by Nitin Agale, SVP, Product & Strategy
In our previous blog, 10 Things You Need to Do to Stay Secure When Employees Work Remotely, we spoke about how to secure your enterprise from the threats that can emerge when a large section of your workforce is working from home. With the unique challenges presented by the current crisis, it has become critical to be able to provide a secure, reliable remote working setup that enables employees to effectively work from home.
Security monitoring and alerting plays a key role in detecting these threats.
The Securonix Threat Research team has been collaborating with customers and industry experts in order to identify key challenges and develop security monitoring and security information and event management (SIEM) use cases to address these challenges.
Top 10 SIEM Use Cases
Here are the top 10 SIEM use cases we are seeing customers deploy, and Securonix’s approach to meeting these challenges:
1. Insider Threat Monitoring – Excessive Permissions
With users suddenly working from home, a lot of sensitive data is exposed through channels that it has not been before. Due to the sudden nature of the change, security teams have had a very limited time, if any, to evaluate and deploy strong security controls. This introduces a huge risk to the organization, where users may end up with excessive permissions to critical data and infrastructure.
Organizations are looking to SIEM and other security solutions to help identify permission creep and take corrective action.
Securonix is a user and entity behavior analytics (UEBA)-based SIEM with the ability to ingest and analyze access permissions. It leverages techniques such as peer analysis to compare permissions against job role and peers to detect outliers. Securonix also integrates with identity and access management (IAM) and identity governance and administration (IGA) tools to recommend corrective action.
Real-World Examples of Insider Threat Detection
- Excessive File Access: Detect when a user accesses significantly more files than usual within a short period, indicating potential data theft or leakage.
- Unusual After-Hours Activity: Monitor for employees accessing sensitive systems or data outside of normal working hours, which may signal unauthorized actions.
- Abnormal Email Behavior: Track instances where an employee sends large volumes of data to external email addresses, especially to domains not associated with business partners or vendors.
- Permission Anomalies: Identify cases where employees gain permissions that are not in line with their current job functions or past behavior, suggesting manipulation or errors in access control.
- Unapproved Application Installation: Alert on unauthorized installation of software that can be used to bypass security protocols or harvest data, often a precursor to insider threats.
2. Insider Threat Monitoring – Data Exfiltration
With a newly remote work force and data being exposed through new channels, the risk of data compromise has increased significantly. This can lead to intentional or accidental compromise.
Organizations require their SIEM to be able to detect and alert on data exfiltration attempts.
Securonix, with its built-in UEBA, uses behavior profiling and rarity algorithms to baseline normal behavior and alert on a rare or sudden increase in access to sensitive data that can indicate that data is being exfiltrated.
Practical Examples of Data Exfiltration Monitoring
- Unusual Large Data Transfers: Identify instances where large amounts of data are transferred out of the network, which may indicate an attempt to exfiltrate sensitive information.
- Frequent Access to Sensitive Data: Monitor for abnormal frequency or patterns of access to classified or sensitive data repositories, potentially signaling preparation for data theft.
- Use of Unauthorized External Storage: Alert on the connection of unauthorized external storage devices which could be used to physically remove data from secure environments.
- Access from Unusual Locations: Detect when data is accessed from geographic locations that do not align with the user’s normal activity pattern, suggesting compromised credentials.
- Anomalous Email Attachments: Track emails sent with attachments that contain sensitive data, especially if sent to unusual or non-corporate email addresses.
3. Insider Threat Monitoring – Credential Sharing
In a remote work environment, it is possible that certain users may not have the permissions they had before. In this scenario, users may resort to sharing credentials. This in turn may lead to security challenges related to unauthorized access, separation of duties (SoD) violations, and more.
In order to address this challenge, SIEM monitoring should have use cases catered to monitoring credential sharing.
Securonix uses a variety of machine learning and identity context-based checks to detect potential credential sharing attempts. These checks include:
- Land speed analysis: A user logging in from two distinct locations at the same time when it is humanly impossible for them to be physically present at these locations.
- Physical and logical geolocation correlation: With identity context, Securonix can identify the home office location of a user and identify if a log in from a different location could be red flag (especially at this time, when there are strict travel restrictions across the globe).
- Rare logins: A user logs in from a rare location for his profile, but the location happens to be normal baseline location for a peer within the organization.
4. Monitoring for Phishing and Fake Alert Email Campaigns
The current crisis has gotten people more curious than ever before. The bad guys are looking to cash in with fake email alerts and impersonation campaigns. We have been seeing organizations getting an average of 350 emails daily on this topic. While some emails are legitimate, others are not.
