Detecting Insider Threats with User Behavior Analytics
A Use Case for Financial Services at Every Stage of the Cyber Kill Chain
An employee within your organization is targeted with a spearphishing email. With just a click, they take the bait and their credentials are stolen.
Once the attacker has credentials, they can move freely within your network, with the ability to inflict immense damages.
Insider Threats Within Financial Services Organizations
The Scenario
The Human Element
Spearphishing is a human vulnerability. It takes an employee to click on the bait.
So how can you defend against insider threats? You have to have a solution in place to protect against the human element.
The solution: User Behavior Analytics (UBA)
How User Behavior Analytics Can Help Stop Insider Threats
UBA can help you to detect and respond to:
1. Insider threats
2. Compromised accounts
3. Privileged account abuse
Anatomy of an Attack
Using UBA to Stop an Insider Threat Attack at Any Stage of the Cyber Kill Chain
Detecting a Compromised Account
Compromised accounts are at the heart of most financial breaches.
The good news? Indicators of a compromised account can be detected at different stages across the cyber kill chain.
The Cyber Kill Chain: Identifying The Moment of Compromise
The Scenario: Spearphishing
The compromise: An employee receives an email that looks like it’s from a co-worker. She doesn’t notice the small difference in spelling of the domain name as she opens the email. The trap has been sprung.
How you stop it: LogRhythm’s Network Monitor deep packet analytics detects the inbound attack, then produces a high-impact alert on the incident. Your SOC team investigates, responds and neutralizes the threat.
The Scenario: Compromised Hosts
The compromise: A piece of malware slips through traditional perimeter defenses and is installed on a machine.
How you stop it: LogRhythm detects when the malicious process starts on the endpoint and either terminates the process or isolates the endpoint to stop the spread of malware.
The Scenario: Lateral Movement & Account Sweeps
The compromise: Malware makes its way onto a machine. It then uses an employee’s compromised credentials to log onto other systems on the network.
How you stop it: LogRhythm detects the authentication attempts against multiple hosts and sends an alarm to your SOC for further investigation, response and neutralization.
The Scenario: Brute Force Authentication
The compromise: Malware has made its way onto an employee’s machine. It then tries to move to another user by identifying the password through brute force.
How you stop it: LogRhythm detects the authentication failures against multiple hosts and sends an alarm to your SOC for further investigation, response and neutralization.
The Scenario: Authentication from Abnormal Location
The compromise: An attacker successfully gains control of a corporate machine, then uses the employee’s credentials to connect to the network via VPN.
How you stop it: LogRhythm detects the authentication from an abnormal location and sends an alarm to your SOC for further investigation, response and neutralization.
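The three detections above (account sweep: one account reaching many hosts; brute force: one account failing against many hosts; abnormal-location VPN logon) are each a rule over authentication events. The block below is an added illustration, not LogRhythm's code or AI Engine rule syntax: it runs those three rules over a constructed set of logon events, with hypothetical thresholds (three hosts in five minutes) and a per-user country baseline that a SOC would tune to its own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, user, host, outcome, source country.
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "wks-12",      "success", "US"),
    ("2024-03-01T09:00:40", "alice", "fin-db-01",   "success", "US"),
    ("2024-03-01T09:01:10", "alice", "fin-app-02",  "success", "US"),
    ("2024-03-01T09:01:30", "alice", "hr-srv-03",   "success", "US"),
    ("2024-03-01T10:00:00", "bob",   "fin-db-01",   "failure", "US"),
    ("2024-03-01T10:00:05", "bob",   "fin-db-02",   "failure", "US"),
    ("2024-03-01T10:00:09", "bob",   "fin-app-02",  "failure", "US"),
    ("2024-03-01T10:00:14", "bob",   "trade-gw-01", "failure", "US"),
    ("2024-03-01T11:00:00", "carol", "vpn-gw",      "success", "RO"),
    ("2024-03-01T11:30:00", "dave",  "vpn-gw",      "success", "US"),
]
# Hypothetical baseline: countries each user normally authenticates from.
BASELINE_COUNTRY = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "dave": {"US", "GB"}}

def multi_host_auth(events, outcome, min_hosts=3, window=timedelta(minutes=5)):
    """Flag users whose logons with the given outcome touch at least min_hosts
    distinct hosts inside a sliding time window. outcome="success" models an
    account sweep (lateral movement); outcome="failure" models brute force."""
    per_user = defaultdict(list)
    for ts, user, host, result, _ in events:
        if result == outcome:
            per_user[user].append((datetime.fromisoformat(ts), host))
    alerts = {}
    for user, hits in per_user.items():
        hits.sort()  # chronological, so hits[i:] is everything at or after t0
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts

def abnormal_location(events, baseline):
    """Flag successful VPN logons from a country outside the user's baseline."""
    return sorted({(u, c) for _, u, h, r, c in events
                   if h == "vpn-gw" and r == "success" and c not in baseline.get(u, set())})

if __name__ == "__main__":
    print("account sweep:", multi_host_auth(EVENTS, "success"))
    print("brute force:  ", multi_host_auth(EVENTS, "failure"))
    print("abnormal VPN: ", abnormal_location(EVENTS, BASELINE_COUNTRY))
```

A real deployment would key the brute-force rule on the source host as well as the account, since one compromised machine failing against many hosts is the pattern the scenario describes.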
The Scenario: Unauthorized Trades and Transfers
The compromise: A compromised user account attempts to perform unauthorized trades and transfers.
How you stop it: LogRhythm’s User Behavior Analytics detects the unauthorized actions and alerts on the incident, immediately initiating SmartResponse™ to lock down the compromised account.
How LogRhythm Stops Insider Threats
LogRhythm’s User Behavior Analytics Stop Insider Threats
At every step of the insider threat cyber kill chain, LogRhythm can detect the anomalous behavior and prevent movement to the next stage.
LogRhythm’s detection capabilities go beyond the usual UBA suspects because of its ability to monitor network activity and file information—keeping your financial institution protected no matter where the point of compromise is attempted.
LogRhythm Disrupts the Financial Insider Threat Kill Chain
[Kill chain diagram. Stages: Reconnaissance & Planning; Initial Compromise; Command & Control; Lateral Movement; Target Attainment; Exfiltration, Corruption, Disruption. Techniques shown along the chain: spearphishing, malware, brute force and unauthorized account access, VPN, financial transfer.]
Holistic Threat Analytics
Embedded Security
• Recognized security experts
• Build machine data intelligence, with support for 750+ devices
• Develop pre-packaged threat management modules:
  • AI Engine rules
  • Reports & saved searches
  • Dashboard layouts
  • SmartResponse™ plug-ins
• Frequent updates via cloud
Threat Intelligence
• Open Source
• Custom
• Commercial
User Behavior Analytics (UBA)
Brute force attacks, compromised user accounts, insider threat detection, privileged user account monitoring & more
Network Behavior Analytics
Malware outbreak, suspicious network communications, DOS attacks, network-borne data exfiltration & more
Endpoint Behavior Analytics
Endpoint manipulation, malware activity, suspicious process & application activity, local data exfiltration & more
Rapid Value
• Arm your analysts to work smarter and faster with machine-based analytics
• Detect and respond to threats across the holistic attack surface
• Accelerate deployment with pre-packaged threat management modules
LogRhythm can help you protect your holistic attack surface—including your users, networks and endpoints.
Rarely do attackers target one vector, so we leverage data from all vectors and sources (e.g., honeypots and threat intel feeds) so you can correlate user behavior with network and endpoint data.
In case of an attack, you’ll be able to detect and respond lightning fast with an efficient workflow.
Protecting Your Holistic Attack Surface
See LogRhythm in Action
You already know that hackers will get in—regardless of the prevention technologies you’ve put in place to keep them out.