Background
Versa UEBA incorporates GraphML to generate insights and detect anomalies in user relationship graphs.
Anomaly and behavior detections are just the first step. We then need to quickly pivot into building the forensics to inform response and remediation. This can involve determining the origination point of a malicious activity or an attack and building the scope and scale of a potential breach.
The Versa approach
With UEBA relationship graphs helps forensic analysts explore the connections between various entities like users, devices, locations, gateways, applications etc to spot anomalies and investigate security incidents. By using GraphML, analysts can visually determine the scale and root cause of an incident, as well as assess its potential reach. This method provides a clear visualization of network relationships, which is critical for effectively responding to and understanding security threats.
Example: Conducting Forensics
The following is a simple example. In this scenario, ‘Johnacr’ has previously triggered an alert for anomalous and potentially malicious behaviors- specifically tied to files that he wouldn’t be expected to access. With our relationship graphs, we were able to see the apps, resources and locations that are associated with the his activities.
To build the forensics thread, the analyst clicks on the first app that the user has accessed. This then gives additional pathways to other users who have accessed this app. In this case, we see that user ‘gopetlr12@” has also accessed this app.
Expanding the view, we are then able to see that the credentials for ‘gopeltr12’ has been accessing resources from two locations and accessing an unapproved application.
A click into the user profile then highlights that this user has a history of behaviors that access confidential information with likely movement into aggregation / staging servers. This has contributed to a lower user confidence score.
With a flexible platform that allows you to pivot between the ‘entities’ in a workflow or relationship. The alerts generated by the UEBA platform can be consumed via email, viewed on the dashboard, or integrated into third party dashboards and automation agents via Kafka clients.We have several examples for how post-detection forensics can be accelerated with automation and visualization of relationships. We’d be happy to share them – please reach out and I’d be happy to share more of what we observe our communities are doing.
Gartner Research Report