
Forcepoint UEBA

User & Entity Behavior Analytics

Kaan Kayan
Sales Engineer
kaan.kayan@forcepoint.com

Copyright © 2017 Forcepoint. | 1


TODAY’S REALITY: THE ZERO-PERIMETER WORLD

1. Significantly increased attack surface: from one perimeter to defend to many
2. Lack of Visibility: you cannot secure what you cannot see
3. Disjointed Security Policy
4. Silo’d Intelligence & limited visibility to risk: unable to make informed decisions for the entire business
5. Ineffective Enforcement: unable to make informed decisions for the entire business
6. Compliance: things just got a lot more complicated



THE HUMAN POINT IS ABOUT UNDERSTANDING

the rhythm of your people AND the flow of your data



BENEFIT FROM THE HUMAN POINT

Visibility: identify your data and users everywhere your people work
Control: one policy to manage data movement & access across ALL distributed systems
Risk: consolidated view of risk that considers user actions & value of the data in addition to machine logs
Enforcement: risk adaptive protection to act on change in human risk to critical data in real time
Compliance: effectively enforce compliance no matter where your data resides



THE FORCEPOINT SOLUTION FOR DATA AND USERS

the rhythm of your people AND the flow of your data

Forcepoint UEBA
• Risk analytics platform for broad view of user activity and risk scoring
• Context of behavior – not just anomalies
• Communications + logs + machine data + HR info
• Out of box analytics + flexibility to adapt to new threats

Forcepoint Insider Threat
• Endpoint-based deep visibility and analysis of user behavior
• User risk scoring
• Baseline & deviations
• Machine logs + user actions
• Correlate user across systems
• Detailed monitoring that respects user privacy

Forcepoint DLP
• Identify and control flow of data: Cloud, Endpoint, Network, Discovery
• Secure regulated data
• Protect intellectual property



UEBA: TRUSTED INSIDERS VS. COMPROMISED USERS & ASSETS

Trusted Insider
Customer challenge: centralized, correlated visibility to user activity across cloud apps, devices, user communications and HR data.
UEBA buyers and users: Risk Management. Goal: pinpoint threats.

Compromised Insider or Asset
Customer challenge: cyber threats target the people & authorized users who access data & critical systems. Mean time to detection: ~150 days.
UEBA buyers and users: Security Operations. Goal: reduce signal to noise ratio.

Source: Gartner, Dec. 2016


USER & ENTITY BEHAVIOR ANALYTICS
Anomalies provide little value without context to data at risk & specific threats

1st Generation UEBA:
• Analyze SIEM data & find anomalies from the billions of logs & machine events
• SIEM Analytics Module: embedded analytics in the SIEM
• Results used by the user …
• From 1000s of events to 100s of anomalies
• Anomalies are not actionable:
  - Anomalies serve as “clues” of interest but lack context of what to do next
  - No context of data at risk
  - Analyst must jump to other products to see if the user action puts the enterprise at risk
  - No context of user vs. machine action

“A UEBA product that only ingests logs may miss important activity, especially if it does not have full visibility into the endpoint device … Unstructured contextual information (such as performance appraisals, travel logs and social media activity) can be extremely useful in helping discover and score risky user behavior.” – Gartner, Dec. 2016



FORCEPOINT UEBA – USER & ENTITY BEHAVIOR ANALYTICS

1. Integrate data sources for visibility into human risk
2. Identify & prioritize high risk users & critical data
3. Investigate & act to reduce risk & protect data



FORCEPOINT UEBA: HOLISTIC VIEW OF THE USER

Communication: What are they feeling? With whom are they interacting?
Data: Email, chat, voice

System: How are they behaving digitally? What sites and systems are they accessing?
Data: SIEM, endpoint, web browsing, logins, file sharing

HR: What is their motivation? Why might they have malicious intent?
Data: Performance reviews, Active Directory

Physical: How are they behaving physically? Where are they going and when?
Data: Badge data, traveling



EXAMPLE DATA INTEGRATIONS
• SIEM
• Endpoint
• Communications
• Entity Information
• User Access
• Proxy
• System Administration
• Physical
• Data Movement: DLP, Print Logs, Removable Device Logs (Windows, Endpoint)



PLATFORM ANALYTIC APPROACH



USER BEHAVIOR ANALYTIC APPROACH

Insider insights based on what they do (people of interest, events of interest) and who they are.

SCENARIOS: “Connect the dots” across event/entity models for a composite measure of risk.

EVENT ANALYTICS - “What They Do”: enrich events with observed features of interest, scored for rarity and normalized by individual or peer group. Input: entity features from EVENT INGEST AND ENRICHMENT (streaming or batch ingest via API).

ENTITY ANALYTICS - “Who They Are”: score non-activity based indicators about an entity to influence scoring. Input: entity attributes from ENTITY ATTRIBUTE AND FEATURE COLLECTION (gathered from HR, Active Directory, CMDB).



FORCEPOINT UEBA TECHNOLOGY DIFFERENTIATORS

Comprehensive Visibility: only vendor that covers structured & unstructured business data PLUS communications to leave no detection gaps.

Deep Context: focus on behaviors, not just anomalies, with precise narratives that indicate unwanted behavior, utilizing sentiment analysis and Natural Language Processing.

Flexible: easily build or customize risk models to fit your unique enterprise and support any risk use case.

Efficient: in-depth analytics within a single platform allows investigators to pivot from alert to investigation.



