There is a discussion on the active feedback loop that all software vendors need to have with their customers. When we are showing a demo of UserInsight to incident response teams, I commonly hear a skeptical question: "Our environment is unlike any other I have seen. How much of the feature set that you show here can we expect to get?" Here's the thing: Every organization's network is unique.

It's this complexity and uniqueness that makes securing an organization so incredibly difficult and also why most people expect deployment to take on the order of three to six months. UserInsight was designed to deploy in hours or a few days in any environment, primarily slowed only by the pace that you can get access to the right event sources. There are two main reasons that this has been successful despite the unique and complex nature of every organization's infrastructure and I will once again try to use 90s movies to assist in my explanation.

Active Feedback

I understand that this sounds like a promise that you have heard before, but we receive regular notes and comments from our customer base via that simple "LEAVE FEEDBACK" button ever present at the bottom right of UserInsight. This is not exactly a novel concept (we actually took it from consumer applications), but according to customers, our response certainly has been. I consider the differentiation analogous to one of the few SFW statements Sidney Deane made in "White Men Can't Jump":

"Look man, you can listen to Jimi but you can't hear him. There's a difference man. Just because you're listening to him doesn't mean you're hearing him."

Whether it is a challenge that we felt stupid for not already solving or a note that an event source is not functioning, we always hear the feedback or reach out for more detail when we don't understand. Here are 3 examples of feedback that led to UserInsight enhancements:

  • "I frequently find myself looking for all of our assets in UserInsight. In this particular case, I'm thinking 'I want to start tagging some assets as critical,' but as I look around, I'm getting the notion that there should be an easy way to get a list of the assets so I go through them and flag those that I would want to tag." | Enhancement: Import "Real Context" Criticality Tags from Nexpose
  • "It would be great to see the office field from active directory when reviewing an incident involving a user account." | Enhancement: Include "Office" and "Manager" on every user page
  • "I'm starting to find that it would be useful to be able to get a view of all "Admin Activity" which I'm finding valuable, but also tedious to drill down through each Admin user account to determine what each did." | Enhancement: "Show All Admin Activity" button

Behaviors

Normalization is nothing new. Most of the leading monitoring solutions out there already normalize the information in logs to define events. However, when we made the conscious decision not to serve as a log aggregator, but instead complement them, the team focused on parsing various data sources, normalizing the relevant information into user "behaviors", and ignoring the rest of the noisy data that is seen. I mention this process because in combination with the active feedback from our customers, it makes the overhead of deployment and ongoing maintenance extremely low. This means that rather than our clients having to take a blank slate, build a custom solution on top of it and maintain their solution in isolation, each one benefits from the consistent behaviors that we look to identify across all environments.

I am going to use one of my more geeky movie references and compare this to the reasons that the Borg were so strong in "Star Trek: First Contact" (yes, I am fully aware that they appeared in multiple seasons of TNG, but I am using movie references). For those that have spent more time out in the fresh air, the Borg were an alien race that assimilated new species and their knowledge to the collective mind with the intent to achieve perfection. Well, our process is definitely a lot less violent, but the concept of assimilating new event sources is similar. Two examples:

  • We don't care which version of Windows or Linux your systems are running. We can monitor lateral movement across all of your systems because we normalize all of the events logged on these systems into common authentication or less common impersonation behaviors.
  • When we identify a behavior from DNS data that is both suspicious and not noisy (which I explained in my last blog post), that behavior will trigger an IOC at any customer with a DNS event source, Microsoft or otherwise.

These are just two reasons that it has been simple for our customers to take advantage of ALL of UserInsight's features that are seen in a short demo. It is not some fake environment that is unreachable, but rather the capabilities all of our customers can attain. To see this demo for yourself or get in running in your unique environment, give us a call or fill in our Contact Us form.