You’ve probably heard “An organization’s security is only as good as its weakest link”.
Companies spend a tremendous amount of money, time, and energy on security products, services and software, thinking that these will be enough? But the bitter truth is that all it takes is one person to burst the bubble. A majority of all “major” attacks that exist today are due to a single mistake by a single person using Social engineering, a bad password, opening an email virus or something similar. That is why the weakest link in the data security chain is, and always will be, “human error”.
User Behavior Analytics was defined by Gartner in 2014 as a category of cybersecurity tools that analyze user behavior on networks and other computer systems and apply advanced analytics to detect anomalies. These can be used to discover security threats like malicious insiders and privileged account compromise, which traditional security tools cannot see.
So, the question arises how does a company analyze the behavior of its employees.
The User Threat Quotient (UTQ) report provided by Sophos XG firewall does exactly that. This provides security intelligence to an administrator and gives them information on the risky users who are posing security threats on the organization’s network.
Sophos XG Firewall (SF) calculates the UTQ score of each user based on the following two criteria:
- Web surfing behavior (Only Allowed, but potentially risky and Denied Web traffic for each user)
- Advanced Threat Protection (ATP) logs (Infected clients/hosts or clients that are part of a botnet)
UTQ help administrators to:
- Spot risky users at a glance.
- Identify which clients/hosts within the network are infected or part of a botnet.
- Find malicious insiders.
- Avoid the chances of human oversight when correlating data from various logs and reports.
- Take appropriate actions like fine-tuning security policies, security awareness training, etc.
The UTQ Dashboard is displayed in the form of a bubble graph and a table. The bubble graph is plotted between Relative Risk Ranking and Relative Threat Score; the bubble represents a user and the bubble size represents the Relative Threat posed by the user. Moving the mouse over the bubble displays details like the Username, the Relative Threat Score and the Relative Risk Ranking of a user.
The bubble graph area is divided into three sections where:
- The top 10% are marked as High-Risk Users
- The next 40% are marked as Medium Risk Users
- The remaining 50% are marked as Low Risk Users
The table at the bottom contains the following information:
User: The username of the User as defined in SF. If the User is not defined, then it will display ‘N/A’ which means the traffic is generated by an undefined user.
Relative Threat Score: The threat posed by the user (as a number), relative to the web behavior of all the other users, in the selected date range.
The UTQ reports for a particular can also be viewed. To view these reports for a particular user, navigate to Reports > Dashboards. In the Show field, click on the drop-down menu and then select User Threat Quotient (UTQ). Click on the bubble of a particular user or click on a user under the User column at the bottom of the page in order to view the report.
You can view the reports for the selected user, Advanced Threats, Detailed View ATP, Security Heartbeat ATP, High Risk Web Categories/ Domains, and Blocked High-Risk Web Categories/Domains by accessing the relevant widgets from the screen shown above.
By using such features, the network administrators will be able to identify the risky users, educate them or take actions respectively. By having such insights of the network users, the probability of attacks will be dramatically decreased.
No comments:
Post a Comment