Detecting Insider Threats with User Behavior Analytics A Use Case for Financial Services at Every Stage of the Cyber Kill Chain


Page 1: Detecting Insider Threats with User Behavior Analytics

Detecting Insider Threats with User Behavior Analytics

A Use Case for Financial Services at Every Stage of the Cyber Kill Chain

Page 2

Once the attacker has credentials, they can move freely within your network, with the ability to inflict immense damages.

An employee within your organization is targeted with a spearphishing email. With just a click, they take the bait and their credentials are stolen.

Insider Threats Within Financial Services Organizations

The Scenario

Page 3

The Human Element

Spearphishing is a human vulnerability. It takes an employee to click on the bait.

So how can you defend against insider threats? You have to have a solution in place to protect against the human element.

The solution: User Behavior Analytics (UBA)

Page 4

How User Behavior Analytics Can Help Stop Insider Threats

UBA can help you to detect and respond to:

1. Insider threats
2. Compromised accounts
3. Privileged account abuse

Page 5

Anatomy of an Attack

Using UBA to Stop an Insider Threat Attack at Any Stage of the Cyber Kill Chain

Page 6

Detecting a Compromised Account

Compromised accounts are at the heart of most financial breaches.

The good news? Indicators of a compromised account can be detected at different stages across the cyber kill chain.

Page 7

The Cyber Kill Chain: Identifying The Moment of Compromise

The Scenario: Spearphishing

The compromise: An employee receives an email that looks like it’s from a co-worker. She doesn’t notice the small difference in spelling of the domain name as she opens the email. The trap has been sprung.

How you stop it: LogRhythm’s Network Monitor deep packet analytics detects the inbound attack, then produces a high-impact alert on the incident. Your SOC team investigates, responds and neutralizes the threat.

Page 8

The Cyber Kill Chain: Identifying The Moment of Compromise

The Scenario: Compromised Hosts

The compromise: A piece of malware slips through traditional perimeter defenses and is installed on a machine.

How you stop it: LogRhythm detects when the malicious process starts on the endpoint and either terminates the process or isolates the endpoint to stop the spread of malware.

Page 9

The Cyber Kill Chain: Identifying The Moment of Compromise

The Scenario: Lateral Movement & Account Sweeps

The compromise: Malware makes its way onto a machine. It then uses an employee’s compromised credentials to log onto other systems on the network.

How you stop it: LogRhythm detects the authentication attempts against multiple hosts and sends an alarm to your SOC for further investigation, response and neutralization.

Page 10

The Cyber Kill Chain: Identifying The Moment of Compromise

The Scenario: Brute Force Authentication

The compromise: Malware has made its way onto an employee’s machine. It then tries to move to another user by identifying the password through brute force.

How you stop it: LogRhythm detects the authentication failures against multiple hosts and sends an alarm to your SOC for further investigation, response and neutralization.

Page 11

The Cyber Kill Chain: Identifying The Moment of Compromise

The Scenario: Authentication from Abnormal Location

The compromise: An attacker successfully gains control of a corporate machine, then uses the employee’s credentials to connect to the network via VPN.

How you stop it: LogRhythm detects the authentication from an abnormal location and sends an alarm to your SOC for further investigation, response and neutralization.
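The three detections on pages 9 to 11 (one account succeeding against many hosts, one source failing against many hosts, and a logon from outside a user's usual location) can be expressed as simple rules over authentication events. The block below is an added illustration, not LogRhythm code; the event layout, thresholds, time window and per-user country baseline are all assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (seconds, user, src_host, dst_host, result, country).
EVENTS = [
    (0, "jdoe", "ws-17", "fs-01", "success", "US"),
    (30, "jdoe", "ws-17", "fs-02", "success", "US"),
    (45, "jdoe", "ws-17", "db-03", "success", "US"),
    (90, "svc-backup", "ws-17", "srv-10", "failure", "US"),
    (91, "svc-backup", "ws-17", "srv-11", "failure", "US"),
    (92, "svc-backup", "ws-17", "srv-12", "failure", "US"),
    (120, "asmith", "vpn-gw", "vpn", "success", "RO"),
    (130, "asmith", "ws-22", "fs-01", "success", "US"),
]
# Assumed per-user baseline of countries they normally authenticate from.
BASELINE = {"jdoe": {"US"}, "asmith": {"US"}, "svc-backup": {"US"}}

def _hosts_in_window(records, window):
    # records: sorted (ts, host); return the largest set of distinct hosts
    # reached within any sliding window of `window` seconds.
    best = set()
    for i, (t0, _) in enumerate(records):
        hosts = {h for t, h in records[i:] if t - t0 <= window}
        if len(hosts) > len(best):
            best = hosts
    return best

def detect_account_sweep(events, window=300, min_hosts=3):
    """Lateral movement: one account succeeds against many distinct hosts."""
    per_user = defaultdict(list)
    for ts, user, _, dst, result, _ in events:
        if result == "success":
            per_user[user].append((ts, dst))
    return {u: sorted(h) for u, r in per_user.items()
            if len(h := _hosts_in_window(sorted(r), window)) >= min_hosts}

def detect_brute_force(events, window=300, min_hosts=3):
    """Brute force: one source host fails against many distinct hosts."""
    per_src = defaultdict(list)
    for ts, _, src, dst, result, _ in events:
        if result == "failure":
            per_src[src].append((ts, dst))
    return {s: sorted(h) for s, r in per_src.items()
            if len(h := _hosts_in_window(sorted(r), window)) >= min_hosts}

def detect_abnormal_location(events, baseline):
    """Successful logon from a country outside the user's baseline."""
    return [(user, country) for _, user, _, _, result, country in events
            if result == "success" and country not in baseline.get(user, set())]
```

Each detector returns only the entities that crossed its threshold, so an alert for ws-17 in both the sweep and brute-force results is the signal an analyst would pivot on.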

Page 12

The Cyber Kill Chain: Identifying The Moment of Compromise

The Scenario: Unauthorized Trades and Transfers

The compromise: A compromised user account attempts to perform unauthorized trades and transfers.

How you stop it: LogRhythm’s User Behavior Analytics detects the unauthorized actions and alerts on the incident, immediately initiating SmartResponse™ to lock down the compromised account.

Page 13

How LogRhythm Stops Insider Threats

Page 14

LogRhythm’s User Behavior Analytics Stop Insider Threats

At every step of the insider threat cyber kill chain, LogRhythm can detect the anomalous behavior and prevent movement to the next stage.

LogRhythm’s detection capabilities go beyond the usual UBA suspects because of its ability to monitor network activity and file information—keeping your financial institution protected no matter where the point of compromise is attempted.

Page 15

LogRhythm Disrupts the Financial Insider Threat Kill Chain

Kill chain stages, as laid out in the slide diagram:

• Reconnaissance & Planning
• Initial Compromise
• Command & Control
• Lateral Movement
• Target Attainment
• Exfiltration, Corruption, Disruption

Attack activity placed along the chain in the diagram: Spearphishing, Malware, Brute force and unauthorized account access, VPN, Financial transfer

Page 16

Holistic Threat Analytics

Embedded Security

• Recognized security experts
• Build machine data intelligence, with support for 750+ devices
• Develop pre-packaged threat management modules:
  • AI Engine rules
  • Reports & saved searches
  • Dashboard layouts
  • SmartResponse™ plug-ins
• Frequent updates via cloud

Threat Intelligence

• Open Source
• Custom
• Commercial

User Behavior Analytics (UBA): Brute force attacks, compromised user accounts, insider threat detection, privileged user account monitoring & more

Network Behavior Analytics: Malware outbreak, suspicious network communications, DOS attacks, network-borne data exfiltration & more

Endpoint Behavior Analytics: Endpoint manipulation, malware activity, suspicious process & application activity, local data exfiltration & more

Rapid Value

• Arm your analysts to work smarter and faster with machine-based analytics
• Detect and respond to threats across the holistic attack surface
• Accelerate deployment with pre-packaged threat management modules

Page 17

LogRhythm can help you protect your holistic attack surface—including your users, networks and endpoints.

Rarely do attackers target one vector, so we leverage data from all vectors and sources (e.g., honeypots and threat intel feeds) so you can correlate user behavior with network and endpoint data.

In case of an attack, you’ll be able to detect and respond lightning fast with an efficient workflow.

Protecting Your Holistic Attack Surface

Page 18

See LogRhythm in Action

You already know that hackers will get in—regardless of the prevention technologies you’ve put in place to keep them out.

Click the button below to watch this in-depth demo and see how LogRhythm can help you detect a phishing attack and stop it in its tracks.

Watch the Demo