ES Episode11

From Security Weekly Wiki

User Behavior Analytics (UBA)

Paul Asadoorian John Strand

This week: LogRhythm has a free network monitoring tool, SAP HANA, the hottest technology you didn't see at Black Hat, free anti-ransomware, a BeyondTrust product announcement, and Traps.

  1. - Not what I was expecting, and a poor choice of words, as most people stopped reading after the word "documentation". Are you ready? Here it is… documentation. The oft-forgotten, deprioritized and time-intensive process of creating documentation is the strongest weapon in the information security arsenal. There isn't an out-of-the-box toolset that can anticipate your business goals, what needs to be protected, how systems communicate, or your most valuable data.
  2. - Kaspersky managed to do this thanks to two pieces of technology: the cloud-based Kaspersky Security Network that processes data from participants around the world, as well as System Watcher, which is a technology that records and analyzes networks to provide evidence of malicious activity. So yeah, basically threat intelligence can save you from ransomware...
  3. - SAP HANA is the foundation for all your data needs, removing the burden of maintaining separated legacy systems and siloed data, so you can run simple in this new digital economy. So HANA needs access to all of your applications: cool to monitor, but better to have a plan to secure it in the first place (which, by the way, typically does not happen).
  4. - IAM is a big deal today; it solves a lot of problems. An interesting new feature, which seems like it was a PITA before this: "Admins who manage dozens of sessions on a daily basis are challenged with time-consuming login and access processes. With DirectConnect, Password Safe customers have a way to establish direct connections to SSH sessions, and they can utilize time-saving shortcuts within tools like PuTTY and MobaXterm," said Brad Hibbert, chief technology officer, BeyondTrust. "Managing user access for both privileged and non-privileged accounts requires multiple interfaces. While identity and access management (IAM) solutions help IT teams answer 'who has access to what', only PowerBroker also accounts for privileged user access, addressing 'is that access appropriate?' and 'is that access being used appropriately?'"
  5. - This is pretty sweet: Today Bromium uses micro-virtualization to hardware-isolate end-user tasks that access untrusted content and the web, to protect the endpoint host OS. Although we monitor the host (desktop) for signs of compromise using the same LAVA technology that gives us precise forensics for introspection of micro-VMs, we have always wanted to enhance the protection of the host from (for example) east-west attacks. We want to protect high-value information on the endpoint (e.g. credentials) from theft using a clean, hardware-based capability that does not rely on detection, and SGX is a key technology that helps us to achieve this.
  6. - Traps is yet another endpoint protection agent-based solution, this one from Palo Alto. It lists all sorts of fancy stuff it uses to prevent malware: Static Analysis via Machine Learning, WildFire Inspection and Analysis, Trusted Publisher Execution Restrictions [new]. Not sure what all that means, but there is certainly no shortage of this technology in the market today.
  7. - Note: LogRhythm is a new sponsor on the Security Weekly network. LogRhythm has released the Freemium network monitor. It is a commercial-grade network monitoring, forensics and analytics product suitable for advanced threat detection and incident response. It enables the detection of threats traversing the network by identifying more than 2700 applications and performing analytics on network and deep packet application data in real time. This is something I can't wait to try!
  8. - Wow, this sums it up: Ransomware infections have gone up, but they cost less to fix. Ha!

Discussion: User Behavior Analytics (UBA)

What is it? Why do you need it? How does it work? Who are the vendors? What do they do? What are the gaps? How do you measure success?