HP ArcSight
User Behavior Analytics
Tim Wenzlau, HP UBA Product Manager
#HPProtect
Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Security challenge
- Insider threat and application misuse
- Rogue users and compromised accounts
- Expanding data and scope
- Many credentials for each user

HP ArcSight User Behavior Analytics (UBA)
Identity, events and applications, and access feed a contextual visual investigation: learn normal, identify weird.
- Abnormal Behavior Detection: risk scoring and prioritization; active monitoring of events
- Privileged Account Intelligence: privileged account threat monitoring; service account threat monitoring; keystroke monitoring
- Identity Intelligence: user-centric monitoring; peer group context; statistical baselining; centralized view of user context and risk score; insider threat and account compromise
- Access Intelligence: rogue access identification; enable risk-based access reviews; enable risk-based access requests; account compromise

Target: IAM (HR, AD, LDAP). What/How: behavior anomaly, peer anomaly, suspicious activity. Impact: faster event resolution, prioritization of high-risk users, investigation efficiency and visualization, 5-1 ROI.
Step 1: Calling out the abnormal behavior based on identity and behavior context
Identity context plus behavior context drive detection of the abnormal, visualized as: peer outlier, event rarity, amount spike, frequency spike.
Step 2: Define normal for that user and those like him
Profile each user's normal behavior in each application and log source: learn what normal looks like, then watch for deviations, each of which adds to the score (+1): frequency spike, event rarity, amount spike.
- Behavioral analysis: behavior profiles
- Peer analysis: peer group profiles, peer group comparison
JobKey
30003509
75%
80%
Division
SECURITIES
OPS
Dept.
INVESTMENT
MGMT
Jane Doe
Manager
J.Smith
SECOND VP
97%
92%
Title
High Risk
Step 4: Identify highest risk users through risk scoring & prioritization
[Figure: event data (host, cloud, perimeter, IP metadata lookup data) is joined with identity data for Jane Doe (JobKey 30003509, Title SECOND VP, Manager J.Smith, Division SECURITIES OPS, Dept. INVESTMENT MGMT, hire date, phone/address, last review; type Full Time, Part Time, Employee, Contractor or Shared) drawn from HR, Active Directory, SailPoint, Aveksa, Oracle, Courion, a user watchlist, asset criticality and sentiment sources. Risk rules are expressed as IF ... AND ... WHERE ... THEN ... ELSE.]
Step 2: Identify highest risk users through risk scoring & prioritization
Description
Data masking: HP UBA has the ability to mask user data and unmask only the exceptions. HP UBA uses AES encryption to mask the data. Typically, Privacy Officers hold the password to decrypt.
Audit logs
Exception monitoring: To avoid data snooping, a security analyst cannot view user activity unless there is an exception. Only exceptions can be viewed, with SSO, first name and last name masked. A Privacy Officer with access can decrypt only those users who have a violation, using the decryption key provided. Reports for DLP intelligence can only be generated by the DLP team.
Email notification: In the event that an account has been identified with unusual activity, the system has the capability to notify the individuals and their managers where there is a likely adverse effect on privacy.
Security hardening: HP UBA integrates with AD to disable terminated users and allows SSO/LDAP authentication to be enabled. The HP UBA database is security hardened and even database admins cannot log in. A security assessment kit removes unnecessary services, applications, open ports and network protocols.
Questions?
Thank you
Appendix:
Architecture
Integration
[Figure: deployment components, numbered in the diagram: Connectors (including Identity & Access connectors), Logger, CEF Connector, HP UBA on HP UBA hardware, CEF Connector, ESM, and Command.]

[Figure: analytics pipeline. Security Events -> Context Enrichment (activity, access, privileges, identity aggregation) -> Peer Group Analysis, Behavioral Profiles, Outlier Detection, Event Rarity, Anomaly Amplification, Model Refinement -> Risk Aggregation -> HP ArcSight Threat Intelligence, Investigation & Response.]
2014 HP UBA Threat Modeler
Example indicators: inappropriate activity, unusual transaction, never-before-seen IP address.
1) Build context: poor HR review, upcoming termination; database username to identity correlation.
2) Classify normal: user profile of frequency and time of DB access; user/peer profile of common database commands; user/peer profile of normal volume of database files accessed and removed.
- Terminated user analysis: anomalous activity from an account belonging to a terminated user
- Dormant account usage: sudden spike in activity from an account that has been dormant for 90 days or more
- Service account misuse: service account logs in from a new IP address (e.g., VPN) and performs activity never seen before; interactive logon by a service account
- Rogue/orphan account misuse: anomalous activity by accounts that could not be correlated to a user or identified as service/shared accounts
- Suspicious account changes: sudden increase in the number of account creations/deletions; large number of password resets or changes in a short time period
- Unusual login pattern: multiple failed login attempts from an IP address never used before
- Account misuse: privileged account executes commands not seen before (e.g., zero-day malware, backdoor)
- Suspicious sequence of activities: creation, use and deletion of a local admin account
- Tampering of audit logs: change or deletion of audit logs, anomalous to peer behavior
- Anomalous activity: spike in data read/write events (e.g., SELECT, COPY, UPDATE) on database tables with sensitive data (e.g., customer PCI records)
- Critical database activity (e.g., DROP, DELETE TABLE) that has never been performed before by the user or by peers with similar roles/titles
- DBA account or service account logs in from an IP address or domain never seen before (e.g., login from a nation-state IP location)
- Suspicious login pattern during non-business hours (e.g., failed logins at odd times)
- Critical admin activities performed at odd hours (e.g., an admin in a US location makes backups of sensitive DB tables at 2 am)
- Anomalous usage of a service account (e.g., SELECT * on customer data; clearing of audit logs)
- DBA accesses the DB directly, bypassing the jump box (e.g., non-Citrix user)
- DBA user has access privileges on a database that are anomalous to the peer group (e.g., edit refunds)
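As an added illustration of the detection logic behind the threat models above, and of the earlier "define normal, then watch for deviations" and "risk scoring and prioritization" steps, the following Go program is example code written for this page, not HP UBA's own implementation. It learns a per-user baseline (known source addresses, daily event rate, last activity) from constructed events, then scores one day of new events for terminated-user activity, a never-seen source IP, a dormant account coming back to life after 90 days, an account with no baseline at all, and a frequency spike, and finally sums the points per user. The event fields, rule names, point weights and thresholds are this example's assumptions.

```go
package main

import (
	"fmt"
	"time"
)

type Event struct { // one constructed activity record; field names are this example's own, not HP UBA's CEF schema
	User, SrcIP, Action string
	When                time.Time
}

type Profile struct { // the learned "normal" for one user over the baseline window
	KnownIPs map[string]bool
	LastSeen time.Time
	days     map[string]bool // active baseline days (yyyy-mm-dd)
	total    int             // baseline events
}

type Finding struct { // one fired rule and its risk points (the weights are this example's choice)
	User, Rule, Detail string
	Points             int
}

// BuildProfiles learns each user's known source addresses, daily rate and last activity ("define normal").
func BuildProfiles(baseline []Event) map[string]*Profile {
	profiles := map[string]*Profile{}
	for _, e := range baseline {
		p := profiles[e.User]
		if p == nil {
			p = &Profile{KnownIPs: map[string]bool{}, days: map[string]bool{}}
			profiles[e.User] = p
		}
		p.KnownIPs[e.SrcIP] = true
		p.days[e.When.Format("2006-01-02")] = true
		p.total++
		if e.When.After(p.LastSeen) {
			p.LastSeen = e.When
		}
	}
	return profiles
}

// Evaluate scores recent events (time-ordered per user) against the profiles and an HR termination list:
// terminated-user activity, a never-seen source IP, a dormant account (>= dormantDays idle) coming back
// to life, an account with no baseline, and a frequency spike (> 3x the baseline daily mean, >= 5 events).
func Evaluate(profiles map[string]*Profile, terminated map[string]bool, recent []Event, dormantDays int) []Finding {
	var out []Finding
	perDay := map[string]int{} // "user day" -> events seen so far that day
	for _, e := range recent {
		if terminated[e.User] {
			out = append(out, Finding{e.User, "terminated-user-activity", e.Action + " from " + e.SrcIP, 50})
		}
		p := profiles[e.User]
		if p == nil { // no baseline at all: the rogue/orphan account case
			out = append(out, Finding{e.User, "unprofiled-account", e.Action + " from " + e.SrcIP, 30})
			continue
		}
		if !p.KnownIPs[e.SrcIP] {
			out = append(out, Finding{e.User, "new-source-ip", e.SrcIP, 20})
			p.KnownIPs[e.SrcIP] = true // report each new address once
		}
		if gap := e.When.Sub(p.LastSeen); gap >= time.Duration(dormantDays)*24*time.Hour {
			out = append(out, Finding{e.User, "dormant-account-reactivated", fmt.Sprintf("idle %d days", int(gap.Hours()/24)), 30})
		}
		p.LastSeen = e.When
		key := e.User + e.When.Format(" 2006-01-02")
		perDay[key]++
		mean := float64(p.total) / float64(len(p.days))
		if n := perDay[key]; n >= 5 && float64(n) > 3*mean && (n == 5 || float64(n-1) <= 3*mean) { // once per day
			out = append(out, Finding{e.User, "frequency-spike", fmt.Sprintf("%d events on%s vs mean %.1f", n, key[len(e.User):], mean), 20})
		}
	}
	return out
}

// RiskScores sums the points per user; sorting the result descending gives the triage order.
func RiskScores(findings []Finding) map[string]int {
	totals := map[string]int{}
	for _, f := range findings {
		totals[f.User] += f.Points
	}
	return totals
}

// SampleData returns a constructed three-day baseline, one constructed day of recent events and an HR termination list.
func SampleData() (baseline, recent []Event, terminated map[string]bool) {
	at := func(d, h int) time.Time { return time.Date(2015, 1, d, h, 0, 0, 0, time.UTC) }
	for d := 2; d <= 4; d++ { // jdoe: two events a day; bsmith: three
		baseline = append(baseline, Event{"jdoe", "10.0.0.5", "login", at(d, 9)}, Event{"jdoe", "10.0.0.5", "logout", at(d, 17)},
			Event{"bsmith", "10.0.0.7", "login", at(d, 8)}, Event{"bsmith", "10.0.0.7", "query", at(d, 12)}, Event{"bsmith", "10.0.0.7", "logout", at(d, 16)})
	}
	baseline = append(baseline, Event{"svc_backup", "10.0.0.9", "backup", time.Date(2014, 10, 1, 2, 0, 0, 0, time.UTC)})
	for h := 9; h < 17; h++ { // eight queries in one day: four times jdoe's baseline rate
		recent = append(recent, Event{"jdoe", "10.0.0.5", "query", at(5, h)})
	}
	recent = append(recent, Event{"bsmith", "10.0.0.7", "login", at(5, 10)}, // HR lists bsmith as terminated
		Event{"svc_backup", "203.0.113.7", "interactive-login", at(5, 3)}) // new address after 96 idle days
	return baseline, recent, map[string]bool{"bsmith": true}
}

func main() {
	baseline, recent, terminated := SampleData()
	findings := Evaluate(BuildProfiles(baseline), terminated, recent, 90)
	for _, f := range findings {
		fmt.Printf("%-11s %-28s +%d  %s\n", f.User, f.Rule, f.Points, f.Detail)
	}
	fmt.Println("risk scores:", RiskScores(findings))
}
```

On the sample data the terminated user and the reactivated service account both reach 50 points and outrank the spiking but otherwise normal user, which is the prioritisation the deck describes: context (HR status, account type) weighs more than volume alone. In production the baseline window would be weeks rather than days and the weights would be tuned per rule, but the structure (profile, compare, score, rank) is the same.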
- Access outlier detection: use advanced peer group analysis techniques to identify true outliers in the access privileges assigned to a user. Peer groups can be defined based on user HR attributes such as manager, department or division, or on other inputs such as project data, timesheets, AD group membership, etc. Peer analysis can yield organizations a reduction of more than 90% in the access privileges sent for review and an average of 60-80% revocation rates.
- HPA account detection: automated identification of privileged service, shared, and human accounts through advanced correlation
- Segregation of duty (SOD) checks: detect segregation of duty violations based on the access privileges assigned to users
- Terminated account analysis: detect active access accounts belonging to terminated users
- Rogue/orphan accounts: identify human accounts that could not be associated with active users in the HR data source
- Dormant user analysis: identify accounts that have not logged in for the past 90 days or more
- Risk-based access reviews: easy integration with an access review tool using RESTful APIs to automate continuous risk-based access reviews
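Added example, not HP UBA's code: peer-group access outlier detection and a segregation-of-duty check in Go, run over constructed HR and entitlement data. Peers are defined here by department (the text also names manager, division, project data, timesheets and AD group membership as possible peer attributes); an entitlement held by fewer than 20% of a user's peers is sent for review, peer groups that are too small are skipped so they cannot make everything look rare, and the ratio of flagged to total assignments gives the review reduction the text refers to. The account records, entitlement names and the 20%/3-peer thresholds are this example's assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Account is a constructed identity record: HR attributes plus the entitlements assigned to the user.
type Account struct {
	User, Dept, Title string
	Entitlements      []string
}

// AccessFinding is one entitlement flagged for review.
type AccessFinding struct {
	User, Entitlement, Reason string
	PeerRate                  float64 // share of the user's peers holding the entitlement
}

// PeerOutliers flags each entitlement a user holds that fewer than maxPeerRate of their peers
// (same Dept, the user excluded) also hold. Groups with fewer than minPeers peers are skipped,
// so a tiny department cannot make every one of its entitlements look rare.
func PeerOutliers(accounts []Account, maxPeerRate float64, minPeers int) []AccessFinding {
	byDept := map[string][]Account{}
	for _, a := range accounts {
		byDept[a.Dept] = append(byDept[a.Dept], a)
	}
	var out []AccessFinding
	for _, a := range accounts {
		peers := len(byDept[a.Dept]) - 1
		if peers < minPeers {
			continue
		}
		for _, ent := range a.Entitlements {
			holders := 0
			for _, p := range byDept[a.Dept] {
				if p.User != a.User && has(p.Entitlements, ent) {
					holders++
				}
			}
			if rate := float64(holders) / float64(peers); rate < maxPeerRate {
				out = append(out, AccessFinding{a.User, ent, "peer outlier", rate})
			}
		}
	}
	return sorted(out)
}

// SODViolations flags users holding both halves of a conflicting entitlement pair.
func SODViolations(accounts []Account, conflicts [][2]string) []AccessFinding {
	var out []AccessFinding
	for _, a := range accounts {
		for _, c := range conflicts {
			if has(a.Entitlements, c[0]) && has(a.Entitlements, c[1]) {
				out = append(out, AccessFinding{a.User, c[0] + " + " + c[1], "segregation of duty", 0})
			}
		}
	}
	return sorted(out)
}

// ReviewReduction is the share of assignments a reviewer no longer sees when only flagged ones go to review.
func ReviewReduction(accounts []Account, flagged []AccessFinding) float64 {
	total := 0
	for _, a := range accounts {
		total += len(a.Entitlements)
	}
	return 1 - float64(len(flagged))/float64(total)
}

func has(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

func sorted(f []AccessFinding) []AccessFinding { // deterministic order: user, then entitlement
	sort.Slice(f, func(i, j int) bool { return f[i].User+f[i].Entitlement < f[j].User+f[j].Entitlement })
	return f
}

// SampleAccounts builds constructed HR and entitlement data for two departments (names invented).
func SampleAccounts() []Account {
	return []Account{
		{"jdoe", "INVESTMENT MGMT", "SECOND VP", []string{"trading-app:view", "research:read", "payments:create-refund", "payments:approve-refund"}},
		{"asmith", "INVESTMENT MGMT", "ANALYST", []string{"trading-app:view", "research:read", "trading-app:admin"}},
		{"bwong", "INVESTMENT MGMT", "ANALYST", []string{"trading-app:view", "research:read", "trading-app:admin"}},
		{"clee", "INVESTMENT MGMT", "ANALYST", []string{"trading-app:view", "research:read"}},
		{"dpatel", "INVESTMENT MGMT", "ANALYST", []string{"trading-app:view", "research:read"}},
		{"eroy", "SECURITIES OPS", "OPERATOR", []string{"ops-console", "trading-app:view", "vault:checkout"}},
		{"fkim", "SECURITIES OPS", "OPERATOR", []string{"ops-console", "trading-app:view"}},
		{"gali", "SECURITIES OPS", "OPERATOR", []string{"ops-console", "trading-app:view"}},
		{"hnam", "SECURITIES OPS", "OPERATOR", []string{"ops-console", "trading-app:view"}},
	}
}

func main() {
	accts := SampleAccounts()
	outliers := PeerOutliers(accts, 0.2, 3)
	for _, f := range append(outliers, SODViolations(accts, [][2]string{{"payments:create-refund", "payments:approve-refund"}})...) {
		fmt.Printf("%-7s %-46s %s (peer rate %.2f)\n", f.User, f.Entitlement, f.Reason, f.PeerRate)
	}
	fmt.Printf("review workload reduced by %.0f%%\n", 100*ReviewReduction(accts, outliers))
}
```

Note the edge case in the sample: trading-app:admin is held by two of five analysts, so each holder sees one peer in four (25%) with the same right and it is not flagged, while the refund rights and the vault checkout have no peer holders at all and go to review. Three of 23 assignments are flagged, an 87% reduction in review workload on this toy data set.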
- Unusual connections to a confidential data store (e.g., login from a new IP, use of PsExec never used before)
- Suspicious emails sent to a competitor (e.g., a user sending an email attachment to a competitor when peers are not)
- Flight risk analysis (risk booster only): user continuously accessing job sites; contractors with a termination date within 30 days
- Suspicious SSH activity to critical servers (circumventing monitoring controls): user authenticates outside the PIM (CyberArk/Lieberman) solution
- Suspicious FTP data transfer: use of an insecure file transfer method for a large volume of data
- XTERM, X Windows: user exports the display terminal to another IP, where the session cannot be monitored
- Password storage: user retrieved a password from a file that was not secured
- Telnet: presence and attempted use of the telnet utility, a highly insecure remote access method
- Clear-text password: a password that is either visible to the user, making it searchable in command history, or credentials that are being sent insecurely
- No authentication: authentication was not required for a user action where it should have been
- Lieberman: ability to connect to Lieberman and download detailed Password Vault data and session data. UBA uses the detailed session data to conduct behavior analytics on individual user commands, to identify misuse or compromise of privileged credentials and to replace manual auditing requirements.
- EPIC: ability to import detailed logs from EPIC for the identification of high-risk user behavior, using out-of-the-box behavior and threat models specific to EPIC and healthcare environments, such as data/VIP snooping and break-the-glass privileged user sessions.
- Cerner: ability to import detailed logs from Cerner using a listener architecture for the identification of high-risk user behavior, using out-of-the-box behavior models for Cerner and healthcare environments, such as data/VIP snooping.
- AWS: ability to import Amazon Web Services events related to the services accessed on AWS (logon, logout, instances started, edited, stopped, IAM users added, edited, etc.) and detect privilege abuse by users managing the AWS instances.
- Box: ability to import file sharing and administrative events from Box.com and analyze them for data snooping/theft and account abuse.
Kill Chain (Tier 4 down to Tier 1)
- Recon, early indicators: negative sentiment, job site searches, emailing resumes, negative review
- Data gathering: increased activity, unusual file access, off-hours activity, unusual transactions, unusual volume
- Privilege escalation and lateral movement: unusual file/data access, connect to shared resources, execute commands on systems remotely
- Maintain presence: connect to C&C server, beaconing connections
- Data compromise and exfiltration: upload data to C&C via ftp, email, http; multiple exfiltration vector detection; unusual transactions
Attack vectors and data sources: user sentiment, human resources, mail gateways, proxy server, IAM, DLP, third-party intelligence
Threat Indicators: anomalous login pattern, account compromise, privilege misuse
- IP attribution
- Sudden spike in failed logins on VPN, DC, etc.
- Login from a new IP address or location never seen before
- Interactive logon by a service account
- Jump box violations
- Remote login when physically badged in
Data sources: CyberArk, Lieberman; Active Directory; database/application authentication; VPN devices; FW/application/DB; badge
Threat Indicators: data compromise (HP UBA Premium), data exfiltration (others), situational awareness (risk booster), data exfiltration (email), privacy
Data sources: file shares, applications, SharePoint/Documentum, databases, proxy, printer, end-point security, FW/VPN, HR system, Active Directory, HR data, legal requirements
HP UBA has the industry's most advanced capabilities around data masking and privacy controls.
- HP UBA uses 256-bit AES encryption to encrypt and store data in its database
- HP UBA supports granular role-based access control to restrict access to authorized users
- HP UBA supports a detailed audit trail of all activities performed by the user

Description
Data masking at DB level: HP UBA has the ability to mask user data and unmask only the exceptions. HP UBA uses 256-bit AES encryption to mask the data. Typically only the designated Privacy Officer holds the password to decrypt.
Audit logs
Exception monitoring: To avoid data snooping, a security analyst cannot view user data unless there is an exception. Only exceptions can be viewed, and even then SSO, first name and last name can be masked. Only the designated Privacy Officer can decrypt users, using the decryption key provided.
Email notification: In the event that an account has been identified with unusual activity, the system has the capability to notify the individuals and their managers where there is a likely adverse effect on privacy.
Security hardening: HP UBA integrates with Active Directory to disable terminated users and allows SSO/LDAP authentication to be enabled. The HP UBA database is security hardened and even database admins cannot log in.
Audit trail
RBAC in application: define roles and give access to the role; defined roles; role assignment.
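To make the masking and exception-gated unmasking described above concrete, here is an added Go example written for this page; it is not HP UBA's implementation. Identities are stored only as AES-256-GCM ciphertext, bound to the activity they belong to so a ciphertext cannot be moved onto another record; analysts work with a keyed pseudonym that is stable per user; only the privacy-officer role can decrypt, and only for a record the analytics has flagged as an exception; every attempt, allowed or denied, lands in an audit trail. The key value, role name, record layout and the use of a derived HMAC pseudonym are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Record is one stored activity row. The identity is kept only as ciphertext, with a keyed
// pseudonym so analysts can still group one user's events without seeing who the user is.
type Record struct {
	Pseudonym string // HMAC-SHA256 of the identity, stable per user
	MaskedID  string // AES-256-GCM ciphertext of "sso|first|last", base64, bound to Activity
	Activity  string
	Exception bool // set by the analytics when this user's behaviour is anomalous
}

// Vault holds the masking key and an append-only audit trail of unmask attempts.
type Vault struct {
	gcm   cipher.AEAD
	pkey  []byte
	Audit []string
}

// NewVault requires a 32-byte key (AES-256); a separate pseudonym key is derived from it.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pk := sha256.Sum256(append([]byte("pseudonym-key:"), key...))
	return &Vault{gcm: gcm, pkey: pk[:]}, nil
}

// Mask encrypts the identity under a fresh random nonce, using the activity as additional
// authenticated data so the ciphertext cannot be transplanted onto another record.
func (v *Vault) Mask(identity, activity string) (Record, error) {
	nonce := make([]byte, v.gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	ct := v.gcm.Seal(nonce, nonce, []byte(identity), []byte(activity)) // nonce || ciphertext || tag
	mac := hmac.New(sha256.New, v.pkey)
	mac.Write([]byte(identity))
	return Record{
		Pseudonym: hex.EncodeToString(mac.Sum(nil))[:16],
		MaskedID:  base64.StdEncoding.EncodeToString(ct),
		Activity:  activity,
	}, nil
}

// Unmask releases the identity only to the privacy-officer role and only for records flagged
// as exceptions; every attempt, allowed or denied, is written to the audit trail.
func (v *Vault) Unmask(role string, rec Record) (string, error) {
	deny := func(why string) (string, error) {
		v.Audit = append(v.Audit, fmt.Sprintf("DENY  role=%s pseudonym=%s reason=%q", role, rec.Pseudonym, why))
		return "", errors.New(why)
	}
	if role != "privacy-officer" {
		return deny("role not permitted to decrypt")
	}
	if !rec.Exception {
		return deny("no exception on record")
	}
	raw, err := base64.StdEncoding.DecodeString(rec.MaskedID)
	n := v.gcm.NonceSize()
	if err != nil || len(raw) < n {
		return deny("malformed ciphertext")
	}
	pt, err := v.gcm.Open(nil, raw[:n], raw[n:], []byte(rec.Activity))
	if err != nil {
		return deny("authentication failed")
	}
	v.Audit = append(v.Audit, fmt.Sprintf("ALLOW role=%s pseudonym=%s", role, rec.Pseudonym))
	return string(pt), nil
}

func main() {
	v, _ := NewVault([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key; keep real keys in a KMS/HSM
	rec, _ := v.Mask("jdoe|Jane|Doe", "SELECT * FROM customers")
	fmt.Printf("analyst view: %s %s\n", rec.Pseudonym, rec.Activity)
	_, err := v.Unmask("analyst", rec)
	fmt.Println("analyst unmask:", err)
	rec.Exception = true // raised by the analytics pipeline, never by the requester
	id, _ := v.Unmask("privacy-officer", rec)
	fmt.Println("privacy officer unmask:", id)
	for _, line := range v.Audit {
		fmt.Println(line)
	}
}
```

Two design points worth keeping when adapting this: the Exception flag is the authorisation signal, so it must be written by the analytics pipeline and protected from the people who request decryption, and the key that decrypts identities should live in a key management service under the Privacy Officer's control rather than in the UBA application's configuration.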