A SIEM use case should be able to detect and alert on malicious phishing campaigns.
Securonix Next-Gen SIEM uses machine learning algorithms to analyze email data – senders, email domains, subjects, attachment names, etc. – in order to detect phishing attacks. Some of the common techniques we look for include:
- Typo-squatting (misspelled domains)
- Emails from newly registered domains
- Spear phishing targeting a specific peer group of users
- Emails from malicious domains (integrating threat intelligence)
5. Monitoring for Suspicious Logins and Account Compromise
With a huge surge in remote logins, user accounts are more vulnerable to attacks than before. The bad guys are looking for any weakness in the authentication process that they can exploit. This includes weak passwords, weak multi-factor authentication, or weak detection of brute force attacks.
A SIEM use case should be able to monitor for suspicious login patterns.
Securonix Next-Gen SIEM leverages machine learning and identity context correlation to monitor for several scenarios that can indicate a suspicious login or an account compromise. This includes:
- Enumeration behavior patterns to detect sophisticated brute force attacks
- Rare login behaviors (based on time, geolocation, IP address, etc.)
- Spike in failed logins
- Logins from fake accounts (dictionary attack)
6. Security Monitoring of Cloud Applications
A large percentage of enterprises today utilize the cloud for both critical and non-critical applications. With a remote workforce it is important to monitor activities within the applications in order to detect any patterns of misuse or compromise.
A SIEM use case should be able to monitor application activity in order to detect suspicious patterns. The monitoring use case should include the ability to detect data compromise, excessive privileges, unauthorized activity, and sabotage.
Securonix Next-Gen SIEM differentiates itself based on the ability to monitor enterprise and custom applications. Securonix has packaged connectors and content for all major cloud applications and services including Microsoft Office 365, Salesforce, Box, AWS, Azure, and Google Cloud Platform, among others.
7. Security Monitoring of VPN and Remote Authentication Devices
With a remote workforce, remote authentication and VPN devices can be a single point of failure and result in significant business disruption if unavailable.
SIEM use cases should monitor for threats to remote authentication and VPN devices.
Securonix monitors activities on VPN and remote authentication devices in order to detect any suspicious behavior patterns, including a spike in failed logins, bulk password resets, suspicious connections, shutdown/reset, privilege escalations, and more.
8. Security Monitoring for Host Compromise
With the increased phishing activity observed recently, it is only a matter of time before one or more users fall into the trap and have their system compromised. Identifying and isolating such systems is critical to prevent damage.
SIEM use cases should be able to monitor endpoints for signs of malware communication, anomalous process, and more.
Securonix monitors hosts and endpoints for suspicious behavior patterns including:
- Command and control (C2) communication/beaconing
- Rare or suspicious process execution
- Anomalous connection patterns
- Communication to newly registered or unregistered domains
9. License and Compliance Monitoring
This is not a cyber security challenge that would usually come to mind, but we are not in usual times either. With the shift to remote work, organizations struggle to track and report on the usage of licenses for various technologies that enable a remote setup.
SIEM uses cases should be able to support monitoring for software license usage.
Securonix entity-based monitoring enables us to implement use cases that monitor and report on the usage of applications by users, hosts, and IP addresses.
10. Productivity Monitoring
One concern for organizations that do not already have a work from home culture, is the possibility of a drop in productivity. Organizations are looking for ways to monitor productivity based on log in and other activity patterns.
SIEM use cases should support the ability to monitor for productivity based on log in and usage patterns. They should be able to detect the session time and duration and be able to report on employees that do not meet a certain threshold.
Securonix user-based monitoring plays a critical role in our ability to monitor productivity. With user session timeline tracking, Securonix is able to monitor session time, duration, and the activities within the session. This data can be used to create monitoring reports and dashboards to alert on a drop in activity.
In Conclusion
Identifying the use cases that are relevant and important in the current business environment and preparing for them should be the top priority for security teams. As use cases are identified, solutions that can address those use cases and provide the security required to enable the enterprise to continue with business as usual, even in an extremely open remote working environment, will need to be identified and invested in.
The Securonix platform, with its user centric monitoring approach and behavior analytics capabilities, provides organizations with the ability to deploy use cases that are tailored for remote work force setup, as well as several more generic and specific use cases for various industry verticals and threat classes.
Contact us to find out more.
Read more about Securonix Next-Gen SIEM and Securonix UEBA.