User Behaviour Analysis

Do you know what your users have done?
Is there any abnormal behavior?

What is User Behaviour Analysis

  • User Behavior Analytics (UBA) focuses on what the user is doing: apps launched, network activity, and, most critically, files accessed (when the file or email was touched, who touched it, what was done with it and how frequently).
  • User behavior analysis is one part of a multilayered, integrated IT and information security strategy to prevent attacks and investigate threats. It can be an incredibly powerful tool to detect compromise early, mitigate risk, and stop an attacker from exfiltrating an organization’s data.

Top 9 abnormal user behavior

Unknown new AD admin user
  • Keep an eye on any new members of AD admin groups
Unauthorized Access
  • Repeated access attempts to unauthorized folders or accounts
Massive changes in servers
  • Mass deletions, modifications or reads on file servers
Suspicious ransomware detection
  • Creation of many encrypted files
Temp. user created and removed
  • Unauthorised creation and removal of an account
Huge amounts of user file and email activity
  • Investigate mass user activity
Multiple login locations within 10 minutes
  • Multiple logins from different locations within 10 minutes
User Activity Surges
  • Activity surges abnormally compared with the user's previous behaviour
Monitoring for third party vendor activity
  • Video recording of access by third-party vendors

SIEM vs UBA (User Behavior Analysis)

User Behavior Analysis

UBA focuses on what the user is doing: apps launched, network activity, and, most critically, files accessed (when the file or email was touched, who touched it, what was done with it and how frequently).

The main focus of UBA is abnormal user activity. For example, if a single user changed 100 files during the last 15 minutes, that is an abnormal event which should be investigated.

Security Information and Event Management (SIEM)

SIEM has focused on analyzing events captured in firewall, OS and other system logs in order to spot interesting correlations, usually through pre-defined rules.

For example, several login failure events in one log might be matched to increased traffic exiting the network recorded in yet another log. SIEM might decide this is a sign of attackers entering the system and exfiltrating data.
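The pre-defined correlation rule just described, worked through as an added example (this is illustrative code written for this page, not the code of any SIEM product): an auth log and a firewall egress log are parsed with constructed line formats, and a rule fires when a burst of failed logons from one source is followed within a window by an unusually large volume of outbound bytes from that same source. All log lines, thresholds and host addresses are constructed for the illustration.

```python
"""Added example: a two-log SIEM-style correlation rule (failed logons -> large egress).
Log formats, hosts and thresholds are constructed for illustration only."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style authentication log (not real data)
AUTH_LOG = """\
2024-01-01T09:00:05 authsrv sshd: Failed password for admin from 10.0.5.23
2024-01-01T09:00:09 authsrv sshd: Failed password for admin from 10.0.5.23
2024-01-01T09:00:14 authsrv sshd: Failed password for root from 10.0.5.23
2024-01-01T09:00:20 authsrv sshd: Failed password for admin from 10.0.5.23
2024-01-01T09:00:27 authsrv sshd: Failed password for admin from 10.0.5.23
2024-01-01T09:00:31 authsrv sshd: Accepted password for admin from 10.0.5.23
2024-01-01T09:03:00 authsrv sshd: Failed password for jsmith from 10.0.7.8
"""

# Constructed firewall egress records: timestamp, source host, bytes out (not real data)
FW_LOG = """\
2024-01-01T09:05:00 fw01 egress src=10.0.5.23 dst=203.0.113.9 bytes=734003200
2024-01-01T09:06:00 fw01 egress src=10.0.7.8 dst=203.0.113.9 bytes=1200
2024-01-01T08:30:00 fw01 egress src=10.0.5.23 dst=198.51.100.4 bytes=2048
"""

AUTH_RE = re.compile(r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) \S+ egress src=(\S+) dst=\S+ bytes=(\d+)$")


def parse_auth(text):
    """Parse the constructed auth format into dicts with ts/result/user/src."""
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            out.append({"ts": datetime.fromisoformat(m[1]), "result": m[2],
                        "user": m[3], "src": m[4]})
    return out


def parse_fw(text):
    """Parse the constructed firewall format into dicts with ts/src/bytes."""
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            out.append({"ts": datetime.fromisoformat(m[1]), "src": m[2], "bytes": int(m[3])})
    return out


def correlate(auth, fw, fail_threshold=5, fail_window=timedelta(minutes=5),
              egress_window=timedelta(minutes=30), byte_threshold=100 * 1024 * 1024):
    """Rule: >= fail_threshold failed logons from one source inside fail_window,
    followed within egress_window by more than byte_threshold bytes leaving from
    that same source. Returns one alert dict per matching source."""
    failures = defaultdict(list)
    for ev in auth:
        if ev["result"] == "Failed":
            failures[ev["src"]].append(ev["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        burst_end = None  # time of the last failure in the first qualifying burst
        for i in range(len(times) - fail_threshold + 1):
            if times[i + fail_threshold - 1] - times[i] <= fail_window:
                burst_end = times[i + fail_threshold - 1]
                break
        if burst_end is None:
            continue
        # Only egress after the burst counts; earlier traffic is unrelated to it
        egress = sum(r["bytes"] for r in fw
                     if r["src"] == src and burst_end <= r["ts"] <= burst_end + egress_window)
        if egress > byte_threshold:
            alerts.append({"src": src, "failed_logons": len(times), "bytes_out": egress})
    return alerts


def run_rule():
    return correlate(parse_auth(AUTH_LOG), parse_fw(FW_LOG))


if __name__ == "__main__":
    for alert in run_rule():
        print("ALERT possible brute force followed by exfiltration:", alert)
```

The rule is deliberately static: both thresholds and both windows are fixed in advance, which is the SIEM style the text contrasts with UBA. A practitioner tuning it would start by measuring how often the failed-logon burst alone fires in their own environment, since the egress half of the rule is what keeps the false-positive rate manageable.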

Integrated solution for User Behavior Analysis

– Netwrix Auditor –

Abnormal user behavior detected by Netwrix Auditor

William deleted 100 files within the last 10 minutes

A sales manager who is leaving the company next month has copied 30 files from confidential folders or SQL databases in the last 15 minutes

Ken Wong became an admin user last night and was rolled back after one hour

Mass file extension changes to an encrypted format in the last 15 minutes

Permission changes for confidential folders

Repeated failed logons for the same user on critical applications and folders
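Several of the detections in the "Top 9 abnormal user behavior" list and in the findings above reduce to the same pattern: count a user's events of one kind inside a sliding time window and compare against a threshold or a second event. The following is an added example written for this page, not Netwrix Auditor code; it implements four of those detections (mass file changes, mass renames to an encrypted extension, logons from more than one location within 10 minutes, and a temporary admin-group membership) over a constructed stream of audit events. The event schema, user names, paths, the ".encrypted" suffix and the group name are all assumptions made for the illustration.

```python
"""Added example: user-centric window detections for the abnormal behaviours listed above.
Not Netwrix code; the event schema and all sample events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed base timestamp


def _ev(offset_s, user, action, **fields):
    """Build one constructed audit event `offset_s` seconds after T0."""
    return {"ts": T0 + timedelta(seconds=offset_s), "user": user, "action": action, **fields}


# Constructed audit events (not real data)
EVENTS = (
    # william deletes 100 files in about 8 minutes
    [_ev(i * 5, "william", "delete", path=f"\\\\fs01\\finance\\doc{i}.xlsx") for i in range(100)]
    # alice renames 40 files to an assumed ".encrypted" extension within 2 minutes
    + [_ev(600 + i * 3, "alice", "rename", path=f"\\\\fs01\\hr\\file{i}.docx.encrypted")
       for i in range(40)]
    # bob logs on from two locations 4 minutes apart; carol twice from the same place
    + [_ev(0, "bob", "logon", location="HK"), _ev(240, "bob", "logon", location="DE")]
    + [_ev(0, "carol", "logon", location="HK"), _ev(300, "carol", "logon", location="HK")]
    # ken is added to Domain Admins and removed 50 minutes later
    + [_ev(0, "ken", "group_add", group="Domain Admins"),
       _ev(3000, "ken", "group_remove", group="Domain Admins")]
    # dave modifies 5 files over 5 minutes: ordinary activity
    + [_ev(i * 60, "dave", "modify", path=f"\\\\fs01\\sales\\q{i}.pptx") for i in range(5)]
)


def sliding_count(events, predicate, window, threshold):
    """Users with >= threshold predicate-matching events inside any `window`.
    Returns {user: peak count seen in a window}."""
    peaks, recent = {}, defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not predicate(ev):
            continue
        dq = recent[ev["user"]]
        dq.append(ev["ts"])
        while ev["ts"] - dq[0] > window:  # drop timestamps that fell out of the window
            dq.popleft()
        if len(dq) >= threshold:
            peaks[ev["user"]] = max(peaks.get(ev["user"], 0), len(dq))
    return peaks


def mass_changes(events, window=timedelta(minutes=15), threshold=100):
    """'Massive changes in servers': 100 deletions/modifications by one user in 15 minutes."""
    return sliding_count(events, lambda e: e["action"] in {"delete", "modify"}, window, threshold)


def ransomware_renames(events, suffix=".encrypted", window=timedelta(minutes=15), threshold=20):
    """'Suspicious ransomware': many renames to an encrypted extension in 15 minutes."""
    return sliding_count(events,
                         lambda e: e["action"] == "rename" and e.get("path", "").endswith(suffix),
                         window, threshold)


def multi_location_logons(events, window=timedelta(minutes=10)):
    """Users who logged on from more than one location within `window`.
    Returns {user: sorted list of locations seen together}."""
    flagged, recent = {}, defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "logon":
            continue
        dq = recent[ev["user"]]
        dq.append((ev["ts"], ev["location"]))
        while ev["ts"] - dq[0][0] > window:
            dq.popleft()
        locs = {loc for _, loc in dq}
        if len(locs) > 1:
            flagged[ev["user"]] = sorted(locs)
    return flagged


def temporary_admins(events, group="Domain Admins", window=timedelta(hours=2)):
    """Users added to `group` and removed again within `window`. Returns {user: minutes held}."""
    added, flagged = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("group") != group:
            continue
        if ev["action"] == "group_add":
            added[ev["user"]] = ev["ts"]
        elif ev["action"] == "group_remove" and ev["user"] in added:
            held = ev["ts"] - added.pop(ev["user"])
            if held <= window:
                flagged[ev["user"]] = held.total_seconds() / 60
    return flagged


def run_all(events=EVENTS):
    return {"mass_changes": mass_changes(events),
            "ransomware_renames": ransomware_renames(events),
            "multi_location_logons": multi_location_logons(events),
            "temporary_admins": temporary_admins(events)}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

The thresholds (100 changes, 20 renames, 10 minutes, 2 hours) are assumed; in practice each should be set from the user's own history, which is what turns a fixed rule into the per-user baseline that distinguishes UBA from a SIEM rule. Note that `temporary_admins` only fires once the removal is seen, so an add without a matching removal should still raise the separate "unknown new AD admin user" check from the list above.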

Netwrix Auditor detection steps

Discovery from dashboard

  • Get a high-level view of what’s going on in your hybrid IT infrastructure with enterprise overview dashboards for IT Audit. Spot surges in anomalous activity, see which users are most active and determine which systems are most affected.

Abnormal user behavior investigation

  • Whenever you detect user activity that violates your corporate security policy, use our interactive Google-like search to investigate how it happened.
  • Customize any criteria for your future reporting or alerts.

Respond to your findings

  • Either email findings to stakeholders or save them in a dedicated file share for future reference.
  • Integrate with your SIEM, network devices and Active Directory for immediate action on critical events.

What’s NEXT?

TIL provides remote demos, technical material, ballpark pricing and solution advisory.


We are ready to help now

Don’t hesitate to drop us a line to clarify the details. Contact us at 852 2961 4860 or info@tilsol.com.
