Intelligent CIO North America Issue 09 | Page 37

TALKING business

Orion Cassetto, Director, Product Marketing, Exabeam

Departments within an organization may be easily distinguished by where they are situated in an office building (when we are allowed into our offices, that is) – perhaps finance and sales share floor two, and executives are up on floor six – but their network activity is just as identifiable.

Every user on a network performs specific tasks and generates unique events every day. These events are logged and collected to provide valuable information to security analysts that can be used for activity profiling and anomaly detection.

As cyberattacks become more complex and harder to find, correlation rules often lack context and also require significant maintenance, which generates false negatives or misses unique incidents. To mitigate threats and ensure malicious activity by attackers is not overlooked, security analysts must be able to benchmark baseline behaviors for users at all levels of an organization.

Machine Learning-based behavior analytics is increasingly deployed by security teams to identify when legitimate user accounts exhibit anomalous behavior and to provide insights into both compromised and malicious users to SOC analysts and insider threat teams.

Let’s dig into what some normal network activity might look like for various company personas and examples of anomalous behaviors that might raise suspicion for SOC analysts – and how to address them.

Company executives – CEOs, COOs and CFOs

The highest-ranking members of a company are often the most lucrative targets for cybercriminals. Since they hold significant clout within a company, cybercriminals can easily obtain assets by impersonating these individuals. Normal network behavior for a CEO and other high-level executives might include sharing earnings documents with stakeholders, accessing new business plans, and reviewing contracts, competitive data or mergers and acquisitions information.

If one of these individuals is suddenly directing suspicious wire transfers or sending mass emails to staff or stakeholders containing malicious links, it would trigger SOC analysts to investigate further.

Finance

Similar to executives, finance departments deal with sensitive and privileged assets, making them a goldmine for bad actors. Finance managers and staff may access quarterly budget documents, collect spending records for different organizational departments or deal with accounts receivable and payable.

They may access payroll documents – but likely wouldn’t be downloading information on a company vendor or employee contract, which often hold personal information like bank details, social security numbers or private addresses. Those activities should certainly raise alarm bells.

Human Resources

Chief People Officers and HR managers often act as the primary liaison between the organization’s management and employees. Human Resources are often very active on a company network due to the nature of their work, which means their network activity can be complex and difficult for legacy systems to monitor.

Using software like DocuSign or Dropbox would likely be a baseline behavior for HR departments, helping them facilitate the hiring and onboarding of new employees. Anomalous behavior by an HR employee might look like a user attempting to access financial records or download employees’ personal tax documents.

Sales and marketing

Baseline behavior for sales and marketing users would likely include accessing apps like Zoom or Skype to host sales pitches or meetings, but they likely wouldn’t need to be viewing personnel files or financial documents.

This type of behavior would likely generate a high-risk score and require further investigation. They also often send large files, like design files, videos, webinar recordings, etc., out of the organization, whether that be via file-sharing apps, to a website, or to partners and customers.
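The persona sections above all follow one pattern: learn what resources and transfer sizes a role normally touches, then score deviations from that baseline. The following is an added illustration of that pattern, written for this page; it is not Exabeam's product code and not part of the original article. The key=value log format, the role names, the risk weights and all the event lines are constructed assumptions chosen to reproduce the article's scenarios (an HR user reaching into finance records, a sales user opening a personnel file, an unusual external upload).

```python
import re
import statistics
from collections import defaultdict

# Constructed sample events (assumed key=value format, not real logs):
# a learning window of normal activity per role, then a day to score.
BASELINE_EVENTS = """
user=cfo01 role=executive action=read resource=finance/earnings_q3.xlsx
user=cfo01 role=executive action=read resource=legal/merger_term_sheet.pdf
user=fin02 role=finance action=read resource=finance/budget_q3.xlsx
user=fin02 role=finance action=read resource=finance/accounts_payable.csv
user=fin03 role=finance action=read resource=finance/payroll_run.csv
user=hr04 role=hr action=send resource=hr/offer_letter.docx app=docusign
user=hr04 role=hr action=read resource=hr/onboarding_checklist.pdf
user=sal05 role=sales action=upload resource=marketing/webinar.mp4 bytes=480000000 dest=external
user=sal05 role=sales action=upload resource=marketing/deck.pptx bytes=35000000 dest=external
user=sal06 role=sales action=upload resource=marketing/demo.mp4 bytes=620000000 dest=external
"""

TODAY_EVENTS = """
user=hr04 role=hr action=read resource=finance/accounts_payable.csv
user=hr04 role=hr action=download resource=finance/employee_tax_forms.zip
user=sal05 role=sales action=upload resource=marketing/case_study.pdf bytes=20000000 dest=external
user=sal06 role=sales action=read resource=hr/personnel_file_smith.pdf
user=fin02 role=finance action=read resource=finance/budget_q4.xlsx
user=hr04 role=hr action=upload resource=hr/all_employee_records.zip bytes=900000000 dest=external
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Turn key=value log lines into dicts; the resource's top folder is its category."""
    events = []
    for line in text.strip().splitlines():
        ev = dict(FIELD_RE.findall(line))
        if ev:
            ev["category"] = ev["resource"].split("/", 1)[0]
            ev["bytes"] = int(ev.get("bytes", 0))
            events.append(ev)
    return events


def build_baseline(events):
    """Per role: the resource categories seen, and the sizes of external uploads."""
    categories = defaultdict(set)
    upload_sizes = defaultdict(list)
    for ev in events:
        categories[ev["role"]].add(ev["category"])
        if ev["action"] == "upload" and ev.get("dest") == "external":
            upload_sizes[ev["role"]].append(ev["bytes"])
    return {"categories": categories, "upload_sizes": upload_sizes}


def score_events(baseline, events):
    """Return (user, risk 0-100, reason) for events that deviate from the role baseline.

    The weights are assumed for illustration; a real UEBA product tunes them
    per deployment and adds many more features (time of day, peer group, etc.).
    """
    alerts = []
    for ev in events:
        role, risk, reasons = ev["role"], 0, []
        # A resource category this role never touched during the learning window
        if ev["category"] not in baseline["categories"][role]:
            risk += 60
            reasons.append(f"{role} accessed {ev['category']} resource")
            if ev["action"] == "download":
                risk += 20  # taking a copy is worse than viewing
                reasons.append("and downloaded it")
        # External uploads: either no history of them, or far above the role's norm
        if ev["action"] == "upload" and ev.get("dest") == "external":
            sizes = baseline["upload_sizes"].get(role)
            if not sizes:
                risk += 40
                reasons.append(f"{role} has no history of external uploads")
            elif len(sizes) > 1 and ev["bytes"] > statistics.mean(sizes) + 2 * statistics.pstdev(sizes):
                risk += 40
                reasons.append("upload size far above role baseline")
        if risk:
            alerts.append((ev["user"], min(risk, 100), "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_EVENTS))
    for user, risk, why in score_events(base, parse(TODAY_EVENTS)):
        print(f"{user:6} risk={risk:3} {why}")
```

Run as written, the script flags the HR user twice for the finance records (the download scoring higher than the read), the sales user for the personnel file, and the HR user's first-ever large external upload, while the finance user's quarterly budget access and the sales user's routine case-study upload produce no alert. The point to take from it is that the same event (a read of a payroll file, an external upload) is normal for one persona and suspicious for another, which is exactly what a static correlation rule cannot express without a rule per role.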
www.intelligentcio.com | INTELLIGENTCIO NORTH AMERICA 37