Forcepoint · Enrich events with observed features of interest, ... • SharePoint • Web Server Logs • HR • Web Proxy • Windows • Linux • User Activity Monitoring •

Copyright © 2017 Forcepoint. | 1

Kaan Kayan

Sales Engineer

[email protected]

Forcepoint UEBAUser & Entity Behavior Analytics


TODAY’S REALITY: THE ZERO-PERIMETER WORLD

Remote Users

Remote Users

1. Significantly increased attack surface

2. Lack of VisibilityYou cannot secure what you cannot see

3. Disjointed Security PolicyFrom one perimeter to defend to many

4. Silo’d Intelligence & limited visibility

to riskUnable to make informed decisions for the entire

business

5. Ineffective EnforcementUnable to make informed decisions for the entire

business

6. ComplianceThings just got a lot more complicated


the rhythm of your people the flow of your dataAND

THE HUMAN POINT IS ABOUT UNDERSTANDING


rhythm of

your people

rhythm of your

people

flow of your data

BENEFIT FROM THE HUMAN POINT

VisibilityIdentify your data and users everywhere

your people work

ControlOne policy to manage data movement &

access across ALL distributed systems

RiskConsolidated view of risk that considers user

actions & value of the data in addition to

machine logs

EnforcementRisk adaptive protection to act on change in

human risk to critical data in real time

Compliance Effectively enforce compliance no matter

where your data resides


THE FORCEPOINT SOLUTION FOR DATA AND USERS

Forcepoint DLP

Identify and control flow of data

Cloud

Endpoint

Network

Discovery

Secure regulated data

Protect intellectual property

Forcepoint Insider Threat

Endpoint-based deep visibility

and analysis of user behavior

User risk scoring

Baseline & deviations

Machine logs + user actions

Correlate user across systems

Detailed monitoring that respects

user privacy

Forcepoint UEBA

Risk analytics platform for

broad view of user activity and

risk scoring

Context of behavior –

not just anomalies

Communications + logs +

Machine data + HR info

Out of box analytics + flexibility to

adapt to new threats

the rhythm of your people the flow of your dataAND


Customer challenge:

Centralized, correlated

visibility to user activity

Cloud apps

Devices

User communications

HR data

Customer challenge:

Cyber threats target

the people &

authorized users who

access data & critical

systems

Mean time to detection:

~150 days

UEBA: TRUSTED INSIDERS VS. COMPROMISED USERS & ASSETS

Source: Gartner, Dec. 2016

Pinpoint threats Reduce signal to noise ratio

Trusted

Insider

Compromised

Insider or Asset

Risk Management Security Operations

UEBA Buyers and Users


USER & ENTITY BEHAVIOR ANALYTICS

1st

Generation UEBA:

Analyze SIEM data & find anomalies from the

billions of logs & machine event

SIEM Analytics Module:

Imbedded analytics in the SIEM

Results

From 1000s of events to 100s of anomalies

Anomalies are not actionable

Anomalies serve as “clues” of interest but lack

context of what to do next

No context of data at risk

Analyst must jump to other products to see if the

user action puts the enterprise at risk

No context of user vs. machine action

Anomalies provide little value without context to data at risk & specific threats

“A UEBA product that only ingests

logs may miss important activity,

especially if it does not have full

visibility into the endpoint device

used by the user … Unstructured

contextual information (such as

performance appraisals, travel logs

and social media activity) can be

extremely useful in helping discover

and score risky user behavior.”

– Gartner, Dec. 2016


FORCEPOINT UEBA – USER & ENTITY BEHAVIOR ANALYTICS

Integrate data

sources for

visibility into

human risk

Identify &

prioritize high risk

users & critical

data

Investigate &

Act to reduce risk

& protect data


FORCEPOINT UEBA: HOLISTIC VIEW OF THE USER

CommunicationWhat are they feeling?

With whom are they interacting?

Data: Email, chat, voice

SystemHow are they behaving digitally?

What sites and systems are they

accessing?

Data: SIEM, endpoint, web browsing,

logins, file sharing

HRWhat is their motivation?

Why might they have malicious intent?

Data: Performance reviews, Active

Directory

PhysicalHow are they behaving physically?

Where are they going and when?

Data: Badge data, traveling


EXAMPLE DATA INTEGRATIONS

Endpoint

Entity Information

Proxy

Print Logs, Removable Device

Logs (Windows, Endpoint)

Physical Data Movement

SIEM

Communications

User Access

System Administration

DLP


PLATFORMANALYTIC APPROACH


USER BEHAVIOR ANALYTIC APPROACH

INSIDER INSIGHTS BASED ON

Enrich events with observed features of interest,

scored for rarity and normalized by individual or peer groupScore non-activity based indicators

about an entity to influence scoring

SCENARIOS“Connect the dots” across event/entity models

for a composite measure of risk

ENTITY ATTRIBUTE AND FEATURE COLLECTION

(gathered from HR, Active Directory, CMDB)

Entity AttributeEntity Features

EVENT INGEST AND ENRICHMENT

(Streaming or Batch Ingest via API)

Who They AreWhat They Do

EVENT ANALYTICS - “What They Do” ENTITY ANALYTICS - “Who They Are”

PEOPLE OF

INTEREST

EVENTS OF

INTEREST


Only vendor that covers structured & unstructured business data PLUS

communications to leave no detection gaps.

