Resolving Anomalous Admin Behaviors With Fortscale User Behavior Analytics v1.4

Over the past month, we have been quietly rolling out a new version of our User Behavior Analytics platform and are excited to officially introduce some of its latest features and upgrades. Version 1.4 preserves the look and feel of our industry-leading analytics platform, but contains extensive upgrades that provide even better overall value for our Fortune 1000 clients.

Building on the success of recent deployment and operation of the new release, we bring you samples from some of the threats successfully identified and investigated using v1.4.

A routine scan of admin accounts in a large corporate network using Fortscale UBA v1.4 surfaced several potentially abused accounts. New additions to our Behavior Analytics engine, such as Global Event Scoring, Enhanced Peer-Based Insights, Flexible Scoring Definition, and Integrated Confidence Level, allowed us to thoroughly inspect admin accounts across our environment.

High Risk Admin Accounts – Canned analytics designed to identify abused admins inside the network.

Scanning for admin accounts that had been observed with a risk score of 50 or more, we began investigating the results using our recently introduced Rapid Response Toolbox. Soon after, we found an admin account that raised our suspicions: it had received an initial risk score of 65 while accessing an anomalous set of machines, so we drilled down to inspect the account's baseline behavior history.

Further investigation of the account was then divided into two stages: first, determining whether the user had a consistent behavior baseline, and second, checking whether the current behavior indicated that the account had been abused.

Stage 1: User Access Investigation – Visualizing which machines our account had been accessing, and which of these events were in fact anomalous for this user.

Stage 2: User Access History – Visualizing account baseline behavioral history with respect to current threat indicators.
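As an added illustration of the two-stage check described above (this is not Fortscale's engine or code; the logon records, host names, event weights and the peer-count threshold are constructed assumptions), the Python script below builds each admin's host-access baseline from a history of logon events, scores the current day's events by how far they stray from that baseline, discounts hosts that peer admins already use, and flags accounts at or above the 50 risk-score cut-off used in the triage:

```python
"""Baseline-vs-current host-access scoring for admin accounts.

Added example only: the scoring rule and all event data below are constructed
for illustration and do not describe Fortscale's actual analytics.
"""
from collections import defaultdict

# Constructed 30-day history of successful admin logons: (user, host)
BASELINE_EVENTS = [
    ("adm_alice", "srv-web-01"), ("adm_alice", "srv-web-02"), ("adm_alice", "srv-db-01"),
    ("adm_alice", "srv-web-01"), ("adm_alice", "srv-db-01"),
    ("adm_bob", "srv-web-01"), ("adm_bob", "srv-file-01"), ("adm_bob", "srv-web-01"),
    ("adm_carol", "srv-web-02"), ("adm_carol", "srv-file-01"), ("adm_carol", "srv-web-02"),
]

# Constructed logon events for the day under review: (user, host)
CURRENT_EVENTS = [
    ("adm_alice", "srv-web-01"), ("adm_alice", "srv-db-01"),
    ("adm_bob", "srv-web-01"), ("adm_bob", "srv-hr-01"),
    ("adm_bob", "srv-fin-02"), ("adm_bob", "srv-web-02"),
    ("adm_carol", "srv-file-01"), ("adm_carol", "srv-web-02"), ("adm_carol", "srv-db-01"),
]

RISK_THRESHOLD = 50   # the "50 or more" triage cut-off used in the text
PEER_MIN_USERS = 2    # assumed: a host is "peer-known" if >= 2 other admins use it


def build_baseline(events):
    """Stage 1: map each user to the set of hosts seen in their history."""
    baseline = defaultdict(set)
    for user, host in events:
        baseline[user].add(host)
    return baseline


def peer_known(host, user, baseline):
    """True if enough *other* admins already access this host (peer insight)."""
    others = sum(1 for u, hosts in baseline.items() if u != user and host in hosts)
    return others >= PEER_MIN_USERS


def score_user(user, hosts, baseline):
    """Stage 2: score a user's current-day host list against their baseline.

    Each logon to a host outside the user's own baseline weighs 1.0; the
    weight is halved when peer admins routinely use that host. The score is
    the weighted share of anomalous logons, scaled to 0-100.
    Returns (score, sorted list of hosts outside the baseline).
    """
    own = baseline.get(user, set())
    weight = 0.0
    anomalous = set()
    for host in hosts:
        if host in own:
            continue
        anomalous.add(host)
        weight += 0.5 if peer_known(host, user, baseline) else 1.0
    score = int(100 * weight / len(hosts)) if hosts else 0
    return score, sorted(anomalous)


def triage(baseline_events, current_events, threshold=RISK_THRESHOLD):
    """Return the accounts whose score meets the threshold, for drill-down."""
    baseline = build_baseline(baseline_events)
    by_user = defaultdict(list)
    for user, host in current_events:
        by_user[user].append(host)
    flagged = []
    for user, hosts in sorted(by_user.items()):
        score, anomalous = score_user(user, hosts, baseline)
        if score >= threshold:
            flagged.append({"user": user, "score": score, "new_hosts": anomalous})
    return flagged


if __name__ == "__main__":
    for hit in triage(BASELINE_EVENTS, CURRENT_EVENTS):
        print(f"{hit['user']}: risk {hit['score']}, new hosts {hit['new_hosts']}")
```

With the constructed data, adm_bob is the only account at or above the threshold: three of its four logons land on hosts outside its own baseline, and only one of those (srv-web-02) is discounted because other admins already use it. adm_carol's single novel host is used by just one peer, so it keeps full weight but still leaves the account below the cut-off.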

Finally, leveraging our new Operational Workflow Integration, we were able to quickly forward our findings to the company SIEM to complete the response cycle: the activity was attributed to a company employee and handed off for further treatment and remediation.

In the near future, we will uncover more innovative applications for rapid mitigation of insider threats.

Already convinced? Schedule a Demo and see Fortscale UBA v1.4 in action.