To catch an insider threat you need a way to detect abnormal shifts and deviations from normal behavior: User Behavior Analytics (UBA). The deck below walks a spearphishing-to-fraud scenario at a financial institution through each stage of the cyber kill chain and shows where LogRhythm's UBA, network and endpoint monitoring can detect the anomalous behavior and stop movement to the next stage.
Interested in learning more? Watch an online demo of LogRhythm's Security Intelligence Platform: https://logrhythm.com/neutralization-of-a-phishing-attack-demo/
Detecting Insider Threats with User Behavior Analytics
1. Detecting Insider Threats with User Behavior Analytics: A Use Case for Financial Services at Every Stage of the Cyber Kill Chain
2. Insider Threats Within Financial Services Organizations: The Scenario
An employee within your organization is targeted with a spearphishing email. With just a click, they take the bait and their credentials are stolen.
Once the attacker has credentials, they can move freely within your network, with the ability to inflict immense damage.
3. The Human Element
Spearphishing is a human vulnerability: it takes an employee to click on the bait, and sooner or later one will. So how can you defend against insider threats? You need a control that does not depend on the human element holding, one that detects the abnormal behavior that follows a compromise.
The solution: User Behavior Analytics (UBA)
4. How User Behavior Analytics Can Help Stop Insider Threats
UBA can help you detect and respond to:
1. Insider threats
2. Compromised accounts
3. Privileged account abuse
5. Anatomy of an Attack: Using UBA to Stop an Insider Threat Attack at Any Stage of the Cyber Kill Chain
6. Detecting a Compromised Account
Compromised accounts are at the heart of most financial breaches. The good news? Indicators of a compromised account can be detected at different stages across the cyber kill chain.
7. The Cyber Kill Chain: Identifying The Moment of Compromise
The Scenario: Spearphishing
The compromise: An employee receives an email that looks like it's from a co-worker. She doesn't notice the small difference in the spelling of the domain name as she opens the email. The trap has been sprung.
How you stop it: LogRhythm's Network Monitor deep packet analytics detects the inbound attack and produces a high-impact alert on the incident. Your SOC team investigates, responds and neutralizes the threat.
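The detection the scenario turns on is that a sender domain "one letter off" from a trusted one can be recognised by a machine even when the employee does not notice it. The following is an added example, not code from the deck or from LogRhythm; the trusted domain examplebank.com, the homoglyph table, the edit-distance threshold and the sample From: headers are all constructed assumptions.

```python
"""Flag inbound senders whose domain is a near-miss of a trusted domain.

Added example, not code from the deck or from LogRhythm. The trusted domain,
the homoglyph table, the edit-distance threshold and the sample headers are
all constructed assumptions.
"""
import re

# Assumption: the institution's own mail domains.
TRUSTED_DOMAINS = {"examplebank.com"}

# Character sequences attackers swap for visually similar ones. Applied to
# both sides before comparing, so a legitimate "rn" is treated consistently.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Lower-case the domain and fold common look-alike sequences."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Optimal string alignment distance: an insert, delete, substitution or
    transposition of two adjacent characters each cost 1 ("bnak"/"bank" is 1)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            v = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                v = min(v, prev2[j - 2] + 1)
            cur.append(v)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(header_value):
    """Domain part of a From: value such as 'Jane Doe <jane@examplebank.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", header_value)
    return m.group(1).lower() if m else None


def classify_sender(header_value, trusted=TRUSTED_DOMAINS, max_edits=2):
    """'trusted', 'external', 'unparseable', or 'lookalike of <domain>'.

    max_edits=2 is an assumption tuned for ~15-character domains; scale it
    down for short trusted domains or every mistyped partner domain fires."""
    dom = sender_domain(header_value)
    if dom is None:
        return "unparseable"
    if dom in trusted:
        return "trusted"
    for t in trusted:
        if normalize(dom) == normalize(t) or edit_distance(dom, t) <= max_edits:
            return f"lookalike of {t}"
    return "external"


# Constructed From: headers; only the first is the genuine co-worker.
SAMPLE_SENDERS = [
    "Jane Doe <jane.doe@examplebank.com>",
    "Jane Doe <jane.doe@examp1ebank.com>",   # digit 1 for letter l
    "Jane Doe <jane.doe@exarnplebank.com>",  # "rn" for "m"
    "Jane Doe <jane.doe@examplebnak.com>",   # transposed letters
    "Jane Doe <jane.doe@examplebank.co>",    # dropped TLD letter
    "vendor@supplier-corp.example",
]


def flagged(senders=SAMPLE_SENDERS):
    """Return the senders that would raise an alert, with their verdicts."""
    hits = []
    for s in senders:
        verdict = classify_sender(s)
        if verdict.startswith("lookalike"):
            hits.append((s, verdict))
    return hits


if __name__ == "__main__":
    for sender, verdict in flagged():
        print(f"{verdict:28} {sender}")
```

Two checks are combined because they catch different tricks: homoglyph folding catches substitutions that have zero visual difference (rn/m, 1/l), while the edit distance catches transpositions and dropped letters. Both run on the domain only, never on the display name, since the display name is attacker-controlled free text.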
8. The Cyber Kill Chain: Identifying The Moment of Compromise
The Scenario: Compromised Hosts
The compromise: A piece of malware slips through traditional perimeter defenses and is installed on a machine.
How you stop it: LogRhythm detects when the malicious process starts on the endpoint and either terminates the process or isolates the endpoint to stop the spread of malware.
9. The Cyber Kill Chain: Identifying The Moment of Compromise
The Scenario: Lateral Movement & Account Sweeps
The compromise: Malware makes its way onto a machine. It then uses an employee's compromised credentials to log onto other systems on the network.
How you stop it: LogRhythm detects the authentication attempts against multiple hosts and sends an alarm to your SOC for further investigation, response and neutralization.
10. The Cyber Kill Chain: Identifying The Moment of Compromise
The Scenario: Brute Force Authentication
The compromise: Malware has made its way onto an employee's machine. It then tries to move to another user's account by guessing that user's password through brute force.
How you stop it: LogRhythm detects the authentication failures against multiple hosts and sends an alarm to your SOC for further investigation, response and neutralization.
11. The Cyber Kill Chain: Identifying The Moment of Compromise
The Scenario: Authentication from Abnormal Location
The compromise: An attacker successfully gains control of a corporate machine and then uses the employee's credentials to connect to the network via VPN.
How you stop it: LogRhythm detects the authentication from an abnormal location and sends an alarm to your SOC for further investigation, response and neutralization.
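The three authentication detections of slides 9 to 11 (one account succeeding against many hosts, many failures from one source across hosts, and a VPN logon from a location outside the user's baseline) run over a handful of constructed logon events. This is an added example, not code from the deck or from LogRhythm; the key=value log format, the thresholds, the 10-minute window and the per-user location baseline are assumptions a real deployment would derive from its own data.

```python
"""Three UBA-style detections over authentication events.

Added example, not LogRhythm code. Log lines are constructed in a simple
key=value format; the thresholds, field names and per-user baseline are
assumptions a real deployment would derive from its own data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. jdoe's credentials are used from one workstation
# to sweep several servers; the same source then brute-forces asmith across
# hosts; bjones' credentials are replayed over VPN from an unusual country.
LOG_LINES = """\
2017-03-02T09:00:00Z user=jdoe host=WS-101 result=success src=10.20.1.15 geo=US type=interactive
2017-03-02T09:01:10Z user=jdoe host=FS-01 result=success src=10.20.1.15 geo=US type=network
2017-03-02T09:01:12Z user=jdoe host=FS-02 result=success src=10.20.1.15 geo=US type=network
2017-03-02T09:01:15Z user=jdoe host=DB-01 result=success src=10.20.1.15 geo=US type=network
2017-03-02T09:01:20Z user=jdoe host=APP-07 result=success src=10.20.1.15 geo=US type=network
2017-03-02T09:01:24Z user=jdoe host=SWIFT-GW result=success src=10.20.1.15 geo=US type=network
2017-03-02T09:02:00Z user=asmith host=FS-01 result=failure src=10.20.1.15 geo=US type=network
2017-03-02T09:02:01Z user=asmith host=FS-02 result=failure src=10.20.1.15 geo=US type=network
2017-03-02T09:02:02Z user=asmith host=DB-01 result=failure src=10.20.1.15 geo=US type=network
2017-03-02T09:02:03Z user=asmith host=APP-07 result=failure src=10.20.1.15 geo=US type=network
2017-03-02T09:02:04Z user=asmith host=WS-202 result=failure src=10.20.1.15 geo=US type=network
2017-03-02T09:02:05Z user=asmith host=WS-203 result=failure src=10.20.1.15 geo=US type=network
2017-03-02T09:30:00Z user=bjones host=VPN-01 result=success src=203.0.113.7 geo=RO type=vpn
2017-03-02T09:31:00Z user=cwhite host=WS-305 result=success src=10.20.3.9 geo=US type=interactive
"""

# Assumption: per-user location baseline learned from earlier history.
GEO_BASELINE = {"jdoe": {"US"}, "asmith": {"US"}, "bjones": {"US"}, "cwhite": {"US"}}

WINDOW = timedelta(minutes=10)
SWEEP_HOSTS = 5      # distinct hosts one account logs on to within WINDOW
BRUTE_FAILURES = 5   # failures from one source within WINDOW ...
BRUTE_HOSTS = 3      # ... spread across at least this many hosts


def parse(line):
    """'<iso-ts> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def _slide(window, ts, host):
    """Drop entries older than WINDOW and append the new (ts, host)."""
    return [(t, h) for t, h in window if ts - t <= WINDOW] + [(ts, host)]


def detect(lines, baseline=GEO_BASELINE):
    """Return (rule, key, detail) tuples in time order, one per rule and key."""
    alerts, fired = [], set()
    successes = defaultdict(list)  # user -> [(ts, host)]
    failures = defaultdict(list)   # src  -> [(ts, host)]
    for ev in (parse(l) for l in lines.splitlines() if l.strip()):
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        if ev["result"] == "success":
            # Lateral movement / account sweep: one account, many hosts, fast.
            win = successes[user] = _slide(successes[user], ts, ev["host"])
            hosts = {h for _, h in win}
            if len(hosts) >= SWEEP_HOSTS and ("sweep", user) not in fired:
                fired.add(("sweep", user))
                alerts.append(("account_sweep", user, sorted(hosts)))
            # Abnormal location: a VPN logon from a geo outside the baseline.
            if ev["type"] == "vpn" and ev["geo"] not in baseline.get(user, set()):
                if ("geo", user, ev["geo"]) not in fired:
                    fired.add(("geo", user, ev["geo"]))
                    alerts.append(("abnormal_location", user, ev["geo"]))
        else:
            # Brute force: many failures from one source, spread over hosts.
            win = failures[src] = _slide(failures[src], ts, ev["host"])
            hosts = {h for _, h in win}
            if (len(win) >= BRUTE_FAILURES and len(hosts) >= BRUTE_HOSTS
                    and ("brute", src) not in fired):
                fired.add(("brute", src))
                alerts.append(("brute_force", src, len(win)))
    return alerts


if __name__ == "__main__":
    for rule, key, detail in detect(LOG_LINES):
        print(f"{rule:18} {key:12} {detail}")
```

Each rule fires once per key rather than on every subsequent event, which is what keeps the SOC queue readable during a sweep. Note that the sweep and brute-force alerts in the sample share the source address 10.20.1.15; joining alerts on that field is the kind of correlation that turns two medium alarms into one incident pointing at the compromised host.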
12. The Cyber Kill Chain: Identifying The Moment of Compromise
The Scenario: Unauthorized Trades and Transfers
The compromise: A compromised user account attempts to perform unauthorized trades and transfers.
How you stop it: LogRhythm's User Behavior Analytics detects the unauthorized actions and alerts on the incident, immediately initiating a SmartResponse™ action to lock down the compromised account.
14. LogRhythm's User Behavior Analytics Stops Insider Threats
At every step of the insider threat cyber kill chain, LogRhythm can detect the anomalous behavior and prevent movement to the next stage.
LogRhythm's detection capabilities go beyond the usual UBA suspects because of its ability to monitor network activity and file information, keeping your financial institution protected no matter where the point of compromise is attempted.
15. LogRhythm Disrupts the Financial Insider Threat Kill Chain
(Diagram. The kill chain stages and the attack steps from this deck placed along them are listed below.)
Kill chain stages: Reconnaissance & Planning; Initial Compromise; Command & Control; Lateral Movement; Target Attainment; Exfiltration, Corruption, Disruption.
Attack steps from this deck: Spearphishing; Malware; Brute force and unauthorized account access; VPN; Financial transfer.
16. Holistic Threat Analytics
Embedded Security
• Recognized security experts
• Build machine data intelligence, with support for 750+ devices
• Develop pre-packaged threat management modules:
  • AI Engine rules
  • Reports & saved searches
  • Dashboard layouts
  • SmartResponse™ plug-ins
• Frequent updates via cloud
Threat Intelligence: open source, custom, commercial
User Behavior Analytics (UBA): brute force attacks, compromised user accounts, insider threat detection, privileged user account monitoring & more
Network Behavior Analytics: malware outbreak, suspicious network communications, DoS attacks, network-borne data exfiltration & more
Endpoint Behavior Analytics: endpoint manipulation, malware activity, suspicious process & application activity, local data exfiltration & more
Rapid Value
• Arm your analysts to work smarter and faster with machine-based analytics
• Detect and respond to threats across the holistic attack surface
• Accelerate deployment with pre-packaged threat management modules
17. Protecting Your Holistic Attack Surface
LogRhythm can help you protect your holistic attack surface, including your users, networks and endpoints. Rarely do attackers target one vector, so we leverage data from all vectors and sources (e.g., honeypots and threat intel feeds) so you can correlate user behavior with network and endpoint data.
In case of an attack, you'll be able to detect and respond lightning fast with an efficient workflow.
18. See LogRhythm in Action
You already know that hackers will get in, regardless of the prevention technologies you've put in place to keep them out.
Click the button below to watch this in-depth demo and see how LogRhythm can help you detect a phishing attack and stop it in its tracks.
Watch the Demo