User identities are a major target for attackers since they are the key to resources throughout the organization. Determined attackers might evade detection, succeed in stealing user account credentials and leverage them for lateral movement and data access.
Cynet User Behavior Analysis continuously monitors and profiles user activity to define a legitimate behavioral baseline and identify anomalous activity that indicates compromise of user accounts.
User Behavioral Baseline
Cynet utilizes real-time user activity monitoring to achieve a baseline, utilizing the number of hosts they log into, location, frequency, internal and external network communication, accessed data files and executed processes.
Real-Time Activity Context
Real-time activity context is achieved through continuous correlation of user activities with other entities’ events, including endpoints, files and external network locations, providing rich context to determine associated risk.
Enhance Accuracy with User Verification
Move to Proactive Login Monitoring
Leverage internal knowledge of users’ roles, group, geolocation and working hours to define access patterns to SaaS and on-prem resources that are likely to indicate user account compromise.
Examples include first-time logins to resources, login outside of working hours, login to multiple machines within a short timeframe, etc.
Define for each user or users’ group access policies for internal resources, on-prem or SaaS.
Cynet sends a Verification message automatically via phone or email to validate the login nature and avoid false positives.
Cynet triggers an alert on compromised user identity. Cynet’s admin can define that any such alert drives automated disabling of the user account.
User Behavior Analytics: Common Scenarios
Real time monitoring of all the interactions users initiate: hosts that they log into, number of host, location, frequency, internal and external network communication, data files opened, executed processes and many more.
User is logged in to his laptop and logs in to a sensitive database.
New VPN Connection
User remotely logs in to a file server via VPN for the first time.
Multiple Concurrent Connections
User is logged in to multiple resources within a short timeframe.
Off Hours SaaS Login
User that typically works on an on-prem desktop logs in remotely to the organization’s Dropbox.