Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Why do I need IntroSpect?


    EMPLOYEE
    Posted Aug 13, 2018 08:40 AM

    You may have heard of Aruba's relatively new security product for User Entity Behavior Analysis (UEBA) called IntroSpect, and you may have wondered what it is good for and why you would need it.

    I will try to explain, from a technical (and not a marketing) point of view, why you would need another security product in your infrastructure.

    If you have not done your due diligence, do not have a security policy in place, and have not applied measures to fulfill that policy, then please don't read this article. Introspect is not made for you.

    This article is directed at people who have already done their homework: they can recognize the high-value assets in their network, apply measures to protect them, and have the means to go back to the logs to understand what happened. Those experts might ask: why would I need Introspect when I (might) already have state-of-the-art firewalls, proxies, email security, anti-malware, SIEM ...?


    I will answer by giving you just one scenario.


    Assume Peter is an employee in an enterprise, working in HR. The enterprise already has best security practices in place. In addition, they have Introspect running as a proof of concept. As an HR employee, Peter is allowed to access the HR applications and also has access to the internet.

    Introspect has noticed that Peter is downloading unusually more data than usual from the HR server. The emphasis here is on the word "unusual". Introspect had created a baseline for Peter and found out that he usually downloads 30MB of data per workday on average, but today it has been more than 200MB. You might say Peter had a busy day. But Introspect tells you that even when comparing Peter to his HR colleagues, he downloads much more than their average of, let's say, 50MB. You might still say that Peter might be working on a project and therefore needs this data. Well, Introspect will assume something similar: as this is an isolated event, the Risk Score for Peter is low.

    The other day, Peter is uploading much more data externally than he usually did in the past. Introspect will now increase the risk score for Peter. In addition, Peter has accessed a server he never accessed before, he is also trying to access more machines via Remote Desktop than he or his HR colleagues usually do, and the rate of failed login attempts is also unusually high. The risk score keeps increasing, but it is not in the red sector yet, as there might be a logical explanation for all this.

    However, the threat level changes dramatically if Introspect detects that Peter received an email from micnosoft.com before all this happened. As you may not have noticed, this is a spoofed domain; with high certainty the sender wanted to fool Peter with a domain that looks like microsoft.com. With Machine Learning techniques, Introspect can tell if a domain is spoofed by comparing it to the top 1 million domains on the web. Now, if all the previous events happened after Peter received the email, Introspect will correlate the events together and Peter will be placed as a high-risk user.


    Note that in this scenario Introspect provided the following:

    • History baseline for Peter: which applications, servers, protocols and data traffic he used and to what extent, in addition to time of access and authentication errors.
    • Peer baseline for Peter's colleagues in the HR department. This answers the question: is Peter's behavior common in his department?
    • Detection of anomalies in the communication; in this case it was domain spoofing.
    • Correlating the events together; according to the order and severity of these events, a risk score is assigned to the user.


    In response to the threat level, you decided to put Peter's device in a quarantine role (or this happens automatically after a risk threshold is reached). After investigation you found out that Peter's device was infected with a new kind of malware (zero-day attack). Thanks to the quick response of Introspect, more serious damage has been prevented. It would have been very hard, if not impossible, for the security infrastructure already in place in the enterprise to detect the attack.


    And as with all scenarios and stories, the happy end here: the customer was helped and he bought IntroSpect.
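As an added example (not from the post and not Aruba's product code), here are the scenario's three building blocks in Python: a history and peer baseline check, lookalike-domain detection against a small stand-in for the top-1M list, and order-aware correlation of the events into a risk score. The baselines, thresholds, point weights, server names and the event timeline are all constructed assumptions.

```python
from statistics import mean
# Constructed baselines (not from the post): Peter's own history and his HR peers' averages.
PETER_DOWNLOAD_HISTORY = [28, 32, 30, 31, 29]       # MB per workday from the HR server, mean 30
PETER_UPLOAD_HISTORY = [4, 6, 5, 5, 5]              # MB per workday uploaded externally, mean 5
PEER_DOWNLOAD_AVERAGES = {"alice": 48, "bob": 52, "carol": 50}  # HR colleagues, mean 50
PETER_SERVERS = {"hr-app-01", "hr-db-01"}           # servers Peter normally reaches
KNOWN_DOMAINS = {"microsoft.com", "google.com", "arubanetworks.com"}  # stand-in for top-1M

def edit_distance(a, b):
    """Levenshtein distance: a lookalike domain is one small edit away from a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_spoofed_domain(domain, known=KNOWN_DOMAINS):
    """Not a known domain itself, but within one edit of one (micnosoft.com vs microsoft.com)."""
    return domain not in known and any(edit_distance(domain, k) <= 1 for k in known)

def anomalies(events):
    """Yield (kind, points) for each event that breaks Peter's history or peer baseline."""
    for kind, value in events:
        if kind == "email_from" and is_spoofed_domain(value):
            yield kind, 20
        elif kind == "download_mb" and value > 3 * mean(PETER_DOWNLOAD_HISTORY) \
                and value > 3 * mean(PEER_DOWNLOAD_AVERAGES.values()):
            yield kind, 10      # far above his own usual volume AND his colleagues' volume
        elif kind == "upload_mb" and value > 3 * mean(PETER_UPLOAD_HISTORY):
            yield kind, 15
        elif kind == "server" and value not in PETER_SERVERS:
            yield kind, 10
        elif kind == "rdp_failures" and value > 3:   # assumed baseline: ~1 failed login a day
            yield kind, 15

def risk_score(events):
    """Correlate anomalies in order: those after a spoofed email weigh triple (compromise)."""
    score, compromised = 0, False
    for kind, points in anomalies(events):
        if kind == "email_from":
            compromised = True
        elif compromised:
            points *= 3
        score += points
    return score, "high" if score >= 100 else "medium" if score >= 30 else "low"
# Constructed timeline of the post's scenario (kind, value), in order of occurrence.
SCENARIO = [("email_from", "micnosoft.com"), ("download_mb", 200), ("upload_mb", 40),
            ("server", "fin-db-01"), ("rdp_failures", 12)]
```

Running `risk_score` on the download alone gives "low", on the four later anomalies without the email "medium", and on the full timeline with the spoofed email first "high", mirroring the post's escalation; the same events with the email last stay "medium", because the order is what makes the correlation.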