IUWorld Cybersecurity Governance, Risk & Compliance Part — II
Part II: User and Entity Behavior Management (10-minute discussion & demo)
Jeff: Welcome to the 2nd Episode of IUWorld Thought Leadership Series in Cybersecurity GRC — Governance, Risk & Compliance. A big welcome to all of you who have joined us in this webinar. First of all, let me introduce the team. My name is Jeff Chau, director, digital transformation at IUWorld.
Welcome, Snehal, and thank you for joining us at the IUWorld Thought Leadership series. Next, I would like to introduce IUWorld.
We have been 20 years in the ICT business, rooted in HK & Macau and what we now call the Greater Bay Area. Our clientele ranges from banks & financial institutions, Government & NGOs to commercial enterprises & gaming resorts. Today we specialize in Cybersecurity services with a focus on GRC innovations.
The way we work is, through these technology innovations, to craft an organizational business case for business resilience. I like to call it a “Transformational Project”.
Let’s move on to today’s topic — user entity behavior analysis (UEBA).
Recognising the growing importance of Regulatory Technology (Regtech), one of the key aspects is to look into user & entity behavior in an organization for prudential risk management & regulatory compliance.
Let’s take a look at the definition of UEBA. It really is about whether one has visibility into its users / systems within their data, network and hosts.
What it means is how one is able to monitor system-to-system communications and human interactions with applications, and the ability to identify malicious insiders / external attackers infiltrating their organizations.
This is a use case of Regtech on analytics of activities — how AI can help to draw insights from these behaviors (what is considered normal or an anomaly that can be identified in a timely manner).
It is indeed for transparency, consistency & standardization in how an organization delivers a sound interpretation of the regulations.
JEFF: Hello Snehal, today I want your thoughts on User Entity Behavior analysis — UEBA — and how you see it transforming Governance, Risk and Compliance.
SNEHAL: Jeff, thanks for hosting another session with us. And I could not agree more. UEBA is transforming cybersecurity and is in fact — center stage — because of our new normal.
- Our customers and partners say now they have many new remote users — changing all your baselines and creating new attack vectors
- And many organizations have even more cloud and SaaS infrastructure — potentially limiting visibility and loss of control
- With these challenges, UEBA ensures your SOC team can more quickly uncover complex attacks — Users and Entities are, at the end of the day, a strategic way to look for complex attackers
JEFF: So are you saying that UEBA is pretty strategic with our new normal?
SNEHAL: Correct Jeff, and UEBA needs more than SIEM logs, you need network traffic, and application awareness, cloud and SaaS awareness. By correlating data across a broader set of tools, you can proactively piece complex attacks together across all IT infrastructure. SIEMs alone lack this comprehensive visibility and force you to use your talented security analysts to write queries.
We see AI — artificial intelligence — as a key enabler to help a broader community of companies take advantage of advanced SOC solutions. Computers are good at seeing patterns. AI is a way to help SOC teams scale, so they can focus on strategic work.
JEFF: I see, AI is a hot topic here in Hong Kong — Before we dig deeper into UEBA, can you share the common challenges your customers had before you helped them?
SNEHAL: Even with all the right tools in place, a lot of our customers shared failures rather than success. The issue is visibility — organizations are faced with users and entities virtually everywhere.
- In the cloud
- On premise
- At home
- Passing through the physical network
Your attack surface is bigger than ever — and — dynamic
JEFF: I see this is why siloed tools won’t help, you need to look across everything and in between things too!
SNEHAL: Correct Jeff, we call this comprehensive visibility and have patented sensor technology that ensures you see across cloud, endpoints, network and users — anywhere!!
JEFF: For the new normal, scalability & interoperability across heterogeneous environments are essential then.
JEFF: Can you show our audience this idea of comprehensive visibility — how do you track a user or entity’s behavior?
SNEHAL: Jeff, sure let me open the GUI and draw your attention to this COLLECT button. As you can see on the left, we ingest lots and lots of sources of data. On the right, you also see connectors that help us gather user and entity data from AWS, Microsoft365, Google Cloud, and also email, Syslogs, network. From these data, we are extracting user and entity information. Now, let me drill into an event. Here, I can show you the power of our Interflow records, that capture everything about each incident of user and entity behavior.
