Understanding User Behavior Analytics: Detecting Anomalies in Security Data
Learn how User Behavior Analytics (UBA) uses machine learning to detect anomalies in user activities, helping identify potential security threats efficiently.
User Behavior Analytics
Added on 09/28/2024

Speaker 1: Here's a quiz for you. Can you see which one of these is different? Look for the one that deviates from the pattern. Ready? Here we go. Two. One. Did you see it? Well, maybe you did, and maybe it's more obvious to you now because we're highlighting it. But if we hadn't, that might be like looking for a needle in a haystack. Well, let's take another example. That's not IT related, that's just generally looking for a pattern. What if we put up a screen like this, and I say take a look at all of these log records, and here you can see that we've got the source listed, the log source, we've got the type of alert it is, we've got source address, destination IP address, we've got timestamps, all of this information, a wealth of information. Now tell me which one of these is the bad record? Who's the bad user that we've just caught in this? Not so obvious, right? What if I said we'll take this information and distill it down to this? Now it's really obvious. This guy Dan, it turns out, you can see him highlighted there in red, you can see his trend for risk has increased over time. Now it's obvious who this user is, and that they've been doing stuff that deviates from the norm. What is this kind of technology? We call it user behavior analytics, and user behavior analytics is all about looking for anomalies. It's baselining information, like we could look at Dan and his peers, and then looking for how he deviates from that. So let's take a look. How does the technology work? Well, in fact, the way it works is we end up with a lot of different log records. So I have different sources of security telemetry. It could be individual systems, it could be databases, it could be network equipment, things like that. So I'm going to take all of this information that I have, it's a massive amount, and I need to find the needle that's in that huge haystack. Well, how do I do that?
I'm going to take this information and feed it down into what is, in essence, a huge funnel. This funnel we call, again, user behavior analytics, and it uses machine learning techniques in order to look for the patterns and the anomalies. What kinds of things does it use to make that determination? Well, it's looking at things like volume. A particular user maybe was downloading 50 records a day, and then suddenly they start downloading 50,000 records a day. That would be a deviation from the norm and might be a suspicious activity. Other things that could happen would be related to frequency. So they used to download or log into a system, maybe as an example. They'd log into a system two or three times a day, and then suddenly they start logging in 50 times a day. That would possibly signal that something weird is going on here. Some other things might be location. Let's say this user normally works out of the Chicago office, and we suddenly see all their activity is coming in from the Beijing office. Well, unless we know that that user is over there, then that could indicate a problem. Other things that we could use, as I mentioned previously, are peer groups. So I could do this in a fixed way and define this user is part of this group, and here are all the other users that essentially do the same job, and I want to profile them and see what do they do, and is this person deviating from that. We could also do dynamic profiling, where a user basically, we look at all of their data and see what other users they generally match, and then look for their deviations from this. It's all about anomaly detection. Another thing we might look for is a particularly anomalous sequence. Maybe a system administrator logs into a system, creates a new account, then logs into that account, does a few things, and then deletes the account, and then keeps doing that again and again. That might be suspicious.
Why are you creating accounts and then instantly, almost instantly, deleting them? It doesn't make a whole lot of sense. So that might be an indication of a problem. Well, what I'm going to do is take rules like this and use machine learning techniques to look for patterns, and I'm going to use that across my user base, and I'm going to look at all of the users that are here and figure out which ones are good users and which ones are suspicious or risky users, because if I have 100 users, 1,000, 10,000, 100,000 users, it's going to be really hard to figure out which ones of them are doing the wrong things, and if I don't have a way to triage down to the riskiest users, then I really don't know where to start. I can't examine the activities of a thousand users or a hundred thousand users every single day, but if I had a display like this UBA display, this User Behavior Analytics display that I mentioned previously, it's telling me here's the top five or the top ten riskiest users, then I could go look at those and see what's going on. Now, I could also take these same techniques that I've applied to users with the UBA and apply it to entities. In other words, let's look at our network routers, switches, servers, other things that are not humans, and we call that User Entity Behavior Analytics. So, it's human users as well as other entities in our network and in our environment, and we can look for them and baseline them and look for their anomalies. We use this kind of technology in conjunction with a SIEM, a security information event management system, in order to triage and figure out where do I need to put my focus. If I can do that, then I'll know where I need to do investigations and avoid the false positives, focus in on the actual users that are creating the real threat in the environment. Thanks for watching. Please remember to like this video and subscribe to this channel so we can continue to bring you content that matters to you.
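The signals the speaker walks through (download volume, login frequency, location, a fixed peer group by job, and the create/login/delete account sequence) and the "top N riskiest users" view can be put together in a small scorer. The following is an added example written for this page, not code from the video or from any UBA product. Every event in it is constructed sample data; the z-score threshold of 3, the fixed weights for new locations and sequence hits, the peer grouping by role, and the floor on standard deviation are all assumptions chosen for illustration, and a real system would learn these rather than hard-code them.

```python
"""Toy user behavior analytics (UBA) scorer, added as an illustration.
Baseline each user's routine (daily volume, login frequency, locations, a fixed
peer group by role), score a new day's events by deviation, rank the riskiest.
All events below are constructed sample data."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

USERS = {"alice": "analyst", "bob": "analyst", "dan": "admin", "erin": "admin"}
# The odd sequence from the video: create an account, use it, delete it, repeat.
SUSPICIOUS_SEQUENCE = ("create_account", "login", "delete_account")


def _day(user, day, downloads, logins, location="Chicago"):
    """One routine day of constructed events: N logins plus one download record."""
    base = {"day": day, "user": user, "role": USERS[user], "location": location}
    return [{**base, "action": "login"} for _ in range(logins)] + [
        {**base, "action": "download", "count": downloads}]


# Five quiet days as training data, then day 6 with Dan behaving out of character.
BASELINE_EVENTS = []
for d in range(1, 6):
    BASELINE_EVENTS += _day("alice", d, 48 + d, 2) + _day("bob", d, 52 - d, 3)
    BASELINE_EVENTS += _day("dan", d, 50, 2 + d % 2) + _day("erin", d, 45 + d, 2)
NEW_EVENTS = _day("alice", 6, 51, 2) + _day("bob", 6, 49, 3) + _day("erin", 6, 47, 2)
NEW_EVENTS += _day("dan", 6, 50_000, 50, location="Beijing")  # 50 logins, 50k records
NEW_EVENTS += [{"day": 6, "user": "dan", "role": "admin", "location": "Beijing",
                "action": a} for a in SUSPICIOUS_SEQUENCE * 2]  # pattern twice


def _stats(values):
    """Mean and a floored std dev (assumption), so a flat history still gives a finite z."""
    return mean(values), max(pstdev(values), 1.0)


def build_profiles(events):
    """Per-user baselines plus per-role peer baselines for daily download volume."""
    per_day = defaultdict(lambda: defaultdict(Counter))  # user -> day -> action counts
    locations, roles = defaultdict(set), {}
    for e in events:
        per_day[e["user"]][e["day"]][e["action"]] += e.get("count", 1)
        locations[e["user"]].add(e["location"])
        roles[e["user"]] = e["role"]
    profiles, peer_downloads = {}, defaultdict(list)
    for user, days in per_day.items():
        downloads = [c["download"] for c in days.values()]
        profiles[user] = {"download": _stats(downloads), "role": roles[user],
                          "login": _stats([c["login"] for c in days.values()]),
                          "locations": locations[user]}
        peer_downloads[roles[user]] += downloads
    return profiles, {role: _stats(v) for role, v in peer_downloads.items()}


def sequence_hits(actions):
    """Count non-overlapping occurrences of SUSPICIOUS_SEQUENCE in an ordered action list."""
    hits, i, n = 0, 0, len(SUSPICIOUS_SEQUENCE)
    while i + n <= len(actions):
        if tuple(actions[i:i + n]) == SUSPICIOUS_SEQUENCE:
            hits, i = hits + 1, i + n
        else:
            i += 1
    return hits


def score_user(user, events, profiles, peers, z_threshold=3.0):
    """Risk score and reasons for one user's new events (assumed in time order)."""
    p = profiles[user]
    counts, actions, seen = Counter(), [], set()
    for e in events:
        counts[e["action"]] += e.get("count", 1)
        actions.append(e["action"])
        seen.add(e["location"])
    score, reasons = 0.0, []
    checks = [("downloads vs own history", counts["download"], p["download"]),
              ("logins vs own history", counts["login"], p["login"]),
              ("downloads vs peer group", counts["download"], peers[p["role"]])]
    for label, observed, (m, s) in checks:
        z = (observed - m) / s
        if z > z_threshold:  # only upward deviations count as risk here (assumption)
            score += z
            reasons.append(f"{label}: {observed} vs usual {m:.1f} (z={z:.1f})")
    if new_locs := seen - p["locations"]:
        score += 5.0 * len(new_locs)  # fixed weight, an assumption
        reasons.append(f"activity from new location(s): {sorted(new_locs)}")
    if hits := sequence_hits(actions):
        score += 10.0 * hits  # fixed weight, an assumption
        reasons.append(f"create/login/delete account sequence x{hits}")
    return round(score, 1), reasons


def rank_users(new_events, profiles, peers, top=5):
    """The 'top N riskiest users' view: (user, score, reasons), highest score first."""
    by_user = defaultdict(list)
    for e in new_events:
        by_user[e["user"]].append(e)
    ranked = [(u, *score_user(u, evs, profiles, peers)) for u, evs in by_user.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)[:top]


if __name__ == "__main__":
    prof, peer = build_profiles(BASELINE_EVENTS)
    for user, risk, why in rank_users(NEW_EVENTS, prof, peer):
        print(f"{user:6} risk={risk:>9}  {'; '.join(why) or 'within baseline'}")
```

Run as a script, it prints the ranked list with Dan at the top and the reasons behind his score, while the three users who kept to their routine score zero. The reasons list is the part an analyst actually needs: a bare score says where to look first, but the deviations behind it (50,000 records against a history of 50, a login from a never-seen location, the repeated account lifecycle) are what turn a triage hit into an investigation or a dismissed false positive.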
