Isolate user behaviors that pose threats with risk-based alerting
Ram, a security analyst at Buttercup Games, tracks user behavior and maintains the hygiene of Buttercup Games' security operations center (SOC) by monitoring the accounts, their purpose, and their expected usage. Certain users or systems in Ram's security environment pose a higher risk to the organization than others.
For users, this might be due to an impending termination, a history of security incidents, or the prominence of a particular individual, thereby increasing the likelihood of the user falling victim to attack. To mitigate this risk, Ram can place a user on a Watchlist. This is similar to tagging a restricted asset and can trigger alerts due to the increased risk associated with that particular user. Ram can also prioritize users based on their role or department such as whether they are a C-suite Executive or an assistant. User behaviors that represent insider security threats include compromised user credentials and misuse by privileged users.
Ram can also prioritize systems based on their exposure to vulnerabilities, such as internet-facing applications or hosts in a DMZ, the network segment that holds an organization's exposed, outward-facing services and is treated as untrusted by the internal network. Production systems are also at higher risk than development systems.
Ram identifies all high-priority accounts that typically have administrative privileges and executive-level authority. By identifying high-priority accounts, Ram can prevent unauthorized users from misusing the accounts that can access the sensitive and confidential assets of Buttercup Games.
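The prioritization described above (a watchlist flag, a user priority, and a system's exposure and environment) only matters if it changes how risk accumulates against a risk object. The following is an added, stand-alone model of that logic written for this page; it is not Splunk Enterprise Security code. The event fields mirror what a correlation search writes to the risk index (risk_object, risk_object_type, risk_score, source), but the identity and asset tables, the multipliers, the two thresholds and the sample events are all constructed assumptions chosen to illustrate the effect.

```python
"""Added example: a stand-alone model of risk-based alerting with risk factors.

Not Splunk ES code. Identity/asset tables, multipliers, thresholds and the
sample risk events are constructed for illustration (assumptions).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed identity table: priority and watchlist flag per user.
IDENTITIES = {
    "jdoe":       {"priority": "medium",   "watchlist": False},
    "ceo":        {"priority": "critical", "watchlist": False},
    "tleaver":    {"priority": "low",      "watchlist": True},   # pending termination
    "svc_backup": {"priority": "high",     "watchlist": False},
}

# Constructed asset table: network exposure and environment per system.
ASSETS = {
    "web01": {"category": "dmz",      "environment": "production"},
    "dev07": {"category": "internal", "environment": "development"},
}

# Assumed risk-factor multipliers (illustrative values, not ES defaults).
PRIORITY_FACTOR = {"critical": 4.0, "high": 2.0, "medium": 1.0, "low": 1.0}
WATCHLIST_FACTOR = 2.0
DMZ_FACTOR = 2.0
PRODUCTION_FACTOR = 1.5

# Assumed notable thresholds: a high aggregate score, or several distinct detections.
SCORE_THRESHOLD = 100.0
SOURCE_THRESHOLD = 3


@dataclass
class RiskEvent:
    risk_object: str
    risk_object_type: str  # "user" or "system"
    risk_score: float      # base score assigned by the detection
    source: str            # name of the detection that produced the event


def apply_risk_factors(ev: RiskEvent) -> float:
    """Return the event score after multiplying by every applicable risk factor."""
    score = ev.risk_score
    if ev.risk_object_type == "user":
        ident = IDENTITIES.get(ev.risk_object, {})
        score *= PRIORITY_FACTOR.get(ident.get("priority", "medium"), 1.0)
        if ident.get("watchlist"):
            score *= WATCHLIST_FACTOR
    elif ev.risk_object_type == "system":
        asset = ASSETS.get(ev.risk_object, {})
        if asset.get("category") == "dmz":
            score *= DMZ_FACTOR
        if asset.get("environment") == "production":
            score *= PRODUCTION_FACTOR
    return score


def aggregate(events):
    """Sum factored scores per risk object and collect the distinct detection sources."""
    totals = defaultdict(float)
    sources = defaultdict(set)
    for ev in events:
        key = (ev.risk_object_type, ev.risk_object)
        totals[key] += apply_risk_factors(ev)
        sources[key].add(ev.source)
    return {k: (totals[k], sorted(sources[k])) for k in totals}


def risk_notables(events):
    """Return the risk objects that cross either threshold, highest total first."""
    out = []
    for (otype, obj), (total, srcs) in aggregate(events).items():
        if total >= SCORE_THRESHOLD or len(srcs) >= SOURCE_THRESHOLD:
            out.append({"risk_object": obj, "risk_object_type": otype,
                        "total_risk": total, "sources": srcs})
    return sorted(out, key=lambda n: n["total_risk"], reverse=True)


# Constructed sample risk events for one aggregation window.
SAMPLE_EVENTS = [
    RiskEvent("jdoe", "user", 20, "Excessive Failed Logins"),
    RiskEvent("jdoe", "user", 20, "Excessive Failed Logins"),
    RiskEvent("ceo", "user", 25, "Login From New Country"),
    RiskEvent("tleaver", "user", 30, "Large Outbound Transfer"),
    RiskEvent("tleaver", "user", 30, "USB Device Attached"),
    RiskEvent("svc_backup", "user", 10, "Interactive Logon By Service Account"),
    RiskEvent("svc_backup", "user", 10, "New Local Admin Account"),
    RiskEvent("svc_backup", "user", 10, "Scheduled Task Created"),
    RiskEvent("web01", "system", 40, "Web Shell Indicator"),
    RiskEvent("dev07", "system", 40, "Web Shell Indicator"),
]

if __name__ == "__main__":
    for n in risk_notables(SAMPLE_EVENTS):
        print(f"{n['risk_object_type']:6} {n['risk_object']:11} "
              f"score={n['total_risk']:6.1f} sources={n['sources']}")
```

With these assumptions the same base scores produce very different outcomes: the single login anomaly for the C-suite account and the two events for the watchlisted leaver cross the score threshold, the service account with three low-scoring but distinct detections is surfaced by the source-count threshold, and the identical web-shell indicator is promoted on the DMZ production host but stays below threshold on the development box. A plain "ordinary" user with repeated failed logins generates no notable at all, which is the noise reduction the narrative describes.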
Without risk-based alerting
Prior to using Splunk Enterprise Security, Ram must wait for an issue to be reported and then work out how to collect the data from the impacted device.
- First, Ram must decide whether to get the device shipped or run an onsite forensic imaging.
- Then, Ram prepares a report on the findings.
- Finally, Ram partners with various teams to respond to the insider threat.
Though Ram has effective partnerships with other departments and a response plan, Ram realizes that automating the process can increase efficiency.
In addition, Ram's work is impacted by the following constraints:
- The size of the SOC at Buttercup Games makes it impossible for Ram to maintain all the records such as when an account got created, when an account became dormant, shared accounts between individuals, or if an account is a service account.
- Additionally, constantly evaluating multiple security tools and struggling with the massive alert volume makes it difficult to quickly identify unauthorized user behavior.
- Finally, the risk of insider threat from company employees has significantly increased due to remote work and greater access to data from anywhere in the world.
With risk-based alerting
Instead of waiting for insider threat reports, Ram decides to proactively use risk-based alerting for existing data in the SOC to efficiently track account activity and monitor user behaviors to protect the business.
Follow these steps to see how Ram uses risk factors based on risk scores to identify unauthorized usage by insiders that pose a security threat to Buttercup Games:
- Investigate risk notables that represent a threat
- Track high risk behavior using lookups
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2