In today's world, data leakage is a serious threat to information security; it occurs as a result of accidental or deliberate actions by the users of information systems themselves. Most leaks involve so-called “unstructured data,” that is, data that is created and used by the users themselves and stored on file servers or in users' mailboxes. It is therefore reasonable to begin analyzing the state of information security from the inside, assuming that a potential or actual intruder is already inside the local network. To understand where a leak is possible, you need to identify confidential data on the file server and understand who has access to it and who uses it most often. You should also identify users who should not have access to confidential information, because they either do not use this data or use it very rarely.
It should be noted that the User Behavior Analytics component has always been part of.
Varonis DatAdvantage collects information about all user actions on the file server and shows the access rights of an individual user to a folder or file, as well as the users who have access to a given file or folder. From this it is easy to see who has access to a file and uses it, and who should not have this access, either because of a lack of activity with that data or according to the security policies defined in the company. You can also build a profile of a specific user: what they do, which folders or mailboxes they have access to, how often they access them, and so on.
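The review described above (who is granted access versus who actually uses it) can be illustrated with a small script. The following is an added example, not Varonis code: it assumes two constructed inputs, an ACL listing (folder to accounts) and an access-event log, and reports accounts whose access has gone unused for longer than a review window.

```python
"""Stale-permission review for a file share.

Added example, not Varonis code. It combines two constructed inputs: an ACL
listing (which accounts may access which folder) and an access-event log
(who actually touched what, and when). Accounts that hold access but have not
used it within the review window are candidates for access removal.
"""
from datetime import datetime, timedelta

# Constructed ACL: folder -> set of accounts granted access.
ACL = {
    r"\\fileserver\finance\budgets": {"alice", "bob", "carol", "svc_backup"},
    r"\\fileserver\hr\payroll": {"alice", "dave"},
}

# Constructed access events: (ISO timestamp, account, folder, operation).
EVENTS = [
    ("2024-03-01T09:12:00", "alice", r"\\fileserver\finance\budgets", "read"),
    ("2024-03-02T10:05:00", "alice", r"\\fileserver\finance\budgets", "write"),
    ("2024-03-03T14:20:00", "bob", r"\\fileserver\finance\budgets", "read"),
    ("2023-11-15T08:00:00", "carol", r"\\fileserver\finance\budgets", "read"),
    ("2024-03-04T07:30:00", "dave", r"\\fileserver\hr\payroll", "read"),
]


def last_access(events):
    """Map (account, folder) -> timestamp of the most recent access."""
    seen = {}
    for ts, account, folder, _op in events:
        when = datetime.fromisoformat(ts)
        key = (account, folder)
        if key not in seen or when > seen[key]:
            seen[key] = when
    return seen


def stale_access(acl, events, now, max_idle_days=90):
    """Return {folder: sorted accounts whose access is unused}.

    An account is flagged when it is in the ACL for a folder but has no
    access event for that folder within `max_idle_days` of `now`.
    """
    recent = last_access(events)
    cutoff = now - timedelta(days=max_idle_days)
    report = {}
    for folder, accounts in acl.items():
        idle = sorted(
            account for account in accounts
            # datetime.min stands for "never accessed"
            if recent.get((account, folder), datetime.min) < cutoff
        )
        if idle:
            report[folder] = idle
    return report


def review(now_iso="2024-03-10", max_idle_days=90):
    """Run the review over the constructed data as of `now_iso`."""
    return stale_access(ACL, EVENTS, datetime.fromisoformat(now_iso), max_idle_days)


if __name__ == "__main__":
    for folder, accounts in review().items():
        print(f"{folder}: access unused for {', '.join(accounts)}")
```

With the constructed data, carol (last seen four months ago) and svc_backup (never seen) are flagged on the finance share, and alice is flagged on payroll, which she is entitled to read but has never opened. The idle window is a policy choice; a longer window reduces false positives for accounts with legitimately rare access.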
Varonis also allows you to analyze anomalous activity on the part of users. By collecting statistics, DatAdvantage can automatically identify user activity that exceeds the user's own previous activity on the file server. That is, if a user has, for example, exceeded their average daily activity (measured by the number of actions with files on the file server), this can be detected automatically, together with all the statistics of the user's actions and logs. Thus, anomalous user activity can be identified after the fact, which can help in the investigation of various information security incidents.
You can also receive notifications about abnormal user activity in real time. Bulk file deletion or mass copying may indicate malicious activity. The range of notification types is very wide. If you want to monitor the deletion or copying of certain files (for example, those containing confidential information), this is easy to configure. As a result, users will no longer be able to work with confidential information without information security administrators being aware of it.
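The two detections discussed in the last two paragraphs, a user exceeding their own daily baseline and a burst of deletions, can be expressed directly over an audit trail. The following is an added example, not Varonis code; the audit events, the accounts and the thresholds are all constructed for illustration.

```python
"""Two detections over a constructed file-server audit trail.

Added example, not Varonis code. Events are (ISO timestamp, account,
operation, path) tuples constructed inline. Two checks are shown:
  1. daily_activity_anomaly: an account's action count for one day exceeds
     a multiple of its own average over earlier days (after-the-fact);
  2. bulk_deletions: an account deletes at least `threshold` files inside a
     sliding window of `window_seconds` (suitable for a real-time alert).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _workday(day, account, n, op="read"):
    """Constructed events: `n` actions by `account` on 2024-03-<day>, one per minute."""
    start = datetime(2024, 3, day, 9, 0, 0)
    return [
        ((start + timedelta(minutes=i)).isoformat(), account, op,
         "\\\\fs\\finance\\doc%d.xlsx" % i)
        for i in range(n)
    ]


# alice: a steady 3-5 actions a day, then a spike of 30 on day 5.
# bob: normal reads, then 12 deletes within 22 seconds on day 2.
EVENTS = (
    _workday(1, "alice", 4) + _workday(2, "alice", 5)
    + _workday(3, "alice", 3) + _workday(4, "alice", 4)
    + _workday(5, "alice", 30)
    + _workday(1, "bob", 6) + _workday(2, "bob", 5)
)
_burst = datetime(2024, 3, 2, 17, 0, 0)
EVENTS += [
    ((_burst + timedelta(seconds=2 * i)).isoformat(), "bob", "delete",
     "\\\\fs\\finance\\archive%d.docx" % i)
    for i in range(12)
]


def daily_activity_anomaly(events, factor=3.0, min_history_days=3):
    """Return (account, day, count, baseline) for days where an account's
    action count exceeds `factor` times its mean over all earlier days.
    Days with fewer than `min_history_days` of history are skipped so a new
    account is not flagged on its first busy day."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, account, _op, _path in events:
        counts[account][ts[:10]] += 1          # ts[:10] is the calendar date
    anomalies = []
    for account, by_day in counts.items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            history = [by_day[d] for d in days[:i]]
            if len(history) < min_history_days:
                continue
            baseline = sum(history) / len(history)
            if by_day[day] > factor * baseline:
                anomalies.append((account, day, by_day[day], baseline))
    return anomalies


def bulk_deletions(events, threshold=10, window_seconds=60):
    """Return (account, max_deletes_in_window) for accounts that deleted at
    least `threshold` files inside any `window_seconds` sliding window."""
    per_account = defaultdict(list)
    for ts, account, op, _path in events:
        if op == "delete":
            per_account[account].append(datetime.fromisoformat(ts))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for account, times in per_account.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((account, best))
    return alerts


if __name__ == "__main__":
    for account, day, count, baseline in daily_activity_anomaly(EVENTS):
        print(f"{account}: {count} actions on {day}, baseline {baseline:.1f}/day")
    for account, n in bulk_deletions(EVENTS):
        print(f"{account}: {n} deletions within 60 s")
```

The baseline check uses only days before the one being scored, so the spike itself does not inflate the average it is compared against. The deletion check is the kind of rule that can fire as events arrive, whereas the daily comparison is inherently retrospective.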
Another important aspect of user behavior is unsuccessful access to files or folders. If the same user repeatedly tries to open files or folders to which he does not have access, this activity probably deserves attention. If an account tries to open many files or folders it has no access to within a short time, this may be malware activity, which is also an information security incident.
An audit of administrative accounts is also an important aspect of analyzing user actions. To prevent data leakage, it is always helpful to know which accounts have administrative rights and what activity they perform on the file server. You can also monitor privilege elevation for a specific account: whether the change was agreed with the information security officer and whether it contradicts the security policy adopted by the company. It may also be worth monitoring administrative access to files containing confidential information: if it occurs, for what purpose and how often.
Mail handling is another important aspect of analyzing user behavior. It is always useful to know who has access to a specific mailbox, who opens it and how the data in it is used. It often happens that users do not even suspect that someone else can read their mail. And if someone sends messages on behalf of another user, such cases are often difficult to track without a product that collects such statistics. Information about mailbox access also allows you to reduce redundant access or revoke access from users who do not need it at all.
Analyzing user actions also involves analyzing the actions of non-user accounts. If actions that should not occur are performed under a service account, they probably deserve attention. It is also easy to detect, almost instantly, the operation of ransomware (file-encrypting malware) that encrypts data, including on the file server. Ransomware activity can be recognized both by multiple file modifications in a short time and by changes to file extensions.
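The failed-access pattern described earlier and the ransomware indicators described in this paragraph (many modifications in a short time plus extension changes, possibly under a service account) can be checked with the following added example. It is not Varonis code; the audit events, the account names, the set of service accounts and the `.locked` extension are all constructed for illustration.

```python
"""Failed-access bursts and ransomware-style indicators.

Added example, not Varonis code. Events are constructed inline as
(ISO timestamp, account, operation, path, new_path) tuples; new_path is
set only for renames. Two checks are shown:
  1. denied_access_bursts: one account is refused on many distinct paths
     within the same minute;
  2. encryptor_indicators: one account modifies many files and renames
     them to a new extension within a short span, the pattern the text
     describes for file-encrypting malware.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: accounts that are services rather than people. Used only to
# annotate the report, since activity of this kind under a service account
# is especially suspicious.
SERVICE_ACCOUNTS = {"svc_print", "svc_backup"}


def _denied(account, start, folders):
    """Constructed access-denied events, one every 5 seconds."""
    return [
        ((start + timedelta(seconds=5 * i)).isoformat(), account, "access_denied",
         "\\\\fs\\" + folder + "\\index.xlsx", None)
        for i, folder in enumerate(folders)
    ]


def _encryptor(account, start, n, new_ext=".locked"):
    """Constructed encryptor behaviour: modify a file, then rename it with a new extension."""
    out = []
    for i in range(n):
        ts = (start + timedelta(seconds=i)).isoformat()
        old = "\\\\fs\\finance\\report%d.docx" % i
        out.append((ts, account, "modify", old, None))
        out.append((ts, account, "rename", old, old + new_ext))
    return out


EVENTS = (
    _denied("mallory", datetime(2024, 3, 5, 10, 0, 1),
            ["hr\\payroll", "hr\\reviews", "finance\\budgets", "finance\\audit",
             "legal\\contracts", "legal\\disputes", "board\\minutes", "rnd\\patents"])
    + _denied("bob", datetime(2024, 3, 5, 10, 30, 0), ["hr\\payroll"])  # a one-off mistake
    + _encryptor("svc_print", datetime(2024, 3, 5, 11, 0, 0), 15)
    + [  # carol: an ordinary edit and a version rename that keeps the extension
        ("2024-03-05T12:00:00", "carol", "modify", "\\\\fs\\finance\\plan_v1.docx", None),
        ("2024-03-05T12:00:05", "carol", "rename", "\\\\fs\\finance\\plan_v1.docx",
         "\\\\fs\\finance\\plan_v2.docx"),
    ]
)


def denied_access_bursts(events, threshold=5):
    """Return (account, minute, distinct_paths) where an account was denied
    access to at least `threshold` distinct paths within one minute."""
    buckets = defaultdict(set)
    for ts, account, op, path, _new in events:
        if op == "access_denied":
            buckets[(account, ts[:16])].add(path)   # ts[:16] is YYYY-MM-DDTHH:MM
    return [(account, minute, len(paths))
            for (account, minute), paths in sorted(buckets.items())
            if len(paths) >= threshold]


def _ext(path):
    """Extension of the file name in a UNC path ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):] if "." in name else ""


def encryptor_indicators(events, min_files=10, window_seconds=60):
    """Return (account, is_service_account, modified, ext_changes, new_exts)
    for accounts that modified at least `min_files` distinct files and
    renamed at least `min_files` files to a different extension, all within
    `window_seconds`."""
    activity = defaultdict(list)
    for ts, account, op, path, new_path in events:
        if op in ("modify", "rename"):
            activity[account].append((datetime.fromisoformat(ts), op, path, new_path))
    hits = []
    for account, items in activity.items():
        items.sort(key=lambda item: item[0])
        modified = {path for _t, op, path, _n in items if op == "modify"}
        new_exts = [_ext(new) for _t, op, path, new in items
                    if op == "rename" and _ext(new) != _ext(path)]
        span = (items[-1][0] - items[0][0]).total_seconds()
        if len(modified) >= min_files and len(new_exts) >= min_files and span <= window_seconds:
            hits.append((account, account in SERVICE_ACCOUNTS,
                         len(modified), len(new_exts), set(new_exts)))
    return hits


if __name__ == "__main__":
    for account, minute, n in denied_access_bursts(EVENTS):
        print(f"{account}: denied on {n} distinct paths during {minute}")
    for account, svc, mod, ren, exts in encryptor_indicators(EVENTS):
        kind = "service account" if svc else "user"
        print(f"{account} ({kind}): {mod} files modified, {ren} renamed to {sorted(exts)}")
```

Carol's rename from `plan_v1.docx` to `plan_v2.docx` is deliberately not counted, because the extension is unchanged; requiring both a high modification count and a high extension-change count keeps ordinary bulk edits from triggering the indicator.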
User behavior analysis is used in many information security solutions (in particular, SIEM). Varonis DatAdvantage does not attempt to duplicate the functionality of other solutions but uses its own approach, collecting information about work with files and data both on the file server and in mailboxes. In addition, it should be noted that notifications about changes on the file server can be sent directly to the SIEM solution. In this respect, Varonis and SIEM can complement each other, increasing the effectiveness of information security.