FORCEPOINT UEBA – USER & ENTITY BEHAVIOR ANALYTICS

Visibility → Users & Critical Data → Investigate & Act



THE HUMAN POINT
Humans are increasingly the number one source of risk to organizations

Disgruntled Employee (Saboteur): “Huge fight with boss. Quit and deployed time-bomb corrupting our HR system, inserted false transactions in a client back-end system.”

Unknowing Accountant (Compromised): “Downloaded a spreadsheet with malware, unknowingly exposing our company. It took us weeks to figure out who was patient zero.”

Entitled Insider (IP Thief): “Recruited by a competitor. Took client lists, product ideas, internal working documents - everything he’d ever been a part of.”

Blackmailed Developer (PII Thief): “Social media posts about financial troubles led a ‘recruiter’ to contact her. Simple requests quickly escalated into blackmail.”

Internal Activist (Media Leaker): “Became disillusioned after reading executive emails, chats, and compensation logs. Went to the media with a story.”

Careless Manager (Negligent): “Taped passwords to his monitor, refused to lock his screen. Regularly emailed himself sensitive information he needed to remember.”



OUT-OF-BOX USE CASES | BASELINE ANALYTICS MODEL

Data Exfiltration
Models: Internal Data Movement Risk; External Data Movement Risk; File Operations Risk; Data Reconnaissance Risk; Evasive Action Risk; Human Resources Risk
Data sources: Web Proxy; Windows; Linux; User Activity Monitoring; Email; SharePoint; Web Server Logs; HR; Anti-Virus

Compromised User Account
Models: Malware Risk; Compromised Authentication Risk; Phishing Risk; Baseline Configuration Deviation Risk; Malware Resources Risk
Data sources: Web Proxy; Windows; Linux; User Activity Monitoring; Email; Network Flow Logs; VPN; Firewall; HR

Malicious User
Models: Network Reconnaissance Risk; Systems Administration Risk; Malicious Authentication Risk; Malicious Actions Research Risk; Baseline Configuration Deviation Risk; Physical Access Risk; Permissions Elevation Request Risk; Human Resources Risk
Data sources: Web Proxy; Windows; Linux; User Activity Monitoring; Email; VPN; Badge Data; Voice

Negative Behavior
Models: Sexual Harassment Risk; Workplace Violence Risk; Obscene Content Risk; Leaver Risk; Decreased Productivity Risk; Corporate Disengagement Risk; Financial Distress Risk; Negative Sentiment Risk; Human Resources Risk
Data sources: Web Proxy; Email; Chat; Network Flow Logs; HR

Illicit Behavior
Models: Organizational Conflict of Interests (OCI) Risk; Information Leakage Risk; Corporate Espionage Risk; Whistleblowing Risk; Clearance Investigation Evasion Risk; Human Resources Risk
Data sources: Web Proxy; Email; Chat; Firewall; HR

Additional data sources listed on this slide: Chat; Email; Network Flow Logs; Voice; DLP; HR
BASELINE ANALYTICS MODELS | REGULATORY SURVEILLANCE

“Out-of-the-box” models for scenarios across regulatory surveillance and information security. Known as BAM, these models are use case "best practices" developed via the sharing and compounding of knowledge within our customer base.

Market Manipulation (MM)
Models: MM-1 Trades FX Rate Fixing; MM-2 Comms FX Rate Fixing; MM-3 Trades Libor Rate Fixing; MM-4 Comms Libor Rate Fixing
Data sources: Email; Chat; Trade; Voice; Trade Alerts; Web Proxy; User Activity Monitoring; SharePoint; HR; Badge Data

Insider Trading (IT)
Models: IT-1 Trades Outlier Activity; IT-2 Comms Insider Trading; IT-3 Comms Disclosure of MNPI; IT-4 Web Personal Trade Activity; IT-5 Trades Surveillance Alerts
Data sources: Email; Chat; Trade; Voice; Trade Alerts; Web Proxy; User Activity Monitoring; SharePoint; HR

Conduct Risk (CR)
Models: CR-1 Disengagement from work; CR-2 Personal Duress; CR-3 Oversight Evasion; CR-4 Ethics Risk
Data sources: Email; Chat; Voice; Web Proxy; User Activity Monitoring; HR; Badge Data



DATA INTEGRATION ENGINE | APACHE NIFI
• Enterprise-ready ETL framework based on Apache NiFi
• Rapid time-to-value for onboarding new data feeds
• Includes library of reusable data flow templates to target most common data sources, such as ArcSight, Splunk, Hadoop, etc.
• Out-of-the-box connectors (FTP, syslog, etc.) and GUI-driven template builder for fast setup and reduced training costs
• Bi-directional capabilities enable ingest and outbound alerting
• Critical management/monitoring features including:
  - Real-time monitoring interface
  - Configurable throttling and back-pressure
  - Robust error handling and error reporting
UI PURPOSE-BUILT FOR ANALYSTS

Identify Highest Risk Employees

The Analytic Dashboard “connects the dots” to identify unknown risks and provide broad situational awareness using holistic risk assessments.

The holistic assessments - Entity Risk Scores - are derived from advanced analytics that look at all monitored employees across all their activity.



UI PURPOSE-BUILT FOR ANALYSTS

Fast, Friendly Forensics



UI PURPOSE-BUILT FOR ANALYSTS

Streamlined Event Review



Thank you