Comprehensive

Visibility

Focus on behaviors, not just anomalies, with precise narratives that

indicate unwanted behavior. Utilizing sentiment analysis and Natural

Language Processing.Deep Context

Easily build or customize risk models to fit your unique enterprise and support

any risk use case.Flexible

In-depth analytics within a single platform allows investigators to pivot from

alert to investigation.Efficient

FORCEPOINT UEBA TECHNOLOGY DIFFERENTIATORS


FORCEPOINT UEBA – USER & ENTITY BEHAVIOR ANALYTICS

VisibilityUsers &

Critical DataInvestigate

& Act


THE HUMAN POINT

Humans are increasingly the number one source of risk to organizations

Disgruntled Employee Unknowing Accountant

“Huge fight with boss. Quit

and deployed time-bomb

corrupting our HR system,

inserted false transactions

in a client back-end

system.”

Entitled Insider Blackmailed Developer Internal Activist Careless Manager

“Downloaded a

spreadsheet with

malware, unknowingly

exposing our company. It

took us weeks to figure

out who was patient zero.”

Saboteur Compromised IP Thief PII Thief Media Leaker Negligent

“Recruited by a

competitor. Took client

lists, product ideas,

internal working

documents - everything

he’d ever been a

part of.”

“Social media posts about

financial troubles led a

‘recruiter’ to contact her.

Simple requests quickly

escalated into blackmail.”

“Became disillusioned

after reading executive

emails, chats, and

compensation logs. Went

to the media with a story.”

“Taped passwords to his

monitor, refused to lock

his screen. Regularly

emailed himself sensitive

information he needed to

remember.”


OUT-OF-BOX USE CASES | BASELINE ANALYTICS MODEL

Data

Exfiltration

Compromised

User Account

Malicious

User

Negative

Behavior

Illicit

Behavior

Models

• Internal Data Movement

Risk

• External Data

Movement Risk

• File Operations Risk

• Data Reconnaissance

Risk

• Evasive Action Risk

• Human Resources Risk

• Malware Risk

• Compromised

Authentication Risk

• Phishing Risk

• Baseline Configuration

Deviation Risk

• Malware Resources

Risk

• Network Reconnaissance

Risk

• Systems Administration Risk

• Malicious Authentication Risk

• Malicious Actions Research

Risk

• Baseline Configuration

Deviation Risk

• Physical Access Risk

• Permissions Elevation

Request Risk


• Sexual Harassment Risk

• Workplace Violence Risk

• Obscene Content Risk

• Leaver Risk

• Decreased Productivity

Risk

• Corporate Disengagement

Risk

• Financial Distress Risk

• Negative Sentiment Risk


• Organizational Conflict of

Interests (OCI) Risk

• Information Leakage Risk

• Corporate Espionage Risk

• Whistleblowing Risk

• Clearance Investigation

Evasion Risk


Data

Sources

• Web Proxy

• Windows

• Linux

• User Activity Monitoring

• Email

• Chat

• Network Flow Logs

• SharePoint

• Web Server Logs

• HR

• Web Proxy

• Windows

• Linux

• User Activity

Monitoring

• Email

• Chat


• VPN

• Firewall

• Anti-Virus

• HR

• Voice

• Web Proxy

• Windows

• Linux


• Email

• Chat


• VPN

• Badge Data

• Voice

• HR

• Web Proxy

• Email

• Chat


• HR

• Voice

• Web Proxy

• Email

• Chat

• Firewall

• HR

• Voice

• DLP


BASELINE ANALYTICS MODELS | REGULATORY SURVEILLANCE

“Out-of-the-box”

models for scenarios

across regulatory

surveillance and

information security

Known as BAM,

these models are use

case "best practices"

developed via the

sharing and

compounding of

knowledge within our

customer base

Market Manipulation

(MM)Insider Trading (IT) Conduct Risk (CR)

Models

MM-1 Trades FX Rate Fixing

MM-2 Comms FX Rate Fixing

MM-3 Trades Libor Rate Fixing

MM-4 Comms Libor Rate Fixing

IT-1 Trades Outlier Activity

IT-2 Comms Insider Trading

IT-3 Comms Disclosure of MNPI

IT-4 Web Personal Trade Activity

IT-5 Trades Surveillance Alerts

CR-1 Disengagement from work

CR-2 Personal Duress

CR-3 Oversight Evasion

CR-4 Ethics Risk

Data

Sources

• Email

• Chat

• Trade

• Voice

• Trade Alerts

• Web Proxy


• SharePoint

• HR

• Email

• Chat

• Trade

• Voice

• Trade Alerts

• Web Proxy


• SharePoint

• HR

• Badge Data

• Email

• Chat

• Voice

• Web Proxy


• HR

• Badge Data


DATA INTEGRATION ENGINE | APACHE NIFI

Enterprise-ready ETL framework based on Apache NiFi

Rapid time-to-value for onboarding new data feeds

Includes library of reusable data flow templates to target

most common data sources, such as ArcSight, Splunk,

Hadoop, etc.

Out-of-the-box based connectors (FTP, syslog, etc) and

GUI-driven template builder for fast setup and reduced

training costs

Bi-directional capabilities enable ingest and

outbound alerting

Critical management/monitoring features including:

Real-time monitoring interface

Configurable throttling and back-pressure

Robust error handling and error reporting


UI PURPOSE-BUILT FOR ANALYSTS

Identify Highest Risk EmployeesThe Analytic Dashboard

“connects the dots” to

identify unknown risks

and provide broad

situational awareness

using holistic risk

assessments.

The holistic assessments

- Entity Risk Scores -

are derived from

advanced analytics that

look at all monitored

employees across all

their activity.



Fast, Friendly Forensics



Streamlined Event Review



Streamlined Event Review


Thank you

Documents

Forcepoint · Enrich events with observed features of interest, ... • SharePoint • Web Server Logs • HR • Web Proxy • Windows • Linux • User Activity Monitoring •