Nate Silver made statistics sexy, and we're riding that wave. But seriously, breaking down some of the noisier alert sources on your network by user and showing you the spikes can really help you detect and investigate unusual activity. That's why we've built a new UserInsight feature that shows you which users generate the most anti-virus alerts, exploitable vulnerabilities, firewall activity, IDS/IPS alerts, and authentications, and lets you dig deeper by filtering on a single user. You can get to the new stats page by clicking on the Active Users link on your UserInsight dashboard:
What you'll see is the stats for five different data types:
- Virus Alerts: Most security professionals see anti-virus as a preventive control against mass malware rather than a detection source. However, we believe there is some value in this much-bashed data when you apply statistics to it and break it down by user. In our demo system, the user Shawna Roy popped up at the top of the list with 65 virus alerts. By clicking on the little graph icon next to the name on the right, you can display the data for this user only (and add other users to the chart by clicking their icons). Shawna saw 30 alerts on August 14, which is probably worth investigating. By clicking on the name itself, you get more context on Shawna's activities, such as the assets and cloud services she authenticated to, the applications she accessed, and the locations she logged on to the network from. This may surface other indicators of compromise that help you triage this statistical outlier.
- Exploitable Vulnerabilities: Slicing vulnerability data by CVSS score, exploitability, and critical hosts is something security professionals are very familiar with. However, most security programs can't provide visibility by user, which matters in the context of phishing and other social engineering campaigns that target client-side vulnerabilities. The more exploitable vulnerabilities a user has, the more attack surface cyber-criminals have to work with. The new UserInsight vulnerability user stat shows you which users have the most exploitable vulnerabilities and warrant a second look, so you can ensure that your security program is prioritizing the right vulnerabilities for remediation. It also gives you context for judging how likely it is that an attack against a particular user actually compromised their machine.
- Firewall Activity: Firewall activity is very noisy, especially if you collect all traffic rather than just denies. In the following example, Joshua Green had a million firewall connections in a single day, which stands out clearly once we filter the chart to this user. This is definitely worth investigating, since it may be a sign of a malware/botnet infection that is scanning the Internet or participating in a DDoS attack.
- IDS: IDS/IPS data is also extremely noisy data. One customer we spoke to has 20,000 alerts per day, making it impossible for him to investigate every single one. Providing user context can also greatly increase visibility and help make sense of the data. Check out Matt's blog post on canceling noisy alerts, which covers a lot of this topic already.
- Authentications: Both successful and failed authentications provide a lot of visibility into what's happening on your network. Accounts with many successful authentications can be legitimate or a cause for concern. Some accounts will be obvious, such as your vulnerability scanner or a backup solution that logs on to many devices many times, but there may also be accounts that should not exhibit this type of activity. You may discover that a user account is being abused as a service account, for example, which is not a best practice. Failed authentications may point you to a brute-force attack against a particular user, or reveal a device that is still trying an outdated password.
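The mechanics behind all five stats are the same: sum events per user and per day, rank users by volume, and flag days that sit far above that user's own baseline. The script below is an added example illustrating that approach over constructed sample data; it is not UserInsight code, and the record format, user names, host names and thresholds are all assumptions made up for illustration. It covers the AV and firewall spikes described above (30 alerts in a day, a million connections in a day) and the two authentication patterns from the last bullet (password guessing against one user, one account logging on to many hosts).

```python
"""Added example (not UserInsight code): aggregate security events per user
and per day, rank the noisiest users, flag statistical spikes, and review
authentication patterns. Record format, names and thresholds are assumptions
constructed for illustration; the sample data is not real telemetry."""
from collections import defaultdict
from statistics import median


def _ev(day, kind, user, count=1, **fields):
    """One constructed event record. 'count' lets a single record stand for
    many identical events (e.g. a per-day firewall connection summary)."""
    return dict(day=day, kind=kind, user=user, count=count, **fields)


SAMPLE_EVENTS = [
    # Anti-virus alerts: a few per day, then a spike of 30 on 2013-08-14
    _ev("2013-08-12", "av", "shawna.roy", 3),
    _ev("2013-08-13", "av", "shawna.roy", 2),
    _ev("2013-08-14", "av", "shawna.roy", 30),
    _ev("2013-08-15", "av", "shawna.roy", 4),
    _ev("2013-08-12", "av", "joshua.green", 1),
    _ev("2013-08-14", "av", "joshua.green", 2),
    # Firewall connections per day: about 1,000 is normal, 1,000,000 is not
    _ev("2013-08-12", "fw", "joshua.green", 900),
    _ev("2013-08-13", "fw", "joshua.green", 1_100),
    _ev("2013-08-14", "fw", "joshua.green", 1_000_000),
    _ev("2013-08-15", "fw", "joshua.green", 950),
    _ev("2013-08-14", "fw", "shawna.roy", 1_200),
    # Authentications: a backup account touching many hosts, a user being
    # password-guessed, and an ordinary user with a few typos
    _ev("2013-08-13", "auth", "jdoe", outcome="success", host="ws-jdoe"),
] + [_ev("2013-08-14", "auth", "backup_svc", outcome="success", host=f"srv{h:02d}")
     for h in range(40)] \
  + [_ev("2013-08-14", "auth", "jdoe", outcome="failure", host="vpn01")
     for _ in range(50)] \
  + [_ev("2013-08-14", "auth", "alice", outcome="failure", host="ws-alice")
     for _ in range(5)] \
  + [_ev("2013-08-14", "auth", "alice", outcome="success", host="ws-alice")
     for _ in range(3)]


def daily_counts(events, kind):
    """Sum event counts per user and per day for one data type."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["kind"] == kind:
            counts[e["user"]][e["day"]] += e["count"]
    return {u: dict(days) for u, days in counts.items()}


def top_users(counts, n=5):
    """Rank users by total volume: the 'who generates the most' list."""
    totals = {u: sum(days.values()) for u, days in counts.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def spikes(counts, k=5.0, min_count=10):
    """Flag (user, day, count) where a day sits far above the user's own
    baseline. Baseline is median + k * MAD (median absolute deviation), so a
    single huge day does not drag the baseline up the way mean/stddev would.
    min_count suppresses 'spikes' that are tiny in absolute terms; users with
    a single day of data have no baseline and are skipped."""
    flagged = []
    for user, days in counts.items():
        values = list(days.values())
        if len(values) < 2:
            continue
        base = median(values)
        mad = median(abs(v - base) for v in values)
        scale = mad if mad > 0 else max(base, 1)  # flat history: use the level itself
        for day, c in sorted(days.items()):
            if c >= min_count and c > base + k * scale:
                flagged.append((user, day, c))
    return flagged


def auth_review(events, max_fail=20, max_hosts=25):
    """Per-user authentication summary with two heuristics: many failures and
    few successes (password guessing) and one account succeeding against many
    distinct hosts (scanner/backup/service-account behaviour to verify)."""
    stats = defaultdict(lambda: {"success": 0, "failure": 0, "hosts": set()})
    for e in events:
        if e["kind"] != "auth":
            continue
        s = stats[e["user"]]
        s[e["outcome"]] += e["count"]
        if e["outcome"] == "success":
            s["hosts"].add(e["host"])
    report = {}
    for user, s in stats.items():
        flags = []
        if s["failure"] >= max_fail and s["failure"] > 10 * s["success"]:
            flags.append("possible brute force")
        if len(s["hosts"]) >= max_hosts:
            flags.append("logs on to many hosts (service account?)")
        report[user] = {"success": s["success"], "failure": s["failure"],
                        "distinct_hosts": len(s["hosts"]), "flags": flags}
    return report


if __name__ == "__main__":
    for kind in ("av", "fw"):
        counts = daily_counts(SAMPLE_EVENTS, kind)
        print(kind, "top users:", top_users(counts))
        print(kind, "spikes:", spikes(counts))
    for user, r in auth_review(SAMPLE_EVENTS).items():
        if r["flags"]:
            print("auth", user, r)
```

Two design points worth keeping when you build this for real: compare each user against their own history first (a backup account's 40 hosts a day is normal for it and alarming for anyone else), and use a robust baseline such as median and MAD, because the spike you are looking for is exactly the value that would distort a mean-based threshold.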
Check out the new user stats page and let us know if you discover a use case that we're not listing here, or a new stat you'd find useful. The feature is already live in your UserInsight environment. If you don't have UserInsight yet, please sign up for a free guided demo and chat with us about a proof of concept in your environment to detect and investigate incidents.