As user-based attacks become the most common attack vector, the need to identify abnormal user behavior as an indication of an attack is growing. We'd like to share with you some new features that we're releasing in the upcoming weeks which enhance UserInsight's capability to detect and investigate attacks.
Attacker gets busted covering his tracks
You can't get good visibility into user behavior unless you have good visibility into activity on endpoints. That's why UserInsight scans every endpoint (and we can do it without an agent!). By monitoring the endpoint, we can detect things that are only logged in the endpoint security logs, and we've previously used this information to alert you to people trying to impersonate an administrator. With this release, we're adding an alert whenever an attacker clears the event logs to try to cover his or her tracks. The new incident turns the attacker's natural desire for secrecy into a smoking gun pointing to exactly where they are on your network.
Get alerted when an attacker impersonates your CEO (or any other watch list user)
Impersonating another user -- such as an administrator -- is an indication of an attacker moving laterally in the network. Last month we started alerting you when a user impersonated an administrator account. But what about your critical users? Is there any good reason for someone other than your CEO to have access to your CEO's account? We think not, which is why we now alert any time the users on your watch list are impersonated by another user.
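To make the two alerts above concrete, here is an added example (not UserInsight code) showing the detection logic a defender could run over Windows event records collected from endpoints. The events are constructed JSON lines in a hypothetical collector format; the field names (`SubjectUserName`, `TargetUserName`, `channel`) mirror Windows event data, and the event IDs are the documented Windows ones: 1102 (Security log cleared), 104 (an event log cleared, recorded in the System log) and 4648 (logon attempted with explicit credentials, which is what using another user's account looks like on the endpoint). The watch list is an assumed example set.

```python
"""Added example: flag cleared event logs and watch-list impersonation.

Runs over constructed Windows event records; not the product's own code.
"""
import json

# Constructed sample events (hypothetical JSON-lines collector output).
SAMPLE_EVENTS = """\
{"host": "WS-042", "channel": "Security", "event_id": 4624, "SubjectUserName": "-", "TargetUserName": "jdoe"}
{"host": "WS-042", "channel": "Security", "event_id": 4648, "SubjectUserName": "jdoe", "TargetUserName": "ceo", "TargetServerName": "FS-01"}
{"host": "WS-042", "channel": "Security", "event_id": 4648, "SubjectUserName": "ceo", "TargetUserName": "ceo", "TargetServerName": "MAIL-01"}
{"host": "WS-042", "channel": "Security", "event_id": 1102, "SubjectUserName": "jdoe"}
{"host": "SRV-07", "channel": "System", "event_id": 104, "SubjectUserName": "svc_backup"}
{"host": "SRV-07", "channel": "Security", "event_id": 4648, "SubjectUserName": "helpdesk1", "TargetUserName": "alice", "TargetServerName": "localhost"}
"""

# Assumed watch list of critical accounts (compared case-insensitively).
WATCH_LIST = {"ceo", "cfo", "administrator"}

# (log channel, event id) pairs that mean "a log was cleared":
#   Security/1102 - the Security audit log was cleared
#   System/104    - an event log was cleared (logged by the Eventlog service)
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, watch_list=WATCH_LIST):
    """Return a list of alerts, in event order."""
    watch = {u.lower() for u in watch_list}
    alerts = []
    for ev in events:
        if (ev.get("channel"), ev.get("event_id")) in LOG_CLEARED_IDS:
            # Whoever cleared the log is the account to look at first.
            alerts.append({
                "type": "log_cleared",
                "host": ev["host"],
                "user": ev.get("SubjectUserName"),
                "event_id": ev["event_id"],
            })
        elif ev.get("event_id") == 4648:
            subject = ev.get("SubjectUserName", "").lower()
            target = ev.get("TargetUserName", "").lower()
            # A user supplying credentials for a watch-list account that is
            # not their own is the impersonation case the alert is about.
            if target in watch and subject != target:
                alerts.append({
                    "type": "watchlist_impersonation",
                    "host": ev["host"],
                    "subject": subject,
                    "target": target,
                    "target_server": ev.get("TargetServerName"),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The self-logon by `ceo` and the help-desk logon to a non-watch-list account produce nothing; the `jdoe` logon as `ceo` and both log-clear events do. In practice the 104 event also names which log was cleared in its event data, which is worth carrying into the alert.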
Monitoring Endpoints: The start of something big.
Last month, UserInsight added monitoring of unusual processes running on users' endpoints. That provides visibility into unique processes that could indicate malware and helps identify which users run a specific process on their endpoints.
But without more insight into the endpoint, we couldn't gather the hashes of each process and other details like who signed it. We understand the “yet another agent” syndrome that is currently plaguing the security industry, so instead of deploying an agent we built what we are calling a dissolving monitor. We launch it from our central collector, it runs, and then it dissolves off the system. There's nothing to maintain and no hassle from deploying an agent.
As we mentioned above when detecting attackers covering their tracks, we're proud of our ability to determine a lot about your endpoints without deploying any code. We also have big plans for this dissolving monitor, so stay tuned, but in the meantime we started using it for extracting the process hashes, as this information improves our algorithms and allows you to link files with different names together.
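The point about hashes is that the same binary shows up under different names on different endpoints, and a well-known name can be reused by a binary that is not what it claims to be. The following added example (not the dissolving monitor's code) hashes constructed process images with SHA-256 and builds the two views a defender wants: hashes seen under more than one file name, and file names that map to more than one hash. The observations, hosts, users, paths and image bytes are all constructed.

```python
"""Added example: link process images across endpoints by content hash.

Constructed data; not the product's own code.
"""
import hashlib
from collections import defaultdict

# Constructed observations: (host, user, image path, image bytes).
# Real image bytes would be read from disk by the collector.
OBSERVATIONS = [
    ("WS-042", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", b"MZ\x90\x00dropper-v1"),
    ("WS-017", "asmith", r"C:\Users\asmith\Downloads\invoice.exe", b"MZ\x90\x00dropper-v1"),
    ("WS-042", "jdoe", r"C:\Windows\System32\svchost.exe", b"MZ\x90\x00genuine-svchost"),
    ("SRV-07", "svc_backup", r"C:\Windows\System32\svchost.exe", b"MZ\x90\x00genuine-svchost"),
    ("WS-099", "bwong", r"C:\Users\bwong\update.exe", b"MZ\x90\x00dropper-v1"),
]


def sha256_hex(data):
    """Content hash used as the identity of a process image."""
    return hashlib.sha256(data).hexdigest()


def index_by_hash(observations):
    """Group observations by hash, recording file names, hosts and users."""
    index = defaultdict(lambda: {"names": set(), "hosts": set(), "users": set()})
    for host, user, path, data in observations:
        entry = index[sha256_hex(data)]
        # Windows paths: keep only the file name, compare case-insensitively.
        entry["names"].add(path.rsplit("\\", 1)[-1].lower())
        entry["hosts"].add(host)
        entry["users"].add(user)
    return index


def aliased_binaries(index):
    """Hashes that have been seen under more than one file name."""
    return {h: sorted(e["names"]) for h, e in index.items() if len(e["names"]) > 1}


def name_collisions(index):
    """File names that map to more than one hash (e.g. a fake svchost.exe)."""
    by_name = defaultdict(set)
    for h, e in index.items():
        for name in e["names"]:
            by_name[name].add(h)
    return {n: sorted(hs) for n, hs in by_name.items() if len(hs) > 1}


def users_running(index, digest):
    """Which users have run the image with this hash (sorted)."""
    return sorted(index[digest]["users"]) if digest in index else []


if __name__ == "__main__":
    idx = index_by_hash(OBSERVATIONS)
    print("aliased:", aliased_binaries(idx))
    print("collisions:", name_collisions(idx))
```

With the constructed data, one hash is seen as `svchost.exe`, `invoice.exe` and `update.exe` across three users, and the name `svchost.exe` resolves to two different hashes, which is the kind of link a name-only view cannot make.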
Visualizing User Movement
We always want to know what a security team “does next” when they discover suspicious behavior on their network. There is so much information that could be gathered, and every incident is different. Our goal is to make as much of this information instantly accessible as we can. This month we're starting to expose our User Graph. This is a map of every user and asset on your network and how they relate to one another. We feel this view has the potential to become an integral part of every team's incident response. It can answer a lot of questions really fast: for every asset you can instantly discover who's accessed it, who elevated privileges or changed identity, whether local user accounts were accessed, and what outbound connections were made.
We've heard from security teams that getting visibility into what's happening on their network is really valuable and this gives a single view for a lot of that information.
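To show what the user-and-asset map described above looks like as a data structure, here is an added example (not the product's User Graph implementation). It builds a small directed graph with typed edges from constructed endpoint events and answers the four questions listed for an asset: who accessed it, who elevated privileges or changed identity on it, whether local accounts were used, and what outbound connections it made. The event shape, user names, hosts and destinations are all constructed; the local-account test assumes Windows-style `DOMAIN\user` naming where a local account's domain part is the host name.

```python
"""Added example: a user/asset graph built from constructed endpoint events.

Not the product's own code; event format and names are assumed.
"""
from collections import defaultdict

# Constructed events. "kind" decides which edge is added to the graph.
EVENTS = [
    {"kind": "logon", "user": "CORP\\jdoe", "asset": "WS-042"},
    {"kind": "logon", "user": "CORP\\jdoe", "asset": "FS-01"},
    {"kind": "elevate", "user": "CORP\\jdoe", "asset": "FS-01"},
    {"kind": "logon", "user": "FS-01\\localadmin", "asset": "FS-01"},
    {"kind": "identity_change", "user": "CORP\\jdoe", "became": "CORP\\administrator", "asset": "FS-01"},
    {"kind": "logon", "user": "CORP\\asmith", "asset": "FS-01"},
    {"kind": "outbound", "asset": "FS-01", "dest": "203.0.113.7:443"},
    {"kind": "outbound", "asset": "WS-042", "dest": "198.51.100.20:22"},
]


class UserGraph:
    """Directed graph with typed edges; every edge is also stored reversed
    under 'rev:<relation>' so asset-centric queries are a single lookup."""

    def __init__(self):
        self.edges = defaultdict(set)  # (node, relation) -> set of nodes

    def add(self, src, relation, dst):
        self.edges[(src, relation)].add(dst)
        self.edges[(dst, "rev:" + relation)].add(src)

    def neighbours(self, node, relation):
        return sorted(self.edges.get((node, relation), ()))


def build_graph(events):
    g = UserGraph()
    for ev in events:
        kind = ev["kind"]
        if kind == "logon":
            g.add(ev["user"], "accessed", ev["asset"])
        elif kind == "elevate":
            g.add(ev["user"], "elevated_on", ev["asset"])
        elif kind == "identity_change":
            g.add(ev["user"], "became", ev["became"])
            g.add(ev["user"], "changed_identity_on", ev["asset"])
        elif kind == "outbound":
            g.add(ev["asset"], "connected_to", ev["dest"])
    return g


def is_local_account(user, asset):
    """Assumed convention: a local account's domain part equals the host name."""
    domain = user.split("\\", 1)[0]
    return domain.upper() == asset.upper()


def asset_report(g, asset):
    """Answer the per-asset questions from the text in one pass."""
    accessed_by = g.neighbours(asset, "rev:accessed")
    return {
        "accessed_by": accessed_by,
        "elevated": g.neighbours(asset, "rev:elevated_on"),
        "identity_changes": [
            (u, became)
            for u in g.neighbours(asset, "rev:changed_identity_on")
            for became in g.neighbours(u, "became")
        ],
        "local_accounts_used": [u for u in accessed_by if is_local_account(u, asset)],
        "outbound": g.neighbours(asset, "connected_to"),
    }


def user_footprint(g, user):
    """Assets a user has accessed, for pivoting from a user to its machines."""
    return g.neighbours(user, "accessed")


if __name__ == "__main__":
    graph = build_graph(EVENTS)
    print(asset_report(graph, "FS-01"))
    print(user_footprint(graph, "CORP\\jdoe"))
```

Storing the reverse edge at insert time costs memory but makes "who touched this asset" as cheap as "what did this user touch", which is the direction an investigator usually starts from.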