Hi, I'm Sean Barker, product manager of Change Auditor. Today, I'm excited to introduce our new user threat detection module.
Change Auditor has always done a great job of auditing every change and user activity in the Active Directory Windows environment, complete with all the details about the change, including the who, what, when, where, and originating workstation, and the before and after values. These audit events are easy for humans to interpret, and they're in the same format regardless of the platform they come from.
Historically, you could set up rules to detect critical changes that you were aware of, such as a member being added to a built-in administrator group, or a modification to a Group Policy Object. But aside from a handful of rules, Change Auditor's audit data is primarily used reactively, to forensically piece together what happened and who did it after the problem has already been uncovered.
Enter Change Auditor Threat Detection, which employs unsupervised machine learning and smart correlation technology to model individual user behavior patterns in order to detect anomalous activity that could be indicative of suspicious users or compromised accounts. It models user behaviors based on the audit data from Change Auditor for Active Directory, Change Auditor for Logon Activity, and file activity from four platforms: EMC, NetApp, Windows file servers, and FluidFS.
The users with the highest risk scores are highlighted in the left panel of the Change Auditor Threat Detection dashboard, creating a dynamic watch list of emerging user threats, sorted by severity. Change Auditor Threat Detection rates the criticality of each risky user relative to the other activity taking place in your environment, ensuring that when a true attack or a misuse of privileges takes place, it will stand out immediately.
The user's risk score is an aggregate of all the smart alerts that have been raised for that user. The user's profile makes it very easy to see the timeline of activity that led to the high user risk score. Each alert is a correlation of multiple threat indicators that, when combined, establish a suspicious pattern of user activity. The percentages make it clear which activities were the most concerning in triggering the alert.
Every threat indicator displays the anomaly that triggered it in the context of the user's behavior baseline. And when an indicator is raised, all of the raw audit events are retained and displayed below, which provides immediate context around the alert, accelerating the ensuing investigation.
In this example, we see that a brute force authentication alert was raised because the user experienced a very high number of failed authentications, and those logon attempts came from a computer that the user never logs in from, at a time that is outside of their typical working hours.
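As an added illustration, not Change Auditor's own model (whose features, weights and thresholds are not described here), the Python below builds a per-user baseline from constructed logon audit events, fires the three indicators from the brute force example above, reports each indicator's percentage share of the alert, and aggregates alerts into a user risk score. The event format, the indicator weights and the "more than three times the baseline" threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit events (hypothetical format): user, timestamp, workstation, result
BASELINE = [
    ("alice", "2024-03-04 09:02", "WS-ALICE", "success"),
    ("alice", "2024-03-04 13:15", "WS-ALICE", "success"),
    ("alice", "2024-03-05 17:40", "WS-ALICE", "failure"),
    ("alice", "2024-03-06 09:10", "WS-LAB01", "success"),
]
# Constructed window under review: a burst of failures from an unseen host at 2 a.m.
WINDOW = [("alice", f"2024-03-09 02:{m:02d}", "WS-UNKNOWN", "failure") for m in range(0, 24, 2)]

# Indicator weights are assumptions for illustration, not the product's model.
WEIGHTS = {"failed_logons": 50, "new_workstation": 30, "off_hours": 20}

def build_baseline(events):
    """Per-user profile: workstations seen, logon hours seen, and the most failures in any one hour."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "max_failures": 0})
    fails = Counter()
    for user, ts, host, result in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(t.hour)
        if result == "failure":
            fails[(user, t.strftime("%Y-%m-%d %H"))] += 1
    for (user, _), n in fails.items():
        profile[user]["max_failures"] = max(profile[user]["max_failures"], n)
    return profile

def evaluate_window(user, events, profile):
    """Raise a smart alert only when several indicators fire together; keep the raw events with it."""
    base = profile[user]
    failures = sum(1 for _, _, _, r in events if r == "failure")
    hours = {datetime.strptime(ts, "%Y-%m-%d %H:%M").hour for _, ts, _, _ in events}
    hosts = {h for _, _, h, _ in events}
    fired = {
        "failed_logons": failures > 3 * max(base["max_failures"], 1),  # well above the user's norm
        "new_workstation": not hosts <= base["hosts"],                  # a host never seen for this user
        "off_hours": not hours <= base["hours"],                        # outside their usual logon hours
    }
    score = sum(WEIGHTS[k] for k, on in fired.items() if on)
    if sum(fired.values()) < 2:   # a single indicator on its own is not an alert
        return None
    share = {k: round(100 * WEIGHTS[k] / score) for k, on in fired.items() if on}
    return {"user": user, "score": score, "indicators": share, "events": events}

def user_risk_score(alerts):
    return sum(a["score"] for a in alerts if a)  # the user's risk is the aggregate of their alerts
```

Running `evaluate_window("alice", WINDOW, build_baseline(BASELINE))` returns a 100-point alert whose indicator shares are 50/30/20, while the baseline window itself returns `None`.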
Change Auditor Threat Detection will detect when there are active user threats or attacks underway. However, it also provides day-to-day value by highlighting the most suspicious user behaviors.
For example, a user may not be trying to cause destruction, but they could be misusing their credentials, or taking advantage of lax folder permissions to access files and resources that are not part of their job responsibilities.
Not only are there a high number of file access events in a one-hour period, but also a very high number of folder open events, which is not behavior you typically see a user perform interactively. There could be a malicious application exploiting her credentials, or perhaps she is looking for information to take with her to her next job.
The succession of smart alerts, including abnormal file activity and the beginning of a high number of file renames, indicates that this is a user and a behavior that we'll want to investigate in more detail.
Change Auditor Threat Detection allows you to switch from being reactive to being proactive about detecting potential insider user threats and suspicious user behaviors. To learn more about this new module, visit quest.com/threatdetection.