Isolate User Behaviors That Pose Threats
Buttercup Games, a fictitious company, runs an e-commerce site to sell its products. As a best practice, Ram, a security analyst at Buttercup Games, tracks user behavior and maintains the security hygiene of his security operations center (SOC) by monitoring which accounts are created, why they are created, and how they are expected to be used. However, the size of his SOC makes it impossible to keep manual records of when an account was created, when an account went dormant, whether an account is shared between individuals, or whether an account is a service account. So Ram uses Splunk Enterprise Security to make the task of tracking account activity easier and to monitor user behaviors.

User behaviors that represent security threats in this SOC include compromised user credentials, insider threats, and misuse by privileged users. Compromised user credentials are the biggest threat to the assets and identities in Ram's SOC. Ram knows that user credentials can be compromised for any of the following reasons:
- Phishing emails that appear to come from reputable companies induce users to reveal personal information, such as passwords and credit card numbers.
- The same password is reused across multiple user accounts, so one breached account exposes the others.
- Passwords are inadvertently exposed through insecure password-sharing practices.
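The account-tracking tasks listed above (spotting an account that is shared between individuals, and an account that goes dormant and then comes back to life) can be expressed as simple detection logic over authentication events. The following Python is an added illustration written for this page; it is not Splunk Enterprise Security code and does not use SPL. The events and the identity table are constructed sample data, and the priority weighting is an assumption made here to show how a high-priority account raises the severity of a finding.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real Buttercup Games data).
# Each tuple is (ISO timestamp, user, source host, action).
EVENTS = [
    ("2023-01-02T08:00:00", "alice", "wks-01", "success"),
    ("2023-01-02T08:05:00", "alice", "wks-02", "success"),
    ("2023-01-02T08:20:00", "alice", "wks-03", "success"),
    ("2023-01-02T09:00:00", "bob", "wks-10", "success"),
    ("2023-01-02T09:30:00", "bob", "wks-10", "success"),
    ("2023-01-02T10:00:00", "svc_backup", "srv-01", "success"),
    ("2023-04-20T03:15:00", "svc_backup", "srv-09", "success"),  # long gap
    ("2023-04-20T03:16:00", "carol", "wks-20", "failure"),
]

# Constructed identity table (assumption: a priority field with values
# low/medium/high/critical, loosely modeled on an identity lookup).
IDENTITIES = {
    "alice": {"priority": "high", "category": "admin"},
    "bob": {"priority": "low", "category": "staff"},
    "svc_backup": {"priority": "critical", "category": "service"},
    "carol": {"priority": "medium", "category": "staff"},
}


def parse(events):
    """Convert raw tuples into (datetime, user, host, action), time-ordered."""
    return sorted((datetime.fromisoformat(ts), u, h, a) for ts, u, h, a in events)


def shared_account_findings(events, window=timedelta(hours=1), min_hosts=3):
    """Flag an account that authenticates successfully from at least
    min_hosts distinct hosts inside any sliding window of length `window`.
    Returns {user: sorted list of hosts seen in the first such window}."""
    by_user = defaultdict(list)
    for ts, user, host, action in parse(events):
        if action == "success":
            by_user[user].append((ts, host))
    findings = {}
    for user, logins in by_user.items():
        for i, (start, _) in enumerate(logins):
            hosts = {h for ts, h in logins[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


def dormant_reactivation_findings(events, dormant_days=90):
    """Flag a successful login preceded by at least dormant_days of silence
    for that account. Returns {user: {"host": ..., "gap_days": ...}}."""
    last_seen = {}
    findings = {}
    for ts, user, host, action in parse(events):
        if action != "success":
            continue
        prev = last_seen.get(user)
        if prev is not None and ts - prev >= timedelta(days=dormant_days):
            findings[user] = {"host": host, "gap_days": (ts - prev).days}
        last_seen[user] = ts
    return findings


def risk_score(findings, identities):
    """Weight each finding by the account's priority (weights are an
    assumption for this example, not a Splunk ES scoring rule)."""
    weight = {"unknown": 1, "low": 1, "medium": 2, "high": 4, "critical": 8}
    return {
        user: weight[identities.get(user, {}).get("priority", "unknown")]
        for user in findings
    }


if __name__ == "__main__":
    shared = shared_account_findings(EVENTS)
    dormant = dormant_reactivation_findings(EVENTS)
    print("shared:", shared, risk_score(shared, IDENTITIES))
    print("dormant:", dormant, risk_score(dormant, IDENTITIES))
```

On the sample data, `alice` is flagged as a shared (or stolen) credential because three different workstations authenticate as her within twenty minutes, and `svc_backup` is flagged as a dormant service account that reactivates from a new server after more than 90 days. Failed logins are deliberately ignored by both detections so that a single guessing attempt does not register as a reactivation.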
Ram also wants to identify all high-priority accounts. High-priority accounts typically have administrative privileges or executive-level authority and can access sensitive or confidential assets. By identifying high-priority accounts, Ram can detect and prevent unauthorized users from misusing them. Ram also knows that a valid credential might be used by an insider in an unauthorized manner. This use case describes how Ram uses the dashboards, correlation searches, risk factors, and other analytics provided by Splunk Enterprise Security to monitor user behaviors that pose a security threat to the SOC of Buttercup Games, using the following steps:
Investigate risk notables that represent a threat
Use dashboards to track user behavior
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0