the people & authorized users who access data & critical systems
Mean time to detection: ~150 days (Source: Gartner, Dec. 2016)
Trusted Insider vs. Compromised Insider or Asset
Pinpoint threats; reduce signal to noise ratio
UEBA Buyers and Users: Risk Management, Security Operations
USER & ENTITY BEHAVIOR ANALYTICS
1st Generation UEBA: Analyze SIEM data & find anomalies from the billions of logs & machine events
SIEM Analytics Module: Embedded analytics in the SIEM
Results
From 1000s of events to 100s of anomalies
Anomalies are not actionable
Anomalies serve as “clues” of interest but lack context of what to do next
No context of data at risk
Analyst must jump to other products to see if the user action puts the enterprise at risk
No context of user vs. machine action
Anomalies provide little value without context to data at risk & specific threats
“A UEBA product that only ingests logs may miss important activity, especially if it does not have full visibility into the endpoint device used by the user … Unstructured contextual information (such as performance appraisals, travel logs and social media activity) can be extremely useful in helping discover and score risky user behavior.”
– Gartner, Dec. 2016
FORCEPOINT UEBA – USER & ENTITY BEHAVIOR ANALYTICS
1. Integrate data sources for visibility into human risk
2. Identify & prioritize high risk users & critical data
3. Investigate & act to reduce risk & protect data
FORCEPOINT UEBA: HOLISTIC VIEW OF THE USER
Communication: What are they feeling? With whom are they interacting? Data: Email, chat, voice
System: How are they behaving digitally? What sites and systems are they accessing? Data: SIEM, endpoint, web browsing, logins, file sharing
HR: What is their motivation? Why might they have malicious intent? Data: Performance reviews, Active Directory
Physical: How are they behaving physically? Where are they going and when? Data: Badge data, traveling
EXAMPLE DATA INTEGRATIONS
Endpoint
Entity Information
Proxy
Print Logs, Removable Device Logs (Windows, Endpoint)
Physical Data Movement
SIEM
Communications
User Access
System Administration
DLP
PLATFORM ANALYTIC APPROACH
USER BEHAVIOR ANALYTIC APPROACH
INSIDER INSIGHTS BASED ON:
EVENT INGEST AND ENRICHMENT (Streaming or Batch Ingest via API)
ENTITY ATTRIBUTE AND FEATURE COLLECTION (gathered from HR, Active Directory, CMDB): Entity Attributes, Entity Features
EVENT ANALYTICS - “What They Do”: Enrich events with observed features of interest, scored for rarity and normalized by individual or peer group → EVENTS OF INTEREST
ENTITY ANALYTICS - “Who They Are”: Score non-activity based indicators about an entity to influence scoring → PEOPLE OF INTEREST
SCENARIOS: “Connect the dots” across event/entity models for a composite measure of risk
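The slide describes the pipeline only in outline: events are enriched with features scored for rarity against the individual and the peer group, entity attributes adjust the score, and a scenario combines both into a composite risk. The following is an added illustration of that pipeline, written for this page and not Forcepoint code; the users, features, peer group, weights and threshold are constructed assumptions.

```python
"""Event/entity scoring in the style sketched on the slide.

Constructed illustration, not Forcepoint code: the feature names, peer group,
scenario weights and threshold are assumptions chosen to make the mechanics visible.
"""

# Daily activity counts per user: ten baseline days followed by today's value
# (index -1). Constructed sample data.
HISTORY = {
    "alice": {"usb_files": [0, 1, 0, 0, 2, 0, 1, 0, 0, 1, 1],
              "upload_mb": [5, 8, 6, 7, 5, 9, 6, 7, 8, 6, 7]},
    "bob":   {"usb_files": [1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 30],
              "upload_mb": [4, 6, 5, 7, 6, 5, 6, 5, 7, 6, 420]},
    "carol": {"usb_files": [0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0],
              "upload_mb": [10, 12, 9, 11, 10, 12, 11, 9, 10, 12, 11]},
}
# Peer group membership, an entity attribute of the kind HR / Active Directory supply.
PEER_GROUP = {"alice": "finance", "bob": "finance", "carol": "finance"}
# Non-activity indicators about the entity (HR notice, CMDB/AD privilege). Constructed.
ENTITY_ATTRIBUTES = {
    "alice": {},
    "bob":   {"resignation_notice": True},
    "carol": {"privileged_admin": True},
}
# One scenario that "connects the dots" across event and entity models.
# Weights are illustrative assumptions; together they cannot exceed 100.
EXFIL_SCENARIO = {
    "event_weights": {"usb_files": 40.0, "upload_mb": 40.0},
    "attribute_weights": {"resignation_notice": 20.0, "privileged_admin": 10.0},
}


def tail_rarity(observed, baseline):
    """Rarity of `observed` relative to `baseline` values, in [0, 1].

    p is the Laplace-smoothed share of baseline values at least as large as
    `observed`. A value at or below the median scores 0; a value larger than
    everything in the baseline approaches 1.
    """
    at_least = sum(1 for v in baseline if v >= observed)
    p = (at_least + 1) / (len(baseline) + 1)
    return max(0.0, 1.0 - 2.0 * p)


def peer_baseline(user, feature):
    """Baseline-day values of `feature` pooled across the user's peer group."""
    group = PEER_GROUP[user]
    pooled = []
    for member, features in HISTORY.items():
        if PEER_GROUP[member] == group:
            pooled.extend(features[feature][:-1])
    return pooled


def event_indicators(user):
    """Enrich today's events: each feature is scored for rarity twice, once
    normalized against the user's own history and once against the peer group."""
    indicators = {}
    for feature, series in HISTORY[user].items():
        today, own_baseline = series[-1], series[:-1]
        indicators[feature] = {
            "individual": tail_rarity(today, own_baseline),
            "peer": tail_rarity(today, peer_baseline(user, feature)),
        }
    return indicators


def composite_risk(user, scenario=EXFIL_SCENARIO):
    """Composite scenario score in [0, 100].

    Each event feature contributes its weight times the larger of the two
    normalizations, so volume unusual for the person or for the peer group
    both count; entity attributes add their weight when present.
    """
    indicators = event_indicators(user)
    score = 0.0
    for feature, weight in scenario["event_weights"].items():
        score += weight * max(indicators[feature].values())
    for attribute, weight in scenario["attribute_weights"].items():
        if ENTITY_ATTRIBUTES[user].get(attribute):
            score += weight
    return round(min(score, 100.0), 1)


def people_of_interest(threshold=60.0):
    """Rank users by composite risk; return (user, score) at or above threshold."""
    ranked = sorted(((composite_risk(u), u) for u in HISTORY), reverse=True)
    return [(user, score) for score, user in ranked if score >= threshold]


if __name__ == "__main__":
    for user in HISTORY:
        print(user, event_indicators(user), composite_risk(user))
    print("People of interest:", people_of_interest())
```

In this constructed data bob's removable-media and upload volumes are rare against both his own history and the peer group, and his HR attribute lifts the scenario score further; carol's upload volume is routine for her but rare for the peer group, so only the peer-normalized indicator fires and she stays below the threshold; alice scores low on every indicator. The point the slide makes is visible in the numbers: the same raw event is an anomaly or routine depending on which baseline it is normalized against, and the entity attributes decide how much a borderline event matters.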
FORCEPOINT UEBA TECHNOLOGY DIFFERENTIATORS
Comprehensive Visibility: Only vendor that covers structured & unstructured business data PLUS communications to leave no detection gaps.
Deep Context: Focus on behaviors, not just anomalies, with precise narratives that indicate unwanted behavior, utilizing sentiment analysis and Natural Language Processing.
Flexible: Easily build or customize risk models to fit your unique enterprise and support any risk use case.
Efficient: In-depth analytics within a single platform allows investigators to pivot from alert to investigation.
FORCEPOINT UEBA – USER & ENTITY BEHAVIOR ANALYTICS
Visibility → Users & Critical Data → Investigate & Act
THE HUMAN POINT
Humans are increasingly the number one source of risk to organizations
Personas: Disgruntled Employee, Unknowing Accountant, Entitled Insider, Blackmailed Developer, Internal Activist, Careless Manager, Saboteur, Compromised, IP Thief, PII Thief, Media Leaker, Negligent
“Huge fight with boss. Quit and deployed time-bomb corrupting our HR system, inserted false transactions in a client back-end system.”
“Downloaded a spreadsheet with malware, unknowingly exposing our company. It took us weeks to figure out who was patient zero.”
“Recruited by a competitor. Took client lists, product ideas, internal working documents - everything he’d ever been a part of.”
“Social media posts about financial troubles led a ‘recruiter’ to contact her. Simple requests quickly escalated into blackmail.”
“Became disillusioned after reading executive emails, chats, and compensation logs. Went to the media with a story.”
“Taped passwords to his monitor, refused to lock his screen. Regularly emailed himself sensitive information he needed to remember.”
OUT-OF-BOX USE CASES | BASELINE ANALYTICS MODEL

Data Exfiltration
Models:
• Internal Data Movement Risk
• External Data Movement Risk
• File Operations Risk
• Data Reconnaissance Risk
• Evasive Action Risk
• Human Resources Risk
Data Sources:
• Web Proxy
• Windows
• Linux
• User Activity Monitoring
• Chat
• Network Flow Logs
• SharePoint
• Web Server Logs
• HR

Compromised User Account
Models:
• Malware Risk
• Compromised Authentication Risk
• Phishing Risk
• Baseline Configuration Deviation Risk
• Malware Resources Risk
• Network Reconnaissance Risk
Data Sources:
• Web Proxy
• Windows
• Linux
• User Activity Monitoring
• Chat
• Network Flow Logs
• VPN
• Firewall
• Anti-Virus
• HR
• Voice

Malicious User
Models:
• Systems Administration Risk
• Malicious Authentication Risk
• Malicious Actions Research Risk
• Baseline Configuration Deviation Risk
• Physical Access Risk
• Permissions Elevation Request Risk
• Human Resources Risk
Data Sources:
• Web Proxy
• Windows
• Linux
• User Activity Monitoring
• Chat
• Network Flow Logs
• VPN
• Badge Data
• Voice
• HR

Negative Behavior
Models:
• Sexual Harassment Risk
• Workplace Violence Risk
• Obscene Content Risk
• Leaver Risk
• Decreased Productivity Risk
• Corporate Disengagement Risk
• Financial Distress Risk
• Negative Sentiment Risk
• Human Resources Risk
Data Sources:
• Web Proxy
• Chat
• Network Flow Logs
• HR
• Voice

Illicit Behavior
Models:
• Organizational Conflict of Interests (OCI) Risk
• Information Leakage Risk
• Corporate Espionage Risk
• Whistleblowing Risk
• Clearance Investigation Evasion Risk
• Human Resources Risk
Data Sources:
• Web Proxy
• Chat
• Firewall
• HR
• Voice
• DLP
BASELINE ANALYTICS MODELS | REGULATORY SURVEILLANCE
“Out-of-the-box” models for scenarios across regulatory surveillance and information security. Known as BAM, these models are use case "best practices" developed via the sharing and compounding of knowledge within our customer base.

Market Manipulation (MM)
Models:
MM-1 Trades FX Rate Fixing
MM-2 Comms FX Rate Fixing
MM-3 Trades Libor Rate Fixing
MM-4 Comms Libor Rate Fixing
Data Sources:
• Chat
• Trade
• Voice
• Trade Alerts
• Web Proxy
• User Activity Monitoring
• SharePoint
• HR

Insider Trading (IT)
Models:
IT-1 Trades Outlier Activity
IT-2 Comms Insider Trading
IT-3 Comms Disclosure of MNPI
IT-4 Web Personal Trade Activity
IT-5 Trades Surveillance Alerts
Data Sources:
• Chat
• Trade
• Voice
• Trade Alerts
• Web Proxy
• User Activity Monitoring
• SharePoint
• HR
• Badge Data

Conduct Risk (CR)
Models:
CR-1 Disengagement from work
CR-2 Personal Duress
CR-3 Oversight Evasion
CR-4 Ethics Risk
Data Sources:
• Chat
• Voice
• Web Proxy
• User Activity Monitoring
• HR
• Badge Data
DATA INTEGRATION ENGINE | APACHE NIFI
Enterprise-ready ETL framework based on Apache NiFi
Rapid time-to-value for onboarding new data feeds
Includes a library of reusable data flow templates that target the most common data sources, such as ArcSight, Splunk, Hadoop, etc.
Out-of-the-box connectors (FTP, syslog, etc.) and a GUI-driven template builder for fast setup and reduced training costs
Bi-directional capabilities enable ingest and outbound alerting
Critical management/monitoring features, including:
Real-time monitoring interface
Configurable throttling and back-pressure
Robust error handling and error reporting
UI PURPOSE-BUILT FOR ANALYSTS
Identify Highest Risk Employees: The Analytic Dashboard “connects the dots” to identify unknown risks and provide broad situational awareness using holistic risk assessments. The holistic assessments (Entity Risk Scores) are derived from advanced analytics that look at all monitored employees across all their activity.
UI PURPOSE-BUILT FOR ANALYSTS
Fast, Friendly Forensics
UI PURPOSE-BUILT FOR ANALYSTS
Streamlined Event Review
Thank you