We perform Deep Packet Inspection — DPI — on all data ingested and that helps us see even more into your attack surface.
We can see DNS tunneling attacks. We can tell you what applications are being hijacked. We fuse all this data with 3rd party threat intel like geolocation to ensure you have a complete picture for security analysis.
JEFF: Snehal, impressive. I also see it is readable and thus I am sure you can search on this information.
SNEHAL: Correct Jeff, we have a single data lake where all this metadata is stored and we perform big data analysis on it to help you see trends — when user or entity behavior changes, our AI highlights this as a critical anomalous detection.
JEFF: Snehal can we now go deeper on user behavior, I think you have some interesting insights there.
SNEHAL: Thanks Jeff, we do. Today’s hackers don’t attack you in the traditional ways — this is key — a perimeter approach, or a log capture approach no longer secures you. Now, they gain access to low-profile assets and start to gather intelligence about more critical systems through lateral movement, then they go for more valuable information.
JEFF: Can you explain the example on the slide?
SNEHAL: Sure, let’s say you have tagged your CEO as a critical person, and you just see that they logged in in Tokyo and then in Sydney, Australia two hours later. That is clearly an impossible travel event, yet his log-in was valid. Then you see him using commands to access an application, say SSL to access data on a SQL server.
JEFF: Why would the CEO be using SSL and why would he be looking for SQL data? Something is very suspicious and different than his normal behavior, but all three actions are still valid based on everything we can establish from the existing tools and data — right?
SNEHAL: Exactly Jeff, to summarize, what UEBA really needs is a way to bring all your tools and feeds together, and process it with AI to help find patterns, purpose-built to find the RIGHT data. We call this Open XDR — extended detection and response with the ability to integrate with any system, tool or data feed. Just as we augmented firewalls with SIEMs, it is time to reconsider how we build a SOC. A collection of tools — or — an intelligent platform is the key.
JEFF: So the way I hear this is, it’s about user behavior with broad visibility, that seems to be a great way to uncover a hack?
SNEHAL: That’s exactly right Jeff.
SNEHAL: Sure Jeff, First, I just identified an infected server, it has been hacked. Our UEBA capability helped identify the infection. I will block the device from sending traffic. I used our Threat Hunting library to trigger a response, to close the port. Now, let’s finish this use case with the final step, by seeing if the server is now infecting other devices, like we first discussed, this is a common way hackers infect other devices in your environment by having lateral movement. See, many other devices now need attention.
JEFF: Thanks Snehal, I am convinced I can see you really did a lot and that was simple and really only took a few minutes.
JEFF: The last topic I would like to cover is Compliance. A lot of our clients need to pass compliance and governance initiatives annually or even more frequently. How does your platform support reporting?
SNEHAL: Great point Jeff, we have put a lot of capabilities into our reporting engine as you can see here. We have many pre-built templates, for example, PCI compliance, CIS compliance and HIPAA compliance.
JEFF: Can you easily build customer reports?
SNEHAL: Sure Jeff, we can build a customer report from any dashboard we have in the platform. Here you can see I have all user login failures from the Threat Hunting Library. I can very easily edit the dashboard and create a customer report from it.
JEFF: Snehal, I think we need to wrap this up, can you summarize our discussion today?
SNEHAL: Sure Jeff, I think the most important thing I can say is visibility is the key to success in security. You can’t manage what you can’t see — and that means across your entire attack surface — cloud, endpoint, network and user — and as we both highlighted today, user and entity behavior is strategic to ensuring you can see complex attacks. Stellar Cyber’s advantage is we can bring new insights to tools and telemetry you already trust, it’s cloud native and open API driven. For cybersecurity governance, risk and compliance — UEBA ensures you close blind spots that logs alone will let through.
JEFF: Thanks Snehal, I think this session helped clients see they can easily track critical assets and users across cloud, endpoints, and network — helping to simplify governance, risk and compliance reporting. Till next time.
To conclude: transforming Cybersecurity means moving to a centralized & intelligent platform that is able to understand the baseline, uncover blind spots, complement & integrate all the tools available, and filter, normalize & correlate events & incidents into critical alerts for detection & response actions.
It is a continuous journey!
Thank you very much.