Sunday, October 16, 2016

EU GDPR will be there, but how to start the journey - Chapter I

How to understand what is happening in our network

Understanding and monitoring network traffic as such might seem to be enough, but it is not. You can use SolarWinds, IBM, HP and other network monitoring tools, but how far do they support and utilize machine learning to understand user behaviour, rather than protocols, packet sizes and source and target addresses at the Ethernet and IP level, not forgetting OSI layer 4 (TCP or UDP) and the application layers?

So having and saving logs is not enough in the future. Logs remain an important part of the process, but there should also be more proactive, real-time actions and alerting based on abnormal user behaviour.

Microsoft Advanced Threat Analytics video

To understand what abnormal behaviour is, machine learning is one key to finding and identifying changes, and this works in multiple ways. Most security breaches still, unfortunately, start from poor user credentials and user behaviour, where the attacker has somehow obtained the user name and password - and guessing the user name is not hard work. Does the user have an email address? Yes. Does the user have a SIP address? Yes. The conclusion might then be that SMTP address = SIP address = User Principal Name - not hard, or what?

When the attacker has the user name and password and can remotely log in to the user's PC, the world is open to him or her. This hacked account is the key to start browsing the corporate network and finding workstations and servers/services with known vulnerabilities for which the fix has not been installed. This way the attacker gets to know more and more about your network while, unfortunately, your own IT knows nothing.

Microsoft Advanced Threat Analytics is one tool for this: it starts to learn how users behave and then alerts on abnormal behaviour. For example, Jack works in the London office from 8-17, and suddenly one day there is the normal login during that time, but also a login at a different time, from a different PC and a different location. With machine learning you can start to find these patterns and, hopefully, when an alert fires, also have control actions and governance on how to proceed.
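To make the Jack example concrete, here is an added illustration (my own sketch, not Microsoft ATA code or its algorithm) of the simplest form of behavioural baselining: learn, per user, the logon hours, workstations and locations seen during a learning period, then flag later logons that fall outside that profile. The logon events, the user name "jack", the workstation names and the locations are all constructed sample data, not real telemetry.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class LogonEvent:
    user: str
    time: datetime
    host: str
    location: str


# Constructed sample data (not from the article): one week of Jack's normal
# logons in the London office, all within the 08-17 working day.
BASELINE_EVENTS = [
    LogonEvent("jack", datetime(2016, 10, 3, 8, 5), "LON-WS-042", "London"),
    LogonEvent("jack", datetime(2016, 10, 3, 13, 12), "LON-WS-042", "London"),
    LogonEvent("jack", datetime(2016, 10, 4, 8, 20), "LON-WS-042", "London"),
    LogonEvent("jack", datetime(2016, 10, 5, 9, 1), "LON-WS-042", "London"),
    LogonEvent("jack", datetime(2016, 10, 6, 16, 45), "LON-WS-042", "London"),
    LogonEvent("jack", datetime(2016, 10, 7, 8, 30), "LON-WS-042", "London"),
]

# Constructed events to score: a normal morning logon, then a night-time logon
# from an unknown workstation in another city on the same day.
NEW_EVENTS = [
    LogonEvent("jack", datetime(2016, 10, 10, 8, 40), "LON-WS-042", "London"),
    LogonEvent("jack", datetime(2016, 10, 10, 3, 15), "FRA-WS-117", "Frankfurt"),
]


@dataclass
class Profile:
    hours: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    locations: set = field(default_factory=set)


def learn_baseline(events):
    """Build a per-user profile of the hours, hosts and locations seen in the learning period."""
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e.user]
        p.hours.add(e.time.hour)
        p.hosts.add(e.host)
        p.locations.add(e.location)
    return dict(profiles)


def score_event(profile, event, hour_slack=1):
    """Return the deviations of one logon from the profile; an empty list means normal.

    hour_slack widens the observed working-hour window by that many hours on
    each side so that a slightly early or late logon does not raise an alert.
    """
    reasons = []
    lo, hi = min(profile.hours), max(profile.hours)
    if not (lo - hour_slack <= event.time.hour <= hi + hour_slack):
        reasons.append(f"unusual hour {event.time.hour:02d}:00 (baseline {lo:02d}-{hi:02d})")
    if event.host not in profile.hosts:
        reasons.append(f"unseen workstation {event.host}")
    if event.location not in profile.locations:
        reasons.append(f"unseen location {event.location}")
    return reasons


def detect(profiles, events):
    """Return (event, reasons) pairs for every logon that deviates from its user's profile.

    A user with no learned profile is reported too: a first-ever logon is
    itself something the security team should look at.
    """
    alerts = []
    for e in events:
        profile = profiles.get(e.user)
        if profile is None:
            alerts.append((e, ["no baseline for user"]))
            continue
        reasons = score_event(profile, e)
        if reasons:
            alerts.append((e, reasons))
    return alerts


if __name__ == "__main__":
    for event, reasons in detect(learn_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f"ALERT {event.user} {event.time:%Y-%m-%d %H:%M} {event.host}/{event.location}")
        for r in reasons:
            print("  -", r)
```

The 08:40 logon produces no alert, while the 03:15 logon from FRA-WS-117 in Frankfurt is reported with three independent reasons. The number of reasons is a usable first severity measure: a single unseen workstation is often just a new laptop, but an unusual hour, host and location together on one account is the pattern described above and deserves the control actions the article calls for.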


The next article will discuss Azure AD Premium and how it supports the GDPR journey.


Use the following link to watch the ATA video by Microsoft

Microsoft ATA video

"All comments, thoughts and picture's are my own"

Fast and Rusty Beetle - Extreme CarShow Helsinki 2010

