
Access and Data Security

Abstract: When deciding what is most important, every organisation will place protecting its internal legacy application data at the top of the list: ensuring that mission-critical legacy application data never becomes exposed. It also means that any potential insider threat (cyber attacks, brute-force attacks, compromised accounts) is brought to the organisation's attention, allowing it to protect the data well in advance.

 

UEBA (User and Entity Behaviour Analytics) Solution

New Scaler has developed a solution that has helped customers across a range of industries, including nuclear, police, health, the NHS and government, deal with a wide range of cyber attacks and reduce risk, while always keeping cost optimisation in mind. The solution aims to detect suspicious behaviour, that is, deviations from an entity's normal daily patterns or usage. For example, if a particular network user downloads around 20 MB of files each day but suddenly starts downloading 4 GB, the UEBA system treats this as an anomaly and either alerts an IT administrator or, where automation is in place, disconnects that user from the network automatically.
Sentinel UEBA detects anomalies using dynamic baselines that are built for each entity across multiple data inputs. The baseline behaviour of each entity is derived from its own historical activity, that of its peers, and that of the organisation as a whole. Anomalies are raised by correlating attributes such as action type, geo-location, device, resource, ISP and others.
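The baselining idea described above, worked through as an added example (this is not New Scaler's code and not how Sentinel UEBA is implemented internally). It scores a user's daily download volume against three baselines: the user's own history (mean plus three deviations, with the spread floored so a very steady user does not alert on noise), the 95th percentile of their peers, and the 99th percentile of the whole organisation. The user names, peer groups and the daily volumes are constructed sample data, and the percentile and multiplier choices are assumptions.

```python
from math import ceil
from statistics import mean, pstdev

# Constructed sample: daily file download volume (MB) per user over ten days.
# alice and bob are peers (same team); carol is a data engineer whose large
# transfers are routine for her and so form her own baseline.
HISTORY_MB = {
    "alice": [18, 22, 20, 19, 21, 20, 23, 18, 20, 21],
    "bob":   [25, 30, 28, 27, 26, 29, 24, 28, 27, 26],
    "carol": [3900, 4100, 4000, 3950, 4050, 4000, 4100, 3900, 4000, 3980],
}
PEERS = {"alice": ["bob"], "bob": ["alice"], "carol": []}


def percentile(values, p):
    """Nearest-rank percentile (p in 0..1) of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, ceil(p * len(ordered)))
    return ordered[rank - 1]


def user_threshold(samples, k=3.0, min_spread=0.10):
    """Own-history baseline: mean + k standard deviations.
    The spread is floored at a fraction of the mean so a user with an
    almost constant history does not alert on trivial variation."""
    avg = mean(samples)
    spread = max(pstdev(samples), min_spread * avg)
    return avg + k * spread


def score_activity(user, today_mb, history=HISTORY_MB, peers=PEERS, k=3.0):
    """Compare today's volume with the user's own, peer and organisation
    baselines and return the evidence alongside a verdict."""
    own_limit = user_threshold(history[user], k)

    # Peer baseline: if colleagues routinely move this much data, it is far
    # less suspicious, so the peer check is required before alerting.
    peer_values = [v for p in peers.get(user, []) for v in history[p]]
    peer_limit = percentile(peer_values, 0.95) if peer_values else None

    org_values = [v for samples in history.values() for v in samples]
    org_limit = percentile(org_values, 0.99)

    exceeds_own = today_mb > own_limit
    exceeds_peers = peer_limit is None or today_mb > peer_limit
    verdict = "anomaly" if exceeds_own and exceeds_peers else "normal"
    return {
        "user": user,
        "today_mb": today_mb,
        "user_threshold": own_limit,
        "peer_threshold": peer_limit,
        "org_threshold": org_limit,
        "exceeds_org": today_mb > org_limit,  # extra context for triage
        "verdict": verdict,
    }


if __name__ == "__main__":
    for user, mb in (("alice", 22), ("alice", 4000), ("carol", 4000)):
        r = score_activity(user, mb)
        print(f"{user:6} {mb:>5} MB -> {r['verdict']} "
              f"(own limit {r['user_threshold']:.1f} MB, peer limit {r['peer_threshold']})")
```

Running the block shows the case from the text: alice at 22 MB and carol at 4 GB are both "normal" because each sits inside their own baseline, while alice at 4 GB is an "anomaly" because it exceeds both her own limit (about 26 MB) and her peers' 95th percentile. The returned dictionary is what an alert or automated response would carry forward so an administrator can see why the verdict was reached.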
 
The following anomalies can be detected:
 
Furthermore, we have developed custom analytics rules that continuously monitor all Azure resources and raise an incident whenever an Owner or Contributor assigns permissions on the mission-critical application's resources, so that it can be determined whether the activity was authorised. This is useful for catching any user who initiates suspicious activity, including activity outside business hours.
The rules can also check whether anyone is assigning and approving PIM (Privileged Identity Management) requests outside business hours, and monitor trends for suspicious activity.
As mentioned above, the custom analytics rule continuously monitors all resources. In our current mission-critical application, for example, the Owner has permission to grant permissions to other users; doing so triggers an incident in the SOC solution, as shown in the image below.
As incidents occur, all relevant information is collected, making it easier for the SOC team to investigate the details.
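The rule logic described in the three paragraphs above, as an added example written in Python rather than as a Sentinel KQL rule (it is not New Scaler's rule and does not use Sentinel table or column names). It flags every permission assignment on the mission-critical application's scopes, escalates when the Owner role is granted or the action happens outside business hours, flags PIM approvals outside business hours, and packages the caller, target, resource and reasons into an incident record for the SOC. The business window (08:00 to 18:00 UTC, Monday to Friday), the subscription id, the scope paths, the operation names and the sample events are all constructed assumptions.

```python
from datetime import datetime, time

# Assumed business window in UTC and working days (Monday=0 .. Friday=4).
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
BUSINESS_DAYS = {0, 1, 2, 3, 4}

# Scopes that belong to the mission-critical application. The subscription id
# is a constructed placeholder.
CRITICAL_SCOPES = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-legacy-app",
)

# Constructed sample events. Field and operation names are illustrative; they are
# not the columns of any Sentinel table. 2024-03-04 is a Monday, 2024-03-09 a Saturday.
EVENTS = [
    {"time": "2024-03-04T10:15:00Z", "caller": "owner@example.com",
     "operation": "RoleAssignmentWrite", "role": "Contributor", "target": "analyst@example.com",
     "resource": CRITICAL_SCOPES[0] + "/providers/Microsoft.Web/sites/legacy-app"},
    {"time": "2024-03-04T23:40:00Z", "caller": "owner@example.com",
     "operation": "RoleAssignmentWrite", "role": "Owner", "target": "contractor@example.com",
     "resource": CRITICAL_SCOPES[0] + "/providers/Microsoft.Sql/servers/legacy-db"},
    {"time": "2024-03-05T09:00:00Z", "caller": "approver@example.com",
     "operation": "PimRequestApproved", "role": "Contributor", "target": "oncall@example.com",
     "resource": CRITICAL_SCOPES[0]},
    {"time": "2024-03-09T02:30:00Z", "caller": "approver@example.com",
     "operation": "PimRequestApproved", "role": "Owner", "target": "oncall@example.com",
     "resource": CRITICAL_SCOPES[0]},
    {"time": "2024-03-04T11:00:00Z", "caller": "dev@example.com",
     "operation": "RoleAssignmentWrite", "role": "Reader", "target": "intern@example.com",
     "resource": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-sandbox"},
]


def parse_time(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def outside_business_hours(dt):
    return dt.weekday() not in BUSINESS_DAYS or not (BUSINESS_START <= dt.time() < BUSINESS_END)


def is_critical(resource, scopes=CRITICAL_SCOPES):
    """A resource is in scope when its id sits under one of the critical scopes."""
    r = resource.lower()
    return any(r.startswith(s.lower()) for s in scopes)


def evaluate(events, scopes=CRITICAL_SCOPES):
    """Return one incident per matching event, carrying the context the SOC needs."""
    incidents = []
    for ev in events:
        when = parse_time(ev["time"])
        after_hours = outside_business_hours(when)
        reasons = []
        if ev["operation"] == "RoleAssignmentWrite" and is_critical(ev["resource"], scopes):
            reasons.append("permission assigned on mission-critical scope")
            if ev["role"] == "Owner":
                reasons.append("Owner role granted")
            if after_hours:
                reasons.append("outside business hours")
        elif ev["operation"] == "PimRequestApproved" and after_hours:
            reasons.append("PIM request approved outside business hours")
        if not reasons:
            continue
        severity = "High" if (after_hours or ev["role"] == "Owner") else "Medium"
        incidents.append({
            "time": when.isoformat(), "caller": ev["caller"], "operation": ev["operation"],
            "resource": ev["resource"], "role": ev["role"], "target": ev["target"],
            "severity": severity, "reasons": reasons,
        })
    return incidents


if __name__ == "__main__":
    for inc in evaluate(EVENTS):
        print(f"[{inc['severity']}] {inc['time']} {inc['caller']} -> {inc['target']} "
              f"({inc['role']}): {'; '.join(inc['reasons'])}")
```

On the sample events the in-hours Contributor grant produces a Medium incident, the late-night Owner grant and the Saturday PIM approval produce High incidents, and the in-hours PIM approval and the sandbox Reader grant are ignored. In a real deployment the business window and scope list would come from the organisation's own configuration, and the same reasons list is what an automation playbook would use to decide whether to notify or to revoke.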
 
 
When the SOC team begins investigating an incident, they will be able to find all relevant information, such as the timeline, user and entity details, and insights.

Conclusion:

In this tutorial we looked at strategies for protecting the data of applications that are critical to the operation of industries which are, by their nature, protective of their data and its security.
Click our video link for a simplified version of this blog.
To get started, contact us for a free consultation at info@newscaler.com or call us on 01628 306 600.

 

~ Saumil Shah (Senior Technical Architect) at New Scaler Ltd.